EAdmin stored XSS: testing and fixing
Setting up the EasyAdmin minimalist community (EAdmin), testing for stored XSS, and a simple code fix
Environment setup: EAdmin v1.0.8
phpStudy environment
Note: PHP version > 5.3 is required
Finding possible XSS points
1. User profile (registration) information

The moment you click "confirm changes", the submitted input is processed: the onerror attribute of the img tag has been handled.

Viewing the user signature

Open the developer tools (F12) and inspect the page source: onerror has been replaced with a dot (.).

2. Publishing a post

In the title, the JS code is stripped outright.

In the content, onerror is replaced with a dot (.).

Neither title nor content is exploitable, but at the bottom of the publish form there is a tag field.

After adding a tag, an alert box pops up.

After publishing, opening the post pops the alert again, which shows the XSS payload was stored successfully.

Locating the code responsible

The key post-creation code is in application/index/controller/Forum.php:

    public function add() {
        ......
        $data['title']   = strip_tags($data['title']);
        $data['content'] = remove_xss($data['content']);
        ......
        return view();
    }

Both title and content are filtered: title with strip_tags(), content with remove_xss().
strip_tags() removes HTML tags from the string, which is all the filtering the title gets.
remove_xss() filters or rewrites most of the tags and event-handler attributes commonly used in XSS; every event name on its blacklist is replaced by a dot, which is exactly the onerror -> "." rewrite observed above.
So XSS payloads entered in title or content are not executed.

    function remove_xss($html) {
        $html = htmlspecialchars_decode($html);
        preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
        // Note: the entity literals '&lt;', '&gt;' and '&quot;' in this listing were
        // decoded to plain characters by the page rendering and are restored here;
        // without them the per-tag search below could never match and the final
        // str_replace('"', '"') would be a no-op.
        $searchs[]  = '<';
        $replaces[] = '&lt;';
        $searchs[]  = '>';
        $replaces[] = '&gt;';
        if ($ms[1]) {
            // Allow list: any tag not matching one of these names is dropped entirely
            $allowtags = 'video|attach|img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|strike|pre|code|embed';
            $ms[1] = array_unique($ms[1]);
            foreach ($ms[1] as $value) {
                // Search for the tag in its already-entity-encoded form (see the '<'/'>' replacement above)
                $searchs[] = "&lt;" . $value . "&gt;";
                $value = str_replace('&', '_uch_tmp_str_', $value);
                $value = string_htmlspecialchars($value);   // project helper, an htmlspecialchars() wrapper
                $value = str_replace('_uch_tmp_str_', '&', $value);
                $value = str_replace(array('\\', '/*'), array('.', '/.'), $value);
                // Blacklist of event-handler attributes and script-related keywords
                $skipkeys = array(
                    'onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
                    'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
                    'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
                    'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
                    'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
                    'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
                    'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',
                    'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
                    'onsubmit','onunload','javascript','script','eval','behaviour','expression'
                );
                $skipstr = implode('|', $skipkeys);
                // Every blacklisted substring is replaced by a dot, e.g. onerror -> .
                $value = preg_replace(array("/($skipstr)/i"), '.', $value);
                if (!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
                    $value = '';   // tag name not on the allow list: drop the tag
                }
                $replaces[] = empty($value) ? '' : "<" . str_replace('&quot;', '"', $value) . ">";
            }
        }
        $html = str_replace($searchs, $replaces, $html);
        $html = htmlspecialchars($html);
        return $html;
    }
Which request parameter carries the tag? Capture the request to find out.
Create a new post as follows:

In the captured request (fadd.html in the log), the submitted data is as follows, so the tag field corresponds to the keywords parameter.

But add() applies no filtering at all to keywords, so the tag field is a stored XSS: whatever is submitted is saved and later rendered into the post page as-is.
The fix is equally simple: filter keywords the same way title is filtered.

    $data['title']    = strip_tags($data['title']);
    $data['content']  = remove_xss($data['content']);
    $data['keywords'] = strip_tags($data['keywords']);

Save and test again.

The newly added tag is now filtered.
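The following script is an added example, not EAdmin's own code. It checks the fix above from the other direction: it runs a few sample tag values through no filtering (the vulnerable add()), through the post's strip_tags() fix, and through output-side htmlspecialchars(), renders each result into a small template fragment, and parses that fragment with DOMDocument to see whether anything other than the intended link came out. The template fragment, the payloads and the checker are all assumptions made for this example; EAdmin's real tag template may render keywords differently, and that rendering is what decides whether strip_tags() on input is enough.

```php
<?php
// Added example, not EAdmin's own code. Compares the input-side fix from this
// post (strip_tags() on keywords) with output-side HTML encoding by rendering
// each value into a hypothetical template fragment and inspecting the DOM.
// Payloads, fragment and checker are constructed here for illustration.
// Needs PHP 7.0+ with ext/dom (bundled by default).
declare(strict_types=1);

/** Sample tag values: the post's img/onerror style plus an attribute breakout. */
function samplePayloads(): array
{
    return [
        'img-onerror'   => '<img src=x onerror=alert(1)>',
        'script-tag'    => '<script>alert(1)</script>',
        'attr-breakout' => '" onmouseover="alert(1)',   // contains no tag at all
        'plain'         => 'security',
    ];
}

/** No filtering: what the vulnerable add() did with keywords. */
function filterNone(string $keywords): string
{
    return $keywords;
}

/** The fix from the post: strip HTML tags from keywords at input time. */
function filterStripTags(string $keywords): string
{
    return strip_tags($keywords);
}

/** Output encoding suitable for an HTML text node or a double-quoted attribute. */
function filterHtmlEncode(string $keywords): string
{
    return htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical template fragment (assumed, not EAdmin's): a tag is shown as
 * link text and is also placed inside a double-quoted attribute.
 */
function renderTag(string $tag): string
{
    return '<a class="tag" title="' . $tag . '">' . $tag . '</a>';
}

/**
 * Parses the fragment roughly as a browser would and accepts it only if the
 * single <a> we built is the only element and no event-handler or unexpected
 * attribute appeared on it.
 */
function isRenderSafe(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);              // silence parser warnings
    $doc->loadHTML('<body>' . $html . '</body>');   // libxml adds <html> itself
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (!in_array($el->tagName, ['html', 'body', 'a'], true)) {
            return false;                           // an element was injected
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return false;                       // event-handler attribute
            }
            if ($el->tagName === 'a' && !in_array($attr->name, ['class', 'title'], true)) {
                return false;                       // attribute we did not write
            }
        }
    }
    return true;
}

/** Runs every payload through every filter; returns [payload][filter] => safe? */
function evaluate(): array
{
    $filters = [
        'none'             => 'filterNone',
        'strip_tags'       => 'filterStripTags',
        'htmlspecialchars' => 'filterHtmlEncode',
    ];
    $results = [];
    foreach (samplePayloads() as $name => $payload) {
        foreach ($filters as $filterName => $fn) {
            $results[$name][$filterName] = isRenderSafe(renderTag($fn($payload)));
        }
    }
    return $results;
}

foreach (evaluate() as $payload => $row) {
    printf('%-14s', $payload);
    foreach ($row as $filterName => $safe) {
        printf(' %-17s %-6s', $filterName . ':', $safe ? 'safe' : 'UNSAFE');
    }
    echo PHP_EOL;
}
```

Run with `php` on the command line. The img-onerror and script-tag rows come out UNSAFE only without a filter, which matches what the post found and fixed. The attr-breakout row is the caveat: strip_tags() leaves `" onmouseover="alert(1)` untouched because it contains no tag, so if the template ever places a tag value inside an attribute, the input-side fix alone does not close the hole, while htmlspecialchars() with ENT_QUOTES does. The practical recommendation is to keep the strip_tags() fix and, in addition, confirm that the template escapes keywords wherever it renders them.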
