dzX 2.0/2.5ͨɱ0day 洢XSSһö
©ڲ帽ĵط˵帽λҲӦö뵽˿϶ļΪļǰձϴļʾġIJϵͳlinuxֱһͼƬļļ
<img src=javascript/alert(1);>.png
(/linux»ᱻת: payloadֻIE6²֪ܵǶǸ ԸҪ payload)
IJϵͳwindows,ϲץ(ҸϲTamper data)һϴӦץļģûץ
Ҫϴ룬֮±༭ͼƬʱץǿץɰfilenameġ
xxx.pngΪ
<img src=javascript:alert(1);>.png
ύ
xssᱻڵڶҳ棬ҲǵͼƬŴ֮
pwned!
ַ80ңˡ / etc..бܵһں
ΪXSSøԼĺõļλȥpayload˵бܹˣַ ϶ʧˡ
ȻXSSܻ𣬵ҸIJǺϲ
ѾȻ˵оֻԼӲͷƤˡ
ڳзַбҲʱҲŷⲻһxss filter⡣
ϴУǿɰ/ͷбӦָfilenamefilepath ԱɱҲӦõġOrz..
òƾǴ˵еmission impossibleˡ
Ҫбܵ⡣ֳػص˸ĵطûаյزһXSS payload.
<img src=x onerror=alert(document.cookie)>.png
ԭļǵˡ
pwned!
ѾԴǵбˣΪѾǰˣ
ҾӦѾûκε谭ˡ
ܾԣ˵payloadҳ©HTTPonly cookie,ڱơ
whatever!
ҾЩѾӦǸȥоˡ
Ϊûĸվôĺޡ
ȫ-ϴ-̳-ʾͼƬ-
㶨ˡ
ڷͼ