Hacking Book | Free Online Hacking Learning


Analysis of the history hack, the Heartbleed vulnerability, CSS spoofing, SQL injection and CSRF attacks

Posted by verstraete at 2020-03-04

Vulnerabilities have two main root causes: system mechanisms and coding practice. Because network protocols are open, web vulnerabilities make up the majority today.

The JavaScript / CSS history hack is a typical system-mechanism vulnerability, while Heartbleed is a typical coding-practice vulnerability. After introducing both, a test website is built to try out CSS spoofing, SQL injection and CSRF attacks.

Vulnerability impact: an attacker can learn part of the user's browsing history.

Attack method: because JavaScript can read the computed CSS of any element, it can tell which style the browser applied to a link and so whether the user has visited it. An attacker builds a website containing hyperlinks to a chosen set of sites. When a user visits the attacker's page, the browser checks the user's history and renders visited and unvisited links in different colors.

The attacker's page can then report which of those sites the user has visited back to the attacker's server. The effect is to test whether the user has visited particular sites, not to read the user's history directly.

The vulnerability has been fixed: although the user still sees visited and unvisited links rendered differently, JavaScript can no longer observe the color difference.

Heartbleed, also known as the "bleeding heart" vulnerability, CVE-2014-0160.

Origin of the vulnerability: it was reported by Google white-hat researcher Neil Mehta. An attacker can repeatedly obtain 64 KB of data from a specific server's memory. The whole process is like fishing: the attack can be carried out continuously, and a large amount of sensitive data leaks.

Cause: the code did not check the length boundary before calling memcpy() on user input. An attacker can declare a length that exceeds the data actually sent, and the server returns that many bytes from its buffer.

Each heartbeat request carries a declared payload length. If the declared length is larger than the actual payload, the server still returns the declared number of bytes, which becomes an out-of-bounds read of memory.

Vulnerability impact: each heartbeat leaks a small amount of server data (at most 64 KB in theory), which may or may not contain the user's login credentials, e-mail or even encryption keys, but the attacker can send "heartbeats" repeatedly to collect more. The server leaks more and more bit by bit, like a heart bleeding slowly, which is where the name comes from. The vulnerability has been fixed, but it is not known whether it was exploited before it was reported.
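To make the missing length check concrete, here is an added example (not code from the original article or from OpenSSL) that simulates a heartbeat handler in Python. The record layout follows RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding); the "adjacent memory" and the secret placed in it are constructed for the demonstration. The unchecked handler trusts the declared length and copies past the record; the checked handler applies the same test the fix applies and discards the record.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520 minimum padding length


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length lets us lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def reply_unchecked(memory: bytes, record_len: int) -> bytes:
    """Vulnerable pattern: copies payload_length bytes from the payload start,
    regardless of how long the received record actually was."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + payload_len]          # may run past record_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload


def reply_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed pattern: the declared payload plus header and minimum padding
    must fit inside the record that was received, otherwise drop it."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None                              # silently discard
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload


# Constructed sample: unrelated data that happens to sit right after the
# record in memory (standing in for session cookies, passwords or keys).
SECRET = b"session=abc123;"


def simulate(claimed_length: Optional[int]):
    """Return (simulated memory, true record length) for a 'hello' heartbeat."""
    record = build_heartbeat(b"hello", claimed_length)
    return record + SECRET, len(record)


if __name__ == "__main__":
    mem, rlen = simulate(5 + MIN_PADDING + len(SECRET))   # over-claimed length
    print("unchecked reply leaks secret:", SECRET in reply_unchecked(mem, rlen))
    print("checked reply:", reply_checked(mem, rlen))
```

The check `1 + 2 + payload_len + MIN_PADDING > record_len` is the whole fix: the server must measure the length it received rather than believe the length it was told.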

The above is a brief introduction to the two kinds of vulnerability. The following experiments with CSS spoofing, SQL injection and CSRF attacks.

As the name suggests, CSS spoofing is a form of deception: it presents false information to the browser user.


Spoofing principle: cover the real page content using CSS positioning and pseudo-classes.

If HTML is the skeleton of a page, CSS is its outward appearance and JavaScript its nerves controlling behaviour; CSS spoofing works purely through how CSS renders the page.

Introduction to positioning methods and pseudo-classes

CSS provides four ways to position page elements:

Common positioning pattern: an absolutely positioned child inside a relatively positioned parent ("child absolute, parent relative").

CSS pseudo-classes can be combined with CSS classes, for example the anchor pseudo-classes and the first-child pseudo-class.

For example, the anchor pseudo-classes:

Spoofing case: in the early years, Taobao store "decoration" let merchants control the page display directly with CSS, and some merchants used it to fabricate store information.

The following is a store information screenshot from around 2012 showing information that is not true. The real 30-day sales volume is 0, but by setting a background image in the store decoration the page displays "580 sold". The "shopping notice" is disguised by the background image as "quality merchant, 7-day no-questions-asked returns". The review details and transaction records are likewise false publicity: there are no buyer reviews at all, only added background images.

Why is CSS spoofing so simple yet so widely used?

In my own browsing experience, before and around the start of the 4G era, faking pages with images was very common.

The most recent case I ran into was on Double 11 (Singles' Day) 2018. I applied for a refund on an e-commerce platform and the merchant kept ignoring it. When I tried to file a complaint with the platform, the button to submit the complaint did not respond at all. At first I thought it was a mobile display compatibility problem, but later I found that the lower half of the page was a picture, and the submit button was just part of that picture.

We can perhaps understand this on Double 11, but for the majority of Internet users with little computer background, CSS spoofing is still very effective.

Next, SQL injection is introduced first, and then CSS spoofing is combined with SQL injection: on the test website, SQL injection is used to place front-end code that performs the CSS spoofing.

SQL injection occurs when a web application does not validate or filter the legitimacy of user input. An attacker appends extra SQL to the application's predefined query and performs unauthorized operations without the administrator's knowledge. It is one of the most common dangerous vulnerabilities today.

SQL injection is not an outdated security problem; on the contrary, it is a very easy attack to use. It requires no deep attack skills to get sensitive database information read or deleted without authorization.

General injection process:

The test site is the zoobar application, where each user has a balance of "zoobars". There are two injection methods that can increase your zoobars:

Method 1

Injection code (entered as the profile text):

userA的个人简介', Zoobars='20

The profile page code on the test site (deliberately vulnerable, reconstructed from the garbled listing):

<?php
if ($_POST['profile_submit']) {              // Check for profile submission
    $profile = $_POST['profile_update'];
    $sql = "UPDATE Person SET Profile='$profile' " .
           "WHERE PersonID=$user->id";
    $db->executeQuery($sql);                  // Overwrite profile in database
}
$sql = "SELECT Profile FROM Person WHERE PersonID=$user->id";
$rs = $db->executeQuery($sql);
$rs = mysqli_fetch_array($rs);
echo $rs["Profile"];
?>

The $sql value built in lines 4 and 5 is the statement the database executes. With method 1, the statement actually executed becomes:

UPDATE Person SET Profile='userA的个人简介', Zoobars='20' WHERE PersonID=userA

Method 2

Depending on the scenario, method 2 is sometimes used only to change how the page is displayed, i.e. pure CSS spoofing: userA actually has 20 zoobars, but through SQL injection of front-end code, users of the site who look up userA see 200. To make it easy to observe, the spoofed digit is set in red.

Injection Code:

<span style="color:#000000;position:relative;left:60px;top:-54px;">0</span>

Unlike the Taobao merchants described earlier, who set a background image directly with CSS, here a relatively positioned tag is written into the personal profile via SQL injection. When a site user views userA's profile, the browser interprets the HTML in the profile and renders the digit 0, positioned right after the displayed zoobar count. Next, another attack that relies on a browser mechanism is introduced.

CSRF stands for Cross-Site Request Forgery.

The attacker lures the browser user onto the attacker's own site so that it makes cross-site requests. Because the browser attaches the cookie it saved for the original site, the attacker's page inherits the user's identity on that site and forges requests in the user's name.

Browser mechanism:


Unlike the JavaScript / CSS history hack, CSRF cannot simply be fixed by changing the CSS or JavaScript engine, because current browsers rely on this cookie mechanism.

Scenario simulation: a programmer logs in to Cnblogs (博客园) to read blogs. After finding a good post, they want to share it to WeChat Moments (朋友圈); the first time, the page asks them to log in to Moments. After logging in and sharing successfully, the programmer soon finds another good post and shares again, and so on. What does the browser do?

Currently the browser saves the user's cookie after the first login, so the user does not need to re-authenticate within the cookie's validity period, and the subsequent cross-site requests need no further login. (This was not actually tested; Cnblogs sharing may require a login every time. It is only an example to illustrate cross-site requests between pages.)

The browser's cookie-saving mechanism is necessary, but at the same time it gives an attacker something to exploit.

Vulnerability of user authentication in Web:


In other words, when the user's browser sends a request, the browser's cookie proves the user's identity, but it cannot prove that the request was an action the user deliberately took on the original site.
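The standard remedy is to require something the cookie alone cannot supply. The following added example (not code from the article or from the zoobar test site) models the transfer endpoint as plain Python functions: the session cookie still identifies the user, but the handler also checks that the request's Origin (or Referer) is the site itself and that the form carries the per-session anti-CSRF token that only a page served by the site can know. The request dictionary shape, the site origin, the cookie and field names and the balances are all constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://zoobar.example"      # assumed site origin
sessions = {}                               # cookie value -> {"user", "csrf"}
balances = {"userA": 10, "victim": 10}      # constructed zoobar balances


def login(user: str) -> str:
    """Create a session; the anti-CSRF token is bound to that session."""
    cookie = secrets.token_hex(16)
    sessions[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
    return cookie


def csrf_token(cookie: str) -> str:
    """What the site embeds in its own transfer form as a hidden field."""
    return sessions[cookie]["csrf"]


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept
    'https://zoobar.example.evil.test'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_transfer(request: dict) -> tuple:
    """request = {"cookies": {...}, "headers": {...}, "form": {...}}.
    Returns (HTTP status, message)."""
    session = sessions.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    # Browsers send Origin on cross-site POSTs; fail closed if neither header fits.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not same_origin(origin):
        return 403, "cross-site request rejected"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or wrong anti-CSRF token"
    sender, recipient = session["user"], request["form"]["recipient"]
    amount = int(request["form"]["zoobars"])
    if amount <= 0 or recipient not in balances or balances[sender] < amount:
        return 400, "invalid transfer"
    balances[sender] -= amount
    balances[recipient] += amount
    return 200, "ok"


if __name__ == "__main__":
    cookie = login("victim")
    # A form auto-submitted from another site: cookie present, no token.
    forged = {"cookies": {"session": cookie},
              "headers": {"Origin": "https://attacker.example"},
              "form": {"recipient": "userA", "zoobars": "1"}}
    print(handle_transfer(forged))           # (403, 'cross-site request rejected')
    legit = {"cookies": {"session": cookie},
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"recipient": "userA", "zoobars": "1",
                      "csrf_token": csrf_token(cookie)}}
    print(handle_transfer(legit), balances)  # (200, 'ok') {'userA': 11, 'victim': 9}
```

Setting the session cookie with the SameSite=Lax or Strict attribute adds a third, browser-enforced layer, but the token check is the one that does not depend on client behaviour, so it is the one to keep in any case.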

The attack is demonstrated on the test website.

Attack steps:

Building the web pages

Original page and code: clicking Send on the transfer interface submits the request that performs the transfer.

The attacker needs a site of their own with the attack written into it. Here the original site's interface code is copied directly, the amount to send is given the default value 1, the recipient defaults to the attacker's userA account, and JavaScript submits the Send button automatically when the page loads.

Attack page and code: it looks identical, but the browser's address bar shows that it is a different page, which simulates the attacker's site.

Then a hyperlink to the attack page is added to the profile: