
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0152241

Title: XSS/CSRF in the backend of a Baidu Nuomi site allows access to the admin backend

Vendor: Baidu

Author: zowie

Submitted: 2015-11-06 09:37

Fixed: 2015-12-25 10:44

Published: 2015-12-25 10:44

Type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 1

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-06: details sent to the vendor, awaiting vendor handling
2015-11-10: vendor confirmed; details visible to the vendor only
2015-11-20: details disclosed to core white hats and experts in the relevant field
2015-11-30: details disclosed to regular white hats
2015-12-10: details disclosed to intern white hats
2015-12-25: details disclosed to the public

Brief description:

Baidu SRC reviews are slow and reports often get dismissed; it hurts.
Enough said, let's support WooYun instead.

Detailed description:

First, at
http://www.nuomi.com/uc/order/
I inserted a (stored) XSS payload in the refund request field.
It was successfully rendered in the admin backend.

nuomi.jpg


The backend contains an iframe; I replaced that iframe with a phishing page to phish the staff,
and obtained the administrator
v_sunliting@baidu.com
and the order query page.

nuomi-1.jpg


I originally wanted to quickly refund one of my own orders, but I was not sure whether the account would get banned.
The backend source is attached below.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="http://static.nuomi.com/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<title>糯米网 - 客服单处理</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link href="http://static.nuomi.com/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<script type="text/javascript" src="http://apps.bdimg.com/libs/jquery/2.1.4/jquery.min.js"></script>
<link rel="stylesheet" type="text/css" href="http://sso.nuomi.com/jquery/css/smoothness/jquery-ui-1.8.15.custom.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://sso.nuomi.com/jquery/css/smoothness/jquery-ui-timepicker-addon.css" media="all" />
<link rel="stylesheet" type="text/css" href="http://sso.nuomi.com/jquery/css/zTreeStyle/zTreeStyle.css" />
<link rel="stylesheet" type="text/css" href="http://sso.nuomi.com/css/support.css?version=2014-04-02" media="all" />
<script type="text/javascript" src="http://sso.nuomi.com/js/jquery-migrate-1.2.1.min.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/jquery/js/jquery-ui-1.8.15.custom.min.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/jquery/js/jquery.bgiframe.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/jquery/js/jquery-ui-timepicker-addon.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/jquery/js/jquery.ui.datepicker-zh-CN.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/jquery/js/jquery-ui-timepicker-zh-CN.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/jquery/js/jquery.ztree.core-3.0.js"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/nm.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/support.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/file.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/dataRegistry.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/aclUser.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/sellerCsProp.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/user.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/area.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/deal.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/order.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/toShopPayOrder.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/promoCoupon.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/dealCsProp.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/dealMerchantStaff.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/certificate.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/giftCard.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/ticket.data.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/ticket.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/refund.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/userSeatMap.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/knowledge.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/customerAdvice.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/walletCard.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/email.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/sms.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/smsLog.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/smsRecord.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/supportSmsLog.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/advanceRefund.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/csPay.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/csTimer.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/ticketStatistics.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/saleStatistics.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/userCancel.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/supportUserManage.js?version=2014-04-02"></script>
<!-- wuxiaoliang: red envelope -->
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/redEnvelope.js?version=2014-04-02"></script>
<script type="text/javascript" src="http://sso.nuomi.com/js/modules/baiduPayLog.js?version=2014-04-02"></script>
<script type="text/javascript">
document.domain = "nuomi.com";
$(function() {
  var version = '2014-04-02';
  if(version.indexOf('beta') != -1){
    $('<div style="position : absolute; top : 0;right : 0;background:#AAAAFF;">SUPPORT : IE8; version : ' + version + '</div>').appendTo(document.body);
  }
  NM.support.bootstrap();
});
</script>
<script src="http://sso.nuomi.com/js/jsTree/jstree.js"></script>
<script src="http://sso.nuomi.com/js/jsxtreehttp://sso.nuomi.com/js/ComboBoxTree.js"></script>
<script src="http://sso.nuomi.com/js/treeUtils.js"></script>
<link rel="stylesheet" href="http://sso.nuomi.com/js/jsTree/themes/proton/style.css" />
<link rel="stylesheet" href="http://sso.nuomi.com/js/jsxtree/css/ComboBoxTree.css" />
<script type="text/javascript">
var editDialog;
$(function(){
  if('0' == 2){
    NM.support.modules.ticket.processRemarkTextarea({
      textarea : $('#remark'),
      type : '',
      needSend : '',
      sevenRefund : '' == 'true',
      expireRefund : '' == 'true'
    });
  }
  $('#origDesc').val($('#remark').val());
  editDialog = NM.support.modules.ticket.editDialog({
    ok : function(){
      var progress = NM.support.progress({ title : '请等待', message : '正在加载', value : 'auto' })
      window.location.reload();
    }
  })
  editDialog.load({
    id : '', type : '', finalType : '', contact : '', dealId : '', userId : '', orderIds : '',
    csJudgeDutys : '', otherJudgeDutys : '', finalJudgeDutys : '', processResults : '',
    species : '', speciesIndex :'', username : '', replyStatus : '', replyType : '',
    csTicketCertificateListArray : ''
  });
  $('#edit').click(function(){ editDialog.open(); });
  var sign = true;
  $(window).scroll(function () {
    setTimeout(function() {
      var s= $(window).scrollTop();
      var ticketId = $(".nm-module-ticket-ticketId").html();
      var auth = '0';
      if(sign&&s>=200){
        $.ajax({
          type : "POST",
          url : '/support/ticket/findTicketButton',
          dataType : "html",
          async:false,
          data : { ticketId : ticketId, auth : auth },
          success : function(html) {
            $("#ticketButtonForm").html(html);
            sign =false;
          },
          error : function() {
            NM.support.alert({ overlayOn : dialogWidget, message : '连接服务器失败' })
          }
        })
      }
    }, 1000)
  });
  $('input[class=nm-field-noticeTime][name=noticeTime]').each(function(){
    var noticeTime = $(this);
    noticeTime.datetimepicker({ showOtherMonths : true, selectOtherMonths : true, changeMonth : true, changeYear : true, showSecond: true, timeFormat: 'hh:mm:ss' });
  });
  $('input[name=replyTime]').each(function(){
    var replyTime = $(this);
    replyTime.datetimepicker({ showOtherMonths : true, selectOtherMonths : true, changeMonth : true, changeYear : true, showSecond: true, timeFormat: 'hh:mm:ss' });
  });
  var param = $('#replyStatus');
  replyStatusValidate(param);
  function replyStatusValidate(param) {
    if(param.val()==2){
      $("#certFolderPage").show();
      $("#certTable").show();
<tr>
<td><label class="nm-label-species">工单种类:</label></td>
<td><input type="text" class="nm-field-speciesText input-text" style="width: 200px;" readonly="readonly" /> <input type="hidden" class="nm-field-species" name="type" /></td>
<td><label class="nm-label-finalSpecies">最终工单种类:</label></td>
<td><select id="finalSpecies" name="finalSpecies" class="nm-field-finalSpecies" style="width: 200px;"> <option value="0">--请选择--</option> <option value="1">咨询</option> <option value="3">业务受理</option> <option value="2">投诉</option> </select></td>
</tr>
<tr>
<td><label>客服判定责任:</label></td>
<td colspan="3"><input type="checkbox" name="csJudgeDuty" value="0" class="nm-field-csJudgeDuty-0 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-0">用户责任</label><br /> <input type="checkbox" name="csJudgeDuty" value="3" class="nm-field-csJudgeDuty-3 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-3">销售责任</label> <input type="checkbox" name="csJudgeDuty" value="31" class="nm-field-csJudgeDuty-31 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-31">技术责任</label> <input type="checkbox" name="csJudgeDuty" value="32" class="nm-field-csJudgeDuty-32 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-32">文案责任</label> <input type="checkbox" name="csJudgeDuty" value="33" class="nm-field-csJudgeDuty-33 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-33">客服责任</label> <input type="checkbox" name="csJudgeDuty" value="4" class="nm-field-csJudgeDuty-4 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-4">糯米包邮(物流)责任</label><br /> <input type="checkbox" name="csJudgeDuty" value="1" class="nm-field-csJudgeDuty-1 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-1">商家责任</label> <input type="checkbox" name="csJudgeDuty" value="2" class="nm-field-csJudgeDuty-2 ticketResult-checkbox" /> <label class="nm-label-csJudgeDuty-2">商家包邮(物流)责任</label><br /> <br /></td>
</tr>
<tr>
<td><label>合作方判定责任:</label></td>
<td colspan="3"><input type="checkbox" name="otherJudgeDuty" value="0" class="nm-field-otherJudgeDuty-0 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-0">用户责任</label><br /> <input type="checkbox" name="otherJudgeDuty" value="3" class="nm-field-otherJudgeDuty-3 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-3">销售责任</label> <input type="checkbox" name="otherJudgeDuty" value="31" class="nm-field-otherJudgeDuty-31 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-31">技术责任</label> <input type="checkbox" name="otherJudgeDuty" value="32" class="nm-field-otherJudgeDuty-32 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-32">文案责任</label> <input type="checkbox" name="otherJudgeDuty" value="33" class="nm-field-otherJudgeDuty-33 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-33">客服责任</label> <input type="checkbox" name="otherJudgeDuty" value="4" class="nm-field-otherJudgeDuty-4 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-4">糯米包邮(物流)责任</label><br /> <input type="checkbox" name="otherJudgeDuty" value="1" class="nm-field-otherJudgeDuty-1 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-1">商家责任</label> <input type="checkbox" name="otherJudgeDuty" value="2" class="nm-field-otherJudgeDuty-2 ticketResult-checkbox" /> <label class="nm-label-otherJudgeDuty-2">商家包邮(物流)责任</label> <br /> <br /></td>
</tr>
<tr>
<td><label>最终判定责任:</label></td>
<td colspan="3"><input type="checkbox" name="finalJudgeDuty" value="0" class="nm-field-finalJudgeDuty-0 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-0">用户责任</label><br /> <input type="checkbox" name="finalJudgeDuty" value="3" class="nm-field-finalJudgeDuty-3 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-3">销售责任</label> <input type="checkbox" name="finalJudgeDuty" value="31" class="nm-field-finalJudgeDuty-31 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-31">技术责任</label> <input type="checkbox" name="finalJudgeDuty" value="32" class="nm-field-finalJudgeDuty-32 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-32">文案责任</label> <input type="checkbox" name="finalJudgeDuty" value="33" class="nm-field-finalJudgeDuty-33 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-33">客服责任</label> <input type="checkbox" name="finalJudgeDuty" value="4" class="nm-field-finalJudgeDuty-4 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-4">糯米包邮(物流)责任</label><br /> <input type="checkbox" name="finalJudgeDuty" value="1" class="nm-field-finalJudgeDuty-1 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-1">商家责任</label> <input type="checkbox" name="finalJudgeDuty" value="2" class="nm-field-finalJudgeDuty-2 ticketResult-checkbox" /> <label class="nm-label-finalJudgeDuty-2">商家包邮(物流)责任</label><br /> <br /></td>
</tr>
<tr>
<td><label>最终处理结果:</label></td>
<td colspan="3"><input type="checkbox" name="processResult" value="5" class="nm-field-processResult-5 ticketResult-checkbox" /> <label class="nm-label-processResult-5">不作处理</label> <input type="checkbox" name="processResult" value="6" class="nm-field-processResult-6 ticketResult-checkbox" /> <label class="nm-label-processResult-6">退款</label> <input type="checkbox" name="processResult" value="7" class="nm-field-processResult-7 ticketResult-checkbox" /> <label class="nm-label-processResult-7">先行赔付</label> <input type="checkbox" name="processResult" value="8" class="nm-field-processResult-8 ticketResult-checkbox" /> <label class="nm-label-processResult-8">邮费先行赔付</label> <input type="checkbox" name="processResult" value="9" class="nm-field-processResult-9 ticketResult-checkbox" /> <label class="nm-label-processResult-9">退货</label> <input type="checkbox" name="processResult" value="10" class="nm-field-processResult-10 ticketResult-checkbox" /> <label class="nm-label-processResult-10">换货</label> <input type="checkbox" name="processResult" value="11" class="nm-field-processResult-11 ticketResult-checkbox" /> <label class="nm-label-processResult-11">补货</label> <input type="checkbox" name="processResult" value="12" class="nm-field-processResult-12 ticketResult-checkbox" /> <label class="nm-label-processResult-12">提现</label> <input type="checkbox" name="processResult" value="13" class="nm-field-processResult-13 ticketResult-checkbox" /> <label class="nm-label-processResult-13">查询</label> <input type="checkbox" name="processResult" value="14" class="nm-field-processResult-14 ticketResult-checkbox" /> <label class="nm-label-processResult-14">重发</label> <input type="checkbox" name="processResult" value="15" class="nm-field-processResult-15 ticketResult-checkbox" /> <label class="nm-label-processResult-15">转发</label> <input type="checkbox" name="processResult" value="16" class="nm-field-processResult-16 ticketResult-checkbox" /> <label 
class="nm-label-processResult-16">激活</label> <input type="checkbox" name="processResult" value="17" class="nm-field-processResult-17 ticketResult-checkbox" /> <label class="nm-label-processResult-17">解绑</label> <input type="checkbox" name="processResult" value="18" class="nm-field-processResult-18 ticketResult-checkbox" /> <label class="nm-label-processResult-18">免打扰</label> <input type="checkbox" name="processResult" value="19" class="nm-field-processResult-
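The report describes two weaknesses: a refund reason typed by a customer is stored and later rendered as markup inside the customer-service ticket page (so a stored `<script>` or a swapped-in phishing `<iframe>` runs in the admin's origin), and the admin page issues state-changing POSTs (for example `/support/ticket/findTicketButton`) with no request token. The following is an added example written for this page; it is not code from the report or from the Nuomi backend. It models the vulnerable render path next to a hardened one and adds a synchronizer-token check; every function name, the sample refund reasons and the `sso.nuomi.example` origin are constructed for illustration.

```javascript
// Added example; not code from the WooYun report or from the Nuomi admin backend.
// Models the report's failure modes: (1) a customer-supplied refund reason stored
// by the order/refund form is rendered into the ticket page with innerHTML-style
// insertion (the effect of jQuery's .html(value)), so <script> or a phishing
// <iframe> executes in the admin origin; (2) state-changing admin POSTs accepted
// without a request token. All names and sample values are hypothetical.

// Constructed sample values a user could type into the refund form.
const SAMPLE_REFUND_REASONS = [
  "商家未发货，申请退款",                                            // benign text
  "<script>alert(document.domain)</script>",                         // stored script
  '<iframe src="http://phish.invalid/login" width="100%"></iframe>', // frame swap
  'a < b && "quoted" reason',                                        // benign, needs encoding
];

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML entity-encode a value so the browser renders it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: the stored value is concatenated raw into the ticket template.
function renderRemarkUnsafe(remark) {
  return '<td class="nm-module-ticket-remark">' + remark + "</td>";
}

// Hardened pattern: the stored value is encoded at the output point.
function renderRemark(remark) {
  return '<td class="nm-module-ticket-remark">' + escapeHtml(remark) + "</td>";
}

// Reviewer/detection helper: does a rendered fragment carry an active element or
// event-handler attribute beyond the template's own <td> wrapper?
const ACTIVE_MARKUP = /<\s*(script|iframe|object|embed|img|svg|meta|link|form)\b|\bon\w+\s*=/i;
function containsActiveMarkup(fragment) {
  const body = fragment.replace(/^<td[^>]*>/, "").replace(/<\/td>$/, "");
  return ACTIVE_MARKUP.test(body);
}

// Render every sample both ways and report which render path leaks markup.
function reviewStoredRemarks(reasons = SAMPLE_REFUND_REASONS) {
  return reasons.map((r) => ({
    remark: r,
    unsafeLeaks: containsActiveMarkup(renderRemarkUnsafe(r)),
    hardenedLeaks: containsActiveMarkup(renderRemark(r)),
  }));
}

// Synchronizer-token check for state-changing admin requests (refund, reissue, ...):
// the token bound to the admin session must equal the one the form submitted.
// The comparison is constant-time over equal-length strings.
function csrfTokenValid(sessionToken, submittedToken) {
  if (typeof sessionToken !== "string" || typeof submittedToken !== "string") return false;
  if (sessionToken.length === 0 || sessionToken.length !== submittedToken.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ submittedToken.charCodeAt(i);
  }
  return diff === 0;
}

// Gate an admin POST the way the endpoint should: Origin check plus token check.
// `req` is a constructed plain object standing in for the framework's request.
function authorizeAdminPost(req, adminOrigin = "https://sso.nuomi.example") {
  const origin = (req.headers && req.headers.origin) || "";
  if (origin !== adminOrigin) return { ok: false, reason: "cross-origin request" };
  if (!csrfTokenValid(req.session && req.session.csrfToken, req.body && req.body.csrfToken)) {
    return { ok: false, reason: "missing or wrong CSRF token" };
  }
  return { ok: true, reason: "" };
}

// Stand-alone run: print which samples leak through the unsafe render path.
console.table(reviewStoredRemarks());
```

`reviewStoredRemarks()` reports the two active payloads as leaking only through `renderRemarkUnsafe`; the benign reason containing `<` and quotes is rendered intact by `renderRemark` without being flagged. Two further points a reviewer would raise against the dumped page: its `$("#ticketButtonForm").html(html)` call trusts whatever the server returns as markup, so the same encoding discipline belongs on the server side for every field that originates from a customer, and the page sets `document.domain = "nuomi.com"`, which relaxes the same-origin boundary to every nuomi.com subdomain that performs the same relaxation; a script injection on any such subdomain can then reach this admin page. A Content-Security-Policy with `script-src` (no `'unsafe-inline'`) and `frame-src 'self'` would also have blocked both the inline script and the external phishing frame the report describes.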


Proof of vulnerability:


Fix proposal:

You know better than I do.

Copyright notice: when reposting, credit the source as zowie@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-10 10:43

Vendor reply:

Thank you very much for your report. We have started handling the issue, and we appreciate your attention to Baidu security. If you have any questions, feel free to contact us and a dedicated person will follow up.

Latest status:

None yet