lixin-wei / HZNUOJ

Hangzhou Normal University Online Judge

Home Page:http://acm.hznu.edu.cn

Strict SQL filtering leads to XSS injection vulnerability

plr47 opened this issue · comments

Description

The problem is in OJ/admin-tools/cal_scores.php. The $realname in the output form is obtained from the database. There is no filtering of angle brackets “<>” during registration, which leads to XSS injection here.


Attack process

First register an account on the /OJ/modifypage.php page, with Class set to "软工163" and Real Name set to
<details open ontoggle=['yds_is_so_handsome'].find(\u0070rompt)>


Then visit /OJ/admin-tools/cal_scores.php, set the classList to 软工163, and click submit.


The attack works.


PoC

<details open ontoggle=['yds_is_so_handsome'].find(\u0070rompt)>
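For reference, the defender-side pattern behind this class of bug: the value read back from the database must be HTML-entity encoded at the point where cal_scores.php writes it into the page, whether or not registration filters angle brackets. The following is an added example written for this issue, not the project's code and not the contents of the maintainer's fix; the rows, function names and output format are constructed.

```php
<?php
// Added example, not HZNUOJ code: the unsafe echo pattern the issue describes
// beside its hardened form. Rows are constructed stand-ins for a DB fetch.
$rows = [
    ['realname' => 'Alice', 'classname' => '软工163', 'score' => 95],
    // The stored payload from this issue, saved unfiltered at registration.
    ['realname'  => '<details open ontoggle=[\'yds_is_so_handsome\'].find(\u0070rompt)>',
     'classname' => '软工163', 'score' => 0],
];

// Vulnerable pattern: the stored string is concatenated straight into HTML,
// so the browser parses the <details> tag and runs its ontoggle handler.
function renderRowUnsafe(array $row): string {
    return "<tr><td>{$row['realname']}</td><td>{$row['classname']}</td>"
         . "<td>{$row['score']}</td></tr>\n";
}

// Hardened pattern: encode every untrusted value for the HTML context it
// lands in. ENT_QUOTES also encodes single quotes so the same helper is safe
// inside quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from silently
// emptying the output; the charset must match the page's declared encoding.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $row): string {
    return '<tr><td>' . esc($row['realname']) . '</td><td>' . esc($row['classname'])
         . '</td><td>' . esc((string) $row['score']) . "</td></tr>\n";
}

foreach ($rows as $row) {
    echo 'UNSAFE: ' . renderRowUnsafe($row);
    echo 'SAFE:   ' . renderRowSafe($row);
}

// Self-check: the encoded row contains no raw tag, so the payload is shown as
// text. Rejecting "<>" at registration is only a secondary control; it does
// not protect values that entered the database by another path.
assert(strpos(renderRowSafe($rows[1]), '<details') === false);
assert(strpos(renderRowSafe($rows[1]), '&lt;details') !== false);
```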

Hi @plr47, I've fixed it in commit 51a18c5.

thanks.