搜索
查看: 507|回复: 0

New IE mutation vector

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2015-6-18 11:10:30 | 显示全部楼层 |阅读模式
I was messing around with a filter that didn’t correctly filter attribute names and allowed a blank one which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML. Yes it does of course
The filter bypass worked like this:

  1. <img ="><script>alert(1)</script>">
复制代码

The filter incorrectly assumed it was still inside an attribute and therefore allowed raw html to be injected and the various browsers treat it as an invalid attribute and execute the script. I then decided to fuzz the attribute name to see what characters are allowed. IE of course proved to be interesting because two equals one as an attribute name created an invalid attribute.
I began to use my mxss tool to see if I could find a new vector. Attribute names with equals seemed a good place to start. After various tests using multiple attributes and mixing quotes I found a vector using an equal after the tag name.

  1. <div='/x=&quot;&#39&gt;&lt;iframe/onload=alert(1)&gt;'>
复制代码
POC

IE renders the entities inside the x attribute and therefore breaks out of the attribute when innerHTML is read. If you remove the equal after the tag name the vector no longer works so maybe the parser loses track of the character position or confuses itself which quotes the attribute is part of.
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表