跨站之后，返回如下信息：

<!--
   - Unfortunately, Microsoft has added a clever new
   - "feature" to Internet Explorer. If the text in
   - an error's message is "too small", specifically
   - less than 512 bytes, Internet Explorer returns
   - its own error message. Yes, you can turn that
   - off, but *surprise* it's pretty tricky to find
   - buried as a switch called "smart error
   - messages" That means, of course, that many of
   - Resin's error messages are censored by default.
   - And, of course, you'll be shocked to learn that
   - IIS always returns error messages that are long
   - enough to make Internet Explorer happy. The
   - workaround is pretty simple: pad the error
   - message with a big comment to push it over the
   - five hundred and twelve byte minimum. Of course,
   - that's exactly what you're reading right now.
   -->

也没什么，就是告诉你百度杀毒频道使用的是Resin服务器平台，然而给你一个如何返回这样这样404页面的解决方案，以后也许可以用到。我一点都不知道。

http://shadu.baidu.com/xss.jsp?<script>alert('xss')</script>，变形一下：

http://shadu.baidu.com/<script>alert('xss')</script>.jsp ，可以很简短，不过不能利用常规加密方法如escape等伪造，因为.jsp前面应该必须是合法的文件名。遗憾的是，没发现注入点。真是小心翼翼的。我还以为我发现了什么。注入要看数据库的脸色，所以掌握各类主流数据库的相关知识很重要。顺便问一下，谁有耐心读完这段脚本？我看着头就晕了。

10.000 Sites JS Malware Source Code.