How to steal a developer's local database

The HTML Form Protocol Attack

Using the enctype trick. (Ref - Paper - The HTML Form Protocol Attack)

<form enctype="text/plain" method="POST" action="http://localhost:6379">
<textarea name="abc">

SET abc 123
QUIT
</textarea>
<input type="submit" value="Submit" />
</form>

Once the server receives the contents of the textarea, it executes them line by line. (Ref - Paper - The HTML Form Protocol Attack)

However, while we can execute any command, we can't actually retrieve the result. This is because of the browser's same-origin policy, which ensures that reading data from a request to another domain is not possible. That's where the second technique comes in!
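The following is an added example, not code from the original post: a toy line-oriented key/value service (constructed here, with only SET, GET and QUIT) is fed the exact bytes a browser would send for the enctype="text/plain" form above, so you can see why every line of the body ends up being interpreted as a command. It also shows the guard such a service should apply: a line-oriented protocol never receives "POST ..." or "Host: ..." from a real client, so the first HTTP token is enough to recognise a cross-protocol request and close the connection before the body is ever read. This is the same idea as the guard Redis later added for the command names POST and Host:. The request text and the service itself are constructed for the example.

```python
"""Added example (not from the original post): a toy line-oriented key/value
service driven by a text/plain form POST, with and without a guard."""

from typing import Dict, List

# Tokens that never start a line from a legitimate key/value client but
# always start a browser's HTTP request (request line, then Host header).
HTTP_REQUEST_MARKERS = ("GET", "POST", "PUT", "HEAD", "OPTIONS", "HOST:")


def text_plain_body(field: str, value: str) -> str:
    """Body a browser emits for enctype=text/plain: name=value, CRLF-terminated,
    with the textarea's own newlines normalised to CRLF."""
    return f"{field}={value}".replace("\r\n", "\n").replace("\n", "\r\n") + "\r\n"


def browser_request(path: str, host: str, body: str) -> str:
    """Constructed HTTP/1.1 request that the form submission would produce."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


class ToyKV:
    """Minimal line-oriented command interpreter (SET / GET / QUIT)."""

    def __init__(self, reject_http: bool) -> None:
        self.store: Dict[str, str] = {}
        self.reject_http = reject_http

    def serve(self, stream: str) -> List[str]:
        """Consume raw socket data line by line, as the real service would."""
        replies: List[str] = []
        for line in stream.split("\r\n"):
            parts = line.split()
            if not parts:
                continue  # blank line: nothing to execute
            cmd = parts[0].upper()
            # The guard: a peer speaking HTTP is not a KV client. Dropping the
            # connection here means the form body further down is never parsed.
            if self.reject_http and cmd in HTTP_REQUEST_MARKERS:
                replies.append("-ERR cross-protocol request, closing")
                break
            if cmd == "SET" and len(parts) == 3:
                self.store[parts[1]] = parts[2]
                replies.append("+OK")
            elif cmd == "GET" and len(parts) == 2:
                replies.append(self.store.get(parts[1], "$-1"))
            elif cmd == "QUIT":
                replies.append("+OK")
                break
            else:
                # Unknown lines (request line, headers, "abc=") produce errors
                # but do not end the connection; the attack relies on that.
                replies.append(f"-ERR unknown command '{parts[0]}'")
        return replies


def run_form_post(reject_http: bool) -> dict:
    """Submit the page's form body to the toy service and report the outcome."""
    body = text_plain_body("abc", "\nSET abc 123\nQUIT\n")
    kv = ToyKV(reject_http)
    replies = kv.serve(browser_request("/", "localhost:6379", body))
    return {"store": dict(kv.store), "replies": replies}


if __name__ == "__main__":
    print("unguarded:", run_form_post(reject_http=False))
    print("guarded:  ", run_form_post(reject_http=True))
```

Without the guard the request line and headers each produce an "unknown command" error and the service keeps reading, so the SET in the body is applied; with the guard the connection is closed on the first line and the store stays empty. The check costs one string comparison per line and belongs in any text protocol that listens on a port a browser can reach.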

DNS Rebinding

DNS rebinding attacks subvert the same-origin policy by confusing the browser into aggregating network resources controlled by distinct entities into one origin, effectively converting browsers into open proxies.

Using DNS rebinding, an attacker can circumvent firewalls to spider corporate intranets, exfiltrate sensitive documents, and compromise unpatched internal machines. An attacker can also hijack the IP address of innocent clients to send spam e-mail, commit click fraud, and frame clients for misdeeds.

DNS rebinding vulnerabilities permit the attacker to read and write directly on network sockets, subsuming the attacks possible with existing JavaScript-based botnets, which can send HTTP requests but cannot read back the responses.
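As an added example of the server-side defence (not part of the original post): after a rebinding the browser still believes it is talking to the attacker's origin, so the Host header it sends carries the attacker's hostname even though the TCP connection now lands on the local service. A local service that only answers to the names it is genuinely reachable under therefore rejects the rebound request before any handler runs, and the page that triggered it gets nothing to read. The allow-list, the listening port and the request texts below are constructed assumptions.

```python
"""Added example (not from the original post): Host header validation as a
defence against DNS rebinding for a service bound to localhost."""

from typing import Dict, Iterable, Optional, Tuple

# Names this service is legitimately reachable under (assumed).
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})
SERVICE_PORT = 8080  # assumed listening port


def parse_host_header(value: str) -> Tuple[str, Optional[str]]:
    """Split a Host header into (name, port); port is None when absent.
    Handles bracketed IPv6 literals such as [::1]:8080."""
    value = value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return "", None
        rest = value[end + 1:]
        port = rest[1:] or None if rest.startswith(":") else None
        return value[1:end], port
    name, _, port = value.partition(":")
    return name, port or None


def host_allowed(value: str, allowed: Iterable[str] = ALLOWED_HOSTS,
                 port: Optional[int] = SERVICE_PORT) -> bool:
    """True only if the Host header names this service by an allowed name
    and the port the service really listens on."""
    name, req_port = parse_host_header(value)
    if not name or name not in set(allowed):
        return False
    if port is not None and req_port != str(port):
        return False
    return True


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Header lines of a raw HTTP/1.1 request, keys lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":
            break
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    return headers


def handle(raw_request: str) -> int:
    """Return the HTTP status the service answers with."""
    host = parse_headers(raw_request).get("host", "")
    if not host_allowed(host):
        # 421 Misdirected Request: the client addressed a server that is not
        # this one. A missing Host header is rejected for the same reason.
        return 421
    return 200


def demo() -> Dict[str, int]:
    """Constructed requests: a genuine local one, and one arriving after a
    rebinding, where the Host header still names the attacker's domain."""
    local = "GET /admin HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"
    rebound = "GET /admin HTTP/1.1\r\nHost: rebind.attacker.example:8080\r\n\r\n"
    return {"local": handle(local), "rebound": handle(rebound)}


if __name__ == "__main__":
    print(demo())
```

The check has to be done by the service itself: CORS does not help, because from the browser's point of view the rebound request is same-origin and no preflight or Origin check is triggered. Binding the service to 127.0.0.1 alone does not help either, since the rebound connection arrives on exactly that address.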

Same-origin policy

Given the directory http://www.example.com/dir/, the same-origin rule works out as follows:

  1. http://www.example.com/dir2 - a different directory but the same domain, so it is same-origin and the two can reference each other's resources
  2. http://www.example.com:82/dir/ - the port differs, so it is not same-origin
  3. http://www.anotherone.com/ - a different domain, so it is not same-origin

However, this rule does not apply to the SRC attribute of tags such as <script>, <link>, <iframe> and <img>. The biggest help the same-origin rule gives us is keeping each site's cookies apart: cookies from different origins are stored under their own domain's file.
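An added worked example (not from the original post) that reduces the three cases above to code: an origin is the triple (scheme, host, port), with the scheme's default port filled in when the URL omits it, and two URLs are same-origin exactly when their triples are equal. It goes slightly beyond the list on the page by also covering a differing scheme and an explicitly written default port, the two cases people most often get wrong. The comparison function and base URL are the example's own.

```python
"""Added example (not from the original post): same-origin comparison of
URLs as (scheme, host, port) triples with default-port normalisation."""

from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Default ports the browser assumes when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """The origin triple of a URL; path, query and fragment play no part."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


# The directory used in the text above.
BASE = "http://www.example.com/dir/"


def classify(candidates: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate URL to whether it shares BASE's origin."""
    return {url: same_origin(BASE, url) for url in candidates}


if __name__ == "__main__":
    for url, ok in classify([
        "http://www.example.com/dir2",        # case 1: same origin
        "http://www.example.com:82/dir/",     # case 2: port differs
        "http://www.anotherone.com/",         # case 3: host differs
        "http://www.example.com:80/dir/",     # explicit default port: same origin
        "https://www.example.com/dir/",       # scheme differs: not same origin
    ]).items():
        print(f"{'same' if ok else 'different':9} {url}")
```

Note that this is the policy for reading responses with script; loading a cross-origin URL through a src attribute, as the text says, is still permitted, which is exactly why the form trick above can send a request but not read the reply.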
