### Brief description:
UCHome interface design flaw: reflected XSS across the whole admin panel (the redirect URL in cpmessage() is never filtered), plus one stored XSS in blog posts.
### Details:
I downloaded the bundle:
UCenter 1.5.1 / UCHome 2.0 / Discuz! 7.2 integrated installer
Straight to the code:
admincp_doing.php:
```
if(submitcheck('batchsubmit')) {
    include_once(S_ROOT.'./source/function_delete.php');
    if(!empty($_POST['ids']) && deletedoings($_POST['ids'])) {
        // $_POST['mpurl'] is handed to cpmessage() as the redirect target, unvalidated
        cpmessage('do_success', $_POST['mpurl']);
    } else {
        cpmessage('choose_to_delete_events', $_POST['mpurl']);
    }
}
```
Following that call:
cpmessage('do_success', $_POST['mpurl']);
```
function cpmessage($msgkey, $url_forward='', $second=1, $values=array()) {
    global $_SGLOBAL, $_SC, $_SCONFIG, $_TPL, $_SN, $space;
    // drop ads
    $_SGLOBAL['ad'] = array();
    include_once(S_ROOT.'./language/lang_cpmessage.php');
    if(isset($_SGLOBAL['cplang'][$msgkey])) {
        $message = lang_replace($_SGLOBAL['cplang'][$msgkey], $values);
    } else {
        $message = $msgkey;
    }
    // display
    obclean();
    // active menu entry
    $menuactive = array('index' => ' class="active"');
    if(!empty($url_forward)) {
        $second = $second * 1000;
        // $url_forward is interpolated into inline JavaScript as-is
        $message .= "<script>setTimeout(\"window.location.href ='$url_forward';\", $second);</script>";
    }
    include template('admin/tpl/message');
    exit();
}
```
The value reaches this line without any filtering at all:
$message .= "<script>setTimeout(\"window.location.href ='$url_forward';\", $second);</script>";
Request URL:
http://localhost/dz72/home/admincp.php?ac=feed
POST data:
formhash=120f00ad&ids[]=10&mpurl=javascript:alert(1)&deletesubmit=批量删除
![1.png](https://images.seebug.org/upload/201412/02173420f24ec7b9ef3ab46ba45374731a7efc9d.png)
Searching the source for other call sites of the same pattern:
![2.png](https://images.seebug.org/upload/201412/02173457f42c4d6affff34687ae5f25a9fd962eb.png)
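The sink above, ported to Python as an added example (this is not UCHome code and not the report author's): `cpmessage_redirect_vuln()` builds the same inline script the PHP line does, so the `mpurl` value lands inside the JavaScript string untouched. `cpmessage_redirect_safe()` shows the two changes a fix needs: restrict `mpurl` to a same-site relative URL, and emit it as a JSON string literal instead of pasting it into source text. The allowed character set and the `admincp.php` fallback are assumptions made for the example.

```python
import json
import re
from typing import Optional
from urllib.parse import urlsplit


def cpmessage_redirect_vuln(url_forward: str, second: int = 1) -> str:
    """Re-creates the redirect snippet cpmessage() appends to $message.

    Constructed port for illustration, not UCHome's own code: the value is
    pasted into an inline <script> exactly as the PHP line does.
    """
    ms = second * 1000
    return ("<script>setTimeout(\"window.location.href ='"
            + url_forward + "';\", " + str(ms) + ");</script>")


# mpurl only ever needs to name a page inside the same install, so anything
# carrying a scheme, a host, or characters outside a conservative set is
# rejected. The character class is an assumption about what admincp URLs need.
_RELATIVE_OK = re.compile(r"[A-Za-z0-9_./?&=%+-]*")


def safe_forward(url_forward: str) -> Optional[str]:
    """Return url_forward if it is a plain same-site relative URL, else None."""
    if not _RELATIVE_OK.fullmatch(url_forward):
        return None  # rejects ':' (so any scheme), quotes, '<', whitespace, ...
    parts = urlsplit(url_forward)
    if parts.scheme or parts.netloc or url_forward.startswith("//"):
        return None  # belt and braces: no scheme-relative or absolute targets
    return url_forward


def cpmessage_redirect_safe(url_forward: str, second: int = 1,
                            fallback: str = "admincp.php") -> str:
    """Hardened equivalent: validated target, emitted as a JS string literal."""
    target = safe_forward(url_forward) or fallback
    ms = int(second) * 1000
    # json.dumps handles quotes and backslashes; '<' and '>' are escaped too so
    # the literal can never close the surrounding <script> element.
    literal = json.dumps(target).replace("<", "\\u003c").replace(">", "\\u003e")
    return ("<script>setTimeout(function(){window.location.href = "
            + literal + ";}, " + str(ms) + ");</script>")


if __name__ == "__main__":
    print(cpmessage_redirect_vuln("javascript:alert(1)"))   # payload lands in the script
    print(cpmessage_redirect_safe("javascript:alert(1)"))   # falls back to admincp.php
    print(cpmessage_redirect_safe("admincp.php?ac=doing&page=2"))
```

Note that the fix is the same for every admin page: cpmessage() is the single sink, so validating `$url_forward` inside it closes all the call sites the search above turns up.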
Next, the stored XSS:
![3.png](https://images.seebug.org/upload/201412/021735579a92eca9f6a7ce6a4952c591835695cc.png)
Then submit javascript:alert(document.cookie)/aaa.swf as the payload:
![4.png](https://images.seebug.org/upload/201412/02173638efc7107ab815a65cf024f9d1d4cb9aa9.png)
![5.png](https://images.seebug.org/upload/201412/02173710b944762a0f5afa6c7bfef4725508d0c1.png)
Now the code behind it, cp_thread.php:
```
if(strlen($subject) < 2) showmessage('title_not_too_little');
// checkhtml() only inspects <...> sequences; BBCode such as [flash] passes through untouched
$_POST['message'] = checkhtml($_POST['message']);
$_POST['message'] = getstr($_POST['message'], 0, 1, 0, 1, 0, 1);
$_POST['message'] = preg_replace("/\<div\>\<\/div\>/i", '', $_POST['message']);
$message = $_POST['message'];
```
Following checkhtml() into function_blog.php:
```
function checkhtml($html) {
    $html = stripslashes($html);
    if(!checkperm('allowhtml')) {
        // only <...> sequences are collected and inspected
        preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
        $searchs[] = '<';
        $replaces[] = '&lt;';
        $searchs[] = '>';
        $replaces[] = '&gt;';
        if($ms[1]) {
            $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';//allowed tags
            $ms[1] = array_unique($ms[1]);
            foreach ($ms[1] as $value) {
                $searchs[] = "&lt;".$value."&gt;";
                $value = shtmlspecialchars($value);
                $value = str_replace(array('\\','/*'), array('.','/.'), $value);
                $value = preg_replace(array("/(javascript|script|eval|behaviour|expression)/i", "/(\s+|&quot;|')on/i"), array('.', ' .'), $value);
                if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
                    $value = '';
                }
                $replaces[] = empty($value)?'':"<".str_replace('&quot;', '"', $value).">";
            }
        }
        $html = str_replace($searchs, $replaces, $html);
    }
    $html = addslashes($html);
    return $html;
}
// video tag handling
function blog_bbcode($message) {
    // the /e modifier evaluates the replacement as PHP; [flash]...[/flash] is expanded here at display time
    $message = preg_replace("/\[flash\=?(media|real)*\](.+?)\[\/flash\]/ie", "blog_flash('\\2', '\\1')", $message);
    return $message;
}
// video
function blog_flash($swf_url, $type='') {
    $width = '520';
    $height = '390';
    if ($type == 'media') {
        $html = '<object classid="clsid:6bf52a52-394a-11d3-b153-00c04f79faa6" width="'.$width.'" height="'.$height.'">
            <param name="autostart" value="0">
            <param name="url" value="'.$swf_url.'">
            <embed autostart="false" src="'.$swf_url.'" type="video/x-ms-wmv" width="'.$width.'" height="'.$height.'" controls="imagewindow" console="cons"></embed>
        </object>';
    } elseif ($type == 'real') {
        $html = '<object classid="clsid:cfcdaa03-8be4-11cf-b84b-0020afbbccfa" width="'.$width.'" height="'.$height.'">
            <param name="autostart" value="0">
            <param name="src" value="'.$swf_url.'">
            <param name="controls" value="Imagewindow,controlpanel">
            <param name="console" value="cons">
            <embed autostart="false" src="'.$swf_url.'" type="audio/x-pn-realaudio-plugin" width="'.$width.'" height="'.$height.'" controls="controlpanel" console="cons"></embed>
        </object>';
    } else {
        // $swf_url is written into src= unescaped, with script access granted to the SWF
        $html = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="'.$width.'" height="'.$height.'">
            <param name="movie" value="'.$swf_url.'">
            <param name="allowscriptaccess" value="always">
            <embed src="'.$swf_url.'" type="application/x-shockwave-flash" width="'.$width.'" height="'.$height.'" allowfullscreen="true" allowscriptaccess="always"></embed>
        </object>';
    }
    return $html;
}
```
The URL ends up in blog_flash() unchanged: `[flash]...[/flash]` contains no angle brackets, so checkhtml() never looks at it, and its contents are written straight into src= of the <embed>. Nothing more needs saying there, and allowscriptaccess is still always on top of it.
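To make the gap concrete, here is a Python port of the three functions above, added here as an example and not part of the report or of UCHome: checkhtml() does neutralise `<script>` and inline on* handlers, but a `[flash]` block has no angle brackets, so the javascript: URL reaches blog_flash() intact and is rendered into src= with allowscriptaccess="always". blog_flash_safe() is a suggested hardening (an assumption about the fix, not the vendor's patch): accept only an absolute http(s) URL ending in .swf, escape it as an attribute value, and deny the SWF script access to the page, which also covers a genuine SWF hosted on an attacker's domain. stripslashes/addslashes, the media/real branches, and the exact shtmlspecialchars() behaviour are left out of the port.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWTAGS = ("img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|"
             "span|ol|ul|li|blockquote|object|param|embed")


def checkhtml(s: str) -> str:
    """Port of checkhtml() for a user without the allowhtml permission.

    stripslashes()/addslashes() are left out and shtmlspecialchars() is
    approximated with html.escape(); the rest mirrors the PHP line by line.
    """
    tags = re.findall(r"<([^<]+)>", s, flags=re.S)   # only <...> is ever inspected
    searchs, replaces = ["<", ">"], ["&lt;", "&gt;"]
    for value in dict.fromkeys(tags):                 # array_unique(), order kept
        searchs.append("&lt;" + value + "&gt;")
        v = html.escape(value, quote=False).replace('"', "&quot;")
        v = v.replace("\\", ".").replace("/*", "/.")
        v = re.sub(r"(javascript|script|eval|behaviour|expression)", ".", v, flags=re.I)
        v = re.sub(r"(\s+|&quot;|')on", " .", v, flags=re.I)
        if not re.match(r"^[/|\s]?(" + ALLOWTAGS + r")(\s+|$)", v, flags=re.I | re.S):
            v = ""
        replaces.append("" if v == "" else "<" + v.replace("&quot;", '"') + ">")
    for old, new in zip(searchs, replaces):           # str_replace() with arrays is sequential
        s = s.replace(old, new)
    return s


def blog_flash(swf_url: str, type_: str = "") -> str:
    """Port of the default (Flash) branch of blog_flash(); media/real omitted."""
    return ('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="520" height="390">'
            '<param name="movie" value="' + swf_url + '">'
            '<param name="allowscriptaccess" value="always">'
            '<embed src="' + swf_url + '" type="application/x-shockwave-flash" width="520" height="390" '
            'allowfullscreen="true" allowscriptaccess="always"></embed></object>')


def blog_bbcode(message: str) -> str:
    """Port of blog_bbcode(): [flash]...[/flash] is expanded at display time."""
    return re.sub(r"\[flash=?(media|real)*\](.+?)\[/flash\]",
                  lambda m: blog_flash(m.group(2), m.group(1) or ""), message, flags=re.I)


def blog_flash_safe(swf_url: str) -> str:
    """Suggested hardening (assumption, not UCHome's fix): only an absolute
    http(s) URL ending in .swf is accepted, the value is attribute-escaped,
    and the SWF gets no script access to the hosting page."""
    p = urlsplit(swf_url)
    if p.scheme not in ("http", "https") or not p.netloc or not p.path.lower().endswith(".swf"):
        return ""                                     # drop the block rather than render it
    u = html.escape(swf_url, quote=True)
    return ('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="520" height="390">'
            '<param name="movie" value="' + u + '">'
            '<param name="allowscriptaccess" value="never">'
            '<embed src="' + u + '" type="application/x-shockwave-flash" width="520" height="390" '
            'allowfullscreen="true" allowscriptaccess="never"></embed></object>')


if __name__ == "__main__":
    payload = "[flash]javascript:alert(document.cookie)/aaa.swf[/flash]"   # the report's payload
    print(checkhtml("<script>alert(1)</script>"))    # the tag is stripped
    print(blog_bbcode(checkhtml(payload)))            # the javascript: URL survives into src=
    print(blog_flash_safe("javascript:alert(document.cookie)/aaa.swf") == "")
```

The order of operations is the point: the filter runs once at save time on raw text, while the BBCode expansion runs at display time and builds HTML that the filter has already signed off on.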
Fix:
### Proof of vulnerability: