1首先打开kali,更新apt (apt-get update)
![图片[1]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292214_600a5e366118fd52349ab.png)
2 安装beef (apt-get install beef-xss)
![图片[2]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292229_600a5e45c03197d1cdcfb.png)
3 输入命令beef-xss运行beef,并给beef设置新的密码123456
![图片[3]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292238_600a5e4ea54f3ec66d071.png)
4 输入ip a ,查看到当前ip为192.168.233.131
![图片[4]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292262_600a5e662f29ca67d1318.png)
5在本机浏览器输入http://192.168.233.131:3000/ui/panel 登陆beef
![图片[5]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292271_600a5e6f0398bb4619771.png)
登陆成功
![图片[6]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292282_600a5e7a6ba428a0ebeb6.png)
6在本地浏览器打开靶场,并修改前端message输入框最大输入长度为500,添加恶意脚本
![图片[7]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292305_600a5e91ab682130a76ee.png)
7其他用户浏览到该页面时存储在靶场后端服务器上的恶意代码执行,当前用户被上线
![图片[8]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292319_600a5e9f600c4d871e056.png)
8 选择192.168.233.1,点击get cookie,可以获取当前web用户的cookie
![图片[9]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292342_600a5eb61d7147c633098.png)
社工钓鱼
1 选择192.168.233.1这台受害主机,点击社攻,再点谷歌钓鱼
![图片[10]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292441_600a5f19bd39fe51dc5c4.png)
2在钓鱼web页面,用户名输入haha,密码为123456
![图片[11]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292450_600a5f2212d0bc24746b2.png)
3在beef上可以看到用户输入的用户名为haha,密码为123456
![图片[12]-beef结合xss窃取cookie社工钓鱼 – 作者:为你而来xss-安全小百科](http://aqxbk.com/./wp-content/uploads/freebuf/image.3001.net/images/20210122/1611292475_600a5f3bcccdc4d681b96.png)
来源:freebuf.com 2021-01-22 13:20:40 by: 为你而来xss
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
请登录后发表评论
注册