After many days I have finally managed to finish editing this article. Yes, that's right, I am the unreliable temp. The boss doesn't pay me anyway, so why would I work so hard?
Alright, just read the content below for yourselves... (this article was edited on a plane, have some pity on me QAQ)
First, in /forum.php:

```php
require DISCUZ_ROOT.'./source/module/forum/forum_'.$mod.'.php';
```
The mod parameter selects the file that gets included. http://localhost:8081/dz/forum.php?mod=modcp&action=announcement is the URL for adding an announcement, so the included file is /source/module/forum/forum_modcp.php. Following action=announcement:

```php
switch ($_GET['action']) {
    case 'announcement':
        $_G['group']['allowpostannounce'] && $script = 'announcement';
        break;
    // ...
}
```
This assigns $script = 'announcement'. Following $script:

```php
require DISCUZ_ROOT.'./source/include/modcp/modcp_'.$script.'.php';
```
Another file is included; following it leads to /source/include/modcp/modcp_announcement.php:

```php
switch($op) {
    case 'add':
        $announce['starttime'] = dgmdate(TIMESTAMP, 'd');
        $announce['endtime'] = dgmdate(TIMESTAMP + 86400 * 30, 'd');
        if(submitcheck('submit')) {
            $message = is_array($_GET['message']) ? $_GET['message'][$_GET['type']] : '';
            save_announce(0, $_GET['starttime'], $_GET['endtime'], $_GET['subject'], $_GET['type'], $message, 0);
            $add_successed = true;
        }
        break;
    // ...
}
```
Following save_announce, in /source/include/modcp/modcp_announcement.php:

```php
function save_announce($id = 0, $starttime, $endtime, $subject, $type, $message, $displayorder = 0) {
    global $_G;
    $displayorder = intval($displayorder);
    $type = intval($type);
    $starttime = empty($starttime) || strtotime($starttime) < TIMESTAMP ? TIMESTAMP : strtotime($starttime);
    $endtime = empty($endtime) ? 0 : (strtotime($endtime) < $starttime ? ($starttime + 86400 * 30) : strtotime($endtime));
    $subject = dhtmlspecialchars(trim($subject));
    if($type == 1) {
        // link-type announcement: first line only, HTML-encoded
        list($message) = explode("\n", trim($message));
        $message = dhtmlspecialchars($message);
    } else {
        // text-type announcement: only trimmed, no HTML encoding
        $type = 0;
        $message = trim($message);
    }
    if(empty($subject) || empty($message)) {
        acpmsg('modcp_ann_empty');
    } elseif($type == 1 && substr(strtolower($message), 0, 7) != 'http://') {
        acpmsg('modcp_ann_urlerror');
    } else {
        $data = array(
            'author' => $_G['username'],
            'subject' => $subject,
            'type' => $type,
            'starttime' => $starttime,
            'endtime' => $endtime,
            'message' => $message,
            'displayorder' => $displayorder
        );
        if(empty($id)) {
            C::t('forum_announcement')->insert($data);
        } else {
            C::t('forum_announcement')->update($id, $data, true);
        }
    }
}
```
Note `$message = trim($message);`: on this path there is no HTML filtering at all. The value then goes straight into the row:

```php
$data = array('author'=>$_G['username'], 'subject'=>$subject, 'type'=>$type, 'starttime'=>$starttime, 'endtime'=>$endtime, 'message'=>$message, 'displayorder'=>$displayorder);
if(empty($id)) {
    C::t('forum_announcement')->insert($data);
```

so the XSS payload is inserted into the database as-is.
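To make the difference between the two branches concrete, here is an added example (it is not Discuz code) that puts the unencoded text path from save_announce beside a hardened variant that encodes both branches before the value reaches the database. dhtmlspecialchars is Discuz's own helper; the stand-in below (an assumption) mirrors its effect with PHP's htmlspecialchars, and the sample message is constructed.

```php
<?php
// Added example, not Discuz code. Stand-in for Discuz's dhtmlspecialchars()
// (assumption: it behaves like htmlspecialchars with ENT_QUOTES).
function dhtmlspecialchars_stub(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Mirrors the branch highlighted in the post: the text type (0) only trims.
function normalize_message_vulnerable(int $type, string $message): string {
    if ($type == 1) {
        list($message) = explode("\n", trim($message));
        return dhtmlspecialchars_stub($message);
    }
    return trim($message);   // no HTML encoding on the text path
}

// Hardened variant: both branches encode before the value is stored.
// Encoding at save time is defence in depth; the template must still not
// echo the stored value as raw HTML.
function normalize_message_hardened(int $type, string $message): string {
    if ($type == 1) {
        list($message) = explode("\n", trim($message));
        $message = dhtmlspecialchars_stub($message);
        if (substr(strtolower($message), 0, 7) != 'http://') {
            throw new InvalidArgumentException('modcp_ann_urlerror');
        }
        return $message;
    }
    return dhtmlspecialchars_stub(trim($message));
}

// Constructed sample standing in for $_GET['message'][$_GET['type']].
$sample = "Maintenance tonight <script>alert(1)</script>";

echo "vulnerable: ", normalize_message_vulnerable(0, $sample), PHP_EOL;
echo "hardened:   ", normalize_message_hardened(0, $sample), PHP_EOL;
```

Running it prints the sample unchanged on the vulnerable path and with `<`, `>` and quotes encoded on the hardened path; the type 1 branch is carried over unchanged so the URL check still applies after encoding.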
The output point is http://localhost:8081/dz/forum.php?mod=announcement, which leads to the file /source/module/forum/forum_announcement.php:
```php
/**
 *      [Discuz!] (C)2001-2099 Comsenz Inc.
 *      This is NOT a freeware, use is subject to license terms
 *
 *      $Id: forum_announcement.php 25246 2011-11-02 03:34:53Z zhangguosheng $
 */

if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}

require_once libfile('function/discuzcode');

$announcedata = C::t('forum_announcement')->fetch_all_by_date($_G['timestamp']);
if(!count($announcedata)) {
    showmessage('announcement_nonexistence');
}

$announcelist = array();
foreach ($announcedata as $announce) {
    $announce['authorenc'] = rawurlencode($announce['author']);
    $tmp = explode('.', dgmdate($announce['starttime'], 'Y.m'));
    $months[$tmp[0].$tmp[1]] = $tmp;
    if(!empty($_GET['m']) && $_GET['m'] != dgmdate($announce['starttime'], 'Ym')) {
        continue;
    }
    $announce['starttime'] = dgmdate($announce['starttime'], 'd');
    $announce['endtime'] = $announce['endtime'] ? dgmdate($announce['endtime'], 'd') : '';
    $announce['message'] = $announce['type'] == 1 ? "" : $announce['message'];
    $announce['message'] = nl2br(discuzcode($announce['message'], 0, 0, 1, 1, 1, 1, 1));
    $announcelist[] = $announce;
}

$annid = isset($_GET['id']) ? intval($_GET['id']) : 0;
include template('forum/announcement');

?>
```
Here:

```php
$announce['message'] = $announce['type'] == 1 ? "" : $announce['message'];
$announce['message'] = nl2br(discuzcode($announce['message'], 0, 0, 1, 1, 1, 1, 1));
```

and the value is passed to the template /template/default/forum/announcement.htm for output:
```html
id="ct" class="ct2_a wp cl">
    <div class="mn">
        <div class="bm bw0">
            <div id="annofilter"></div>
            <!--{loop $announcelist $ann}-->
            <div id="announce$ann[id]_c" class="umh{if $messageid != $ann[id]} umn{/if}">
                <h3 onclick="toggle_collapse('announce$ann[id]', 1, 1);">$ann[subject]<em>($ann[starttime])</em></h3>
                <div class="umh_act">
                    <p class="umh_cb"><a href="javascript:;" onclick="toggle_collapse('announce$ann[id]', 1, 1);">[ {lang open} ]</a></p>
                </div>
            </div>
            <div id="announce$ann[id]" class="um" style="display: none">
                <p class="mbn">{lang author}: <a href="home.php?mod=space&username=$ann[authorenc]" class="xi2">$ann[author]</a></p>
                $ann[message]
            </div>
            <!--{/loop}-->
        </div>
    </div>
    <div class="appl">
        <div class="tbn">
            <h2 class="mt bbda">{lang
```
$ann[message] is likewise echoed into the template without any escaping.
The resulting effect:
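For a site owner who cannot patch immediately, the practical questions are whether any stored announcement already contains markup and what the template should receive instead of the raw value. The added example below (not Discuz code) audits an array of announcement rows for tag-like content and shows an encoded render; `$rows` is constructed sample data standing in for what `C::t('forum_announcement')->fetch_all_by_date()` returns (an assumption about its shape), and the strip_tags comparison is a review heuristic, not an HTML parser.

```php
<?php
// Added example, not Discuz code. Flags text-type announcements whose
// message contains tag-like markup so a moderator can review them.
function find_markup_in_announcements(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if ((int)$row['type'] == 1) {
            continue;   // link type is HTML-encoded on save (see save_announce)
        }
        $msg = (string)$row['message'];
        // If strip_tags changes the string, it contained something tag-shaped.
        if (strip_tags($msg) !== $msg) {
            $hits[] = ['id' => $row['id'], 'author' => $row['author'], 'message' => $msg];
        }
    }
    return $hits;
}

// Output-side fix: what $ann[message] in the template should receive.
// Encode first, then add <br> for line breaks, so only our own tags survive.
function render_announcement_message(string $message): string {
    return nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample rows (assumed column names id, type, author, message).
$rows = [
    ['id' => 1, 'type' => 0, 'author' => 'mod_a', 'message' => "Forum rules updated.\nPlease read."],
    ['id' => 2, 'type' => 0, 'author' => 'mod_b', 'message' => "Welcome <script>alert(1)</script>"],
    ['id' => 3, 'type' => 1, 'author' => 'mod_a', 'message' => 'http://example.com/notice'],
];

foreach (find_markup_in_announcements($rows) as $hit) {
    printf("announcement %d by %s contains markup: %s\n", $hit['id'], $hit['author'], $hit['message']);
    echo "safe render: ", render_announcement_message($hit['message']), PHP_EOL;
}
```

With the sample rows only announcement 2 is reported; its safe render shows the script tag as literal text, which is what the template would display if it encoded `$ann[message]` instead of echoing it raw. The audit is only a first pass: anything it flags should be reviewed by a person, and a false negative is possible for malformed markup that strip_tags leaves alone.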
This article was first published on the WeChat public account 逢人斗智斗勇: Analysis of the stored XSS vulnerability in Discuz 2.5-3.3 (privileges required).