1. The construction process is the same as before: first, construct the jpg.
2. Send the constructed jpg file to any friend's QQ mailbox.
3. Obtain an image address that the recipient can view: after sending the email, click "view this email" and get the image address.
Test whether the pop-up window appears when the obtained address is opened while logged in to the sender's QQ mailbox. If the pop-up appears, the address is usable.
If you are prompted to download the file instead, the address you have is the wrong one.
Once you have an address that triggers the pop-up window: click to recall the email, click to edit it again, and return to the edit box.
Do not touch the previous image.
-------------------------------------
The key step is to copy the image address and add it to the text as a hyperlink.
Previously, I pasted the link directly into this edit box. Comparing the two:
the a tag generated when the link is pasted directly opens in a new window and uses an absolute path;
when the hyperlink is added through the edit box, it is on the qq domain, the absolute path becomes a relative path, and clicking the link loads it inside an iframe.
-------------------------------------
Send the edited content again.
The construction process is now complete.
4. Clear all cache and cookies in the browser to view the effect.
Open the account and click the hyperlink to open the email you just sent.
The alert pops up successfully.
I don't know why adding the image address to a hyperlink as a sid does not work (is it because of the relative path?). The biggest reason sid does not work is that the same image address can be sent to anyone.
Source of inspiration: pictures uploaded by QQ mail can be viewed by anyone. This may mean that the image address does not change, so there may be no permission verification. I think the QQ mail image preview function outputs not the image itself, but bytes output by a program. This can be used for further mining and discovery, because at the time of mining it was based on a physical attack. So the whole construction process did not take more than an hour.
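The weakness described above is a preview endpoint that returns stored upload bytes without checking that they are really an image, and a link that loads that URL inside an iframe on the mail domain. The following is an added example, not code from the original post or from QQ mail, showing how such an endpoint can validate the bytes and set response headers so that non-image content is never rendered as a page; the sample inputs are constructed.

```python
"""Defensive check for an image-preview endpoint (added example).

A preview endpoint that echoes stored bytes lets a "jpg" that is really
HTML/JS render as a page on the mail origin when opened in an iframe.
This code verifies the image signature, rejects HTML-like content, and
returns headers that stop the browser from sniffing or executing it.
"""
import re
from typing import Dict, Optional

# Signatures of the image formats the endpoint is willing to serve inline.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Markup that should never appear in a genuine raster image.
HTML_MARKERS = re.compile(rb"<\s*(script|html|body|iframe|svg|object|embed)\b", re.I)

def detect_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def is_safe_image(data: bytes) -> bool:
    """True only for a known image signature with no HTML-like markup anywhere,
    so a polyglot (valid JPEG header followed by markup) is also rejected."""
    if detect_image_type(data) is None:
        return False
    return HTML_MARKERS.search(data) is None

def preview_headers(data: bytes) -> Dict[str, str]:
    """Headers for serving stored upload bytes from the preview endpoint.
    nosniff pins the declared type; anything not proven to be an image is
    forced to download; the CSP sandbox denies script even if rendered."""
    mime = detect_image_type(data) or "application/octet-stream"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline" if is_safe_image(data) else "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header, plain HTML, and a polyglot.
    samples = {
        "jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "html": b"<html><script>x</script></html>",
        "polyglot": b"\xff\xd8\xff\xe0<script>x</script>",
    }
    for name, data in samples.items():
        print(name, is_safe_image(data), preview_headers(data)["Content-Disposition"])
```

Serving uploads from a separate, cookie-less origin is the complementary control the page's observation (one address viewable by anyone) points at; that part is a deployment choice and is not shown here.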
I did not expect to encounter so many obstacles when reproducing the attack again.
Solution:
Don't let him play.