EAdmin存储型XSS测试及修复
EasyAdmin极简社区环境搭建以及存储型XSS测试,简单代码修复
环境搭建 EAdmin v1.0.8
phpstudy环境
PS:要求php version > 5.3
查找可能存在的XSS点
1、用户注册类信息
点击确认修改的一瞬间,输入内容对img标签onerror作了处理
查看用户签名
F12审计源码,看到onerror被替换为了点号.
2、发布帖子
标题部分直接过滤掉js代码
内容中将onerror替换为点号.
标题和内容都不可行,在发布内容最后有一个标签栏
添加标签后弹框
发布之后访问时弹窗,说明XSS代码存储成功
查找这一部分代码内容
在application/index/controller/Forum.php中找到关键的发帖代码
public function add()
{
......
$data['title']= strip_tags( $data['title']);
$data['content']= remove_xss($data['content']);
......
return view();
}
对title和content进行了过滤,过滤方法为strip_tags和remove_xss
其中strip_tags()剥离字符串中的html标签,实现过滤
而remove_xss()对于很多XSS常用的标签和事件属性都进行了过滤和替换
所以在title和content处输入的XSS代码不会被有效执行
function remove_xss($html) {
$html = htmlspecialchars_decode($html);
preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
$searchs[] = '<';
$replaces[] = '<';
$searchs[] = '>';
$replaces[] = '>';
if ($ms[1]) {
$allowtags = 'video|attach|img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|strike|pre|code|embed';
$ms[1] = array_unique($ms[1]);
foreach ($ms[1] as $value) {
$searchs[] = "<".$value.">";
$value = str_replace('&', '_uch_tmp_str_', $value);
$value = string_htmlspecialchars($value);
$value = str_replace('_uch_tmp_str_', '&', $value);
$value = str_replace(array('\\', '/*'), array('.', '/.'), $value);
$skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',
'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
'onsubmit','onunload','javascript','script','eval','behaviour','expression');
$skipstr = implode('|', $skipkeys);
$value = preg_replace(array("/($skipstr)/i"), '.', $value);
if (!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
$value = '';
}
$replaces[] = empty($value) ? '' : "<" . str_replace('"', '"', $value) . ">";
}
}
$html = str_replace($searchs, $replaces, $html);
$html=htmlspecialchars($html);
return $html;
}
标签关键字是什么呢?可以抓包查看
新建一个帖子如下
根据抓取的日志文件中fadd.html,其中输入的数据如下,所以标签栏对应的是keywords
但是程序没有对标签keywords进行有效的过滤,也就导致了标签一栏存在XSS漏洞
修复方法也非常简单,只需要添加对keywords的有效过滤就好了
$data['title']= strip_tags( $data['title']);
$data['content']= remove_xss($data['content']);
$data['keywords']= strip_tags( $data['keywords']);
保存再次测试
新添加的标签已经被过滤了
