
Bypass a general information management system to implement XSS

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to bypass a general information management system to achieve XSS. The content is of high quality, so the editor shares it for your reference; I hope you will have some understanding of the relevant knowledge after reading it.

Preface

I came across this while pentesting a site in a real engagement. After several days of research I finally bypassed the restrictions and obtained the administrator's cookie, so I am recording it here as a memo. It is an organic combination and comprehensive exercise of some small tricks and knowledge points. I hope this article is helpful to readers; if there are any errors, please correct them.

Preparatory work

First of all, take a look at the site. Vulnerabilities such as SQL injection were tested beforehand; here only XSS is tested.

First try submitting some normal data to determine whether the payload is echoed. After testing, the site redirects straight back to the home page after submission, so there is no way to see how the payload is parsed.

Note: when testing XSS, don't habitually throw dangerous characters such as / and : at the target. There is a risk of exposing the testing activity, and it is hard to control what the page displays.

If you can't see the echo, do you have to test blind?

Here is an idea: try to obtain the system's source code and build it locally for testing.

Now that the idea is clear, let's try to get the system's source code.

Method 1: scan for sensitive directories and files such as .git / .svn. If any are present, the system's source code can be restored directly from them.

Related tools: https://github.com/lijiejie/GitHack

Seay-svn restore tool: download it yourself.

Method 2: start from the source code itself, look for copyright-related information, and then search online for the source and download it.

Method 2 was used on this site: when we tried to visit the admin backend, the page revealed the information we wanted.

Search for the matching source code, download it, and build it locally.

Now we can test XSS safely.

The show begins.

Get the payload ready:

A URL shortening service is recommended here:

X.co

Just open it and set the URL.

If anyone knows an even shorter URL shortening service, please share it; after all, when testing XSS a single character can sometimes decide whether the test succeeds.

After submitting the payload, go to the backend to check the result.

Compare:

It can be seen that the '=' and the '/' in the URL are filtered out.

But the page does parse our tags.

Here's a trick:

When viewing the source in the developer tools of browsers such as Chrome, a tag shown in color has been parsed; a tag shown in black has been escaped rather than parsed.

Now let's consider how to get around the restrictions.

Idea 1: XSS with other tags that do not contain = or /

Idea 2: encoding bypass

Let's start with idea 1:

The '=' character is very common in attributes, and most XSS payloads rely on tag attributes, so it is not easy to find a tag that does not use '='.

But there are a few special cases.

[xss_clean] (String.fromCharCode) (String.fromCharCode); ascii code bypasses eval (Dec ('203041263543203); @ im\ port'\ ja\ vasc\ ript:alert ("X3SS");

In fact, the encoding bypass idea has already been combined in here, so it won't be repeated.

We use the first payload here, which perfectly bypasses the '=' and '/' restrictions because the special characters are all encoded into their corresponding ASCII codes.

Submit the payload to the backend and check the result.

Obviously, our payload was executed successfully.

Do you think this is over?

Now let's go to the target site and test it.

And look at the length of the payload.

So the fun has just begun.

Some readers may ask why the same payload is restricted here.

The answer is in the management backend.

It shows that the length of each data item on the target site is limited. After testing, every data item on the target site is limited to 40 characters, so let's consider bypassing that.

Here is an ingenious idea: split the payload, store the pieces in variables, and then execute the concatenated variables.

The payload generally used is:

Zonal documentation.' Z=z+'write ("'zodiac'") 'eval_r (z)

Note: this payload requires all of its fragments to be injected into the same page.

The idea is settled, but on the target system, how do we get around the '=' and '/' restrictions?

As mentioned earlier, using encoding to bypass special characters is the more effective idea, so we will combine split injection with encoding.

Additional knowledge:

Unicode encoding bypass

URL encoding bypass

Hex bypass

Octal bypass

Base64 bypass

Observation shows that characters encoded with URL encoding, ASCII codes or base64 have to be decoded by a corresponding function or method, which inevitably lengthens the payload and works against execution when the overall length is limited.

So is there an encoding that is parsed directly and has a moderate length once encoded?

Yes!

Hex, octal and unicode encoding!

Take unicode encoding as an example (the principle is much the same for hex and octal; interested readers can test those themselves).

First, replace '='.

Eval (z\ u003ddocumentation.') eval (z\ u003dz+'write ("') eval (z\ u003dzdocumentation') eval_r (z)

Note:

The eval() function is required when unicode, hex or octal encoding is used, because these escapes are only decoded inside a JavaScript string.

In fact, the payload here does not work as-is and still needs processing; it is shown only to illustrate the line of thought.

The next step is to deal with some details:

Quotation marks inside eval need to be escaped

Further shorten the payload

Think about it:

Using only a single variable z for storage and concatenating strings at every subsequent step, is that the best approach?

Personally, I think that if the total length allows, different payload fragments can be stored in different variables.

For example:

Eval ('a\ u003d\ 'docu\') eval ('b\ u003d\ 'ment\') eval ('c\ u003d\ '.wri\') eval ('d\ u003d\'te ('') eval ('e\ u003d\')
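The filter and the per-field length cap described above, together with the inspection a defender should do instead, as an added example in JavaScript (Node.js) that is not code from the original post; the field values, the 40-character limit and all function names are assumptions modelled on the post's description.

```javascript
// Added example, not from the original post. Models the blacklist that drops
// '=' and '/' and the 40-character cap per field, then shows a defender's check.
const MAX_FIELD_LEN = 40; // the per-field limit observed on the target

// The site's filter as the post describes it: strip '=' and '/', keep the rest.
function naiveFilter(input) {
  return input.replace(/[=\/]/g, '');
}

// Fold JavaScript string-literal escapes (\uXXXX, \xXX, octal \NNN) and
// String.fromCharCode(..) calls back into the characters they produce.
// Inspection only: never render the result.
function normalize(s) {
  return s
    .replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, l) =>
      l.split(',').map(n => String.fromCharCode(parseInt(n, 10))).join(''))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)));
}

// What to flag once the input has been normalized: the blacklisted characters,
// tag delimiters, and the sinks the post's payloads rely on.
const SUSPICIOUS = /[=\/<>]|eval\s*\(|document\.write/i;

// Per-field check on the raw value, which is all the post's target does.
function rawFieldLooksClean(value) {
  return value.length <= MAX_FIELD_LEN && !/[=\/]/.test(value);
}

// Record-level check: normalize every field, then inspect the concatenation in
// display order, because a payload split across fields is only visible whole.
function auditRecord(fields) {
  const joined = fields.map(normalize).join('');
  return {
    perFieldClean: fields.every(rawFieldLooksClean),
    recordClean: !SUSPICIOUS.test(joined),
    normalized: joined,
  };
}

// The durable fix is output encoding at render time, not an input blacklist.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample: four short fields, each of which passes the per-field check.
const SAMPLE = ['docu', 'ment', '.write(', 'z\\u003d1'];
console.log(auditRecord(SAMPLE)); // perFieldClean: true, recordClean: false
```

Each field alone passes the raw check the post's target performs; only the normalized, concatenated record exposes the sink and the hidden '='.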
