### Summary

ThinkSNS Weiba stored XSS (bypasses the WAF, no filtering at all, arbitrary code can be inserted). Tested against the official demo site.

### Details

Go to http://demo.thinksns.com/t3/weiba and create a new post. In the body, enter the script in HTML-entity-encoded form. For example, the script

```
<script>alert(1);</script>
```

becomes, after HTML encoding,

```
&lt;script&gt;alert(1);&lt;/script&gt;
```

and that encoded string is what goes into the post body. Because the submitted text contains no literal `<` or `>`, a WAF that matches on tag syntax has nothing to trigger on.

[![1.png](https://images.seebug.org/upload/201411/13104446b78c569b7b6ee2c35d0d02b18ca5e0fe.png)](https://images.seebug.org/upload/201411/13104446b78c569b7b6ee2c35d0d02b18ca5e0fe.png)

After submitting, the script executes as soon as the post is viewed.

[![2.png](https://images.seebug.org/upload/201411/1310472359b57d59cc30f2d5f24179674af4c16c.png)](https://images.seebug.org/upload/201411/1310472359b57d59cc30f2d5f24179674af4c16c.png)

Now the code, in apps/weiba/Lib/Action/IndexAction.class.php:

```php
413 public function postDetail(){
414     $post_id = intval($_GET['post_id']);
415     $post_detail = D('weiba_post')->where('is_del=0 and post_id='.$post_id)->find();
416     if(!$post_detail || D('weiba')->where('weiba_id='.$post_detail['weiba_id'])->getField('is_del')) $this->error('帖子不存在或已被删除');
417     if(D('weiba_favorite')->where('uid='.$this->mid.' AND post_id='.$post_id)->find()){
418         $post_detail['favorite'] = 1;
419     }
420     if ( $post_detail['attach'] ){
421         $attachids = unserialize( $post_detail['attach'] );
422         $attachinfo = model('Attach')->getAttachByIds( $attachids );
423         foreach($attachinfo as $ak => $av) {
424             $_attach = array(
425                 'attach_id' => $av['attach_id'],
426                 'attach_name' => $av['name'],
427                 'attach_url' => getImageUrl($av['save_path'].$av['save_name']),
428                 'extension' => $av['extension'],
429                 'size' => $av['size']
430             );
431             $post_detail['attachInfo'][$ak] = $_attach;
432         }
433     }
434     $post_detail['content'] = html_entity_decode($post_detail['content'], ENT_QUOTES, 'UTF-8');
435     $this->assign('post_detail',$post_detail);
436     //dump($post_detail);
```

The post body already goes through one HTML decoding pass when it is stored. Line 434 then calls `html_entity_decode()` on `content` a second time when the post is displayed, so the entity-encoded script is turned back into real HTML, and the template outputs that decoded value as markup. Anything that reaches the database as entities therefore becomes live tags on the detail page; the stored value never needs to contain a `<` for the injection to work.

### Proof of vulnerability

```
http://demo.thinksns.com/t3/index.php?app=weiba&mod=Index&act=postDetail&post_id=2455
```

[![2.png](https://images.seebug.org/upload/201411/1310472359b57d59cc30f2d5f24179674af4c16c.png)](https://images.seebug.org/upload/201411/1310472359b57d59cc30f2d5f24179674af4c16c.png)
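The following is an added illustration, not ThinkSNS code and not taken from the demo site. It reproduces the decode-then-echo pattern of line 434 on a constructed sample post body, next to an output path that escapes for the HTML context instead of decoding. The function names and the sample value are assumptions made for the example.

```php
<?php
// Added example, not part of ThinkSNS. Models the two ways a Weiba post body
// can reach the template: the vulnerable one that mirrors
// IndexAction::postDetail line 434, and a hardened one.

// Constructed sample of what the attacker types into the editor. It is entity
// encoded, so the HTTP request carries no literal '<' and a WAF keyed on
// "<script" never fires. Assume it is stored unchanged.
$storedContent = '&lt;script&gt;alert(1);&lt;/script&gt;';

// Vulnerable path (same call as line 434): entities become real markup,
// and the template then prints the result unescaped.
function renderVulnerable(string $content): string
{
    return html_entity_decode($content, ENT_QUOTES, 'UTF-8');
}

// Hardened path: treat stored text as text. Escape for the HTML context at
// output time; never hand entity-decoded data to the template. The ampersand
// of the stored entity is escaped too, so the browser shows the literal
// string "&lt;script&gt;..." rather than a tag.
function renderSafe(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Regression check for the fix: after rendering, the value handed to the
// template must not contain any HTML tag at all.
function containsMarkup(string $html): bool
{
    return preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $html) === 1;
}

printf("vulnerable: %s\n", renderVulnerable($storedContent));
printf("  contains markup: %s\n", containsMarkup(renderVulnerable($storedContent)) ? 'yes' : 'no');
printf("safe:       %s\n", renderSafe($storedContent));
printf("  contains markup: %s\n", containsMarkup(renderSafe($storedContent)) ? 'yes' : 'no');
```

Run with `php example.php`: the vulnerable path hands the template a real `<script>` element built entirely from the stored entities, while the escaped path does not. If the editor is meant to accept rich text and the decode cannot simply be removed, the decoded value must go through an HTML sanitizer with a tag and attribute whitelist before being assigned to the template; `strip_tags()` with an allowed-tags list is not enough, because it keeps attributes such as `onerror` on the tags it lets through.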