### 简要描述:

CmsEasy 存储型XSS,下载的版本为CmsEasy_5.5_UTF-8_20130910

### 详细说明:

bbs/add-archive.php

```
<?php
require_once 'bbs_public.php'; //验证用户登陆相关操作,所以测试前需要注册一个用户
$admin = new action_admin();
$admin->check_login(); //验证用户登录
......省略........
if(isset($_POST['submit'])){
    if(strtolower(trim($_POST['verify'])) != strtolower($_SESSION['verify'])){ //确认验证码
        action_public::turnPage('index.php','验证码输入错误!');
    }
    $archive = db_bbs_archive::getInstance();
    unset($_POST['submit']);
    unset($_POST['verify']);
    $_POST['username'] = $_COOKIE['login_username']; //验证用户登录
    $_POST['userid'] = $admin->userid;
    $_POST['ip'] = $_SERVER['REMOTE_ADDR'];
    $_POST['addtime'] = mktime();
    if($id = $archive->inserData($_POST)){ //问题在这里,title没有过滤
        action_public::turnPage('archive-display.php?aid='.$id,'文章添加成功');
    }else{
        action_public::turnPage('index.php','添加失败,请联系我们!');
    }
}
```

跟进调用路径 inserData()->insert()->getInsertString() 函数

```
public function inserData($data){
    $r = $this->odb->insert($this->tblName,$data); //
    if($r) return $this->odb->getInsertId();
    else return false;
}
跟进insert
public function insert($table, $data) {
    $sql = $this->getInsertString($table, $data);
    return $this->execSql($sql);
}
跟进getInsertString
public function getInsertString($table, $data) {
    $n_str = '';
    $v_str = '';
    $table = $this->filterString($table);
    foreach ($data as $k => $v) {
        $n_str .= $this->filterString($k).','; //此处进行过滤
        $v_str .= "'".$this->filterString($v)."',";
    }
    $n_str = preg_replace( "/,$/", "", $n_str );
    $v_str = preg_replace( "/,$/", "", $v_str );
    $str = 'INSERT INTO '.$table.' 
('.$n_str.') VALUES('.$v_str.')';
    return $str;
}
```

分析filterString()函数

```
public function filterString($str) {
    if ($this->magic_quotes) {
        $str = stripslashes($str);
    }
    if ( is_numeric($str) ) {
        return $str;
    } else {
        $ret = @mysqli_real_escape_string($this->con, $str);
        if ( strlen($str) && !isset($ret) ) {
            $r = $this->checkConnection();
            if ($r !== true) {
                $this->closeDB();
                $ret = $str;
            }
        }
        return $ret;
    }
```

filterString() 只用 mysqli_real_escape_string 对 ' 和 " 等字符做了SQL转义,并没有做HTML实体编码(如 htmlspecialchars),输出时也未再转义,因此对XSS而言过滤并不完整。

发表文章后查看数据:

[<img src="https://images.seebug.org/upload/201309/281248331585a87e4675373cb76fad9a57c333d4.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/281248331585a87e4675373cb76fad9a57c333d4.png)

[<img src="https://images.seebug.org/upload/201309/28124931ab2b2b272c8129202d6c5ca78c1d6782.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/28124931ab2b2b272c8129202d6c5ca78c1d6782.png)

再分析一下 bbs/index.php 的输出

```
<?php foreach ($category_data as $v) {
    $archive_arr = $archive->getDataLimit('aid,cid,lid,title,username,replynum,click,addtime',"cid='{$v['cid']}' AND isstop='0' order by aid desc limit 10 ");
?>
跟进getDataLimit
public function getDataLimit($field = '*',$where = '1'){
    $sql = "SELECT {$field} FROM {$this->tblName} WHERE {$where}";//构成sql语句
    $data = $this->odb->getRows($sql);//跟进瞧了一眼没有过滤
    return $data;//输出数据
}
```

### 漏洞证明:

[<img src="https://images.seebug.org/upload/201309/281252053d7dd883add1482397f37b92fc3dd38b.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/281252053d7dd883add1482397f37b92fc3dd38b.png)