<<  WebZine [0x02] | 首页 | 犯了个很严重的错误 :(  >>

  • 2008-06-21

    Data:_URI_scheme

    版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
    http://superhei.blogbus.com/logs/23355141.html

    Data:_URI_scheme

    前几天FD上公布了一个vbb的xss: http://seclists.org/fulldisclosure/2008/Jun/0181.html,这个bug比较有意思:

    admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

    代码:admincp/index.php 98-107

    if (!empty($vbulletin->GPC['redirect']))
    {
        require_once(DIR . '/includes/functions_login.php');
        $redirect = htmlspecialchars_uni(fetch_replaced_session_url($vbulletin->GPC['redirect']));

        print_cp_header($vbphrase['redirecting_please_wait'], '', "<meta http-equiv=\"Refresh\" content=\"0; URL=$redirect\" />");
        echo "<p>&nbsp;</p><blockquote><p>$vbphrase[redirecting_please_wait]</p></blockquote>";
        print_cp_footer();
        exit;
    }

    http-equiv里的url使用data:text/html 实现xss。

    在firefox官方的资料:http://www.mozilla.org/quality/networking/testing/datatests.html
    wiki的资料:http://en.wikipedia.org/wiki/Data:_URI_scheme

    可以看得出来data:类似于javasript:,那么这个估计可以跨很多程序了,在你测试xss不要忘记了data:

    data:有几个特点:
       
        1.可以指定MIME-type如text/html
        2.可以指定编码如data:;charset=UTF-8,Hello
        3.firefox/ie8/Opera等支持它
        

    随机文章:


    收藏到:Del.icio.us




    Tag:
    引用地址:
    superhei 发表于23:39:48 | 编辑 | 继续话题 | 转发 | 分享 0

    评论

  • I received my<a href="http://www.buddyugg.com/"><strong> ugg boots</strong></a> today, very impressed. They are like sort of a massive slipper, soft, easy to wear and light.

    There is nothing that touches these <a href="http://www.buddyugg.com/"><strong>ugg boots</strong></a> for just lazing around at home. Bar sleeping I don’t take mine off now that its getting colder, they are not quite as stiff as they were when they first arrived but still extremely comfortable. It would be nice if they had a little more arch support but other than that I’m very pleased.
    asdf | 发表于2009-11-03 19:22:45 [回复]
  • I received my<a href="http://www.buddyugg.com/"><strong> ugg boots</strong></a> today, very impressed. They are like sort of a massive slipper, soft, easy to wear and light.

    There is nothing that touches these <a href="http://www.buddyugg.com/"><strong>ugg boots</strong></a> for just lazing around at home. Bar sleeping I don’t take mine off now that its getting colder, they are not quite as stiff as they were when they first arrived but still extremely comfortable. It would be nice if they had a little more arch support but other than that I’m very pleased.
    asdf | 发表于2009-11-03 19:19:47 [回复]
  • 过客踩踩踩踩踩!!!!!!!!!!
    Nike Air Jordan | 发表于2009-09-17 00:21:52 [回复]
  • IE8也支持这个该死的data:了?我日。
    est | 发表于2008-06-24 01:11:58 [回复]