### 简要描述:

cmseasy 5.5.0.20140605

### 详细说明:

bbs/ajax.php

```php
$data = array();
$_POST['content'] = unescape($_POST['content']);
$data['aid'] = isset($_POST['aid']) ? intval($_POST['aid']) : exit(0);
$data['tid'] = isset($_POST['tid']) ? intval($_POST['tid']) : 0;
$data['content'] = isset($_POST['content']) ? $_POST['content'] : exit(0);
$data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
//$data['userid'] = $admin->userid;
$data['addtime'] = mktime();
$data['ip'] = $_SERVER['REMOTE_ADDR'];
$reply = db_bbs_reply::getInstance();
$r = $reply->inserData($data);
if($r){
    $archive = db_bbs_archive::getInstance();
    $archive->updateClickReply($data['aid'],'replynum');
    ......
```

看到 unescape 函数。

```php
function unescape($str) {
    $str = rawurldecode($str);
    preg_match_all("/%u.{4}|&#x.{4};|&#d+;|.+/U",$str,$r);
    $ar = $r[0];
    foreach($ar as $k=>$v){
        if(substr($v,0,2) == "%u"){
            $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4)));
        }elseif(substr($v,0,3) == "&#x"){
            $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1)));
        }elseif(substr($v,0,2) == "&#"){
            $ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1)));
        }
    }
    return join("",$ar);
}
```

unescape 中调用了 rawurldecode,所以可以提交 URL 编码格式的数据,绕过 remove_xss 检测,之后再由 rawurldecode 还原,即可造成 XSS。也就是说,过滤发生在解码之前(remove_xss 的调用位置未在上面的代码中给出),而解码后的 content 在上面的代码中未再经过任何过滤就通过 inserData 写入数据库。

例如:

`%3Cscript%3Ealert(1)%3C%2Fscript%3E`

[![c11.jpg](https://images.seebug.org/upload/201406/2119140462a636392fc409323c16cb53a323fe30.jpg)](https://images.seebug.org/upload/201406/2119140462a636392fc409323c16cb53a323fe30.jpg)

[![c5.jpg](https://images.seebug.org/upload/201406/211914203f901e6b6f44c2c4f85c47b585bd4b43.jpg)](https://images.seebug.org/upload/201406/211914203f901e6b6f44c2c4f85c47b585bd4b43.jpg)

修复思路:应先完成全部解码(包括 unescape 处理的 %u 与 &#x 形式)再做过滤,并在输出回复内容时使用 htmlspecialchars 做 HTML 转义,而不是只依赖入库前的 remove_xss。

### 漏洞证明:

如上所述