Author:amxku[c.r.s.t]
Version:sablog 1.6
由于过滤不严,存在多个跨站漏洞
PS:
http://www.blackunion.cn/?viewmode=list&curl=>">
http://www.blackunion.cn/?action=index&cid=>">
http://www.blackunion.cn/?action=index&setdate=200804&setday=>">
临时解决办法:
在global.php中过滤curl,cid,setday等 $modelink = '';
if ($action) {
$modelink .= '&action='.$action;
}
if ($curl) {
$modelink .= '&curl='.htmlspecialchars($curl);
}
if ($cid) {
$modelink .= '&cid='.htmlspecialchars($cid);
}
if ($setdate) {
$modelink .= '&setdate='.htmlspecialchars($setdate);
}
if ($setday) {
$modelink .= '&setday='.htmlspecialchars($setday);
}
if (intval($_GET['searchid'])) {
$modelink .= '&searchid='.htmlspecialchars($_GET['searchid']);
}
if (intval($_GET['userid'])) {
$modelink .= "&userid=".htmlspecialchars($_GET['userid']);
}
if ($_GET['item']) {
$item = urlencode(addslashes($item));
$modelink .= '&item='.$item;
}
如何最大程度的利用,化被动为主动 正是XSS的乐趣
![[POCO网摘]](javascript:d=document;t=d.selection?(d.selection.type!='None'?d.selection.createRange().text:''):(d.getSelection?d.getSelection():'');void(keyit=window.open('http://my.poco.cn/fav/storeIt.php?t='+escape(d.title)+'&u='+escape(d.location.href)+'&c='+escape(t)+'&img=http://www.h-strong.com/blog/logo.gif','keyit','scrollbars=no,width=475,height=575,status=no,resizable=yes'));keyit.focus();){kind=link}