*)>"
Str = re.Replace(Str,"<$1$3>")
..............
FormatCode = Str
End Function
2. In the filter code of Dv_FilterJS(), add style and class:
(|function|meta|window\.|script|js:|about:|file:|Document\.|vbs:|frame|cookie|on(finish|mouse|Exit|error|click|key|load|focus|Blur|style|class))
Note that as written, style and class sit inside the on(...) group, so the pattern only matches "onstyle" and "onclass"; to block the style and class attributes themselves they have to be alternatives of the outer group (next to frame|cookie), not of the on(...) group.
II. Avatar XSS
Note: for the full principle and exploitation, see 《黑客X档案》 (Hacker X Files), 2006, issue 8.
Dvbbs's mymodify.asp does not filter the submitted custom-avatar value strictly enough, so cross-site script can be written into the avatar.
Dvbbs avatars are either myface (a built-in avatar) or face (a custom avatar); when the submitted myface value is empty, the submitted face value is used. face is filtered like this:
' the keyword filter runs first ...
face=Dv_FilterJS(Replace(face,"';",""))
' ... and only afterwards are these characters DELETED from the value
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")
face=Replace(face,"|","")
face=Left(face,200)
Part of Dv_FilterJS looks like this:
Function Dv_FilterJS(v)
..............
re.Pattern="(script)"
t=re.Replace(t,"script") ' replace the string script with a harmless substitute (the substitute literal is lost in this copy and appears identical to the original)
re.Pattern="(js:)"
t=re.Replace(t,"js:") ' the same for js:
...............
End Function
Here Dvbbs made a logic error: the keyword filter (Dv_FilterJS) runs before the value has finished being normalised. A submission such as javasc|ript or javasc^ript does not contain the string script when Dv_FilterJS inspects it, but the later Replace calls delete the "|" or "^" and reassemble javascript, so the filter is bypassed.
Fix:
Change the Replace calls so that they substitute a harmless character instead of deleting, so that no Replace running after Dv_FilterJS can reassemble a keyword it has already passed (in this copy the substitute literals are lost and appear identical to the originals):
face=Dv_FilterJS(Replace(face,"';","';';")) 'JMDCW 2006-06-22
face=Replace(face,"\","/")
face=Replace(face,"^","^")
face=Replace(face,"#","#")
face=Replace(face,"%","%")
face=Replace(face,"|","|")
face=Replace(face,"..","..")
face=Replace(face," "," ") ' TAB character
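The ordering bug explained above and the patched substitution, as an added Python example (this is not Dvbbs code). dv_filter_js stands in for the two Dv_FilterJS() patterns the page shows ("script" and "js:"); the substitute literals are assumed to be full-width characters, because the page's own literals are lost; canonicalise_then_filter is an added generalisation of the fix that normalises first, to a fixpoint, and runs the keyword filter last.

```python
import re

# Added example, not Dvbbs code. Stand-in for the two patterns of
# Dv_FilterJS() shown on the page. Assumption: the substitute literal is a
# full-width letter; any substitute that is not the keyword itself would do.
def dv_filter_js(v: str) -> str:
    t = re.sub(r"script", "ｓcript", v, flags=re.IGNORECASE)
    t = re.sub(r"js:", "jｓ:", t, flags=re.IGNORECASE)
    return t


def vulnerable_face_filter(face: str) -> str:
    """Filter order of the vulnerable mymodify.asp: keyword filter first,
    then characters are DELETED. Deleting a character after the keyword
    filter ran can glue the two halves of a keyword back together."""
    face = dv_filter_js(face.replace("';", ""))
    face = face.replace("..", "")
    face = face.replace("\\", "/")
    for ch in "^#%|":
        face = face.replace(ch, "")
    return face[:200]


# Harmless full-width stand-ins (assumption; the page's literals are lost).
SUBSTITUTE = {"..": "．．", "^": "＾", "#": "＃", "%": "％", "|": "｜", "\t": " "}


def patched_face_filter(face: str) -> str:
    """Order of the patched code: same keyword filter first, but every later
    Replace substitutes instead of deleting, so "javasc|ript" can only
    become "javasc｜ript", never "javascript"."""
    face = dv_filter_js(face.replace("';", "＇;"))
    face = face.replace("\\", "/")
    for src, dst in SUBSTITUTE.items():
        face = face.replace(src, dst)
    return face[:200]


def canonicalise_then_filter(face: str) -> str:
    """Added generalisation: do the destructive normalisation first, repeat
    until the value stops changing, and run the keyword filter last, so the
    filter inspects the same string the browser will receive."""
    previous = None
    while face != previous:
        previous = face
        face = face.replace("';", "").replace("..", "").replace("\\", "/")
        for ch in "^#%|":
            face = face.replace(ch, "")
    return dv_filter_js(face)[:200]


if __name__ == "__main__":
    # Constructed payloads: the direct form and the two split forms from the page.
    for payload in ("javascript:alert(1)", "javasc|ript:alert(1)", "javasc^ript:alert(1)"):
        print(f"{payload!r:28} vulnerable -> {vulnerable_face_filter(payload)!r}")
        print(f"{'':28} patched    -> {patched_face_filter(payload)!r}")
        print(f"{'':28} canonical  -> {canonicalise_then_filter(payload)!r}")
```

Run it directly to see that the direct payload is neutralised by all three filters, while the split payloads come out of the vulnerable filter as javascript:alert(1) and out of the other two with the keyword still broken. The fixpoint loop in canonicalise_then_filter matters for inputs such as '';; where one pass of Replace(face,"';","") leaves a new "';" behind.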