### Summary:
This vulnerability, together with the previous command injection, exposes four big pitfalls in Discuz's official development process:
1. The released patch and a diff against the official latest-version install package are not necessarily the same (so after an admin-panel upgrade or a manual update, a vulnerability already fixed in the new version can still be present)
2. Patches are released without an advisory stating what was fixed (so sites with custom modifications hold off on updating right away because of compatibility concerns)
3. Code is changed on the live site to fix vulnerabilities without releasing a patch
4. The release time of the patch, the release time of the new install package, and the time of the forum patch post do not match; see: http://download.comsenz.com/DiscuzX/3.2/
http://www.discuz.net/forum-10-1.html
### Details:
Stored XSS caused by improper JS handling in the Discuz editor.
Root cause:
The native JS method for reading an element's HTML content reverses the entity encoding the server applied to single and double quotes.
Code analysis:
Tested locally against the latest version with the payload: [align="onmouseover="alert(1)]
The official forum site quietly changed its code on 2015-01-21, so the payload above is now filtered, but [email=2"onmouseover="alert(2)]2[/email] bypasses the filter.
/forum.php?mod=post&action=edit&fid=xx&tid=xx&pid=xx&page=x
![1.png](https://images.seebug.org/upload/201503/070920106f1edb701fa557de37e5c040fd51bcb1.png)
![2.png](https://images.seebug.org/upload/201503/070920540ed4ecc9cfa7567efeaafc6822566a52.png)
/static/js/common.js:
![3.png](https://images.seebug.org/upload/201503/070921032e3277f5095ff70e1a9b716d0cc59924.png)
![4.png](https://images.seebug.org/upload/201503/070921121e982818d310aece6b5fcf6b2cc698e6.png)
/static/js/bbcode.js:
![5.png](https://images.seebug.org/upload/201503/07092154e451a55052c68a763c20620927b19ad1.png)
/static/js/editor.js:
![6.png](https://images.seebug.org/upload/201503/0709220801a3fcad77d6220fe3d0c90dbf2ea907.png)
![7.png](https://images.seebug.org/upload/201503/07092219f0332b5d1b560f9cd546071d4c0996ba.png)
Debugging flow:
![8.png](https://images.seebug.org/upload/201503/07092320b39e940855784f502cad864d4d7947f6.png)
![9.png](https://images.seebug.org/upload/201503/07092332f29e0737ad1c7cdb737940974f827823.png)
![10.png](https://images.seebug.org/upload/201503/07092340c050b63bf052c036ad6553504746e487.png)
![11.png](https://images.seebug.org/upload/201503/07092349555fd381c029441d79fd9628df31ad7d.png)
![12.png](https://images.seebug.org/upload/201503/07092358b74ae67f404822f4d9d16880666404e8.png)
![13.png](https://images.seebug.org/upload/201503/07092405f34553413ff24d14f2c0fda5042727dd.png)
![14.png](https://images.seebug.org/upload/201503/0709241415fe1a95598e5e5ec9e9343706294736.png)
![15.png](https://images.seebug.org/upload/201503/07092424951c1c83ad7a9879620eb082ceb12e98.png)
![16.png](https://images.seebug.org/upload/201503/07092432713559e1c2ad7d902ac1781fbd477035.png)
### Proof of vulnerability:
Trigger steps:
Post a thread and enter [email=2"onmouseover="alert(2)]2[/email] in the editor; the supported bbcode types can be looked up in bbcode.js.
Clicking Edit triggers it. Because the problem arises in the editor front end, every role with permission to edit the post is affected, including moderators and administrators.
![17.png](https://images.seebug.org/upload/201503/07092832e423bac343487d33be701c231d14dd43.png)
![18.png](https://images.seebug.org/upload/201503/070928406463b48d6791972188f158b166bfc870.png)
![19.png](https://images.seebug.org/upload/201503/07092848058fe917f27d7e96d6c560490c56c3dc.png)
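The round trip described in the root cause and trigger sections above, as an added example that is not Discuz's own code: the server stores the quotes as entities, reading the element back from the DOM decodes them, and a client-side bbcode-to-HTML step that splices the parameter straight into an attribute then produces the event handler. The function names, the simplified [email] handler, the entity model and the sample post are assumptions for illustration; the hardened variant re-escapes and validates the parameter after the DOM has decoded it.

```javascript
// Added example, not the Discuz editor's code. Models what the report
// describes with a minimal [email=...] handler (assumption).
const ENTITIES = { '&quot;': '"', '&#39;': "'", '&lt;': '<', '&gt;': '>', '&amp;': '&' };

// What reading an element's HTML back from the DOM does to server-escaped
// text: entity references become literal characters again.
function decodeEntities(s) {
  return s.replace(/&quot;|&#39;|&lt;|&gt;|&amp;/g, (m) => ENTITIES[m]);
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

const EMAIL_BBCODE = /\[email=([^\]]+)\](.*?)\[\/email\]/g;

// Vulnerable pattern: the bbcode parameter goes straight into the attribute,
// so a decoded quote closes href and starts a new attribute.
function emailBbcodeToHtmlNaive(text) {
  return text.replace(EMAIL_BBCODE,
    (_, addr, label) => `<a href="mailto:${addr}">${label}</a>`);
}

// Hardened pattern: validate the parameter after DOM decoding and re-escape
// everything that lands in markup; anything else is rendered as literal text.
function emailBbcodeToHtmlSafe(text) {
  return text.replace(EMAIL_BBCODE, (m, addr, label) => {
    if (!/^[\w.+-]+@[\w-]+(\.[\w-]+)+$/.test(addr)) return escapeAttr(m);
    return `<a href="mailto:${escapeAttr(addr)}">${escapeAttr(label)}</a>`;
  });
}

// Check for tests or log review: did the conversion yield an anchor carrying
// an on* event-handler attribute (quote or whitespace directly before "on")?
function hasEventHandler(html) {
  return /<a\b[^>]*["'\s]on\w+\s*=/i.test(html);
}

// Constructed sample: the report's payload as the server stores it (escaped),
// fed through the editor round trip with each converter.
const STORED_POST = '[email=2&quot;onmouseover=&quot;alert(2)]2[/email]';
function editorRoundTrip(storedHtml, convert) {
  return convert(decodeEntities(storedHtml));
}
```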