挖洞经验｜UEditor编辑器存储型XSS漏洞

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"前言","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"UEditor是由百度web前端研发部开发的所见即所得富文本web编辑器，具有轻量，可定制，注重用户体验等特点。UEditor存在一个XSS漏洞，编辑器在定义过滤规则的时候不严和读取内容的时候的绕过导致了该","attrs":{}},{"type":"link","attrs":{"href":"https://jq.qq.com/?_wv=1027&k=iEtHV6pZ","title":null,"type":null},"content":[{"type":"text","text":"漏洞","attrs":{}}]},{"type":"text","text":"，此漏洞已经上报，由于技术略菜，有分析不到位的还请多多见谅。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"漏洞成因分析","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"漏洞文件产生在前端配置文件ueditor.config.js：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以下为纯文本粘贴为true时的过滤规则，对一些危险的标签没有做过滤，怪不得好多二次开发的。","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"//纯文本粘贴模式下的过滤规则 //'filterTxtRules' : function(){ // function transP(node){ // node.tagName = 'p'; // node.setStyle(); // } // return { // //直接删除及其字节点内容 // '-' : 'script style object iframe embed input select', // 'p': {$:{}}, // 'br':{$:{}}, // 'div':{'$':{}}, // 'li':{'$':{}}, // 'caption':transP, // 'th':transP, // 'tr':transP, // 'h1':transP,'h2':transP,'h3':transP,'h4':transP,'h5':transP,'h6':transP, // 'td':function(node){ // //没有内容的td直接删掉 // var txt = !!node.innerText(); // if(txt){ // node.parentNode.insertAfter(UE.uNode.createText('    '),node); // } // node.parentNode.removeChild(node,node.innerText()) // } // } //}()","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下图，在官方文档里也进行了说明，通过getContent和setContent方法用

标签读取编辑器内容","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"#通getContent和setContent方法可以设置和读取编辑器的内容 var ue = UE.getEditor();//对编辑器的操作最好在编辑器ready之后再做ue.ready(function(){ //设置编辑器的内容 ue.setContent('hello'); //获取html内容，返回:

hello

var html = ue.getContent(); //获取纯文本内容，返回: hello var txt = ue.getContentTxt();});","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"HTML中的p标签为段落标签，目前所有主流浏览器都支持

标签。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"从编辑器里的左上角显示html可以看出，是带有

标签的，所以在标签内写入payload是不被执行的","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b4/b41989cb74f1d63d332158a258beb9db.jpeg","alt":"1617005741_60618cad57418d4fa5d14.png!small?1617005741335","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/73/7353a918e46b5d667743ab0504cdf8a1.jpeg","alt":"1617005787_60618cdb55a481ca94b07.png!small?1617005787723","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/44/44add444c907ef4d636b2245163b52f8.jpeg","alt":"1617005749_60618cb5abaaefdb62d5a.png!small?1617005749735","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下图，在删除掉

标签后写入payload可触发XSS漏洞","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/25/25886969975d98a4ec5b32c9603bc3c4.jpeg","alt":"1617005826_60618d020e509237a2884.png!small?1617005826019","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d1/d160bfefc65bc8e40a4282db98968464.jpeg","alt":"1617005840_60618d10d6d6b15edb3f9.png!small?1617005840843","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果没有提交或者保存的功能，那么无法与数据库交互形成存储XSS，但是依然可多次点击左上角html按钮触发xss","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/db/db4ccbd8a1d3c2337073ad9da5013fe7.jpeg","alt":"1617006008_60618db845b43ac326228.png!small?1617006008695","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"漏洞利用","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"首先安装部署环境：https://github.com/fex-team/ueditor/releases/tag/v1.4.3.3","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"存储型XSS需要写入后端数据库，这里要把编辑器部署到一个可与数据库交互的环境中。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"首先我们打开编辑器输入正常的文本：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/55/5519084eff4f831a8128e7144331c326.jpeg","alt":"1617006369_60618f21778f46d9f3e6e.png!small?1617006369503","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/1f/1f9bf7677e7bafd00929194a4eecf836.jpeg","alt":"1617006404_60618f44963b9894db568.png!small?1617006404641","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"抓包并将

标签以及原本的文本删除","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a0/a00f268722a75d1166d780a30af7af70.jpeg","alt":"1617006439_60618f6743357de1b6253.png!small?1617006439339","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"插入payload：","attrs":{}}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"%3Cp%3E1111111\">%3Cbr%2F%3E%3C%2Fp%3E","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"点击并拖拽以移动","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b1/b1a1e338a78987b2146322f9dbe9740c.jpeg","alt":"1617005619_60618c3350cbbf52665b5.png!small?1617005619486","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d1/d1ceebf5bee67db9b6b4a32e3f650763.jpeg","alt":"1617006474_60618f8a7495ed8da15a6.png!small?1617006474352","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"成功触发存储型XSS漏洞","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/85/8585ed23536b4a85596bc8cdca24e118.jpeg","alt":"1617006515_60618fb3439e3d17ccab9.png!small?1617006515419","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/65/65edc02141c2ebb78c672b0f6b027ad2.jpeg","alt":"1617006641_60619031caf0d7311cafd.png!small?1617006642187","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"经笔者调查在互联网上存在着许多ueditor编辑器在线展示的网站，这些大都存在没有与后端交互的反射型XSS，但是如果存在与后端数据库交互的功能譬如一些写作平台即可形成存储型XSS漏洞，结合一些xss平台，或者再和其他漏洞配合形成组合拳，威力也不容小藐。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"防御措施","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1、修改 xss过滤白名单 配置文件ueditor.config.js，增加白名单过滤，比如对一些非法的参数和标签，像       <>、,\",'，img标签的onerror属性，script标签等进行自动转义，或者是强制的拦截并提示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2、对输入的数据也进行html转义，使其不会识别为可执行脚本。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"看到这里的大佬，动动发财的小手 点赞 + 回复 + 收藏，能【 关注 】一波就更好了","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我是一名渗透测试工程师，为了感谢读者们，我想把我收藏的一些网络安全/渗透测试学习干货贡献给大家，回馈每一个读者，希望能帮到你们。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"干货主要有：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"①　2000多本网安必看电子书（主流和经典的书籍应该都有了）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"②　PHP标准库资料（最全中文版）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③　项目源码（四五十个有趣且经典的练手项目及源码）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"④ 网络安全基础入门、Linux运维，web安全、渗透测试方面的视频（适合小白学习）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑤ 网络安全学习路线图（告别不入流的学习）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑥ ","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"渗透测试工具大全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑦ 2021网络安全/Web安全/渗透测试工程师面试手册大全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"各位朋友们可以关注+评论一波 然后加下","attrs":{}},{"type":"link","attrs":{"href":"https://jq.qq.com/?_wv=1027&k=iEtHV6pZ","title":null,"type":null},"content":[{"type":"text","text":"QQ群：581499282 ","attrs":{}}]},{"type":"text","text":"备注：csdn  联系管理大大即可免费获取全部资料（一起来群里聊天吹水阿）","attrs":{}}]}]}