挖洞經驗|UEditor編輯器存儲型XSS漏洞

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"前言","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"UEditor是由百度web前端研發部開發的所見即所得富文本web編輯器,具有輕量,可定製,注重用戶體驗等特點。UEditor存在一個XSS漏洞,編輯器在定義過濾規則的時候不嚴和讀取內容的時候的繞過導致了該","attrs":{}},{"type":"link","attrs":{"href":"https://jq.qq.com/?_wv=1027&k=iEtHV6pZ","title":null,"type":null},"content":[{"type":"text","text":"漏洞","attrs":{}}]},{"type":"text","text":",此漏洞已經上報,由於技術略菜,有分析不到位的還請多多見諒。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"漏洞成因分析","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"漏洞文件產生在前端配置文件ueditor.config.js:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以下爲純文本粘貼爲true時的過濾規則,對一些危險的標籤沒有做過濾,怪不得好多二次開發的。","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"//純文本粘貼模式下的過濾規則 //'filterTxtRules' : function(){ // function transP(node){ // node.tagName = 'p'; // node.setStyle(); // } // return { // //直接刪除及其字節點內容 // '-' : 'script style object iframe embed input select', // 'p': {$:{}}, // 'br':{$:{}}, // 'div':{'$':{}}, // 'li':{'$':{}}, // 'caption':transP, // 'th':transP, // 'tr':transP, // 'h1':transP,'h2':transP,'h3':transP,'h4':transP,'h5':transP,'h6':transP, // 'td':function(node){ // //沒有內容的td直接刪掉 // var txt = !!node.innerText(); // if(txt){ // node.parentNode.insertAfter(UE.uNode.createText('    '),node); // } // node.parentNode.removeChild(node,node.innerText()) // } // } //}()","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下圖,在官方文檔裏也進行了說明,通過getContent和setContent方法用

<p>標籤讀取編輯器內容","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"#通過getContent和setContent方法可以設置和讀取編輯器的內容 var ue = UE.getEditor();//對編輯器的操作最好在編輯器ready之後再做 ue.ready(function(){ //設置編輯器的內容 ue.setContent('hello'); //獲取html內容,返回: <p>hello</p> var html = ue.getContent(); //獲取純文本內容,返回: hello var txt = ue.getContentTxt();});","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"HTML中的p標籤爲段落標籤,目前所有主流瀏覽器都支持<p>標籤。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從編輯器裏的左上角顯示html可以看出,是帶有<p>
標籤的,所以在標籤內寫入payload是不被執行的","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b4/b41989cb74f1d63d332158a258beb9db.jpeg","alt":"1617005741_60618cad57418d4fa5d14.png!small?1617005741335","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/73/7353a918e46b5d667743ab0504cdf8a1.jpeg","alt":"1617005787_60618cdb55a481ca94b07.png!small?1617005787723","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/44/44add444c907ef4d636b2245163b52f8.jpeg","alt":"1617005749_60618cb5abaaefdb62d5a.png!small?1617005749735","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下圖,在刪除掉<p>
標籤後寫入payload可觸發XSS漏洞","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/25/25886969975d98a4ec5b32c9603bc3c4.jpeg","alt":"1617005826_60618d020e509237a2884.png!small?1617005826019","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d1/d160bfefc65bc8e40a4282db98968464.jpeg","alt":"1617005840_60618d10d6d6b15edb3f9.png!small?1617005840843","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果沒有提交或者保存的功能,那麼無法與數據庫交互形成存儲XSS,但是依然可多次點擊左上角html按鈕觸發xss","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/db/db4ccbd8a1d3c2337073ad9da5013fe7.jpeg","alt":"1617006008_60618db845b43ac326228.png!small?1617006008695","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"漏洞利用","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"首先安裝部署環境:https://github.com/fex-team/ueditor/releases/tag/v1.4.3.3","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":nu
ll,"origin":null},"content":[{"type":"text","text":"存儲型XSS需要寫入後端數據庫,這裏要把編輯器部署到一個可與數據庫交互的環境中。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"首先我們打開編輯器輸入正常的文本:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/55/5519084eff4f831a8128e7144331c326.jpeg","alt":"1617006369_60618f21778f46d9f3e6e.png!small?1617006369503","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/1f/1f9bf7677e7bafd00929194a4eecf836.jpeg","alt":"1617006404_60618f44963b9894db568.png!small?1617006404641","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"抓包並將

<p>標籤以及原本的文本刪除","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a0/a00f268722a75d1166d780a30af7af70.jpeg","alt":"1617006439_60618f6743357de1b6253.png!small?1617006439339","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"插入payload:","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"%3Cp%3E1111111\">%3Cbr%2F%3E%3C%2Fp%3E","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b1/b1a1e338a78987b2146322f9dbe9740c.jpeg","alt":"1617005619_60618c3350cbbf52665b5.png!small?1617005619486","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":nul
l}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d1/d1ceebf5bee67db9b6b4a32e3f650763.jpeg","alt":"1617006474_60618f8a7495ed8da15a6.png!small?1617006474352","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"成功觸發存儲型XSS漏洞","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/85/8585ed23536b4a85596bc8cdca24e118.jpeg","alt":"1617006515_60618fb3439e3d17ccab9.png!small?1617006515419","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/65/65edc02141c2ebb78c672b0f6b027ad2.jpeg","alt":"1617006641_60619031caf0d7311cafd.png!small?1617006642187","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"經筆者調查在互聯網上存在着許多ueditor編輯器在線展示的網站,這些大都存在沒有與後端交互的反射型XSS,但是如果存在與後端數據庫交互的功能譬如一些寫作平臺即可形成存儲型XSS漏洞,結合一些xss平臺,或者再和其他漏洞配合形成組合拳,威力也不容小藐。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"防禦措施","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1、修改 xss過濾白名單 
配置文件ueditor.config.js,增加白名單過濾,比如對一些非法的參數和標籤,像       <>、,\",',img標籤的onerror屬性,script標籤等進行自動轉義,或者是強制的攔截並提示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2、對輸入的數據也進行html轉義,使其不會識別爲可執行腳本。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"看到這裏的大佬,動動發財的小手 點贊 + 回覆 + 收藏,能【 關注 】一波就更好了","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我是一名滲透測試工程師,爲了感謝讀者們,我想把我收藏的一些網絡安全/滲透測試學習乾貨貢獻給大家,回饋每一個讀者,希望能幫到你們。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"乾貨主要有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"① 2000多本網安必看電子書(主流和經典的書籍應該都有了)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"② PHP標準庫資料(最全中文版)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③ 項目源碼(四五十個有趣且經典的練手項目及源碼)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"④ 網絡安全基礎入門、Linux運維,web安全、滲透測試方面的視頻(適合小白學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑤ 網絡安全學習路線圖(告別不入流的學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑥ ","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"滲透測試工具大全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑦ 
2021網絡安全/Web安全/滲透測試工程師面試手冊大全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"各位朋友們可以關注+評論一波 然後加下","attrs":{}},{"type":"link","attrs":{"href":"https://jq.qq.com/?_wv=1027&k=iEtHV6pZ","title":null,"type":null},"content":[{"type":"text","text":"QQ羣:581499282 ","attrs":{}}]},{"type":"text","text":"備註:csdn  聯繫管理大大即可免費獲取全部資料(一起來羣裏聊天吹水阿)","attrs":{}}]}]}
