Weibo high-risk storage XXS, Weibo, and worms

Source: Internet
Author: User

1. Activate dual-play Weibo and open the form on the modify data page. It looks very simple to hide xuanjicang. 2. Check the packet capture directly. The field owner who pays attention to Post should say that the programmer of Dual-play, js writes are really not the case. Almost every js function has comments, and some functions are full of loopholes. For example, here is the form, nick has front-end verification + backend verification. sex has front-end verification. Others have front-end verification, but wood has backend verification, for example, if the province, address, and birthday are verified on the backend, the type conversion is strong! If we do not play XXS, we can submit the address here as a Mars installation ratio! We have a birthday in May 3000! 3: Let's analyze the Weibo homepage. What about the homepage ~~ I don't need to say that, as you know! The key lies in the photo_url field. To be honest, I am too lazy to analyze what it is doing. I only need XXS 4: Next, IE9 will be on the stage. It is convenient for me to use IE9's Developer Tools to debug js, some outputs use jQuery. text function, which is impeccable, some of which are directly taken out and put variables. We are concerned about photo_url. In fact, I am not very familiar with XXS, and I am not engaged in web development. I have learned how many things I have been doing for a long time, so I first wrote this sentence: xxs "! = (Function () {alert ("xxs"); return "xxs" ;}) () & "originally expected if (photo_url &) to be executed smoothly, but brother doesn't know why direct if ("xxs "! = (Function () {alert ("xxs"); return "xxs" ;}) () & ") is acceptable, however, if (photo), you cannot add this xxs to the photo_url field ~~ If this is not the case, you can find another method to continue reading it ~~ If you dare to construct the src of img, you will be welcome. Follow up the getPhotoUrl function to see if it is 5: the author of the getPhotoUrl function. Your boss will call you to have tea! Very good, so don't be polite. directly construct the statement; xxs "onerror =" javascript: alert (0); void (0 );". "6: Next, success ~~ After the success of xxs passion, I will submit the vulnerability for the first time. I am a civilized man and will not engage in worms or anything else! Solution: You know ~!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.