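<?php
// Demo page: hand request data to a Vue template without letting it reach the
// Vue template compiler. The value is serialised as JSON, base64-wrapped and
// exposed as a client-side global, so a query string containing "{{ ... }}" is
// rendered as text rather than evaluated.
//
// Read and normalise the input once, up front, so both places that emit it
// (the form field and the SERVER_VARS payload) see exactly the same value.
$rawInjectMe = $_GET['injectme'] ?? ''; // `??` avoids the undefined-key warning when the parameter is absent
// `?injectme[]=x` arrives as an array; a (string) cast of that is "Array" plus
// a warning, so treat anything that is not a string as empty input.
$injectMe = is_string($rawInjectMe) ? $rawInjectMe : '';

$serverVars = [
    'injectMe' => $injectMe,
];

// Serialise here rather than inline in the template. base64 keeps the JSON
// opaque to the HTML parser, so a value containing a closing script tag or a
// comment opener cannot terminate the inline script block below.
// JSON_INVALID_UTF8_SUBSTITUTE keeps json_encode from returning false on
// malformed input (which would otherwise become an empty atob() payload and a
// client-side JSON.parse error); JSON_THROW_ON_ERROR surfaces anything else.
$serverVarsPayload = base64_encode(json_encode(
    $serverVars,
    JSON_THROW_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE,
));
?>
<!DOCTYPE html>
<html>
<head>
    <!-- Declared charset matches the encoding passed to htmlspecialchars below -->
    <meta charset="utf-8">
    <title>VueJS serverside template xss</title>
</head>
<body>
    <ul>
        <li><a href="index.php">Broken version</a></li>
        <li><a href="fix-v-pre.php">Fix with v-pre</a></li>
        <li><a href="fix-servervars-global.php">Fix with global SERVER_VARS variable</a></li>
    </ul>
    <form action="">
        <label>
            <strong>Inject Here:</strong>
            <input
                type="text"
                name="injectme"
                value="<?= htmlspecialchars($injectMe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"
            />
            <button>Go!</button>
        </label>
    </form>
    <div id="injectable-app">
        <div>
            You have injected: {{ SERVER_VARS.injectMe }}
        </div>
        <button type="button" @click="dec">-</button>
        {{counter}}
        <button type="button" @click="inc">+</button>
    </div>
    <script>
        // Deferred to the load event because vue.js is included further down.
        window.addEventListener('load', function () {
            new Vue({
                el: '#injectable-app',
                data: {
                    counter: 0
                },
                methods: {
                    inc: function () {
                        ++this.counter;
                    },
                    dec: function () {
                        --this.counter;
                    }
                }
            });
        });
    </script>
    <script src="https://cdn.jsdelivr.net/npm/vue@2.5.13/dist/vue.js"></script>
    <script>
        // The payload is base64 (only [A-Za-z0-9+/=]), so it is safe inside the
        // single-quoted literal and never interpreted by the HTML parser.
        window.SERVER_VARS = JSON.parse(atob('<?= $serverVarsPayload ?>'));
        Vue.prototype.SERVER_VARS = window.SERVER_VARS;
    </script>
</body>
</html>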