Open P0wfuu opened 3 years ago
gongfuxiang
commented
3 years ago 'index.php?s=order/index'的模板文件解析后,这里有一个可控变量。 通过使用payload ,我们可以获得一个xss警报。但是它需要任何人登录,所以黑客可以在访问恶意链接时获取用户的cookie。
index.php?s=order&ids="><script>alert(1);</script>
您好、非常感谢您的反馈,这个是新版本框架升级忘记开启参数验证了,前几天已在dev分支修复。
P0wfuu
commented
3 years ago Yeah,you hava fixed it.
P0wfuu
commented
3 years ago No,No,No.This vulnerability still exists. You only use htmlspecialchars for data_request, and then url-decode $params['ids'], so we can bypass it using the second url encoding.
?s=order&ids=%2522%253E%253Cscript%253Ealert(1)%3B%253C%2Fscript%253E
gongfuxiang
commented
3 years ago No,No,No.This vulnerability still exists. You only use htmlspecialchars for
data_request, and then url-decode$params['ids'], so we can bypass it using the second url encoding.?s=order&ids=%2522%253E%253Cscript%253Ealert(1)%3B%253C%2Fscript%253E
您好,非常感谢您的深度测试反馈,刚才已在 dev 分支提交了新的修复方案,如有问题可以再次提交记录。
After the template file of ‘index.php?s=order/index' is parsed, there is a controllable variable here.
By using payload 
index.php?s=order&ids="><script>alert(1);</script>,we can get an xss alert.But it need anyone is logining,so hacker can get user's cookies when they visit the evil link.