### Brief description: Bypassing the protection

### Details: /bbs/ajax.php, line 19

```
$data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
```

No filtering at all.

### Proof of vulnerability: ./bbs/360safe.php

```
$cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|\\/\\*.*?\\*\\/|'";
```

Tags such as `iframe` and `img` are not filtered. When posting a reply on the bbs, change `login_username` in the cookie to `username`:

![54afca8c14233.jpg](https://images.seebug.org/upload/201501/15125155dba38d49bb49d959a7c3cf4fc3e4f645.jpg)

After replying:

![2.jpg](https://images.seebug.org/upload/201501/15125248f3ef696bd93924fa6ea33bb2ac1076f3.jpg)
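The following is an added example, not code from the report or from the vendor. It reproduces the `$cookiefilter` denylist quoted above to show why it misses a tag-based payload while catching `<script`, and pairs it with the controls a defender would use instead: an allow-list on the cookie-supplied username (the `\w{3,20}` policy is an assumption) and context-aware output encoding when the value is rendered in a reply. The sample values are constructed.

```php
<?php
// The cookie denylist as quoted from ./bbs/360safe.php (PHP double-quoted string).
$cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|\\/\\*.*?\\*\\/|'";

// Returns true when the denylist would reject the value (how 360safe.php uses it).
function cookie_denylist_blocks(string $value, string $pattern): bool {
    return preg_match('/' . $pattern . '/i', $value) === 1;
}

// Positive validation: a username is letters, digits or underscore, 3-20 chars
// (assumed policy). Anything else is rejected instead of being pattern-matched.
function safe_username(string $value): string {
    return preg_match('/^\w{3,20}$/', $value) === 1 ? $value : '';
}

// Output encoding for an HTML text node or attribute value; this is what
// neutralises <img>/<iframe> markup regardless of what the denylist knows.
function render_username(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed samples: a normal name, a value the denylist catches, and a
// tag-based value of the kind the report describes, which it does not catch.
$samples = [
    'alice',
    '<script>x</script>',
    '<img src=x onerror=x>',
];

foreach ($samples as $s) {
    printf("%-24s denylist=%-8s allowlist=%-8s escaped=%s\n",
        $s,
        cookie_denylist_blocks($s, $cookiefilter) ? 'blocked' : 'passes',
        safe_username($s) === '' ? 'rejected' : 'ok',
        render_username($s));
}

// How /bbs/ajax.php line 19 would read the cookie with the allow-list applied.
// Better still, take the username from the server-side session rather than a
// client-controlled cookie, since the report shows the cookie is attacker-chosen.
$data['username'] = safe_username($_COOKIE['username'] ?? '');
```

Run with `php example.php`: the `<img ...>` sample passes the denylist but is rejected by the allow-list and, if it ever reached the template, would be rendered inert by `render_username`.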