### 简要描述: demo站点测试成功 ### 详细说明: 漏洞主要源码 ``` case 'updateinfo': $id = intval($_POST['id']); checkInfoUser($id, trim($_REQUEST['password'])); $title = $_POST['title'] ? htmlspecialchars_deep(trim($_POST['title'])) : ''; $areaid = $_POST['areaid'] ? intval($_POST['areaid']) : ''; $enddate = !empty($_POST['enddate']) ? (intval($_POST['enddate']*3600*24)) + time() : '0'; $content = $_POST['content'] ? htmlspecialchars_deep(trim($_POST['content'])) : ''; $linkman = $_POST['linkman'] ? htmlspecialchars_deep(trim($_POST['linkman'])) : ''; $phone = $_POST['phone'] ? trim($_POST['phone']) : ''; //没用html函数处理 $qq = $_POST['qq'] ? intval($_POST['qq']) : ''; $email = $_POST['email'] ? htmlspecialchars_deep(trim($_POST['email'])) : ''; $address = $_POST['address'] ? trim($_POST['address']) : ''; $mappoint = $_POST['mappoint'] ? trim($_POST['mappoint']) : ''; if(empty($title))showmsg("标题不能为空"); if(empty($phone) && empty($qq) && empty($email))showmsg("电话、qq、email,必须填写一项"); check_words(array($title,$content)); $items = array( 'areaid' => $areaid, 'title' => $title, 'content' => $content, 'linkman' => $linkman, 'email' => $email, 'qq' => $qq, 'phone' => $phone, 'mappoint' => $mappoint, 'address' => $address, 'enddate' => $enddate ); $res = editInfo($items, $_POST['cus_value'], $id); $res ? $msg="恭喜您,修改成功!" 
: $msg="抱歉修改失败,请与客服联系。"; $link = "view.php?id=$id"; showmsg($msg, $link); break; ``` ### 漏洞证明: 漏洞证明：随便注册一个用户，然后登录官网 demo，在个人中心处点击“发布” [<img src="https://images.seebug.org/upload/201502/0216195109e5aebcc257f3051ad2619308cd930d.png" alt="45.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0216195109e5aebcc257f3051ad2619308cd930d.png) 随便输入内容后，点击“我的信息” [<img src="https://images.seebug.org/upload/201502/0216201659b41e814074a044db22b860c4aac1f9.png" alt="46.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0216201659b41e814074a044db22b860c4aac1f9.png) 点击“编辑”，在移动电话处输入 ``` ');alert('xss ``` 然后确定，再查看发布内容，点击“查看归属地”按钮就会弹框。原因是上述代码中 $phone（以及同样只经 trim() 处理的 $address、$mappoint）未做 HTML 转义就直接入库；从 payload 的形式看，该值应是被直接拼入了页面脚本的字符串中，单引号便可闭合原有字符串。修复应在入库前对这些字段做与 $title 相同的 htmlspecialchars_deep 处理，并在输出到 JS 上下文时按上下文进行编码。 [<img src="https://images.seebug.org/upload/201502/02162106bc1d0461436568475511a3897965bdc4.png" alt="47.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/02162106bc1d0461436568475511a3897965bdc4.png) [<img src="https://images.seebug.org/upload/201502/021621196bd943b07b3235765b080453f26dac8d.png" alt="48.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/021621196bd943b07b3235765b080453f26dac8d.png) [<img src="https://images.seebug.org/upload/201502/0216221948f936ca21a6e2fbdb160662996a19f1.png" alt="49.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0216221948f936ca21a6e2fbdb160662996a19f1.png)