Sohu mailbox stored XSS (where " < > ( ) [ ] \ % ; are all filtered)

Source: Internet
Author: User


A classic black-box XSS bypass analysis: with this much filtered, it still got done in the end. This should be the first case of its kind on wooyun!
At present, too many wooyun vulnerability reports take the form of one URL plus one screenshot. I hope there will be more technology-sharing reports like the second brother's in the future.

Detailed description:

1. I started with the rich-text area of the mail body. After testing it for a while I found nothing interesting, so I moved on to the from parameter and prepended a test string:

">

2. Looking at the page source, I found the value had been filtered, but the filtered output looked odd enough to be worth studying further.

3. Testing showed that the from parameter cannot be changed freely: it must end with a mailbox such as @sohu.com.

So far, nothing. From the filtering above we can see that `">` and `<` are filtered directly, so breaking out through the angle brackets looks impossible. Instead, try to work out the double-quote filtering rule here and, once past it, construct the XSS inside the td tag.

4. Then some tests.

Entering `"onfocus="alert(2)"@sohu.com` returns the following.

Continuing with `"onfocus=alert(2)@sohu.com` returns the following.

After some more tests it turned out that this form breaks through: `"onfocus="alert(2)//@sohu.com` returns the following.

5. The double quote has been broken out of, but the parentheses () are filtered here.

Don't panic: use `location='javascript:alert%281%29'` (URL-encoded parentheses) or the same call written with JavaScript backslash escapes (`location='javascript:alert\`...).

Entering `"onfocus="location='javascript:alert%281%29'//@sohu.com` returns the following.

Entering the backslash-escaped form, `"onfocus="location='javascript:alert\`..., returns the following.

It seems that all of them are filtered out again.

6. After a long time I still could not work out the filtering mechanism. Then I remembered that the `">@sohu.com` test had come back at this position, and wondered whether encoded forms of `>` and `<` could get past the mechanism here.

Enter `">@sohu.com`

There is a different response!

However, there is nothing to use, because the backslash \ is filtered out.

Then I tried again with `">@sohu.com`; as expected, the percent sign % is also filtered. The following is returned: the output is written out directly and is not parsed.

HTML entity encoding was also tried; the value is truncated at the semicolon ; and the rest is output directly without being parsed.

For example, entering `">@sohu.com` returns the following.

More than an hour of testing by now. This step is really tough because `"`, `<`, `>`, `(`, `)`, `\` and `%` each have their own filtering mechanism.

With `"`, `<`, `>`, `(`, `)`, `\`, `%` and `;` all unusable, how can XSS be constructed at all? The biggest problem is that the nickname is of no use.

Directly constructing the code here seems hopeless; the approach has to change. Can the JS code be split out and written elsewhere?

The second brother has a previous case of this: when one point is heavily restricted, the code is moved to another point, for example into the name field, which is then read back through this.name.

Similar to this.

However, this.name here is restricted exactly like the insertion point, so that does not work.

8. Without noticing, I had been at it for more than two hours. Searching Baidu gave no inspiration and I could not think of any good trick, so I fell back on the cheat (that is, opened QQ and asked the second brother).

Sure enough, the second brother is the god of XSS. He said this is a good find: if this.name can't be used, use something like `location=xx.yy.zz.mm.innerHTML`, that is, find some location on the page whose content can be used.

9. Sort out the ideas and proceed. Because the insertion point is in the sender position, there seems to be only one controllable location on this page, namely the subject. The body content is not loaded on this page; otherwise the rich text of the body would of course be the best position.

10. This test point is a flaw in the sender position of the mail list, so it seems only the subject can be combined with it. First: the subject label is the 9th child element of the insertion point's parent node.

Then try to construct `">@sohu.com`

this.parentNode gets the parent node of the insertion point (that is, the tr element). children[8] then gets the 9th child element of that node, and innerText gets that element's text content. location is then assigned the subject text, javascript:alert(1), and the XSS is constructed successfully.

I didn't expect the brackets [] to be filtered: the string is cut at the [ into two parts!

Three hours have passed by now. Calm down and continue. Brackets [] can't be used here either, so the approach changes again. Before continuing, a short primer on JavaScript DOM tree node properties.

firstElementChild: first child element node

lastElementChild: last child element node

nextElementSibling: next sibling element node

previousElementSibling: previous sibling element node

In this way, firstElementChild, nextElementSibling and previousElementSibling can be combined to locate the element you want when square brackets cannot be used.

There are 11 elements in the parent node and we want the 9th, the subject. It is clearly easier to combine lastElementChild and previousElementSibling: get the parent node, then its last child, then step back with previousElementSibling and read the text content. The code becomes:

"> @ Sohu.com
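
As an added illustration of the DOM primer above (example code, not from the writeup or from Sohu), the following Node.js script models the four navigation properties on a small tree and resolves a children[n] index with sibling walking alone, generalising the single instance the writeup uses. The Element class, buildRow and childBySiblings are constructed for this example, and the cell texts are sample data. The point for a defender is that stripping `[` from input removes one spelling of an element lookup, not the capability, so a filter has to stop script from running at all rather than police its syntax.

```javascript
// Added example, not code from the writeup: a tiny stand-in for the DOM so the
// four navigation properties from the primer can be exercised offline.
class Element {
  constructor(tagName, innerText = '') {
    this.tagName = tagName;
    this.innerText = innerText;
    this.parentNode = null;
    this.children = [];
  }
  appendChild(child) {
    child.parentNode = this;
    this.children.push(child);
    return child;
  }
  get firstElementChild() {
    return this.children.length ? this.children[0] : null;
  }
  get lastElementChild() {
    return this.children.length ? this.children[this.children.length - 1] : null;
  }
  get nextElementSibling() {
    if (!this.parentNode) return null;
    const sibs = this.parentNode.children;
    const i = sibs.indexOf(this);
    return i + 1 < sibs.length ? sibs[i + 1] : null;
  }
  get previousElementSibling() {
    if (!this.parentNode) return null;
    const sibs = this.parentNode.children;
    const i = sibs.indexOf(this);
    return i > 0 ? sibs[i - 1] : null;
  }
}

// A row shaped like the mail-list <tr> in the writeup: 11 <td> cells with the
// subject in the 9th (index 8). Cell texts are constructed sample data.
function buildRow() {
  const tr = new Element('tr');
  for (let i = 0; i < 11; i++) tr.appendChild(new Element('td', `cell ${i}`));
  tr.children[8].innerText = 'subject text';
  return tr;
}

// Resolve parent.children[n] with sibling navigation only, walking in from
// whichever end is nearer. Returns the node and the property chain used, so
// the index form and the sibling form can be compared directly.
function childBySiblings(parent, n) {
  const count = parent.children.length;
  if (!Number.isInteger(n) || n < 0 || n >= count) {
    throw new RangeError(`index ${n} out of range for ${count} children`);
  }
  let node;
  const chain = [];
  if (n <= count - 1 - n) {
    node = parent.firstElementChild;
    chain.push('firstElementChild');
    for (let i = 0; i < n; i++) {
      node = node.nextElementSibling;
      chain.push('nextElementSibling');
    }
  } else {
    node = parent.lastElementChild;
    chain.push('lastElementChild');
    for (let i = count - 1; i > n; i--) {
      node = node.previousElementSibling;
      chain.push('previousElementSibling');
    }
  }
  return { node, chain: chain.join('.') };
}

// Stand-alone run: show that index 8 of 11 is reached in two steps from the end.
const demoRow = buildRow();
const demo = childBySiblings(demoRow, 8);
console.log(demo.chain, '->', demo.node.innerText, '| same node:', demo.node === demoRow.children[8]);
```

For index 8 of 11 the chain comes out as lastElementChild.previousElementSibling.previousElementSibling, exactly the path the writeup arrives at by hand; for an index in the first half the function walks forward from firstElementChild instead.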





12. Checking the code, it is written in successfully but not executed, because it is triggered only by onfocus. To get it to execute, add tabindex.

Modify the code accordingly:

`">@sohu.com`

At this step, right-clicking the recipient in Google Chrome triggers it.

13. However, after all this time it still needs a right-click, which is not much use, so we still need a way to trigger it automatically. Here, try to break through by constructing a payload that applies to all tags.

One XSS payload that works on all tags

#c

For example, if the htm address is http://xxxxxxxx.htm

then the XSS address is http://xxxxxxxx.htm#c

Checking the Sohu mail inbox URL, it is http://mail.sohu.com/bapp/177/main?maillist_1. In other words, adding id=mailList_1 to this code makes it trigger automatically when the message is listed!

14. But things are rarely that simple. From the result of the first `">@sohu.com` insertion, it is not possible to write multiple attributes such as id directly on top of the current code.

Because `">` is parsed.

Then I tried separating them with `/>`, and it is parsed.

`">@sohu.com`

With the equals sign, the tragedy happens again.

15. I tried a variety of positions but couldn't get it to work. Then I simply tried these filtered characters to see whether they could cause parsing problems and get written into the elements.

`">id=mailList_1 onfocus=location=this.parentNode.lastElementChild.previousElementSibling.previousElementSibling.innerText>px1624%40sohu.com`

`">px1624%40sohu.com`

`">px1624%40sohu.com`

......

Finally, I found that [] seems to be usable for truncation, but there is a problem with the space position.

`">px1624%40sohu.com`

So try `">[Email protected]`

It seems that the way [] is handled here can be used in place of a space as a separator.

16. Click the inbox to trigger. The detailed principle: in the inbox, #mailList_1 moves focus to the td element with that id, which triggers onfocus and executes location; the DOM traversal then reads the subject text, forming the XSS.

Now all mainstream browsers that support the DOM can be hit this way. For IE8 and earlier IE versions, the DOM-controlled code needs a slight change, a compatibility issue, as follows:

`">[Email protected]`

Of course, loading an external JS file is also no problem. For example, note that the JS code after javascript: must be URL-encoded first, otherwise it will be truncated in the middle.

It took half a day to complete the whole process.

Summary:

Try more, think more, and search Baidu when you hit a wall; if you are still stuck, call the second brother.


Solution:

Modify the filtering logic.
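
What modifying the filtering logic should mean in practice, shown as an added example (not Sohu's code or the writeup's): the sender value is validated against an allowlist and then entity-encoded for the attribute and text contexts it is rendered into, placed next to a character blacklist of the kind the writeup defeats, which is kept here only to show the difference. The function names, the regular expressions, the `<td>` shape and the sample addresses are assumptions made for this example.

```javascript
// Added example, not the original page's or Sohu's code. It contrasts a
// character blacklist (the approach the writeup bypasses) with allowlist
// validation plus contextual HTML encoding for the sender cell of a mail list.

// Foil: delete the characters the writeup lists as filtered. Everything else,
// including the double quote in this simplified version, passes through
// untouched (an assumption made to keep the foil short).
const BLACKLIST = /[<>()[\]\\%;]/g;
function blacklistStrip(value) {
  return String(value).replace(BLACKLIST, '');
}

// Hardened step 1: allowlist. A sender is a plain local part at sohu.com
// (pattern is an assumption); anything else is rejected rather than "cleaned".
const SENDER_RE = /^[A-Za-z0-9._-]+@sohu\.com$/;
function validateSender(value) {
  if (typeof value !== 'string' || value.length > 254) return null;
  return SENDER_RE.test(value) ? value : null;
}

// Hardened step 2: encode for HTML text and double-quoted attribute contexts.
// With every metacharacter encoded, the parser cannot see new tags or attributes.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// Render the sender cell the unsafe way: blacklist, then string concatenation.
function renderSenderCellBlacklist(from) {
  const cleaned = blacklistStrip(from);
  return `<td title="${cleaned}">${cleaned}</td>`;
}

// Render it the safe way: validate, fall back to a neutral placeholder, and
// encode separately for the attribute value and the text node.
function renderSenderCell(from) {
  const sender = validateSender(from);
  const shown = sender === null ? '(invalid sender)' : sender;
  return `<td title="${encodeHtml(shown)}">${encodeHtml(shown)}</td>`;
}

// Cheap regression check for the attribute breakout the writeup demonstrates:
// does the rendered markup carry any name=value pair other than our title?
function hasUnexpectedAttribute(html) {
  const attrs = html.match(/\b[a-zA-Z-]+=(?=["'\w])/g) || [];
  return attrs.some((a) => a !== 'title=');
}

if (typeof require !== 'undefined' && require.main === module) {
  const probe = '"onfocus="alert(2)//@sohu.com'; // the probe string from the writeup
  console.log(renderSenderCellBlacklist(probe));
  console.log(renderSenderCell(probe));
  console.log(renderSenderCell('alice@sohu.com')); // constructed sample address
}
```

Run with node: the blacklist rendering hands the HTML parser an onfocus attribute even though every character on the filter list was removed, the encoded rendering never contains a raw quote or angle bracket, and a value that fails the allowlist is replaced by a placeholder before it reaches the page at all. Encoding is what closes the hole; the allowlist is defence in depth and also keeps junk out of the stored data.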
