黑色海岸线论坛 - Powered by Discuz! Board

标题: [转帖]动网跨站的原因 [打印本页]

作者: 青蛙 时间: 2006-9-5 13:48 标题: [转帖]动网跨站的原因

动网换LOGO标志了 *)>" Str = re.Replace(Str,"<$1$3>") .............. FormatCode = Str End Function 2、在"Dv_FilterJS()"中的过滤代码中加入：style和class。 (|function|meta|window\.|script|js:|about:|文件:|Document\.|vbs:|frame|cookie|on(finish|mouse|Exit|error|click|key|load|focus|Blur|style|class)) 二、头像跨站注：详细原理及利用请阅读《黑客X档案》 2006年第8期。动网mymodify.asp对提交的自定义头像内容过滤不严，导致头像中可以写入跨站代码。动网头像分myface（内置头像）和face（自定义头像），如果myface的提交值为空，就使用face的提交值。采用如下过滤方式： face=Dv_FilterJS(Replace(face,"';","")) face=Replace(face,"..","") face=Replace(face,"\","/") face=Replace(face,"^","") face=Replace(face,"#","") face=Replace(face,"%","") face=Replace(face,"|","") face=Left(face,200) 其中"Dv_FilterJS"的部分内容如下： Function Dv_FilterJS(v) .............. re.Pattern="(script)" t=re.Replace(t,"script") ';将字符script替换为script re.Pattern="(js:)" t=re.Replace(t,"js:") ............... End Function 这里，动网犯了一个逻辑错误，在代码未检测完之前就进行了过滤，如果提交的是： javasc|ript，或是 javasc^ript ,就能绕过动网的过滤。修补方法：对replace采取如下过滤方式。 face=Dv_FilterJS(Replace(face,"';","';';")) ';JMDCW 2006-06-22 face=Replace(face,"\","/") face=Replace(face,"^","^") face=Replace(face,"#","#") face=Replace(face,"%","%") face=Replace(face,"|","|") face=Replace(face,"..","..") face=Replace(face," "," ") ';TAB值

欢迎光临黑色海岸线论坛 (http://bbs.thysea.com/)