WordPress <4.1.2 & <=4.2 Storage-type XSS (features that use MySQL to truncate special characters and super-long characters inode)

Turn from: Baidu Security Lab xteam http://xteam.baidu.com/?p=177

Vulnerability overview

This vulnerability presents two storage-type XSS using different truncation methods, one for special character truncation, one for database field length truncation, which could allow an attacker to obtain a user cookie and simulate the browser's normal operation, and when the administrator accesses the injected payload, Combined with WordPress background function can even getshell.

Vulnerability Analysis

1. Character truncation via official website "The character set named UTF8 uses a maximum of three bytes per character and contains only BMP characters. "When MySQL uses UTF8, the upper limit of the size of a character is 3 bytes, and when a four-byte character is present, it is necessary to use UTF8MB4 encoding, and if not used, the unrecognized four-byte character is discarded along with the subsequent string. Examples, use special characters

 update  ' wp_comments ' set  ' Comment_ Content ' =  

Execution results, it can be seen that the following 55555555 has been truncated, not inserted into the database. UTF-8 encoding in the case of different character areas, the number of bytes used by the encoding varies, of course, we focus on the 4-byte range through the understanding of the official website, the MySQL utf-8 encoding is not recognized for four-byte characters, then this part occupies a byte-coded area, Inserting a database can produce the same effect as a symbol, in which a random test discovery results in truncation, such as,, and so on, for a complete validation conjecture, which can be fuzz for the range in the diagram. When the MySQL database is encoded as UTF-8MB4 or latin1, there is no such problem, because these two character sets can be normal recognition of such characters, no truncation effect, in addition, when MySQL is turned on strict mode, will be more strictly processed, Ensure that blocking occurs before the data is stored effectively, and that the problem does not occur. 2 longer than the length of the MySQL type=text, the maximum length of text is 64KB, when the database insert operation, will be greater than 64KB of the partial discard, only insert the first 64KB, at this time also caused a truncation. While the WordPress save Comment field of the type is TEXT3 exploit WordPress, for anonymous comments in the content of the tags and attributes, will be filtered according to the whitelist, as shown below. \wp411\wp-includes\kses.php 419 Lines

$allowedtags=Array(        ' A ' + =Array(            ' href ' =true, ' title ' = =true,        ), ' abbr ' =Array(            ' Title ' =true,        ), ' acronym ' =Array(            ' Title ' =true,        ), ' B ' + =Array(), ' blockquote ' =Array(            ' Cite ' =true,        ), ' cite ' =Array(), ' Code ' =Array(), ' del ' = =Array(            ' DateTime ' =true,        ), ' em ' =Array(), ' I ' =Array(), ' q ' =Array(            ' Cite ' =true,        ), ' strike ' =Array(), ' strong ' =Array(),    );

WordPress will only allow the labels in the whitelist to appear, and in each array with the name of the tag, the attributes allowed under the tag are saved. It is normal to not allow properties such as onmouseover to appear, we use POC to test

<abbr title= "123 Onmouseover=alert (1) special characters" >

After submitting a comment under IE, it can be found that the successful pop-up window, code as can be seen in the POC, onmouseover is in the double quotation marks as the title property of the value appears, and when the special characters played the role of truncation, The content of this comment is stored in the database as follows, where the double quotation marks on the left side are replaced when the output, while the other package onmouseover the double quotation mark is truncated not in the database, at this time the onmouseover successfully become an event not within the whitelist allowed range, and is successfully parsed. The same goes for constructing truncation over a fixed length.

<abbr title= "123 Onmouseover=alert (1) Add useless characters here to 64KB" >

The right double and angle brackets are successfully truncated, causing it to not enter the database, as shown in

Exploit exploits

 The Klikki Oy team gives a successful Poc,chrome,ie,firefox test that is compatible with multiple browsers sssss<a title= ' x Onmouseover=alert (unescape. SOURCE))

style=position:absolute;left:0;top:0;width:5000px;height:5000px here with special characters or length truncation can ' ></a>

Combined with this POC, reference external JS, the use of WordPress administrator in the background to edit the function of the template can be automated Getshell, before the WordPress XSS has been issued, there is no longer repeat

Vulnerability Impact Range

Special character truncation affects version: WordPress < 4.1.2 (requires MySQL to use UTF8 character set and strict mode off) longer than length truncation affects version: WordPress < = 4.2 This exploits the exploit for MySQL features, Other CMS that uses MySQL may also have similar problems.

Interception advice

WAF interception of two XSS is recommended as follows: 1-character truncation: Block 2-length truncation for comment requests with a range of characters in the image: Comment request exceeds 64KB to intercept the specific situation also please WAF students to consider

Fix suggestions

For ultra-long truncation, the official has not given a patch, so it is recommended to temporarily close the comment function to prevent this XSS-------------my summary--------------1. MySQL character encoding is best used UTF-8MB4(or Latin1) 2. mysql must use Strict Mode(mysql5.7 seems to be the default strict mode) 3. The length is over, the procedure should be processed, so the program is not written Strictly 4. XSS White list 5. The attack is based on the principle that the use of MySQL in processing special characters and extra-long characters, it will be truncated, so that the final "truncated, resulting in quotation marks" is not closed, so that the browser will be the property of the tag as a JS code to execute. 6. <abbr title= "123 Onmouseover=alert (1) at output,no HTML encoding, encode < into &lt;, Onmouseover,alert, etc. are not filtered at the time of input. 7. Storage-type XSS, which requires the mouse to move to the top to trigger.

WordPress <4.1.2 & <=4.2 Storage-type XSS (features that use MySQL to truncate special characters and super-long characters inode)