### Brief description:

Two stored cross-site scripting (XSS) issues in php云人才系统 (the PHPYun recruitment system).

### Detailed description:

WooYun-2014-73319 ([WooYun: php云人才系统存储型跨站多处](http://www.wooyun.org/bugs/wooyun-2014-073319)) previously reported these two stored XSS issues. The vendor patched them, but they can still be triggered in an unusual way: the filter blocks raw tags, yet an HTML-entity-encoded payload is stored as-is and decoded once when the page is rendered.

0x01: Ask a question (我要提问)
================================================================

First, HTML-encode the code to be injected, for example:

```
<script>alert(1);</script>
```

After encoding it reads:

```
&lt;script&gt;alert(1);&lt;/script&gt;
```

Then paste it into the content field:

![1.png](https://images.seebug.org/upload/201412/24133738752d5973ac5b810cf0270d52586655dc.png)

Submit it:

![2.png](https://images.seebug.org/upload/201412/24133819af5c902eee5ba5b3a3228d12c28d8435.png)

Once the question has been added, the alert box appears:

![3.png](https://images.seebug.org/upload/201412/24133846bd128e41b2cdede2eae1ee2c0d651d1c.png)

0x02: Follow-up question (追加问题)
================================================================

In the same way, HTML-encode the code to be injected, for example:

```
<script>alert(document.cookie);</script>
```

After encoding it reads:

```
&lt;script&gt;alert(document.cookie);&lt;/script&gt;
```

Then paste it into the content field:

![4.png](https://images.seebug.org/upload/201412/241341151484e629315ab38e69bb6af68ebd6657.png)

After the answer is submitted, the alert box appears:

![5.png](https://images.seebug.org/upload/201412/24134212c05a57ecbe169ac1c8a0b998f6a64da7.png)

### Proof of vulnerability:

![1.png](https://images.seebug.org/upload/201412/24133738752d5973ac5b810cf0270d52586655dc.png)

![3.png](https://images.seebug.org/upload/201412/24133846bd128e41b2cdede2eae1ee2c0d651d1c.png)

![4.png](https://images.seebug.org/upload/201412/241341151484e629315ab38e69bb6af68ebd6657.png)

![5.png](https://images.seebug.org/upload/201412/24134212c05a57ecbe169ac1c8a0b998f6a64da7.png)

The INSERT statement seen in the back end is:

```
INSERT INTO `phpyun_question` SET `title`='aaaa',`cid`='54',`content`='<script></script>',`uid`='1',`add_time`='1419394975'
```

So the content is stored in its encoded form, and the display code evidently decodes it once before output, which is what turns the harmless entities back into a live script tag.
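The root cause in both locations is the same: the display path entity-decodes the stored value and emits the result without re-escaping, so a payload that was safely encoded in the database becomes live markup in the page. The following Python example is added here to illustrate that pipeline and its fix; it is not code from PHPYun or from the report. The table rows, ids and benign texts are constructed for the example, and the two render functions stand in for PHP's `html_entity_decode()` and `htmlspecialchars()` respectively. The audit helper is a defender's check that goes slightly beyond the report: it scans stored rows for any content that turns into HTML tags after a single decode, which is exactly the class of value this display bug would activate.

```python
import html
import re

# Constructed sample rows, modelled loosely on the phpyun_question table in the
# report. The ids and benign texts are invented for this example.
SAMPLE_ROWS = [
    {"id": 1, "content": "How should I structure a resume?"},
    {"id": 2, "content": "&lt;script&gt;alert(1);&lt;/script&gt;"},
    {"id": 3, "content": "Use &lt;b&gt; to make text bold"},
    {"id": 4, "content": "Salary &amp; benefits"},
]

# Matches anything that looks like an HTML start or end tag after decoding.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_vulnerable(stored: str) -> str:
    """Mirror the buggy display path described in the report.

    The stored value is entity-decoded once (the PHP equivalent is
    html_entity_decode) and then concatenated straight into the page, so
    '&lt;script&gt;' becomes a real <script> element.
    """
    return '<div class="content">' + html.unescape(stored) + "</div>"


def render_fixed(stored: str) -> str:
    """Safe display path: decode to canonical text, then escape at the output
    boundary (the PHP equivalent is htmlspecialchars with ENT_QUOTES).

    Whatever the user typed is shown literally; nothing is ever emitted raw.
    """
    canonical = html.unescape(stored)
    return '<div class="content">' + html.escape(canonical, quote=True) + "</div>"


def contains_markup(fragment: str) -> bool:
    """True if the fragment contains something that parses as an HTML tag."""
    return TAG_RE.search(fragment) is not None


def find_rows_that_decode_to_markup(rows):
    """Audit helper: return ids of rows whose stored content becomes HTML tags
    after exactly one entity decode. These are the rows a decode-then-emit
    display path would turn into live markup.
    """
    return [row["id"] for row in rows if contains_markup(html.unescape(row["content"]))]


if __name__ == "__main__":
    payload = SAMPLE_ROWS[1]["content"]
    print("vulnerable:", render_vulnerable(payload))
    print("fixed:     ", render_fixed(payload))
    print("rows to review:", find_rows_that_decode_to_markup(SAMPLE_ROWS))
```

Running the script shows the encoded payload turning into a `<script>` element under `render_vulnerable` and staying as inert text under `render_fixed`; the audit reports rows 2 and 3, while the row containing only `&amp;` is not flagged because it decodes to a bare ampersand, not a tag.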