
RPO(Relative Path Overwrite)

Posted: 2018-04-11 22:15:24


  1. Concept (relative vs. absolute)
    Absolute path: "/etc/hosts" (on Linux),
    "C:\Windows\System32\Drivers\etc\hosts" (on Windows)
    Relative path: "./hosts" or "hosts" (when inside the "etc" folder)

The same applies to websites.
Absolute URL: "https://www.site.com/styles.css"
Relative URL in HTML (reconstructed from the surrounding text; the tag itself was lost in extraction):
<link rel="stylesheet" href="styles.css">

In this case styles.css is a relative path, resolved against the server's root directory.
var/www/
|— index.html
|— styles.css

Relative paths are more convenient when the site has a complex file structure.
var/www
|— index.html
|— login
| |— login.php
| |— register.php
| |— pc.css
| |— mobile.css
|— static
| |— js
| | |— jQuery.js
| | |— bootstrap.js
| |— css
| | |— styles.css

In this case login.php can load its CSS with a relative path such as "pc.css" (its absolute path is /login/pc.css).

  2. Example (a missing CSS style)

Client side (URL resolution):
Consider the following URLs:
www.site.com/login/login.php
www.site.com/login/login.php/

On the server side, the two URLs return the same page, index.php.
On the client side, however, the two URLs are different base URLs.

With a relative stylesheet URL, the client requests the resource from:
www.site.com/static/css/style.css
www.site.com/login/static/css/style.css

Obviously the second URL is invalid: adding the trailing slash makes the server return 404 for the stylesheet.

In this case XSS can be performed when there is no server-side check of the path.

Server side (differences in server behaviour and configuration):
Different servers, such as Apache and Nginx, parse URLs differently.

Consider the URL:
www.site.com/login%2flogin.php

Apache returns 404 because there is no file named login%2flogin.php, whereas Nginx decodes the %2f and returns the login.php page correctly.

  3. Getting it to work
    We build a website structured as follows:
    var/www/
    |— index.php
    |— styles.css

index.php (the PHP tags and the stylesheet link were lost in extraction and are reconstructed here from the description below; the page deliberately echoes the name parameter unescaped):

<link rel="stylesheet" href="style.css">

Hi, my name is <?php echo $_GET['name']; ?>.
Press the green button below to friend me and the red to cancel.

<button id="green">...</button>
<button id="red">...</button>

When accessing the page through https://www.site.com/index.php, the included stylesheet will be loaded from https://www.site.com/style.css. If the page is loaded through https://www.site.com/index.php/[anything] instead, the stylesheet will be loaded from https://www.site.com/index.php/style.css.

As stated before, the URL router on the server side will ignore everything after friend.php/ and the included stylesheet will therefore be loaded from the page itself. By changing the name on a vulnerable social network, the attacker can control the value of name and, consequently, the stylesheet.

Prefixing the injected value with "{}" makes the surrounding HTML parse as valid CSS, so the result is:
https://www.site.com/index.php?name={}#green{background-color:red;}#red{background-color:green;}
The button intended to be green is now red.
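To make the client-side resolution difference (section 2) and the index.php example above concrete from the defender's side, here is an added example that is not part of the original post. It resolves a relative stylesheet reference the way a browser does, flags the document-relative references that an appended path segment can move, and shows the mitigation of rewriting them to root-absolute paths. Function names, the sample HTML and the site URLs are constructed for illustration.

```python
"""Added example (not from the original post): show where a browser fetches a
relative stylesheet from, detect RPO-exposed references, and harden them."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect href/src values of <link rel=stylesheet> and <script> tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.refs.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.refs.append(a["src"])


def resolve_as_browser(page_url, ref):
    """Where a browser fetches `ref` when it appears in the page at `page_url`."""
    return urljoin(page_url, ref)


def rpo_exposed_refs(page_html):
    """Return references that are neither absolute URLs nor root-relative.
    These resolve against the page's apparent directory, so an extra path
    segment appended to the page URL (index.php/anything) moves them."""
    p = _RefCollector()
    p.feed(page_html)
    return [r for r in p.refs if not urlsplit(r).scheme and not r.startswith("/")]


def to_root_absolute(page_path, ref):
    """Mitigation: pin a relative reference to the page's real directory,
    e.g. page_path='/login/login.php', ref='pc.css' -> '/login/pc.css'."""
    return urljoin(page_path, ref)


# Constructed sample page, modelled on the index.php of the post.
SAMPLE = ('<link rel="stylesheet" href="style.css">'
          '<script src="/static/js/app.js"></script>')

if __name__ == "__main__":
    for url in ("https://www.site.com/index.php", "https://www.site.com/index.php/x"):
        print(url, "->", resolve_as_browser(url, "style.css"))
    print("exposed:", rpo_exposed_refs(SAMPLE))
    print("hardened:", to_root_absolute("/index.php", "style.css"))
```

Only the document-relative reference is reported; the root-relative script is unaffected by the trailing segment and needs no change.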

  4. Share your mind (CTF writeup)
    The Write article section posts text, the Overview section displays it, and the Reports section submits a URL to the bot.

The source code contains the following segment (missing from this copy of the page):

It includes a relative path that is subject to an RPO attack.

So it can be exploited this way:
Use the Write article section to post an XSS payload. Then craft a URL using the RPO technique so that the Overview section's text is loaded as JavaScript. The bot executes the malicious JavaScript once the RPO URL is submitted.

  5. Additional information
    PHP path-info URL style:
    https://www.site.com/login/login.php/u/user/p/pass

This URL is equivalent to
https://www.site.com/login/login.php?u=user&p=pass


Original article: https://www.cnblogs.com/Mountain2/p/8799012.html
