SiXSS attack tutorial

Author: HecTor

// There may be some grammar mistakes here, because English isn't my native language. Sorry, and tell me if you find a mistake
;)

[First]
This article describes the particularities of combining two attacks, SQL injection and XSS (Cross Site Scripting), into
one attack: SiXSS.
Who is this article written for? It is for beginners in this area, but it expects the reader to have some prior
knowledge, that is, at least a general notion of SQL injection and XSS.
Also, do not forget about penal codes and criminal responsibility for your own actions. The author of the article takes
no responsibility for any damage caused.

[How to]
And what is SiXSS? As I wrote above, it is the joint use of two types of attack. A question may arise: why is this
necessary? There is SQL injection, there is XSS, and there is no need to combine them!

But... many people have faced this situation: a quick search for vulnerabilities on a web site brings no success. No
XSS is found, a minimum of scripts... But! We have found a vulnerable request, one that fetches the requested page
from the database:

[vuln_url]
http://site.net/article.php?article=8
[/vuln_url]

Test for SQL injection. We shall try this:

[vuln_url]
http://site.net/article.php?article=8+AND+1=2/*
[/vuln_url]

Nothing is displayed.

[vuln_url]
http://site.net/article.php?article=8+AND+1=1/*
[/vuln_url]

It is executed. That means this is SQL injection. Next, the attacker tries to pull the necessary data out of the
database. However, what shall we do if there is no concrete information about the database, or the database forbids
access to files? Time goes by...
This is where SiXSS comes in.

[SQL and XSS]
The SQL language has a UNION operator, which can combine two queries. I'll try to explain:

[vuln_url]
http://site.net/news.php?id=1+union+select+1,DATABASE(),3/*
[/vuln_url]

This request selects the news item with identifier 1 and, in the same request, selects information about the database.
In other words, UNION SELECT makes it possible to show arbitrary text in the browser window, and this is exactly what
lets us use SiXSS. At the start, of course, it is necessary to find the number of columns, since the number of fields
taken from the database must equal the number of fields selected after UNION.

[vuln_url]
http://site.net/article.php?article=8+union+select+1,2,3/*
[/vuln_url]

This helps us if UNION is not filtered. We shall inject JavaScript through the SQL injection. After all, it is
displayed in the browser, thanks to the particularities of UNION SELECT.

[vuln_url]
http://site.net/article.php?article=8+union+select+<script>alert("Vulnerability");</script>/*
[/vuln_url]

Here is an alert window with the message 'Vulnerability'. If we work with this script, we get a passive (reflected) XSS
vulnerability: the cookies of a person who follows such a link are sent to our sniffer. This is what we wanted to
prove: now we can work with this vulnerability just like with a usual XSS.

[Troubles]
Though, not everything is so simple; this was 'the ideal variant' of an 'ideal vulnerability'. For example, what are we
going to do if the server has the directive magic_quotes_gpc, which escapes quotation marks? This is not a problem. To
get around this filtering, one can encode the string in HEX with the 0x prefix, or use ASCII encoding. You can use some
programs, a special script, or the facilities of the MySQL database itself or another database (the functions char()
and hex()).
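The column-count requirement, the way UNION SELECT output reaches the browser as markup, and the magic_quotes caveat just above, as an added example that is not from the tutorial or from any site it mentions. It is Python with an in-memory SQLite table standing in for the article table (the table, its rows and the payload strings are constructed for this example; `vulnerable_article`, `quote_escaping_article` and `hardened_article` are hypothetical names). It shows the three outcomes the text describes (no row, an SQL error when the column counts differ, injected markup in the response), that a quote-escaping filter stops only quoted payloads, and the two fixes that actually close the hole: a typed bound parameter and HTML encoding on output.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for the article table; rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, published INTEGER)")
    conn.execute("INSERT INTO articles VALUES (8, 'Article eight', 'Body of article 8', 1)")
    conn.execute("INSERT INTO articles VALUES (9, 'Stored <b>markup</b>', 'Comment with <i>tags</i>', 1)")
    return conn


def render_rows(rows, encode):
    """Turn result rows into the HTML the browser would receive. With encode=False the
    fields go out verbatim, which is what lets text chosen via UNION SELECT become markup."""
    esc = html.escape if encode else (lambda s: s)
    return "".join(f"<h1>{esc(str(title))}</h1><div>{esc(str(body))}</div>" for _, title, body in rows)


def vulnerable_article(conn, article):
    """article.php as the tutorial describes it: the GET parameter is pasted into the SQL
    text and the rows are echoed unencoded. Returns '' when no row matches and
    'SQL error' when the statement fails (for example a wrong column count after UNION)."""
    sql = f"SELECT id, title, body FROM articles WHERE id = {article} AND published = 1"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "SQL error"
    return render_rows(rows, encode=False)


def quote_escaping_article(conn, article):
    """Same code behind a magic_quotes_gpc-style filter that backslashes quotes. Quoted
    payloads now break, but a numeric context needs no quote at all, so
    '8 UNION SELECT 1,2,3 /*' passes through untouched."""
    filtered = article.replace("'", "\\'").replace('"', '\\"')
    return vulnerable_article(conn, filtered)


def hardened_article(conn, article):
    """Two independent fixes: the id is converted and bound as a parameter (attacker text
    never becomes SQL syntax), and every field is HTML-encoded on output (data that
    already contains markup renders as text)."""
    try:
        article_id = int(article)
    except ValueError:
        return ""
    rows = conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ? AND published = 1",
        (article_id,),
    ).fetchall()
    return render_rows(rows, encode=True)


if __name__ == "__main__":
    db = make_db()
    for payload in ["8", "8 AND 1=2 /*", "8 AND 1=1 /*", "8 UNION SELECT 1,2 /*",
                    "8 UNION SELECT 1,'<script>alert(1)</script>',3 /*"]:
        print(f"{payload!r:55} vulnerable -> {vulnerable_article(db, payload)[:60]!r}")
        print(f"{'':55} hardened   -> {hardened_article(db, payload)[:60]!r}")
```

The comment terminator `/*` works in SQLite as it does in MySQL (an unterminated block comment runs to the end of the statement), so the probes behave exactly as the tutorial describes: `AND 1=2` hides the article, `AND 1=1` shows it, and a UNION with the wrong number of columns produces a database error that leaks the column count to anyone watching the response.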

So, suppose we have HEX-encoded the expression «<script>alert("Vulnerability");</script>». Let's try to substitute
this value into the vulnerable query:

[vuln_url]
http://site.net/article.php?article=8+union+select+0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E
[/vuln_url]
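What the requests above look like from the server side, as an added example that is not part of the tutorial: a small Python scanner, run over constructed access-log lines (invented for this example, reusing the request shapes from the URLs on this page), that flags UNION SELECT, boolean probes such as AND 1=2, comment terminators, and 0x literals that decode to markup. `scan_log`, `classify_request`, `decode_hex_literals` and the regexes are this example's own names. Decoding the page's own hex literal shows that it carries alert("SiXSS"), not the "Vulnerability" text the prose mentions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (invented for this example). Lines 2-5 reuse the request
# shapes from the tutorial's URLs; the first and last lines are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2008:08:31:00 +0000] "GET /article.php?article=8 HTTP/1.1" 200 1234
10.0.0.5 - - [19/Feb/2008:08:31:02 +0000] "GET /article.php?article=8+AND+1=2/* HTTP/1.1" 200 12
10.0.0.5 - - [19/Feb/2008:08:31:09 +0000] "GET /article.php?article=8+union+select+1,2,3/* HTTP/1.1" 200 1300
10.0.0.5 - - [19/Feb/2008:08:31:15 +0000] "GET /article.php?article=8+union+select+0x3C7363726970743E616C6572742822536958535322293B3C2F7363726970743E HTTP/1.1" 200 1350
10.0.0.5 - - [19/Feb/2008:08:31:20 +0000] "GET /article.php?article=8+union+select+%3Cscript%3Ealert(1)%3C/script%3E/* HTTP/1.1" 200 1350
10.0.0.9 - - [19/Feb/2008:08:32:00 +0000] "GET /news.php?id=1 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
BOOL_RE = re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*|--\s")
HEX_RE = re.compile(r"0x([0-9a-fA-F]{2,})")
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)


def decode_hex_literals(query):
    """Decode every 0x... literal that is printable text. MySQL renders such a literal as a
    string, so this is what the vulnerable page would have echoed."""
    decoded = []
    for h in HEX_RE.findall(query):
        if len(h) % 2:
            continue
        try:
            text = bytes.fromhex(h).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def classify_request(path):
    """Return (findings, decoded_hex) for one request path; findings is empty when clean."""
    query = unquote_plus(path.partition("?")[2])  # '+' and %XX become the characters the app saw
    findings = []
    if UNION_RE.search(query):
        findings.append("union-select")
    if BOOL_RE.search(query):
        findings.append("boolean-probe")
    if COMMENT_RE.search(query):
        findings.append("comment-terminator")
    decoded = decode_hex_literals(query)
    if any(MARKUP_RE.search(t) for t in decoded):
        findings.append("hex-encoded-markup")
    elif MARKUP_RE.search(query):
        findings.append("markup-in-query")
    return findings, decoded


def scan_log(log_text):
    """Scan every request line and return one alert dict per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings, decoded = classify_request(m.group(1))
        if findings:
            alerts.append({"path": m.group(1), "findings": findings, "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["findings"], alert["decoded"] or "", alert["path"][:60])
```

The scanner decodes the query the way the application does before matching, so `+` and percent-encoding do not hide the payload, and it decodes 0x literals because that is precisely the trick the magic_quotes bypass relies on. A hex literal that decodes to a tag is a much stronger signal than a bare UNION, and the boolean probe pair (`1=2` then `1=1` from the same client seconds apart) is the reconnaissance pattern that precedes the UNION attempts.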

So, we have bypassed magic_quotes. Now let's talk about the 'bad look of the URL'. The problems are the same as with a
usual passive XSS: the person may not follow the link (it is long and unclear), or the person has JavaScript switched
off. Let's begin.

There are many different ways to make a victim follow the "poisonous" link without suspicion. I shall tell about one of
them.

If you have read some articles about XSS and used this vulnerability in practice, you must have a notion of how to use
passive XSS in a POST request. I'll try to explain. For example, the data is sent to the vulnerable script by the POST
method. Example HTML form:

[html code]
<HTML>
<BODY ONLOAD="send.submit();">
<FORM NAME=send ACTION=xss.php METHOD=POST>
<INPUT TYPE=hidden NAME=alert VALUE="<script>alert('XSS');</script>">
</FORM>
</BODY>
</HTML>
[/html code]

And here is script, with name xss.php:

[php code]
<?php
// reflects the POST field into the page without any encoding
echo $_POST['alert'];
?>
[/php code]

So, if we transmit the already-known JavaScript, the alert will appear, but the address bar shows the URL of the
vulnerable script without any GET parameters. That is, it looks only a little suspicious.

The poisonous link is palmed off like this: write a script which sends the request to the vulnerable script, and put it
on any host. Then give the link to that script to the victim. The victim, suspecting nothing, follows the link, and the
data is sent by POST to the vulnerable script. Result: the XSS has worked!

Thus it is possible, from a foreign script, to redirect the victim to the poisonous link with our SiXSS.
For example, this PHP script will redirect the browser to another page:

[php code]
<?php
// "link" stands for the target URL
header("Location: link");
?>
[/php code]

Fine, one more problem is behind us. But let's return to JavaScript being switched off.

I have read about one interesting method. Using UNION SELECT, we can put onto the page not only JavaScript but also HTML.
So it is possible to fake a page with login and password fields that submits to our script, which will write all the
data to a file. It is simple phishing. Sounds good, yes?

[Hacked, yeah =)]
There is nothing "super new" in this article; it is still the same SQL injection and XSS. I hope you have gathered
something from it for yourself. If you find any thematic mistakes, tell me about them.

by r3dr0ot | 2008/02/19 08:31 | →Penetration Test | Trackbacks (2)
