### Brief description:

uhome interface design flaw: XSS throughout, plus one stored XSS

### Details:

I downloaded the bundle: UCenter1.5.1/UCHome2.0/Discuz!7.2 integrated installation package.

Straight to the code. admincp_doing.php:

```
if(submitcheck('batchsubmit')) {
    include_once(S_ROOT.'./source/function_delete.php');
    if(!empty($_POST['ids']) && deletedoings($_POST['ids'])) {
        cpmessage('do_success', $_POST['mpurl']);
    } else {
        cpmessage('choose_to_delete_events', $_POST['mpurl']);
    }
}
```

Follow this call into the function: cpmessage('do_success', $_POST['mpurl']);

```
function cpmessage($msgkey, $url_forward='', $second=1, $values=array()) {
    global $_SGLOBAL, $_SC, $_SCONFIG, $_TPL, $_SN, $space;

    //remove ads
    $_SGLOBAL['ad'] = array();

    include_once(S_ROOT.'./language/lang_cpmessage.php');
    if(isset($_SGLOBAL['cplang'][$msgkey])) {
        $message = lang_replace($_SGLOBAL['cplang'][$msgkey], $values);
    } else {
        $message = $msgkey;
    }

    //display
    obclean();

    //activate menu
    $menuactive = array('index' => ' class="active"');

    if(!empty($url_forward)) {
        $second = $second * 1000;
        $message .= "<script>setTimeout(\"window.location.href ='$url_forward';\", $second);</script>";
    }

    include template('admin/tpl/message');
    exit();
}
```

Without passing through any filter, $_POST['mpurl'] arrives directly at:

```
$message .= "<script>setTimeout(\"window.location.href ='$url_forward';\", $second);</script>";
```

Request URL: http://localhost/dz72/home/admincp.php?ac=feed

POST data: formhash=120f00ad&ids[]=10&mpurl=javascript:alert(1)&deletesubmit=批量删除

![1.png](https://images.seebug.org/upload/201412/02173420f24ec7b9ef3ab46ba45374731a7efc9d.png)

Let's search for other callers:

![2.png](https://images.seebug.org/upload/201412/02173457f42c4d6affff34687ae5f25a9fd962eb.png)

Next, the stored XSS:

![3.png](https://images.seebug.org/upload/201412/021735579a92eca9f6a7ce6a4952c591835695cc.png)

Then javascript:alert(document.cookie)/aaa.swf

![4.png](https://images.seebug.org/upload/201412/02173638efc7107ab815a65cf024f9d1d4cb9aa9.png)

![5.png](https://images.seebug.org/upload/201412/02173710b944762a0f5afa6c7bfef4725508d0c1.png)

Let's analyse the code. cp_thread.php:

```
if(strlen($subject) < 2) showmessage('title_not_too_little');
$_POST['message'] = checkhtml($_POST['message']);
$_POST['message'] = getstr($_POST['message'], 0, 1, 0, 1, 0, 1);
$_POST['message'] = preg_replace("/\<div\>\<\/div\>/i", '', $_POST['message']);
$message = $_POST['message'];
```

Follow the checkhtml function into function_blog.php:

```
function checkhtml($html) {
    $html = stripslashes($html);
    if(!checkperm('allowhtml')) {
        preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
        $searchs[] = '<';
        $replaces[] = '&lt;';
        $searchs[] = '>';
        $replaces[] = '&gt;';
        if($ms[1]) {
            $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';//allowed tags
            $ms[1] = array_unique($ms[1]);
            foreach ($ms[1] as $value) {
                $searchs[] = "&lt;".$value."&gt;";
                $value = shtmlspecialchars($value);
                $value = str_replace(array('\\','/*'), array('.','/.'), $value);
                $value = preg_replace(array("/(javascript|script|eval|behaviour|expression)/i", "/(\s+|&quot;|')on/i"), array('.', ' .'), $value);
                if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
                    $value = '';
                }
                $replaces[] = empty($value)?'':"<".str_replace('&quot;', '"', $value).">";
            }
        }
        $html = str_replace($searchs, $replaces, $html);
    }
    $html = addslashes($html);
    return $html;
}

//video tag handling
function blog_bbcode($message) {
    $message = preg_replace("/\[flash\=?(media|real)*\](.+?)\[\/flash\]/ie", "blog_flash('\\2', '\\1')", $message);
    return $message;
}

//video
function blog_flash($swf_url, $type='') {
    $width = '520';
    $height = '390';
    if ($type == 'media') {
        $html = '<object classid="clsid:6bf52a52-394a-11d3-b153-00c04f79faa6" width="'.$width.'" height="'.$height.'">
            <param name="autostart" value="0">
            <param name="url" value="'.$swf_url.'">
            <embed autostart="false" src="'.$swf_url.'" type="video/x-ms-wmv" width="'.$width.'" height="'.$height.'" controls="imagewindow" console="cons"></embed>
            </object>';
    } elseif ($type == 'real') {
        $html = '<object classid="clsid:cfcdaa03-8be4-11cf-b84b-0020afbbccfa" width="'.$width.'" height="'.$height.'">
            <param name="autostart" value="0">
            <param name="src" value="'.$swf_url.'">
            <param name="controls" value="Imagewindow,controlpanel">
            <param name="console" value="cons">
            <embed autostart="false" src="'.$swf_url.'" type="audio/x-pn-realaudio-plugin" width="'.$width.'" height="'.$height.'" controls="controlpanel" console="cons"></embed>
            </object>';
    } else {
        $html = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="'.$width.'" height="'.$height.'">
            <param name="movie" value="'.$swf_url.'">
            <param name="allowscriptaccess" value="always">
            <embed src="'.$swf_url.'" type="application/x-shockwave-flash" width="'.$width.'" height="'.$height.'" allowfullscreen="true" allowscriptaccess="always"></embed>
            </object>';
    }
    return $html;
}
```

The value finally flows into the blog_flash function. Nothing more needs saying here: the URL is concatenated into src/movie unchecked, and allowscriptaccess is still set to always.

### Fix:

### Proof of vulnerability:
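As an added example for the fix section, the following is a hardened counterpart to the two sinks analysed above. It is not UCHome's own code, and the `safe_` function names, the `$allowed_host` value and the `.swf` path check are assumptions made for illustration. It shows the two controls the report's sinks lack: the redirect target passed to `cpmessage()` is restricted to a same-site path or a same-host http(s) URL and emitted as a JSON string literal inside the script, and the URL handed to `blog_flash()` is restricted to an http(s) URL, attribute-escaped, and embedded with `allowscriptaccess="never"`.

```php
<?php
// Added example (not UCHome's own code). The safe_* names and the default
// allowed host are assumptions chosen for this illustration.

/**
 * Return $url only if it is a relative path or an http(s) URL on $allowed_host;
 * otherwise return $fallback. This rejects "javascript:" and every other
 * scheme-based redirect target before it can reach the script context.
 */
function safe_redirect_url($url, $fallback = 'admincp.php', $allowed_host = 'localhost') {
    $url = trim((string)$url);
    if ($url === '') {
        return $fallback;
    }
    // Anything that carries a scheme, or is protocol-relative ("//host"), is
    // treated as absolute and must pass the scheme and host checks.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $url) || substr($url, 0, 2) === '//') {
        $parts = parse_url($url);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return $fallback;
        }
        if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
            return $fallback;
        }
        if (strtolower($parts['host']) !== strtolower($allowed_host)) {
            return $fallback;
        }
        return $url;
    }
    // Relative path: refuse control characters (tabs/newlines inside a scheme
    // name are ignored by browsers, so they must not slip through here).
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return $fallback;
    }
    return $url;
}

/**
 * Build the redirect snippet cpmessage() appends. The URL is JSON-encoded with
 * the HEX flags so quotes, '<', '>' and '&' cannot break out of the string or
 * close the <script> element.
 */
function safe_redirect_script($url_forward, $second = 1) {
    $url = safe_redirect_url($url_forward);
    $ms = ((int)$second) * 1000;
    $js_url = json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return "<script>setTimeout(function(){ window.location.href = $js_url; }, $ms);</script>";
}

/**
 * Hardened equivalent of blog_flash()'s default branch: accept only an absolute
 * http(s) URL whose path ends in .swf, escape it for an attribute, and never
 * grant the movie script access to the page.
 */
function safe_flash_html($swf_url, $width = 520, $height = 390) {
    $parts = parse_url(trim((string)$swf_url));
    if ($parts === false || empty($parts['scheme']) || empty($parts['host']) || empty($parts['path'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '';
    }
    if (!preg_match('/\.swf$/i', $parts['path'])) {
        return '';
    }
    $url = htmlspecialchars($swf_url, ENT_QUOTES, 'UTF-8');
    $w = (int)$width;
    $h = (int)$height;
    return '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="'.$w.'" height="'.$h.'">'
         . '<param name="movie" value="'.$url.'">'
         . '<param name="allowscriptaccess" value="never">'
         . '<embed src="'.$url.'" type="application/x-shockwave-flash" width="'.$w.'" height="'.$h.'" allowscriptaccess="never"></embed>'
         . '</object>';
}

// Constructed inputs for a quick check; the second and fourth mirror the
// values shown in this report and are expected to be rejected.
foreach (array('home/admincp.php?ac=feed', 'javascript:alert(1)', '//example.org/x') as $u) {
    echo $u, ' => ', safe_redirect_url($u), "\n";
}
echo safe_redirect_script('javascript:alert(1)'), "\n";
echo safe_flash_html('javascript:alert(document.cookie)/aaa.swf') === '' ? "flash: rejected\n" : "flash: accepted\n";
echo safe_flash_html('http://localhost/dz72/aaa.swf') !== '' ? "flash: accepted\n" : "flash: rejected\n";
```

The `.swf` suffix check is a coarse filter, not an authorisation decision: a remotely hosted movie can still be anything, so a deployment that keeps the flash bbcode should pair this with an allowlist of trusted media hosts. Setting `allowscriptaccess` to `never` is what actually removes the movie's ability to run JavaScript in the page, independently of where it was loaded from.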