Baidu consortium code defects cause dom xss to exist for websites promoted by Baidu (in Tianya, 58 cities, and Ganji as an example)

Baidu consortium code defects cause dom xss to exist for websites promoted by Baidu (in Tianya, 58 cities, and Ganji as an example)

The http://cpro.baidustatic.com/cpro/ui/c.js file is called with the following code:

Y && Y("union/common/logic", [], function() {        return {ze: function(e) {                (e = e || "") && (e = e.replace(/%u[\d|\w]{4}/g, function(e) {                    return encodeURIComponent(unescape(e))                }));                return e            },ja: function(e, f) {                return e.replace(/{(.*?)}/g, function(c, e) {                    return f[e] || ""                })            },Kd: function(e) {                return (new Function("return " + e))()            },vc: function(e, f) {                if (e && f) {                    var c = e.match(RegExp("(^|&|\\?|#)" + f + "=([^&]*)(&|$)", ""));                    if (c)                        return c[2]                }                return o            },Ke: function(e, f) {                var e = e || "", f = f || "?", c = arguments.callee;                c.hasOwnProperty[f] || (c[f] = {});                c = c[f];                if (c.hasOwnProperty(e))                    return c[e];                var i = {}, b = e.indexOf(f), j = e.substring(b + 1).split("&");                if (-1 !== b)                    for (var b = 0, g = j.length; b < g; b++) {                        var d = j[b].split("="), a = decodeURIComponent(d[0]), d = decodeURIComponent(d[1]);                        i.hasOwnProperty(a) ? (i[a].constructor !== Array && (i[a] = [i[a]]), i[a].push(d)) : i[a] = d                    }                return c[e] = i            }}    });

Pay attention to the function Kd. If e can be controlled, attackers can execute any JS Code.

The function is actually used to process JSON. Don't ask me how to know. debugging is always tearful)

Actually, the source is:

Http://zhan.baidu.com/s/7k7k.com

Can be viewed online.

The code generated by browsing is as follows:

Http://news.7k7k.com/gf/

? Bd_cpro_prev = {"selectScale": 10010, "showUrl": "http://wm.baidu.com", "src": "", "type": 2, "title ":"", "isUpload": "0", "imgWidth": "960", "imgHeight": "60", "imgUrl": "http://cpro.baidu.com/cpro/ui/preview/default_img_unit/fix/960x60.jpg", "image, 10010,10013, 10006,10015, 10014], "tip": 0, "linkUrl": "http://wm.baidu.com", "imgTitle": "", "des1": "", "des2 ": ""}

Standard JSON.

Figure 1:
 

Here we can try to replace imgUrl to see the effect.

Figure 2:
 

Check the call:
 

Y && Y("union/preview", ["union/common/bom", "union/common/logic", "union/common/cookie"], function(e, f, c) {        function i(b) {            b = decodeURIComponent(b).replace(/\\x1e/g, "&").replace(/\\x1d/g, "=").replace(/\\x1c/g, "?").replace(/\\x5c/g, "\\");            return f.Kd(b)        }        function b(b, g) {            var d;            d = g ? g.substring(g.indexOf("?")) : e.T(window) ? window.location.search.slice(1) : window.top.location.search.slice(1);            var a = document.referrer, k = 0 <= b.indexOf("inlay") || "ui" === b ? "bd_cpro_prev" : "bd_cpro_fprev", h = "", i;            try {                i = document.cookie            } catch (n) {            }            -1 !==             d.indexOf(k) && (h = f.vc(d, k));            !h && i && -1 !== i.indexOf(k) && (h = c.ha(k));            !h && -1 !== a.indexOf(k) && (h = f.vc(a, k));            return h        }        return {Hb: function(c, g) {                var d = window.location.href, a = parseInt(c.rsi0, 10), e = parseInt(c.rsi1, 10), h = parseInt(c.at, 10), f = t, n = b(g, d);                if (n)                    if (n = i(n), h === l && (h = 1), 1 !== parseInt(n.type, 10) && 2 === (h & 2))                        f = parseInt(n.imgWidth, 10) === parseInt(a, 10) && parseInt(n.imgHeight, 10) === parseInt(e, 10);                    else if (1 === parseInt(n.type, 10) && (1 === (h & 1) || 64 === (h & 64) || 32 === (h & 32)))                        f = m;                return f ? (a = 0 <= g.indexOf("inlay") || "ui" ===                 g ? "bd_cpro_prev" : "bd_cpro_fprev", d = b(g, d), e = c.tn, h = i(d), f = o, 0 <= g.indexOf("inlay") ? f = {serviceUrl: "http://cpro.baidu.com/cpro/ui/preview/templates/" + (1 === parseInt(h.type, 10) ? e + ".html" : 2 === parseInt(h.type, 10) ? "image.html" : 4 === parseInt(h.type, 10) ? "flash.html" : "blank_tips.html") + "?",paramString: ("" + a + "=#" + d + "&ut=" + +new Date).replace(/\.(?!swf)/g, "%252e")} : "float" === g && (h = parseInt(h.type, 10), h = "http://cpro.baidu.com/cpro/ui/preview/templates/" + (2 === h ? "float_image.html" : 4 === h ? "float_flash.html" : "blank_tips.html") +                 "?", d = "tn=" + e + ("&" + a + "=" + d).replace(/\./g, "%252e") + "&ut=" + +new Date, f = {serviceUrl: h,paramString: d}), f) : o            }}    });

See

Var d = window. location. href,

N = B (g, d );

The parameter d is controllable in the address bar.

Function B (B, g) {...} shows the familiar bd_cpro_prev in the function. Do you remember the preceding section about JSON processing?

If (n) n = I (n) ---> function I (B) {...} ---> f. Kd (B), that is, we can execute JS at will.


As shown above, bd_cpro_prev can execute js without any restrictions.

Http://xxx.com /? Bd_cpro_prev = alert (document. domain)

(Please remember to disable ad blocking)

7k7k:

Http://news.7k7k.com/rxjlp? Bd_cpro_prev = alert (document. domain)
 

Tianya:
 

Collection:
 

58 city:
 

 

Solution:

Try JSON. parse ().

Browser verification is not supported.