
Has anyone here researched Discuz! X2.5? (bounty: 1 蓝豆) (thread closed)

Sea (Points: LV0, Exp: Exp0)
#1 Posted 2012-09-29 16:23 | Replies: 3 | Views: 15846
Any of you gurus researched Discuz! X2.5?
Leak a few weak points, would you?


小累D (Points: LV0, Exp: Exp0)
#2 Posted 2012-09-29 22:42
Discuz! X2.5 and below CSRF
The vulnerability is in the checkhtml function in /source/function/function_blog.php:

Sea (Points: LV0, Exp: Exp0)
#3 Posted 2012-09-30 12:59

@小累D
Discuz! X2.5 and below CSRF
The vulnerability is in the checkhtml function in /source/function/function_blog.php:

……

Is this the one?


function checkhtml($html,$allowtags = null) {
    $html = trim($html);
    // Collect every "<...>" run. All angle brackets are escaped first, and only
    // whitelisted tags are put back by the loop below.
    preg_match_all("/<([^<]+)>/is", $html, $ms);

    $searchs = $replaces = array();
    $searchs[] = '<';
    $replaces[] = '&lt;';
    $searchs[] = '>';
    $replaces[] = '&gt;';

    if($ms[1]) {
        if(empty($allowtags)) {
            $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';
        }
        $ms[1] = array_unique($ms[1]);
        foreach ($ms[1] as $value) {
            $searchs[] = "&lt;".$value."&gt;";

            // keep existing &amp; entities intact across htmlspecialchars()
            $value = str_replace('&amp;', '_uch_tmp_str_', $value);
            $value = htmlspecialchars($value);
            $value = str_replace('_uch_tmp_str_', '&amp;', $value);

            // break backslash escapes and "/*" comment openers
            $value = str_replace(array('\\','/*'), array('.','/.'), $value);
            $skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
            'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
            'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
            'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
            'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
            'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
            'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',
            'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
            'onsubmit','onunload','javascript','script','eval','behaviour','expression','style','class');
            $skipstr = implode('|', $skipkeys);
            // blacklisted keywords are replaced by '.' wherever they occur as substrings
            $value = preg_replace(array("/($skipstr)/i"), '.', $value);
            // the tag name (optionally preceded by '/') must be on the allow list
            if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
                $value = '';
            }
            $replaces[] = empty($value)?'':"<".str_replace('&quot;', '"', $value).">";
        }
    }
    $html = str_replace($searchs, $replaces, $html);
    return $html;
}
// output safe HTML
function h($text, $tags = null){
    return checkhtml($text,$tags);
}
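
To see what this filter actually does to input, here is an added Python transcription of the checkhtml() logic quoted above. It is my own port, not Discuz!'s code, and it assumes the PHP reads as restored here (the `&lt;`, `&gt;`, `&amp;` and `&quot;` literals and the backslash escapes in the two patterns, which the forum page had mangled). The sample strings in demo() are constructed for illustration and do not come from the thread.

```python
import html
import re

# Default tag whitelist and keyword blacklist, copied from the quoted PHP.
# Note that object|param|embed are on the allow list as written.
DEFAULT_ALLOWTAGS = (
    "img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span"
    "|ol|ul|li|blockquote|object|param|embed"
)
SKIPKEYS = [
    'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
    'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus',
    'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur',
    'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu',
    'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged',
    'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend',
    'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror',
    'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
    'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete',
    'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave',
    'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove',
    'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange',
    'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit',
    'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
    'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload', 'javascript',
    'script', 'eval', 'behaviour', 'expression', 'style', 'class',
]
SKIP_RE = re.compile("(" + "|".join(SKIPKEYS) + ")", re.I)


def checkhtml(text, allowtags=None):
    """Port of checkhtml(): escape every < and >, then put back only tags
    whose name is whitelisted, after blanking blacklisted substrings."""
    text = text.strip()
    # Same greedy pattern as the PHP: from a '<' to the last '>' before the next '<'.
    tags = re.findall(r"<([^<]+)>", text, re.S)
    searchs = ["<", ">"]
    replaces = ["&lt;", "&gt;"]
    if tags:
        allow_re = re.compile(
            r"^[/|\s]?(" + (allowtags or DEFAULT_ALLOWTAGS) + r")(\s+|$)", re.I | re.S
        )
        for value in dict.fromkeys(tags):  # array_unique(), first-seen order kept
            searchs.append("&lt;" + value + "&gt;")
            # keep existing &amp; entities intact across htmlspecialchars()
            value = value.replace("&amp;", "_uch_tmp_str_")
            value = html.escape(value, quote=False).replace('"', "&quot;")
            value = value.replace("_uch_tmp_str_", "&amp;")
            # break backslash escapes and "/*" comment openers
            value = value.replace("\\", ".").replace("/*", "/.")
            # blacklisted keywords become '.' wherever they occur as substrings
            value = SKIP_RE.sub(".", value)
            # tag name (optionally after '/') must be on the allow list
            if not allow_re.match(value):
                value = ""
            replaces.append("" if not value else "<" + value.replace("&quot;", '"') + ">")
    # str_replace() with arrays: each pair is applied in turn over the whole string
    for s, r in zip(searchs, replaces):
        text = text.replace(s, r)
    return text


def demo():
    """Constructed inputs (not from the thread) and what the filter makes of them."""
    samples = [
        '<b>hi</b>',                                  # allowed tag, kept
        '<script>alert(1)</script>',                  # tag deleted, text survives
        '<a href="http://x/" onclick="f()">x</a>',    # handler name mangled to "."
        '<span class="x">t</span>',                   # "class" is blacklisted too
        'a < b',                                      # bare '<' is entity-escaped
    ]
    return {s: checkhtml(s) for s in samples}


if __name__ == "__main__":
    for src, out in demo().items():
        print(repr(src), "->", repr(out))
```

Two behaviours stand out when running it: a disallowed tag is removed outright (its inner text stays), and a blacklisted attribute is not dropped but has the keyword replaced by `.`, so `onclick="f()"` comes out as `.="f()"`.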

ruanhong火 (Points: LV0, Exp: Exp0)
#4 Posted 2012-10-22 15:22
.............................