Translation software hijacking attacks (vulnerability warning, the black bar safety net)

2009-02-24 00:00:00
佚名 (Anonymous)
www.myhack58.com (MYHACK58:62200922291)

Original link: http://xeye.us/blog/2009/02/翻译软件劫持攻击/

Do you trust your mouse?

Have you ever wondered whether, when you select a passage with the mouse and your translation software's screen word-capture feature translates it, something hiding in a corner could be hacking you?

– xeye hack team.

To carry out the attack described above, two conditions must be met:

  1. Find a vulnerability in the translation software, and one that can be triggered remotely.

  2. Assuming 1 holds, the remote trigger must go through the browser, so the translation software must be capturing words from the browser, and so on.

So let us look for problems in some translation software.

The most common is Kingsoft PowerWord (the version co-branded with Google), followed by Lingoes and Youdao.

Since the translation software does not expose an ActiveX interface or anything similar that the browser calls directly, the only link between the two is word capture.

So start from word capture. First look at what protection the software's built-in browser has:

Lingoes:

If you search directly in the software for a string such as <iframe width=10 height=10 src=http://www.baidu.com></iframe>, it is not executed; you will see that it automatically falls back to smart word capture, because the current symbols are not in the dictionary.

But if you construct a string in which only one symbol can be found in the dictionary, it is treated as a sentence and sent for full-text translation, and this is where the problem appears:

[Screenshot: Lingoes full-text translation result]

Analysing the network packets shows that it calls Google's online translation and then processes the returned data; that is, it uses Google's full-text translation function. The white area is a frame. Probably because of some restriction inside the software, the frame could not load Baidu's page and display it.

But at least the code is executed.

Now look at Kingsoft PowerWord:

[Screenshot: PowerWord translation result]

No configuration is needed; it works directly, a perfect cross-site script.

But using a script tag you will find it is not executed, because the translation detects it. So what can we do?

Use another tag and add the javascript: pseudo-protocol:

<img onerror="javascript:alert();" src=g.cn></img>

Fine. But because of the input box length limit there is actually not much you can do. You can turn PowerWord into a browser and browse Baidu inside it, or try visiting a drive-by malware ("hanging horse") site inside it to see whether it can be overflowed, and so on... Maybe you will find a simple secure browser...

As for single-word translation: it calls its own website's search service and displays the result in the client, and apparently its own website filters well. No obvious problems; nothing to pick on there.

But! We need to do this remotely!

So look at the two places that went wrong and at what functions the software provides that can be used. From the local tests you can already roughly work out how to construct a string that triggers the problematic function, because you already know where it goes wrong, what the limits are, and what is filtered.

Lingoes screen word capture: select a specified number of characters with the mouse, and it performs full-text translation.

PowerWord screen word capture: if that option is enabled, it achieves the same function as Lingoes; otherwise it only translates the word.

Packet capture shows that Lingoes performs full-text translation over the network; it sends a string similar to:

www.google.com/uds/Gtranslate?callback=google.language.callbacks.id100&context=22&q=%3Ctextarea%20id%3D%22txt1%22%3EHello%20world....%3C%2Ftextarea%3E&langpair=%7Czh-CN&key=notsupplied&v=1.0

And:

http://www.hudong.com//dict.do?title=<textarea id%3D"txt1">Hello world....<%2Ftextarea>&from=lingoes&type=1

http://lingoes.cn/wapi.php?q=\u003ctextarea id\u003d\"txt1\"\u003e您好世界.... \u003c%2Ftextarea\u003e&client=lingoes

Then search the returned results for the translation result. Generally only Google's full-text translation result can be found.

Testing showed that Lingoes, when handling full-text translation, processes the data Google returns badly: if the screen-captured text contains HTML code, the software parses it. So as long as you construct a simple string and have Lingoes translate it, the effect described at the start of this article is achieved.
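The following is an added example, not code from the original post and not the Lingoes or PowerWord code. It models the two places the post shows the word-capture flow going wrong: on the request side it decodes the q= parameter of the Google call captured above to show that the selected text is sent verbatim (useful for a proxy or host log check); on the response side it contrasts dropping translatedText into the result pane as HTML with escaping it first, and shows why the script-tag blocklist the post attributes to PowerWord is not enough. The JSON response shape is a constructed sample modelled on the old Google AJAX Language API; its exact field names are an assumption.

```python
"""Added example: request-side detection and response-side hardening for a
word-capture translation client. Not the original post's or any vendor's code."""
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the capture request shown in the post's packet capture.
CAPTURED_REQUEST = (
    "http://www.google.com/uds/Gtranslate?callback=google.language.callbacks.id100"
    "&context=22&q=%3Ctextarea%20id%3D%22txt1%22%3EHello%20world....%3C%2Ftextarea%3E"
    "&langpair=%7Czh-CN&key=notsupplied&v=1.0"
)

# Constructed sample response (field names assumed from the old Google AJAX
# Language API): Google echoes the untranslatable markup back in translatedText.
SAMPLE_RESPONSE = json.dumps({
    "responseData": {"translatedText": '<textarea id="txt1">你好世界....</textarea>'},
    "responseDetails": None,
    "responseStatus": 200,
})

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
EVENT_ATTR_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def captured_text(request_url: str) -> str:
    """Decode the q= parameter: this is exactly what the user selected on screen."""
    query = parse_qs(urlsplit(request_url).query)
    return query.get("q", [""])[0]


def looks_like_markup(text: str) -> bool:
    """Detection rule: captured text or a translation that contains a tag or an
    on*= event attribute must never reach an HTML renderer unescaped."""
    return bool(TAG_RE.search(text) or EVENT_ATTR_RE.search(text))


def strip_script_tags(text: str) -> str:
    """The kind of blocklist the post says PowerWord applies (script tags are
    detected and not run). Included only to contrast with escaping: any other
    tag passes through untouched."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.IGNORECASE)


def _translated_text(response_json: str) -> str:
    return json.loads(response_json)["responseData"]["translatedText"]


def render_unsafe(response_json: str) -> str:
    """What the post describes Lingoes doing: translatedText is dropped into the
    result pane as HTML, so any markup in it is parsed."""
    return f"<div class='result'>{_translated_text(response_json)}</div>"


def render_safe(response_json: str) -> str:
    """Hardened form: escape before rendering, so tags become visible text."""
    escaped = html.escape(_translated_text(response_json), quote=True)
    return f"<div class='result'>{escaped}</div>"


if __name__ == "__main__":
    q = captured_text(CAPTURED_REQUEST)
    print("selected text sent to Google:", q)
    print("markup in capture?", looks_like_markup(q))
    print("unsafe render:", render_unsafe(SAMPLE_RESPONSE))
    print("safe render:  ", render_safe(SAMPLE_RESPONSE))
```

The point of the two render functions is that the fix belongs at the rendering boundary: the client cannot rely on the translation service to strip markup, because the service legitimately returns the input text when it cannot translate it.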

Since WP automatically converts punctuation to Chinese punctuation, the test string has been moved here:

http://hi.baidu.com/xeye_g/blog/item/de60cecbabf35481c91768a0.html

As long as you use Lingoes to select all of those characters for screen word capture, full-text translation is performed and the Baidu home page opens.

Everyone is welcome to leave a message and discuss the various ways of using this.

Lustful day has begun!

Just for fun!