Description
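### Brief description:
Tongda OA's Weixun (micro-message) feature sends messages in real time to online users (offline users receive them the next time they log in). Script code can be inserted into a message. When the message is sent to a chosen user, the recipient receives it immediately, which may lead to cookie theft and to actions being performed on the recipient's behalf, such as automatically publishing shares and adding or deleting log entries.
### Details:
The tested version is Office Anywhere 2011.
### Proof of vulnerability: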
![1.jpg](https://images.seebug.org/upload/201306/081147388733c7db4dba4033d78a742529f25a74.jpg)
![2.jpg](https://images.seebug.org/upload/201306/0811480323f4347a0b57c9b089887c1bc4ef5cbb.jpg)
This is the result after sending the message: no dialog box popped up.
Burp Suite shows that certain symbols were escaped when they were entered.
![3.jpg](https://images.seebug.org/upload/201306/08114836c405527f561b7b49108719c0df990614.jpg)
Try changing the escaped symbols back to their original form and sending the request again.
![4.jpg](https://images.seebug.org/upload/201306/08114859033a2e1e945ceb6e08b590c6d5b72282.jpg)
The result after modifying the request and sending it again is shown below:
![5.jpg](https://images.seebug.org/upload/201306/0811492519fc2522c2ad443fbeab81cbe1232ba5.jpg)
The JS script sent to steal the cookie is as follows:
![6.jpg](https://images.seebug.org/upload/201306/081150166261d69f0566f0331afceada09659bd5.jpg)
The cookie of an online user was stolen successfully.
![7.jpg](https://images.seebug.org/upload/201306/081150395313df367679e83b127ea788da8ec4e1.jpg)
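
The bypass above works because the symbols were escaped only on input in the browser, so a request edited in a proxy delivered raw markup that was later rendered as-is. The sketch below is an added example, not code from Tongda OA or from the original report; every function name and the marker string are hypothetical and constructed. It contrasts that design with HTML-encoding on the server at output time.

```javascript
// Added example (hypothetical names): input escaping in the browser vs.
// output encoding on the server, for a stored message body.

// HTML-encode text destined for element content.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// What the web form does before submitting; a proxy user can undo this.
function clientSideEscape(text) { return encodeHtml(text); }

// Weak design: the server trusts that the body was escaped by the client.
function renderMessageVulnerable(storedBody) {
  return `<div class="msg">${storedBody}</div>`;
}

// Corrected design: encode when rendering, whatever the request contained.
function renderMessageHardened(storedBody) {
  return `<div class="msg">${encodeHtml(storedBody)}</div>`;
}

// True if the message body would be parsed as markup by the recipient's browser.
function containsLiveMarkup(html) {
  const inner = html.replace(/^<div class="msg">/, "").replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Constructed, benign test marker (pops a dialog if it ever executes).
const marker = "<script>alert(1)</script>";

// Render the marker via the normal form path and via an edited request.
function simulate(render) {
  return {
    formPathLive: containsLiveMarkup(render(clientSideEscape(marker))),
    editedPathLive: containsLiveMarkup(render(marker)),
  };
}

console.log("vulnerable:", simulate(renderMessageVulnerable));
console.log("hardened:  ", simulate(renderMessageHardened));
```

With output encoding in place the client-side escaping should be dropped, otherwise messages sent through the form are encoded twice and display literal entities.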
Title: Tongda OA Weixun feature persistent XSS vulnerability (通达OA微讯功能持久性XSS漏洞)
Source: https://www.seebug.org/vuldb/ssvid-96133
ID: SSV:96133
Published: 2013-06-19
Reporter: Root