明确审计目标：寻找存储型 XSS（Stored XSS），即用户提交的输入被持久化保存后，在页面中未经转义地输出。
直接在前台页面中寻找能够提交并持久保存用户输入的入口。
例如留言板、评论区、信息发布等功能。
前台发布信息时提示没有分类，需要先在后台添加分类。
添加分类后前台仍然没有显示，于是定位到 post.php 中按 act 参数分发的代码（见下）。
if($act == 'select') { $cats = get_cat_list(); $here = array('name'=>'选择分类', 'url'=>'post.php'); $seo['title'] = '选择分类' . ' - Power'.'ed by Php'.'mps'; $seo['keywords'] = $CFG['keywords']; $seo['description'] = $CFG['description']; include template('select'); } elseif($act == 'post') { $catid = intval($_REQUEST['id']); if(empty($catid)) { showmsg('没有选择分类'); } $catinfo = get_cat_info($catid); if(empty($catinfo)) showmsg('不存在此分类'); $verf = get_one_ver(); $member = member_info($_userid); $custom = cat_post_custom($catid); $mappoint = $CFG['map'] ? explode(',', $CFG['map']) : ''; $seo['title'] = '发布信息 - Powered by Phpmps'; $seo['keywords'] = $CFG['keywords']; $seo['description'] = $CFG['description']; include template('post'); } elseif($act == 'postok') { $catid = $_POST['catid'] ? intval($_POST['catid']) : ''; $title = $_POST['title'] ? htmlspecialchars(trim($_POST['title'])) : ''; $areaid = $_POST['areaid'] ? intval($_POST['areaid']) : ''; $postdate = time(); $enddate = $_POST['enddate']>0 ? (intval($_POST['enddate']*3600*24)) + time() : '0'; $content = $_POST['content'] ? htmlspecialchars(trim($_POST['content'])) : ''; $keywords = $_POST['keyword'] ? htmlspecialchars(trim($_POST['keyword'])) : ''; $description = cut_str($content,100); $linkman = $_POST['linkman'] ? htmlspecialchars(trim($_POST['linkman'])) : ''; $phone = $_POST['phone'] ? htmlspecialchars($_POST['phone']) : ''; $qq = $_POST['qq'] ? intval($_POST['qq']) : ''; $email = $_POST['email'] ? htmlspecialchars(trim($_POST['email'])) : ''; $password = $_POST['password'] ? trim($_POST['password']) : ''; $address = $_POST['address'] ? trim($_POST['address']) : ''; $mappoint = $_POST['mappoint'] ? trim($_POST['mappoint']) : ''; $checkcode = $_POST['checkcode'] ? trim($_POST['checkcode']) : ''; $number = $_POST['number'] ? intval($_POST['number']) : ''; $top_type = $_POST['top_type'] ? intval($_POST['top_type']) : ''; $is_type = $_POST['is_top'] ? 
intval($_POST['is_top']) : ''; $is_check = $CFG['post_check'] == '1' ? '0' : '1'; $title = censor($title); $content = censor($content);
当 act=postok 时，进入上面 elseif($act == 'postok') 分支处理表单提交，并显示下面的提示信息。
出现“标题不能为空”的提示，说明请求已经进入 postok 分支，继续审查该分支的代码。从上面的代码可以看到：title、content、keyword、linkman、phone、email 都经过了 htmlspecialchars 处理，而 address、mappoint、password、checkcode 只做了 trim，没有做 HTML 转义；这些字段在入库后是否在输出时再做转义，需要继续跟进其展示页面和模板才能确认。
测试 URL（act=post 进入发布表单，id 为分类 ID，代码中通过 intval($_REQUEST['id']) 读取）：http://192.168.5.8/phpmps/post.php?act=post&id=1