This article is also posted on the tianma xingkong forum (tmxk.org), where the FAQ below was discussed.
By: 0x0F3r
This vulnerability was a struggle from discovery to exploitation, so let me walk through the process. I opened http://v.163.com, found a search box and, out of habit, entered aaaa"> and submitted it, which produced a link like this:

http://search.v.163.com/search/00-00-00-0000-00-aaaaaa">/

Searching the page source for aaaa showed that every occurrence had been filtered. I was about to move on, but I clicked the "who brought this mountain to the Spring Festival Gala" suggestion next to the search box. Reading that page's source, I found that the keyword also appears in the pagination area, so I wanted to see what happens when a search actually has results. I tested it like this:

http://search.v.163.com/search/00-00-00-0000-00-%E6%9C%22%3E/

and the expected result appeared.

That did not solve the problem yet: I still needed to pop an alert, but as soon as I added the alert code it stopped working. What to do?

I kept testing. After trying spaces, & and |, I found that | is treated as a "logical or" between filter terms, which made popping the alert easy. Thinking that was it, I confidently opened aq.163.com, but then found that this URL did not work:

http://search.v.163.com/search/00-00-00-0000-00-%E6%9C%AC%22%3E|%3Cimg%20onerror%3D%22alert%281%29%22%20src%3D%22x/

It turns out that a space is treated as a "logical and" between filter terms, so removing the space should fix it:

http://search.v.163.com/search/00-00-00-0000-00-%E6%9C%AC%22%3E|%3Cimg/onerror%3D%22alert%281%29%22src%3D%22x/
FAQ from tmxk.org

Question (X5ser, posted on the morning of November 8):

Will a space be used as a "logical and" filter? Do you mean that the server filters the strings before and after the space separately??? I can't figure this out. In tag processing with <>, whether or not there are spaces inside the tag, a space inside the tag would be treated as a filter condition; if no space is entered, the server may impose some restriction. The space between a tag's attributes can be replaced by /. I still don't quite understand the operators | and &. Why can "logical or" be used to execute the following alert? What is the server's processing mechanism?? With "logical or", the result is true when either of the two conditions is met, so in this case why is the returned result not true? 0x0F and everyone, please answer the questions above. Thank you ~

Reply:

On the first question: I mean that the text before and after the space is filtered as two keywords at the same time. For example, with the earlier keyword "who brought the mountain to the gala", searching for "mountain Spring Festival Gala" means that "Mountain" and "Spring Festival Gala" must both appear, but they can be separated.

On the second question, why alert can be executed using "logical or": with logical or, results are returned if either of the two sides is true. The first test showed that searching for 本"> returns the results for 本, so the quotation marks and angle bracket do not interfere with the search for 本. After 本"> I add | and then the xss code. The search for the xss code certainly has no results, while 本"> does, and either side being true returns true; that is, 本"> is selected as true (results exist), which forms the xss.
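To make the reply concrete, here is an added Python model (not code from the post or from 163.com) of the search semantics it describes: | is "or" between alternatives, a space is "and" between keywords, and the result page echoes the raw query. It assumes, as a stand-in, a tiny constructed title index, that punctuation such as " and > is dropped before matching (which is why 本"> still finds 本), and that the echo lands in an attribute; the fix shown is the one that matters regardless of search semantics, HTML-encoding the echoed query.

```python
import html
import re

# Constructed stand-in for the video title index; not data from 163.com.
CORPUS = ["本山大叔上春晚", "春晚小品集锦", "春节联欢晚会回顾"]


def _keyword(token: str) -> str:
    # Assumption: the search drops punctuation before matching, so the
    # token 本"> is matched as the keyword 本.
    return re.sub(r"\W+", "", token)


def has_results(query: str) -> bool:
    """Operator semantics from the post: '|' is OR between alternatives;
    a space inside an alternative is AND, and all of its keywords must
    appear in the same title for that alternative to be true."""
    for alternative in query.split("|"):
        keywords = [k for k in map(_keyword, alternative.split()) if k]
        if keywords and any(all(k in doc for k in keywords) for doc in CORPUS):
            return True
    return False


def render_vulnerable(query: str) -> str:
    """Assumed result page: the raw query is echoed into an attribute.
    The OR makes the benign alternative true, so this path is reached."""
    if not has_results(query):
        return "<p>no results</p>"
    return f'<input name="q" value="{query}">'


def render_fixed(query: str) -> str:
    """Same page with the one change that matters: encode the echo, so
    whatever survives the search operators cannot break out of the attribute."""
    if not has_results(query):
        return "<p>no results</p>"
    return f'<input name="q" value="{html.escape(query, quote=True)}">'
```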