
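Vulnerability summary

Bug ID: wooyun-2016-0171136

Vulnerability title: 世纪佳缘 XSS

Vendor: 世纪佳缘

Author: 路人甲

Submitted: 2016-01-19 17:00

Fixed: 2016-03-05 09:52

Disclosed: 2016-03-05 09:52

Vulnerability type: XSS (cross-site scripting)

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]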



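Vulnerability details

Disclosure status:

2016-01-19: Details sent to the vendor, awaiting the vendor's response
2016-01-21: Confirmed by the vendor, details disclosed to the vendor only
2016-01-31: Details disclosed to core white hats and experts in related fields
2016-02-10: Details disclosed to regular white hats
2016-02-20: Details disclosed to trainee white hats
2016-03-05: Details disclosed to the public

Brief description:

Jiayuan has so many girls, x oh x……
Ahem~ don't you all want to X???

Detailed description:

Actually…… I went in with a "let's just give it a try" attitude……

Proof of vulnerability:

The question submission form at the very bottom of the help center (login required)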

http://www.jiayuan.com/helpcenter/postmail2.php?refresh=1&pid=294&id=336




Then came the tedious wait……
After a while, the information I had been longing for showed up



location : http://check.jiayuan.com/admin.php?mod=jy_service&file=mastermail&action=view&newac=newpage&id=4822133&lang=zh
toplocation : http://check.jiayuan.com/admin.php?mod=jy_service&file=mastermail&action=view&newac=newpage&id=4822133&lang=zh
cookie : stadate1=127653735; myloc=71%7C7101; myage=26; mysex=m; myuid=127653735; myincome=30; save_jy_login_name=51505124747%40163.com; w_uk=20140706oJdvhl51t12; pgv_pvi=8083514368; __utma=82118797.873645300.1415169782.1415169782.1415169782.1; jy_ztlogin_zadan_29968824=zadan; jy_ztlogin_zhanbu_103214758=zhanbu; jy_ztlogin_llkan_103214758=llkan; jy_ztlogin_dafuweng_111386909=dafuweng; jy_ztlogin_dafuweng_103214758=dafuweng; pop_1436857144=1451014599035; pop_1408437601=1451811676914; buyhistory=106477258%2523%2523%2523%2523%25231451722843; FTtrgQEItkusername=LF_wangyahui; last_login_time=1453174767; upt=0eYFtf4XStLw6cxfR4ZiAKcYX1lFuA6ZjbkkYd4sjxv5ULu5c%2Aar39y4-gfNkjvDCLBSxRXkKp7kz-Ino3fn9v6AelFWRsQ.; buyhistory_v2=%2522%2522; PHPSESSID=4d0c955b218a1f4d1dbdfd586af4db10; DaSu92Mk8Kncauth=BVdaBT1aWlwOUAcCVAdVWwcFUwQAV1NVUFAEWVBbUF1WUgcADQ%3D%3D; DaSu92Mk8Knccookietime=0; BTSESSID=b37cebe556fa8747ac6490e95d81e37d; SESSION_HASH=28ded3a8ad0629ce55dfe3d50c4a9bfd3b6f9351; user_access=1; global_user_key=6cf83475a6dbd1a7b34937fbae66136b; PROFILE=128653735%3A0804%3Am%3Aimages2.jyimg.com%2Fw4%2Fglobal%2Fi%3A4%3A%3A0%3Azwzpytx_m.jpg%3A1%3A2%3A60%3A10; RAW_HASH=HtTkDGHpiLS7-4-%2A5U70Z9Hm7LsaxGxv0odAM1gmqBE4oOAsfexYGWbMv200mKfzzrvRhIlKrj%2AbW59RL7yiEKnFqPYBM2exaAAwp5XBQUSLJIc.; COMMON_HASH=eeb1db8a7dc300444ade2ae78bcf6ea0; pclog=%7B%22128653735%22%3A%221453174870878%7C1%7C0%22%7D; IM_S=%7B%22IM_CID%22%3A5702007%2C%22svc%22%3A%7B%22code%22%3A0%2C%22nps%22%3A0%2C%22unread_count%22%3A%2238%22%2C%22ocu%22%3A0%2C%22ppc%22%3A0%2C%22jpc%22%3A0%2C%22regt%22%3A%221418609050%22%2C%22using%22%3A%22%22%2C%22user_type%22%3A%2210%22%2C%22uid%22%3A128653735%7D%2C%22IM_SV%22%3A%22211.151.166.131%22%2C%22m%22%3A0%2C%22f%22%3A0%2C%22omc%22%3A0%7D; IM_CS=0; IM_ID=4; IM_TK=1453177342423; IM_M=%5B%7B%22cmd%22%3A54%2C%22data%22%3A%7B%22m%22%3A0%2C%22f%22%3A0%2C%22omc%22%3A0%7D%7D%5D; IM_CON=%7B%22IM_TM%22%3A1453177339526%2C%22IM_SN%22%3A4%7D
opener :


HTTP_REFERER : http://check.jiayuan.com/admin.php?mod=jy_service&file=mastermail&action=view&newac=newpage&id=4822133&lang=zh
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0
REMOTE_ADDR : 119.255.42.194


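Then the admin backend could not be accessed……
So I did not go any further……

Fix:

……

Copyright notice: when reposting, please credit the source 路人甲@乌云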
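
Added example, not part of the original report and not the vendor's code: a PHP example of the controls that address what the proof above shows, namely a help-center submission running as script in the staff view on check.jiayuan.com, and the session cookie (PHPSESSID appears in the captured cookie line) being readable by that script. The function names, the CSS class and the CSP policy are assumptions; the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a user-submitted help-center message before it
// is placed in the HTML body of the staff view (assumed name, not the site's code).
function render_ticket_body(string $raw): string
{
    // Encode <, >, & and both quote styles; substitute invalid UTF-8 bytes
    // instead of passing them through to the browser.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // Line breaks are added only after encoding, so <br> is the only tag emitted.
    return '<div class="ticket-body">' . nl2br($safe, false) . '</div>';
}

// Hypothetical helper: start the staff session with cookie flags that keep
// the session id out of document.cookie and off plain-HTTP requests.
function harden_admin_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not attached to cross-site requests
    ]);
    session_start();
}

// Hypothetical helper: a restrictive policy for the staff view, so that an
// injected inline script does not run and cannot load or post to other origins.
function send_admin_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "img-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'none'");
}

// Constructed sample input, run from the command line only.
if (PHP_SAPI === 'cli') {
    $sample = "Hello <script>alert(1)</script>\n\"quoted\" & 'single'";
    echo render_ticket_body($sample), PHP_EOL;
}
```

Encoding on output is the fix for the injection itself; the cookie flags and the policy limit what a missed injection point can reach.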


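Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2016-01-21 17:39

Vendor reply:

After all, the vulnerability really does exist, but because it is hard to get into the admin backend, we cannot give you too high a Rank, lest you get cocky. [grin]

Latest status:

None yet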