Tencent mailbox storage xss reuse and repair

Source: Internet
Author: User

1. The preceding construction process is the same. First, jpg is constructed.
2. Send the constructed jpg file to any friend's QQ mailbox.


3. Obtain the image address that can be viewed by the peer
After sending the email, click "view this email"


Get image address





Whether the pop-up window is opened when the address obtained by the test is logged on to the sender's QQ mailbox. If the pop-up window appears, the available address is used.
If you are prompted to download the file, your destination address is incorrect.


After you get the address that can pop up the window
... Click to recall the email...
... Click to edit again...
... Return to the edit box ....
Do not touch the previous figure.



The key step is to copy the image address
Add text to text in the form of Hyperlink
Previously, I directly threw the link to this edit box.
I compared the differences
The a tag generated when the connection is directly lost
Is opened in a new window and is an absolute path
By adding a hyperlink through the edit box, it is a qq domain
The absolute path changes to the relative path, and if
Click this link to use the iframe framework.


Send the edited content again.
Now the construction process is complete.

4. Clear all cache cookies in the browser to view the effect.

... Open the account and click the hyperlink to open the email you just sent.


... Alert is displayed successfully.


I don't know why adding an image address to a hyperchain sid does not work. (is it because of the relative path ?) The biggest reason why sid does not work is that the same image address can be sent to anyone.

Source of inspiration: pictures uploaded by QQ mail can be viewed by anyone. This may mean that the image address will not change, so there may be no permission for verification. I think that the QQ mail image preview function outputs not the image itself, but the byte output by the program. As further mining and discovery can be used, because at the time of mining, it was based on physical attacks. Therefore, the whole construction process did not take more than an hour.
I did not expect to encounter so many obstacles when I reproduce the attack again.


Don't let him play.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.