DNF每日簽到送豪
lol7月神秘商店
LOL黑市亂斗怎么
LOL英雄成就標(biāo)志相關(guān)資訊
本類常用軟件
-
福建農(nóng)村信用社手機(jī)銀行客戶端下載下載量:584204
-
Windows優(yōu)化大師下載量:416918
-
90美女秀(視頻聊天軟件)下載量:366961
-
廣西農(nóng)村信用社手機(jī)銀行客戶端下載下載量:365699
-
快播手機(jī)版下載量:325855
HTMLencode解決QQ空間缺陷導(dǎo)致日志存儲(chǔ)型XSS
2013/5/5 21:37:40 出處:本站原創(chuàng) 人氣:102次 字號(hào):小 中 大
騎自行車的正確
在校大學(xué)生該如
微信朋友圈怎么在這個(gè)系列的第一個(gè)漏洞時(shí),由于2個(gè)缺陷點(diǎn)距離不遠(yuǎn),當(dāng)時(shí)就已經(jīng)發(fā)現(xiàn)了這個(gè)問題,想著騰訊可能對(duì)第一個(gè)漏洞采用某些方式修復(fù);如果是用 json.parse的方式修復(fù),那么這第2個(gè)問題應(yīng)該會(huì)依然存在,如我所料,于是。。。
1. 接著看這個(gè)系列的第一個(gè)漏洞(content_gridsblog.js)中那部分的代碼。
騰訊為了修復(fù)這個(gè)漏洞,采用了更為安全的JSON.parse函數(shù)作為修復(fù)方案。這種修復(fù)是沒有問題的。
其它有類似缺陷的網(wǎng)站可以參考騰訊的修復(fù)方案。
2. 但實(shí)際上,在這段代碼下方的不遠(yuǎn)處,還存在著另外一處缺陷,如下圖所示:
可以看到, oGridInfo為 JSON.parse解析出來的一個(gè)[Object]
而 oGridInfo.templateName 取出來后,沒有經(jīng)過任何過濾,就傳入到了 innerHTML 中。
而從抓包的數(shù)據(jù)來看,json數(shù)據(jù)里的templateName 我們是可控的,那么這里就顯然存在問題啦~
3. 修改日志數(shù)據(jù)包中的templateName,并發(fā)送。
{"g0":{"visible":1,"id":0,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"?????????"},"g5":{"visible":1,"id":5,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"2012?????????"},"g1":{"visible":1,"id":1,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"templateName":"
","g4":{"visible":1,"id":4,"content":{"mood":"","image":"","date":"2013-03-20&1","text":""},"type":0,"title":"???? 2013-3-20"},"g7":{"visible":1,"id":7,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"??????????"},"version":"1.2","g2":{"visible":1,"id":2,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"??????"},"bgItem":{"bgId":"130","bgURL":"/qzone/newblog/v5/flashassets/bg130.swf?bgver=1.0&max_age=31104000","gridcolor":"0xF06368","alpha":1,"align":"right","wordcolor":"0xFFFFFF"},"tempId":56,"g8":{"visible":1,"id":8,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????????"},"g6":{"visible":1,"id":6,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"????????????"},"g3":{"visible":1,"id":3,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"2012?????????"}}
4. 用另外一個(gè)號(hào),查看已經(jīng)發(fā)表的日志。 成功彈出啦。
由于代碼邏輯上,只有他人查看日志時(shí),才會(huì)觸發(fā)此段代碼,故測試時(shí),請(qǐng)以第三者身份查看包含缺陷代碼的日志
修復(fù)方案:
oGridInfo.templateName取出后,HTMLencode一下。