Program official website: http://www.youyax.com/
Vulnerable program: http://www.bkjia.com/ym/201402/44952.html
Vulnerable file location: \YouYaX\Tpl\mobile\home\mypub.html, line 23, eval() function
    ......
    document.onreadystatechange = function () {
        if (document.readyState == "complete") {
            var aes = document.getElementById("pagination").getElementsByTagName("a");
            var url = window.location.href;
            // line 18: everything after "=" in the URL is taken as the page value
            var url_array = url.split("=");
            var page = url_array[1];
            var uclass = document.getElementById("pagination").getElementsByTagName("a");
            for (var n in uclass) {
                // line 23: the URL-derived page value is evaluated as code
                var str = eval("/fy" + page + "/");
                if (str.test(uclass[n].className) && uclass[n].className != undefined) {
                    uclass[n].style.background = "#deccb1";
                }
            }
        }
    }
    ......
Looking at the code above, it is not hard to see that var url_array = url.split("=") on line 18 is the culprit. The characters after the equal sign (=) in the URL are assigned to the page variable, and once the onreadystatechange event is triggered on the page, the contents of page are executed by the eval function on line 23. Knowing the program logic, we can construct the following URL: http://127.0.0.1/YouYaX/Tpl/mobile/home/mypub.html?=//.source+alert()/
When we access http://127.0.0.1/YouYaX/Tpl/mobile/home/mypub.html?=/.source+alert()/
Solution: Choose whether to retain or filter based on the business needs.
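One way to implement the filtering option, as an added example that is not YouYaX's own code: the page value is validated before use and eval is dropped entirely. The function names, the numeric-only page format and the "fy" + number class naming are assumptions drawn from the snippet above.

```javascript
// Added example: eval-free pagination highlight (hypothetical helper names).
// Assumption: the value after "=" is a numeric page index and pagination
// links carry a class such as "fy3"; adjust PAGE_RE if the format differs.
const PAGE_RE = /^[0-9]{1,6}$/;

// Take the text after the first "=" as the original does, but return null
// for anything that is not a plain number.
function pageFromUrl(href) {
  const idx = href.indexOf("=");
  if (idx === -1) return null;
  let raw = href.slice(idx + 1).split(/[&#=]/)[0];
  try {
    raw = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return PAGE_RE.test(raw) ? raw : null;
}

// page is digits only here, so the RegExp constructor receives no
// attacker-chosen syntax and nothing is evaluated as code.
function shouldHighlight(className, page) {
  if (page === null || typeof className !== "string") return false;
  return new RegExp("fy" + page).test(className);
}

// Returns the number of links highlighted.
function highlightCurrentPage(doc, href) {
  const page = pageFromUrl(href);
  const links = doc.getElementById("pagination").getElementsByTagName("a");
  let count = 0;
  for (let n = 0; n < links.length; n++) { // index loop instead of for...in
    if (shouldHighlight(links[n].className, page)) {
      links[n].style.background = "#deccb1";
      count++;
    }
  }
  return count;
}

// Browser wiring; skipped when run outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", function () {
    highlightCurrentPage(document, window.location.href);
  });
}
```

A URL whose value after "=" is not a number yields no highlight and is never interpreted as script.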