CVE-2021-39427: 188Jianzhan V 2.10 XSS vulnerability exists · Issue #4 · vtime-tech/188Jianzhan
Cross site scripting vulnerability in 188Jianzhan 2.10 allows attackers to execute arbitrary code via the username parameter to /admin/reg.php.
In /admin/reg.php:
We can see that after the user and pwd parameters are obtained, the user name is stored directly in the database without any check on its length or on the characters it contains.
The only filtering applied in between is the /system/safe/360webscan.php file!
The interception rules are as follows:
$postfilter = "<.=(&#\d+?;?)+?>|<.data=data:text\/html.>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmark\s?(.)|sleep\s?(.)|\b(group_)?concat[\s\/\]?\([^\\)]+?\)|\bcase[\s/*]?when[\s/*]?([^\)]+?)|load_file\s?\()|<[^>]?\b(onerror|onmousemove|onload|onclick|onmouseover)\b|\b(and|or)\b\s?([\(\)'"\d]+?=[\(\)'"\d]+?|[\(\)'"a-zA-Z]+?=[\(\)'"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?(|\blike\b\s+?["'])|\/\.\_\/|<\s_script\b|\bEXEC\b|UNION.+?SELECT\s*((.+)\s*|@{1,2}.+?\s*|\s+?.+?|(|'|").?(|'|")\s*)|UPDATE\s*((.+)\s*|@{1,2}.+?\s*|\s+?.+?|(|'|").?(|'|")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)(\(.+\)|\s+?.+?\s+?|(|'|").?(|'|"))FROM(\(.+\)|\s+?.+?|(|'|").?(|'|"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)|<.*(iframe|frame|style|embed|object|frameset|meta|xml|a|img)";
We only need to set the user name to XSS code when registering, like:
<input onfocus=\u0061\u006c\u0065\u0072\u0074(1)
The protection can be bypassed.
Here the value of the onfocus attribute is 'alert(1)' with the identifier alert written as JavaScript Unicode escapes (\u0061\u006c\u0065\u0072\u0074), so the literal string "alert(" that the filter looks for never appears in the request.
This encoding bypasses the detection, and the arbitrary JS code executes when the administrator clicks on the injected element.
After registration, the XSS can be seen in the back-end /admin/userlist.php page.
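The following PHP script is an added example and not code from 188Jianzhan or 360webscan: it checks the reported user name against two fragments of the $postfilter pattern quoted above to show why the blocklist misses it, and then shows the two defensive controls reg.php and userlist.php lack, a user-name allowlist at input (the 3-20 character policy is an assumption) and context-aware HTML encoding at output.

```php
<?php
// Added example, not the project's own code. Two fragments of the 360webscan
// $postfilter quoted in the report: the literal "alert(" check and the short
// list of event-handler attributes it knows about (onfocus is not among them).
$filterFragment = '/\balert\(|<[^>]*?\b(onerror|onmousemove|onload|onclick|onmouseover)\b/i';

// Does the blocklist regex fire on this value?
function blocklistCatches(string $value, string $pattern): bool
{
    return preg_match($pattern, $value) === 1;
}

// Hardened input check for reg.php: an allowlist for user names
// (assumed policy: 3-20 letters, digits or underscores). Reject, never "clean".
function validUsername(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $user) === 1;
}

// Hardened output for userlist.php: encode for the HTML context in which the
// name is printed. This neutralises whatever was stored, filter or no filter.
function renderUsername(string $user): string
{
    return htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the obvious form, and the form from the report.
// Single quotes keep the backslashes literal, exactly as the browser would
// receive them in the stored attribute value.
$plainForm   = '<input onfocus=alert(1)';
$escapedForm = '<input onfocus=\u0061\u006c\u0065\u0072\u0074(1)';

printf("blocklist catches plain form:   %s\n", blocklistCatches($plainForm, $filterFragment) ? 'yes' : 'no');
printf("blocklist catches escaped form: %s\n", blocklistCatches($escapedForm, $filterFragment) ? 'yes' : 'no');
printf("allowlist accepts escaped form: %s\n", validUsername($escapedForm) ? 'yes' : 'no');
printf("encoded for the admin page:     %s\n", renderUsername($escapedForm));
```

The blocklist fragment matches the plain form but not the escaped one, because neither "alert(" nor a listed event handler appears in it, while the allowlist rejects the value outright and the encoded output turns the leading "<" into "&lt;" so the browser renders it as text rather than as an element.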