Notes on Bypassing an XSS Defense

On a weekend with nothing better to do, I wanted to get up to something, so I found a CMS online and set out to dig something up in it, heh.

doccms.com/DocCms2016/

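After downloading and installing it, I found that the default front end has pitifully few interactive features: just a single online message form. Since there is a message form, you probably thought of the same things I did: INSERT injection and stored XSS. Unfortunately, after many tests the injection turned out to be completely filtered out, so XSS was all that was left to play with.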

As usual, submit some XSS code and then go to the admin back end to see what gets filtered.

View the page source in the back end.

The code we inserted was:

<script>alert(0)</script>

After the program's filtering it became:

<sc<x>ript>alert(0)</sc<x>ript>

So let's look at how the program does its filtering:

// inc/function.php, lines 505-507
$ra1 = Array("javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base");
$ra2 = Array("onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload");
$ra = array_merge($ra1, $ra2);

$ra1 defines the filtered tags; the common ones such as script, iframe and link are all in it.

$ra2 defines the filtered events; the usual favourites onclick, ondblclick and oncopy are filtered out as well.

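Paste any line of the code above into a search engine and you will find that this entire filter function was mindlessly copied by the programmer.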

So can it actually be bypassed?

The answer is that it definitely can. JavaScript has far more events than these. After fuzzing, a number of keywords turned out not to be filtered.

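Here the oncanplay event is without doubt the best choice, because it needs no interaction, runs its code as soon as the page is opened, and is supported by all browsers.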

The oncanplay event fires when a video is ready to start playing.

This event has to be paired with the video tag, and as it happens the video tag is not filtered in $ra1 either:

$ra1 = Array("javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base");

That gives the following payload:

<video width="0" height="0" oncanplay=alert`0`> <source src="http://www.runoob.com/try/demo_source/mov_bbb.mp4" type="video/mp4"></video>

Try again:

Go to the back end and open the message list.

View the source:
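
Why the keyword list shown earlier lets the video/oncanplay input through while encoding at output time does not, as an added example (not DocCms code and not part of the original post). denylist_filter() is a simplified stand-in assumed from the filtered output shown earlier, with keyword lists abbreviated from $ra1 and $ra2; render_message() is a hypothetical name.

```php
<?php
// Added example, not DocCms code. Keyword lists are abbreviated from the
// $ra1/$ra2 arrays quoted on this page.
$ra1 = array("javascript", "script", "iframe", "frame", "link", "style", "object", "embed");
$ra2 = array("onclick", "ondblclick", "oncopy", "onerror", "onload", "onmouseover");

// Assumption: a simplified stand-in for the CMS filter. It splits every listed
// keyword with "<x>", which reproduces the <sc<x>ript> output shown on the page.
function denylist_filter(string $input, array $keywords): string
{
    foreach ($keywords as $kw) {
        $broken = substr($kw, 0, 2) . "<x>" . substr($kw, 2);
        $input = str_ireplace($kw, $broken, $input);
    }
    return $input;
}

// Hypothetical helper: encode when the message is written into the admin page,
// so markup characters are shown as text whatever tag or event name is used.
function render_message(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The two inputs discussed on this page (second one shortened: no <source>).
$samples = array(
    '<script>alert(0)</script>',
    '<video width="0" height="0" oncanplay=alert`0`></video>',
);

foreach ($samples as $s) {
    $filtered = denylist_filter($s, array_merge($ra1, $ra2));
    printf("input    : %s\n", $s);
    printf("denylist : %s%s\n", $filtered, $filtered === $s ? "   <- unchanged" : "");
    printf("encoded  : %s\n\n", render_message($s));
}
```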

