1. 接著看這個系列的第一個漏洞(content_gridsblog.js)中那部分的代碼。

　　騰訊為了修復這個漏洞，采用了更為安全的JSON.parse函數作為修復方案。這種修復是沒有問題的。

　　其它有類似缺陷的網站可以參考騰訊的修復方案。

　　2. 但實際上，在這段代碼下方的不遠處，還存在著另外一處缺陷，如下圖所示：

　　可以看到， oGridInfo為 JSON.parse解析出來的一個[Object]

　　而 oGridInfo.templateName 取出來后，沒有經過任何過濾，就傳入到了 innerHTML 中。

　　而從抓包的數據來看，json數據里的templateName 我們是可控的，那么這里就顯然存在問題啦～

　　3. 修改日志數據包中的templateName，并發送。

{"g0":{"visible":1,"id":0,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"?????????"},"g5":{"visible":1,"id":5,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"2012?????????"},"g1":{"visible":1,"id":1,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????"},"templateName":"

","g4":{"visible":1,"id":4,"content":{"mood":"","image":"","date":"2013-03-20&1","text":""},"type":0,"title":"???? 2013-3-20"},"g7":{"visible":1,"id":7,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"??????????"},"version":"1.2","g2":{"visible":1,"id":2,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"??????"},"bgItem":{"bgId":"130","bgURL":"/qzone/newblog/v5/flashassets/bg130.swf?bgver=1.0&max_age=31104000","gridcolor":"0xF06368","alpha":1,"align":"right","wordcolor":"0xFFFFFF"},"tempId":56,"g8":{"visible":1,"id":8,"content":{"mood":"","image":"","date":"","text":"1"},"type":1,"title":"???????????"},"g6":{"visi

鄭重聲明：本文版權歸原作者所有，轉載文章僅為傳播更多信息之目的，如作者信息標記有誤，請第一時間聯系我們修改或刪除，多謝。