Century Jiayuan stored XSS: cross-site access to user cookies

Source: Internet
Author: User

I recently analyzed Jiayuan and found a few holes. It was too troublesome to submit them one by one, so I am sending them together. I hope the "Little Girl" will give this more than rank 15; if it is to be handed to someone else instead, I don't want that. That's all for the requirements, enn...... Serving the dishes (please do not despise my title. Century Jiayuan claims to have that many dishes; if there turns out to be no such thing, I will not go into details. Whichever brother is interested in this question, let's explore the injection points together.)

----- A critical vulnerability -----

Originally, I wanted to write a JavaScript worm. The idea was to get the friend list and send the worm to friends; the friends would pass it on by mail without knowing, and then pass the worm on to their friends.... There is no problem with the implementation. After testing, we considered that the impact would be great, and we hope the official site can fix it in time to avoid harm to users.

I hereby solemnly declare that this vulnerability is only used for testing and learning. If you use it to harm others and violate the law, you shall be liable for any consequences.

I promise that the cookies collected during testing will be deleted before publication.

The content input point is not filtered and is output into the friend's mailbox, so a worm can propagate through the mail system, seriously affecting millions of users.

---- Two more small XSS vulnerabilities -------

Vulnerability 1

Jiayuan focuses its protection on input points, but one input point was still found to be unfiltered.

Stored XSS vulnerability

http://www.jiayuan.com/msg/draft.php?moban=1 -> mb_input -> subject is a stored XSS instance.

It triggers against your own account without problem.

The output into the letter is escaped, and no better output point was found, so the impact is small.
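As an added illustration of the defect described above (this is not code from the post or from Jiayuan), the following shows a stored subject rendered unescaped next to the same value escaped for the HTML text and attribute contexts, plus a sweep that lists already-stored subjects containing markup so they can be reviewed once the output fix ships. The sample subject and the `render_*` function names are constructed for this example.

```python
import html
import re

# Constructed sample: a draft subject carrying markup, as a stored-XSS test would submit.
SAMPLE_SUBJECT = '<script>alert(document.cookie)</script> hello'


def render_subject_unsafe(subject: str) -> str:
    """The defect the post reports: the stored subject is placed into HTML as-is."""
    return f'<h2 class="subject">{subject}</h2>'


def render_subject_safe(subject: str) -> str:
    """Escape on output for the HTML text context, independent of any input filtering."""
    return f'<h2 class="subject">{html.escape(subject, quote=True)}</h2>'


def render_attr_safe(subject: str) -> str:
    """The same value reused inside an attribute (the draft form's input box)
    also needs quote escaping, or a '"' in the subject breaks out of the attribute."""
    return f'<input name="subject" value="{html.escape(subject, quote=True)}">'


# Matches an opening or closing tag; good enough for a review sweep, not a sanitizer.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def stored_subjects_with_markup(subjects):
    """Defensive sweep over stored drafts: return the subjects that already contain
    tags, so existing data can be re-escaped or reviewed after the output fix ships."""
    return [s for s in subjects if TAG_RE.search(s)]


if __name__ == "__main__":
    print(render_subject_unsafe(SAMPLE_SUBJECT))
    print(render_subject_safe(SAMPLE_SUBJECT))
    print(render_attr_safe('x" onfocus="alert(1)'))
    print(stored_subjects_with_markup([SAMPLE_SUBJECT, "plain subject", "a < b"]))
```

The point is that escaping happens at the output side for each context; the same stored string is written differently into a text node and into an attribute value, and the input filter that Jiayuan relies on is not what stops the script from executing.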

Vulnerability 2

Reflected XSS

http://webim.jiayuan.com/webim/helper/bridge.php?www.google.co.jp

Response: www.google.co.jp/bridge-

It can be used against specified targets and has a certain impact.

(Screenshots and proof images are not reproduced in this copy.)

--- Finally, a glimpse of what you are really interested in ----

The initial idea was to dig a free mail-reading hole to benefit Jiayuan members.

After analysis, the relationships between id <-> uidhash, msgidhash and msgid in plaintext can be figured out. We wrote a script to run through new msgids, but even with the decrypted msgid, reading the mail returns blank.

Of course, this is the part I haven't analyzed yet. However, I can pass what we found in the early stage on to later brothers and sisters; the analysis may be helpful.

If you find the limiting point, you may find a way to bypass it. That would benefit humanity! Haha

OK ......

For example, I found

msgid plaintext:

73600000019ac57

msgid ciphertext:

9wXc3q4MNpMVoTERJROUTEzKlmMfB * k4qyy3104dvurh9umvfmajvcp0pkk6skai0k7sxczfbhp4sbmsojlomuccqiwa.

(Later I learned that someone had mentioned this question on wooyun. At that time msgid was MD5 or something; now it seems to have changed. Hm~~ Better security, more interesting)

I did not go into the encryption algorithm, because Jiayuan has had holes in this area and so has focused its protection there. Similar to id <-> uidhash (it was mentioned later; I knew it would not need to be so troublesome. Oh, my sister paper is no temptation!)

It is difficult to completely fix the uidhash hole, since many other functions would need to be modified. The reason may be that this problem is not considered to affect security. Who knows about the future...

Continuing from above...

Although we cannot find the encryption algorithm for the ciphertext, the plaintext is regular: it is a counter over the base

["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "a", "b", "c", "d", "e", "f"]

where f + 1 carries.

For example, Msg1 = 73600000019ac57

Msg2 = 73600000019ac57 + 1

The premise is that you run it with a cookie. Here we find that SESSION_HASH, RAW_HASH and COMMON_HASH never change, and the cookie seems to be valid for an indefinite period; at least it remained usable throughout the test. Normally SESSION_HASH should change. I don't know whether this counts as pretty cool ......

... The other cookie items can be ignored.

32-character ciphertext. I guess SESSION_HASH, RAW_HASH and COMMON_HASH are all MD5 values. I didn't look into RAW in detail; I seem to have seen it in some js or function module but didn't pay attention. If you are interested, keep digging.

If the assumption holds, this hole is estimated to be annoying. To protect millions of users, we recommend that Jiayuan's security staff eliminate this risk; better to discover it yourselves than have others do it. Don't just patch over it!

OK. The following work is handed over to the program...

After running it, we found that:

Response.body = 47686 is a regular message

Response.body = 3593 is someone else's message

Response.body = 8.36 KB is an administrator's letter (I forgot to record the exact size; it has little impact)

Response.body = NULL, which is the key!! It is mail sent by others without stamps. (You can focus on how to bypass this, or maybe it is not as simple as I thought. Let's take it for yy! Oh, sister paper, driver, no fear!! Energy Chong Pei Sai!!!) "Data Exception" is returned.

If the inference is correct, bypass the "Data Exception" restriction, or get RAW, SESSION and COMMON out (or steal them), and then members will have no privacy: you can view others' messages and do whatever you like.
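The two weaknesses the post circles around here, a msgid that is a plain hex counter (the "f + 1 carries" rule above) and a session that never rotates, are both about identifiers that a stranger can predict or reuse. As an added example that is not the post's script and not Jiayuan's code, the following shows the defender's side in Python: a message id bound to its owner with an HMAC tag so that counting upward yields nothing usable, a verifier that returns the same failure for a forged tag and for another user's valid token, and a log heuristic that flags a session reading consecutive ids. The secret, the `/msg/read.php` log format, the session values and the log lines are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Hypothetical server-side key. In production it lives in a secret store, never in code.
SERVER_KEY = secrets.token_bytes(32)

HEX_DIGITS = "0123456789abcdef"


def next_hex_id(msgid: str) -> str:
    """Increment a lowercase hex counter with carry (the post's 'f + 1 carries' rule).
    Kept here to show why a bare counter is guessable and to drive the detector below."""
    digits = list(msgid.lower())
    i = len(digits) - 1
    while i >= 0:
        d = HEX_DIGITS.index(digits[i])
        if d < 15:
            digits[i] = HEX_DIGITS[d + 1]
            return "".join(digits)
        digits[i] = "0"
        i -= 1
    return "1" + "".join(digits)


def mint_token(msgid: str, owner_uid: str) -> str:
    """Bind a message id to its owner: msgid.tag, where tag = HMAC(key, msgid:owner).
    Without SERVER_KEY nobody can produce a tag, so msgid + 1 gives no valid token."""
    tag = hmac.new(SERVER_KEY, f"{msgid}:{owner_uid}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{msgid}.{tag}"


def verify_token(token: str, requester_uid: str):
    """Return the msgid if the tag is intact and was minted for requester_uid, else None.
    A forged tag and another user's valid token both yield None, so the response
    does not reveal which check failed (no 'Data Exception' vs 'blank' oracle)."""
    try:
        msgid, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{msgid}:{requester_uid}".encode(), hashlib.sha256).hexdigest()[:32]
    return msgid if hmac.compare_digest(tag, expected) else None


# Constructed access-log format: "<session> GET /msg/read.php?msgid=<hex> <status>"
LOG_LINE = re.compile(r"^(?P<session>[0-9a-f]{32}) GET /msg/read\.php\?msgid=(?P<msgid>[0-9a-f]+) (?P<status>\d+)$")


def flag_sequential_readers(log_lines, threshold=5):
    """Flag sessions whose successive msgid requests are each the previous id plus one.
    Returns {session: run_length} for every session whose run reached `threshold`."""
    last = {}
    runs = defaultdict(int)
    flagged = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        sess, mid = m["session"], m["msgid"].lower()
        runs[sess] = runs[sess] + 1 if sess in last and next_hex_id(last[sess]) == mid else 1
        last[sess] = mid
        if runs[sess] >= threshold:
            flagged[sess] = runs[sess]
    return flagged


# Constructed sample log: session A walks six consecutive ids starting from the post's
# example value; session B reads two unrelated ids.
SESSION_A = "a" * 32
SESSION_B = "b" * 32
SAMPLE_LOG = [
    f"{SESSION_A} GET /msg/read.php?msgid=73600000019ac57 200",
    f"{SESSION_B} GET /msg/read.php?msgid=73600000019ab10 200",
    f"{SESSION_A} GET /msg/read.php?msgid=73600000019ac58 200",
    f"{SESSION_A} GET /msg/read.php?msgid=73600000019ac59 200",
    f"{SESSION_B} GET /msg/read.php?msgid=7360000001a0000 200",
    f"{SESSION_A} GET /msg/read.php?msgid=73600000019ac5a 200",
    f"{SESSION_A} GET /msg/read.php?msgid=73600000019ac5b 500",
    f"{SESSION_A} GET /msg/read.php?msgid=73600000019ac5c 500",
]

if __name__ == "__main__":
    tok = mint_token("73600000019ac57", "1001")
    print(tok, verify_token(tok, "1001"), verify_token(tok, "1002"))
    print(flag_sequential_readers(SAMPLE_LOG))
```

The tag is truncated to 128 bits only to keep URLs short; the owner id is mixed into the MAC input so the token is useless from any other account, which is the server-side authorization check that the post's blank-versus-"Data Exception" responses suggest is missing. The detector is a heuristic, not proof: legitimate clients rarely ask for ids in counting order, so a run of five is a reasonable first alert threshold to tune against real traffic.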
