Weibo high-risk storage XXS, Weibo, and worms

1. Activate dual-play Weibo and open the form on the modify data page. It looks very simple to hide xuanjicang. 2. Check the packet capture directly. The field owner who pays attention to Post should say that the programmer of Dual-play, js writes are really not the case. Almost every js function has comments, and some functions are full of loopholes. For example, here is the form, nick has front-end verification + backend verification. sex has front-end verification. Others have front-end verification, but wood has backend verification, for example, if the province, address, and birthday are verified on the backend, the type conversion is strong! If we do not play XXS, we can submit the address here as a Mars installation ratio! We have a birthday in May 3000! 3: Let's analyze the Weibo homepage. What about the homepage ~~ I don't need to say that, as you know! The key lies in the photo_url field. To be honest, I am too lazy to analyze what it is doing. I only need XXS 4: Next, IE9 will be on the stage. It is convenient for me to use IE9's Developer Tools to debug js, some outputs use jQuery. text function, which is impeccable, some of which are directly taken out and put variables. We are concerned about photo_url. In fact, I am not very familiar with XXS, and I am not engaged in web development. I have learned how many things I have been doing for a long time, so I first wrote this sentence: xxs "! = (Function () {alert ("xxs"); return "xxs" ;}) () & "originally expected if (photo_url &) to be executed smoothly, but brother doesn't know why direct if ("xxs "! = (Function () {alert ("xxs"); return "xxs" ;}) () & ") is acceptable, however, if (photo), you cannot add this xxs to the photo_url field ~~ If this is not the case, you can find another method to continue reading it ~~ If you dare to construct the src of img, you will be welcome. Follow up the getPhotoUrl function to see if it is 5: the author of the getPhotoUrl function. Your boss will call you to have tea! Very good, so don't be polite. directly construct the statement; xxs "onerror =" javascript: alert (0); void (0 );". "6: Next, success ~~ After the success of xxs passion, I will submit the vulnerability for the first time. I am a civilized man and will not engage in worms or anything else! Solution: You know ~!