JSP平安開辟之XSS破綻詳解。本站提示廣大學習愛好者:(JSP平安開辟之XSS破綻詳解)文章只能為提供參考,不一定能成為您想要的結果。以下是JSP平安開辟之XSS破綻詳解正文
媒介
年夜家好,好漢子就是我,我就是好漢子,我就是-0nise。在各年夜破綻告發平台,我們經常會看到XSS破綻。那末成績來了,為什麼會湧現這類破綻?湧現這類破綻應當怎樣修復?
注釋
1.XSS?XSS?XSS是甚麼鬼?
XSS又叫跨站劇本進擊(Cross Site Scripting),我不會告知他本來是叫CSS的,然則為了和睦我們所用的層疊款式表(Cascading Style Sheets)CSS弄混。CSS(跨站劇本進擊),CSS(層疊款式表)傻傻分不清。所以就叫XSS咯。
2.XSS的傷害是甚麼?
試驗一:
0x00結構代碼
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <% String path = request.getContextPath(); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <base href="<%=basePath%>"> <title>My JSP 'index.jsp' starting page</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="expires" content="0"> <meta http-equiv="keywords" content="keyword1,keyword2,keyword3"> <meta http-equiv="description" content="This is my page"> </head> <body> <div > <% //設置編碼 request.setCharacterEncoding("UTF-8"); //吸收用戶傳入值 String tmp = request.getParameter("opr"); //加速傳入值能否為空 if(tmp == null){ out.print("111"); }else{ //轉碼 String opr = new String(tmp.getBytes("ISO-8859-1"),"utf-8"); out.print(opr); } %> 我是內容 </div> </body> </html>
0x01情況結構
0x02破綻練習訓練
我們拜訪:http://localhost:8080/XSS/index.jsp?opr=i%E6%98%A5%E7%A7%8B
然後拜訪:http://localhost:8080/XSS/index.jsp?opr=0nise
最初我們發明了一個“巨大的紀律”:
opr參數等於甚麼頁面就打印甚麼。(似乎是空話)
我們接著來加載一個圖片看看
拜訪:http://localhost:8080/XSS/index.jsp?opr=%3Cimg%20src=%221.png%22%3E%3C/img%3E
既然圖片都可以加載,那末我們JS文件是否是也闊以加載呢?
拜訪:http://localhost:8080/XSS/index.jsp?opr=%3Cscript%3Ealert(/i%E6%98%A5%E7%A7%8B%E7%A4%BE%E5%8C%BA%E6%AC%A2%E8%BF%8E%E5%A4%A7%E5%AE%B6/)%3C/script%3E
Js?Js?那末是否是可以來轉變跳轉後地址?
拜訪:http://localhost:8080/XSS/index.jsp?opr=%3Cscript%3Elocation.href=%27http://bbs.ichunqiu.com%27%3C/script%3E
既然xss都可以加載js,那末,我們是否是經由過程js來翻開當地的某些器械?
提早放了一個MD5.exe文件
拜訪:http://localhost:8080/XSS/index.jsp?opr=<script> var objShell = new ActiveXObject("wscript.shell");objShell.Run("G:/work/XSS/WebRoot/Md5.exe");</script>
既然連當地文件都可以翻開那末長途文件木馬?來個電腦惡弄?這個本身漸漸象限。我可沒說啊。。。。。
文件都可以翻開,那末寫一些文件呢?
拜訪:http://localhost:8080/XSS/index.jsp?opr=%3Cscript%3Evar%20fso,tf;fso%20=%20new%20ActiveXObject(%22Scripting.FileSystemObject%22);tf%20=%20fso.CreateTextFile(%22d:\\test.txt%22,true);tf.WriteLine(%22i%E6%98%A5%E7%A7%8B%E7%A4%BE%E5%8C%BA%E6%AC%A2%E8%BF%8E%E6%82%A8%22);tf.Close();alert(%22%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5%E6%88%90%E5%8A%9F%EF%BC%81%22);%3C/script%3E
經由過程以上試驗我們可以看出opr參數賦值操作。假如opr參數沒有值的話,就沒法履行履行,被進擊者必需拜訪進擊者提早設計好的能力進擊。這類XSS進擊方法叫做:存儲型XSS
假如你想看到更給力的試驗,請接著往下看。
試驗二:
媒介:
年夜部門網站都邑和數據打交道那末,XSS破綻湧現這些網站是甚麼模樣的?
0x00結構代碼
數據庫部門
BaseDao.java
import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; public class BaseDAO { //翻開銜接 public Connection getConn(){ Connection conn = null; try { Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver"); conn = DriverManager.getConnection("jdbc:sqlserver://localhost:1433;databaseName=SQLTMP","sa","sa"); } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (SQLException e) { e.printStackTrace(); } return conn; } //封閉鏈接的辦法 public void closeAll(Connection conn,Statement stat,ResultSet rs){ try { if(rs != null) rs.close(); if(stat != null) stat.close(); if(conn != null) conn.close(); } catch (SQLException e) { e.printStackTrace(); } } //重載封閉辦法 public void closeAll(Connection conn,PreparedStatement pstat,ResultSet rs){ try { if(rs != null) rs.close(); if(pstat != null) pstat.close(); if(conn != null) conn.close(); } catch (SQLException e) { e.printStackTrace(); } } //持續重載 public void closeAll(Connection conn,PreparedStatement pstat){ try { if(pstat != null) pstat.close(); if(conn != null) conn.close(); } catch (SQLException e) { e.printStackTrace(); } } //增刪改的公用辦法 public int upDate(String sql,Object[] pram){ PreparedStatement pstat = null; Connection conn = null; int a = 0; try { conn = getConn(); pstat =conn.prepareStatement(sql); //遍歷參數聚集,將聚集中的參數對應添加到sql語句中 for (int i = 1; i <= pram.length; i++) { pstat.setObject(i, pram[i-1]); } //挪用辦法 a = pstat.executeUpdate(); } catch (SQLException e) { e.printStackTrace(); }finally{ closeAll(conn, pstat); } return a; } }
CommentDao.java
import java.sql.*; import java.util.*; import entity.*; public class CommentDao extends BaseDAO { /** * 獲得一切留言 * */ public List<comm> GetComment(){ //SQL語句 String sql = "SELECT CID,CName,CContext FROM Comments"; List<comm> list = new ArrayList<comm>(); //數據庫銜接對象 Connection conn = null; //SQL履行對象 PreparedStatement pstmt = null; //數據庫履行前往值 ResultSet rs = null; try { //創立數據庫鏈接 conn = this.getConn(); //創立SQL履行對象 pstmt = conn.prepareStatement(sql); //履行SQL語句 前往值 rs = pstmt.executeQuery(); //讀取 while (rs.next()) { comm comment = new comm(); comment.setCID(rs.getInt("CID")); comment.setCName(rs.getString("CName")); comment.setCContext(rs.getString("CContext")); list.add(comment); } } catch (Exception e) { e.printStackTrace(); }finally{ //封閉 this.closeAll(conn, pstmt, rs); } return list; } public int AddComment(comm comment){ String sql = "INSERT INTO Comments VALUES(?,?)"; //受影響行數 int result = 0; //數據庫銜接對象 Connection conn = null; //SQL履行對象 PreparedStatement pstmt = null; try { //創立數據庫鏈接 conn = this.getConn(); //創立SQL履行對象 pstmt = conn.prepareStatement(sql); //設置參數 pstmt.setString(1, comment.getCName()); pstmt.setString(2, comment.getCContext()); //履行SQL語句 result = pstmt.executeUpdate(); } catch (Exception e) { e.printStackTrace(); }finally{ this.closeAll(conn, pstmt); } return result; } }
CommentServlvet
import java.io.*; import javax.servlet.*; import javax.servlet.http.*; import entity.*; public class CommentServlvet extends HttpServlet { /** * doGet() */ public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { request.setCharacterEncoding("UTF-8"); response.setContentType("text/html;charset=UTF-8"); PrintWriter out = response.getWriter(); String opr = request.getParameter("opr"); CommentDao commentDao = new CommentDao(); //檢索參數能否為空 if(opr == null || opr.equals("all")){ request.setAttribute("all", commentDao.GetComment()); //轉發 request.getRequestDispatcher("comment.jsp").forward(request, response); }else if (opr.equals("add")){ comm comment = new comm(); comment.setCName(request.getParameter("UName")); comment.setCContext(request.getParameter("context")); if(commentDao.AddComment(comment) > 0){ out.print("<script>alert('留言勝利');location.href='CommentServlvet?opr=all';</script>"); }else{ out.print("<script>alert('留言掉敗');location.href='CommentServlvet?opr=all';</script>"); } }else{ request.setAttribute("all", commentDao.GetComment()); //轉發 request.getRequestDispatcher("comment.jsp").forward(request, response); } out.flush(); out.close(); } /** * doPost() */ public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doGet(request, response); } }
Comment.jsp
<%@ page language="java" import="java.util.*,entity.*" pageEncoding="UTF-8"%> <% String path = request.getContextPath(); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <base href="<%=basePath%>"> <title>My JSP 'comment.jsp' starting page</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="expires" content="0"> <meta http-equiv="keywords" content="keyword1,keyword2,keyword3"> <meta http-equiv="description" content="This is my page"> </head> <body> <% request.setCharacterEncoding("UTF-8"); if(request.getAttribute("all") == null){ request.getRequestDispatcher("CommentServlvet?opr=all").forward(request, response); } %> <table> <% List<entity.comm> list = (List<entity.comm>)request.getAttribute("all"); for(int i = 0; i < list.size(); i++ ){ %> <tr> <td><%=list.get(i).getCName() %></td> <td><%=list.get(i).getCContext() %></td> </tr> <% } %> </table> <form action="CommentServlvet?opr=add" method="post"> <textarea rows="5" cols="30" name="context"></textarea> 昵稱:<input type="text" name="UName" /> <input type="submit" value="提交" /> </form> </body> </html>
0x01破綻試驗
root@1~#
我們在留言板留言:
<script> var objShell = new ActiveXObject("wscript.shell");objShell.Run("G:/work/XSS/WebRoot/Md5.exe");</script>
然後拜訪:http://localhost:8080/XSS/comment.jsp
如許只需拜訪這個頁面,軟件就主動翻開了,來個長途文件?漸漸融會。
root@2~#
我們在留言板留言:
<script>var fso,tf;fso = new ActiveXObject("Scripting.FileSystemObject");tf = fso.CreateTextFile("d:\\test.txt",true);tf.WriteLine("i年齡社區迎接您");tf.Close();alert("文件寫入勝利!");</script>
然後拜訪: http://localhost:8080/XSS/comment.jsp
文件寫入勝利。
root@3~#
留言內容:
[code]<script>location.href='http://bbs.ichunqiu.com'</script>[code]
拜訪頁面:http://localhost:8080/XSS/comment.jsp
拜訪留言頁面主動跳轉到進擊者特定的網站。豈非這就是傳說中的劫持嗎?
3.XSS進攻計劃
正所謂哪裡有進擊,哪裡就有進攻。XSS一樣,有進擊的方法,也有進攻的計劃。
EL表達式+JSTL標簽庫
EL(Expression Language):[size=12.0000pt]為了使JSP寫起來更簡略。表達式說話的靈感來自於ECMAScript和XPath表達式語說話,他供給了JSP中簡化表達式的辦法,讓jsp代碼更簡略。
JSTL(JSP Standard Tag Library):開放源代碼的JSP標簽庫。
試驗一進攻代碼:
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <% String path = request.getContextPath(); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <base href="<%=basePath%>"> <title>My JSP 'index.jsp' starting page</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="expires" content="0"> <meta http-equiv="keywords" content="keyword1,keyword2,keyword3"> <meta http-equiv="description" content="This is my page"> </head> <body> <div > <% request.setCharacterEncoding("UTF-8"); String tmp = request.getParameter("opr"); //加速傳入值能否為空 if(tmp == null){ out.print("111"); }else{ //轉碼 String opr = new String(tmp.getBytes("ISO-8859-1"),"utf-8"); request.setAttribute("name", opr); %> <c:out value="${requestScope.name }"></c:out> <% } %> 我是內容 </div> </body> </html>
試驗二進攻代碼:
<%@ page language="java" import="java.util.*,entity.*" pageEncoding="UTF-8"%> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <% String path = request.getContextPath(); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <base href="<%=basePath%>"> <title>My JSP 'comment.jsp' starting page</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="expires" content="0"> <meta http-equiv="keywords" content="keyword1,keyword2,keyword3"> <meta http-equiv="description" content="This is my page"> </head> <body> <% request.setCharacterEncoding("UTF-8"); if(request.getAttribute("all") == null){ request.getRequestDispatcher("CommentServlvet?opr=all").forward(request, response); } %> <table> <!-- 進攻XSS計劃 --> <c:forEach var="x" items="${requestScope.all }"> <tr> <td> <c:out value="${x.getCName() }"></c:out> </td> <td> <c:out value="${x.getCContext() }"></c:out> </td> </tr> </c:forEach> </table> <form action="CommentServlvet?opr=add" method="post"> <textarea rows="5" cols="30" name="context"></textarea> 昵稱:<input type="text" name="UName" /> <input type="submit" value="提交" /> </form> </body> </html>
停止語
技巧無诟谇,專研甚好。