Log storage XSS caused by a function defect in the QQ space

Source: Internet
Author: User

This stored XSS is caused by a functional defect in the log (blog) feature of QQ Zone. Almost every time you take a look at QQ Zone you can find a stored XSS. This write-up focuses on locating the key code, with some debugging tips.

1. QQ Zone logs include a "grid log" function. We can freely write a log of this type.
2. Capture the packets and view the published log. Worth noting: the log content output in the HTML is an img tag, yet what we see in the log is FLASH.
3. From the above it follows that some DOM operation converts the IMG tag into an OBJECT tag. We first get the FLASH name, then use it to locate the function code related to this grid log.
----------------------------- Split line ----------------
5. OK, everything above was just preamble; the focus is what follows. The FLASH leads us to this JS file: http://ctc.qzs.qq.com/qzone/app/blog/v6/script/content_gridsblog.js. Beautify it and inspect the code. The FLASH part turns out not to be controllable, but the following code can be found:
   GridsScheduler._showGridBlogShortcut();
   --> inside the _showGridBlogShortcut function:
   eval('var oGridInfo = ' + PageScheduler.blogInfo.getGridData());
6. What is the data that PageScheduler.blogInfo.getGridData() hands to eval? Because it is a variable on the iframe page, PageScheduler.blogInfo.getGridData cannot be printed directly in the console. We can use the "map network JS to a local file" method: map the script to a local JS file and modify it as follows:
   ....
   alert(PageScheduler.blogInfo.getGridData());
   eval('var oGridInfo = ' + PageScheduler.blogInfo.getGridData());
   ....
7. Next, refresh the page and reopen the log. (Because the _showGridBlogShortcut function contains a condition, the log must be viewed under an identity other than the log owner before this triggers.) The PageScheduler.blogInfo.getGridData() data then appears in the popup.
8. Is this data controllable? The answer: very likely, because this data is already present when we submit the log, for example in the submission request.
9. In that case, modify the gridJson field and add your own JS code.
10. View the test account's log from your own account, and the code runs successfully.


Affected browsers: IE and Chrome.

Solution:

Validate or filter the data before it reaches eval, without affecting the function.
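The defect in step 5 is the eval call: the stored gridJson string is concatenated into source code and executed. The following is an added example, not Qzone's code and not part of the original write-up: the eval-based parse beside a hardened replacement that implements the suggested fix, parsing the field as data and validating its shape rather than evaluating it. The field names cols and items and the bound on cols are assumptions for illustration; the real gridJson schema is not shown on the page.

```javascript
// Added example, not Qzone's code: the eval-based parse described in the
// write-up beside a hardened replacement. The grid-info shape used here
// (an integer "cols" and an array of string "items") is an ASSUMPTION for
// illustration; the real gridJson schema is not shown in the write-up.

// Vulnerable pattern (the shape of the call in _showGridBlogShortcut):
// the string returned by getGridData() is concatenated into source code and
// executed, so whatever JavaScript the stored gridJson field contains runs
// in the viewer's page context. The trailing "; oGridInfo" only lets this
// function return the evaluated value.
function parseGridDataUnsafe(gridData) {
  return eval('var oGridInfo = ' + gridData + '; oGridInfo');
}

// Hardened replacement: parse as data, never as code, then allow-list the
// fields and types the rendering code actually needs. Returns null on any
// input that is not well-formed, so callers can fall back to a default grid.
function parseGridDataSafe(gridData) {
  let parsed;
  try {
    parsed = JSON.parse(gridData); // throws on anything that is not JSON
  } catch (e) {
    return null;
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return null;
  }
  const cols = parsed.cols;
  if (!Number.isInteger(cols) || cols < 1 || cols > 6) {
    return null; // assumed bound, for illustration only
  }
  const items = parsed.items;
  if (!Array.isArray(items) || !items.every((s) => typeof s === 'string')) {
    return null;
  }
  // Copy only the allow-listed fields; unexpected keys never reach DOM code.
  return { cols: cols, items: items.slice() };
}

// Constructed sample inputs (not captured from Qzone).
// A well-formed grid description:
const SAMPLE_GOOD_GRID_JSON = JSON.stringify({ cols: 2, items: ['a.jpg', 'b.jpg'] });
// Not JSON: "cols" is an expression. eval evaluates it (any other expression,
// including one with side effects, would run the same way), while JSON.parse
// rejects it.
const SAMPLE_EXPRESSION_GRID = '{"cols": 1 + 1, "items": []}';
// Valid JSON but the wrong shape: cols is a string, not an integer.
const SAMPLE_WRONG_SHAPE_GRID = '{"cols": "2", "items": []}';

// Run both parsers over the samples and report which inputs each accepts.
function compareParsers() {
  const inputs = [SAMPLE_GOOD_GRID_JSON, SAMPLE_EXPRESSION_GRID, SAMPLE_WRONG_SHAPE_GRID];
  return inputs.map((input) => {
    let unsafe;
    try {
      unsafe = parseGridDataUnsafe(input);
    } catch (e) {
      unsafe = null;
    }
    return {
      input: input,
      unsafeAccepts: unsafe !== null,
      safeAccepts: parseGridDataSafe(input) !== null,
    };
  });
}

console.log(compareParsers());
```

The eval version accepts all three inputs, including the expression and the wrong-shape object, while the hardened version accepts only the well-formed one. The allow-list copy at the end matters as much as JSON.parse: even valid JSON can carry keys the rendering code never expected, and handing the raw parsed object to DOM-building code would just move the injection point.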
