-
-
[原创]腾讯qq.com 域名xss漏洞
-
发表于: 2025-2-22 12:19
-
src既然说内部已知,没有危害,0积分,
那就分享给朋友们学习吧
基本信息
漏洞类型:Web漏洞-存储型XSS
业务归属:未设置
贡献值 :0
当前状态:您的报告已经完结,再次感谢
危害等级:无
积分评定:0
安全币 : 0
漏洞详情
一、详细说明:
# 请提供危害说明和测试步骤
手机或移动端测试,useragent检测,免杀过qq 微信 可信域名
二、漏洞复现辅助信息:
1. 漏洞URL:
263K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3K9h3y4Q4x3X3g2C8k6#2)9J5k6i4q4I4i4K6u0W2j5$3!0E0i4K6u0r3K9$3N6E0N6Y4y4S2k6X3g2Q4x3V1j5H3i4K6u0r3x3U0c8Q4y4h3j5J5z5r3j5^5x3r3q4V1x3U0p5@1x3h3b7H3y4$3u0T1k6U0V1&6j5X3f1$3k6e0b7^5x3$3j5&6k6X3q4X3j5K6f1&6z5o6p5$3k6h3x3^5i4K6y4r3M7X3g2K6M7r3!0F1M7$3g2Q4x3X3c8U0L8$3&6@1k6h3&6@1i4K6u0V1N6s2W2Q4x3U0k6S2L8i4m8Q4x3@1u0Q4y4h3k6X3M7X3!0E0i4K6y4p5i4K6t1$3j5h3#2H3i4K6y4n7i4K6g2X3N6%4k6Q4x3@1b7I4x3K6p5H3y4K6y4Q4x3U0k6S2L8i4m8Q4x3@1u0Q4y4h3k6%4N6%4k6Q4x3@1b7$3y4o6k6Q4x3U0k6S2L8i4m8Q4x3@1u0Q4y4h3k6X3N6W2)9K6c8o6m8Q4x3U0k6S2L8i4m8Q4x3@1u0Q4y4h3k6T1K9h3c8Q4x3@1b7#2x3e0l9K6
2. 功能入口:
3. 漏洞复现所需的HTTP报文(代码块格式):
GET / HTTP/1.1
Host: pic.kg.qq.com
请提供完整报文(请使用代码插入功能粘贴数据包)
GET /kgmvsafe/0/24_28f80ad2141d07bbf99be6e483f9fafc59816ec8?response-content-ty&_from=&_wv=131073&_wwv=646&_fv=0&_bid=5103 HTTP/1.1Host: pic.kg.qq.comConnection: keep-aliveCache-Control: max-age=0DNT: 1Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1 Edg/132.0.0.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6Accept-Encoding: gzip, deflate
被恶意加载的js文件url:02dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1j5J5x3o6t1#2M7i4q4Z5j5W2)9J5k6h3!0K6M7#2)9J5k6r3y4F1i4K6u0V1K9r3q4F1k6%4A6Z5L8%4g2Q4x3X3g2S2L8r3W2&6N6h3&6U0M7#2)9J5k6h3y4G2L8g2)9J5c8X3A6K6i4K6u0r3M7$3#2Q4x3X3f1J5x3o6t1#2i4K6u0W2K9Y4y4Q4x3@1k6@1i4K6y4p5x3e0M7K6z5e0l9%4y4e0b7H3z5e0p5@1y4b7`.`.
4. 测试账号:
账号A: 用户/密码
账号B: 用户/密码
三、漏洞证明:
# 请提供截图或视频
被黑的xss页面如下:
