Malaysian WackWall Forum

Now Malaysian Can Connect Over The World
 
HomePortalCalendarGalleryFAQSearchMemberlistUsergroupsRegisterLog in
Navigation
:: Portal ::
:: Forum ::
 :: Memberlist ::
:: Profile ::
:: FAQ ::
:: Search ::


AlertPay Easy Money Transfer 100% Free to register
 
Log in
Username:
Password:
Log in automatically: 
:: I forgot my password
Google Translator
Latest topics
» IRC Flooder Script For Sale
Mon Oct 08, 2012 12:39 am by maxi.y.mateo

» utusan.com.my Being DDOS
Fri Jan 20, 2012 5:33 pm by Penjejak Badai

» PHP IRC Bot
Fri Dec 02, 2011 11:31 am by siperda

» SQL Injection Scanner By XShimeX
Mon Oct 24, 2011 6:22 pm by sucide_bomber

» Website Vulnerable Scanner Tools V1.01 By proqrammer
Mon Oct 24, 2011 6:21 pm by sucide_bomber

» Slowloris or XerXes Leak Version
Tue Sep 13, 2011 7:45 pm by sucide_bomber

» maisarah wuz here
Tue Sep 13, 2011 7:32 pm by sucide_bomber

» Sql Injection Tutorial
Tue Jul 19, 2011 2:56 pm by sucide_bomber

» XerXes Source Codes!!
Wed Jul 13, 2011 8:55 am by wackwall

» SQL Injection dalam bahasa Malaysia
Thu Jun 30, 2011 9:11 pm by sucide_bomber

» LFI Scanner ( Perl )
Mon Jun 27, 2011 8:21 am by wackwall

» Muhasabah diri tingkat kesyukuran, keinsafan umat
Mon Jun 27, 2011 3:56 am by sucide_bomber

» 5013 Webs With SQL Vuln
Mon Jun 27, 2011 3:50 am by sucide_bomber

» Saya mencari part time job online?
Mon Jun 27, 2011 1:19 am by sucide_bomber

» 16 exploits for hacking CC databases
Mon Jun 13, 2011 1:33 pm by sucide_bomber

Link Exchange
Online News


















Churp2x Campaign
Click Pada Iklan DiBawah & Dapatkan Ganjaran Anda
SEKARANG!



















Mangga Ads
NuffNang Ads

Share | 
 

 vbSEO – From XSS to Reverse PHP Shell

View previous topic View next topic Go down 
AuthorMessage
wackwall
Admin


Zodiac : Cancer Chinese zodiac : Rooster
Posts : 159
Points : 2620
Reputation : 2
Join date : 10/12/2010
Age : 35
Location Location : Sarawak

PostSubject: vbSEO – From XSS to Reverse PHP Shell   Tue Mar 22, 2011 9:53 am

XSS is not a big deal, or is it? On
many occasions, I’ve seen this vulnerability being classified as
useless, not serious, and being a low threat. What I’ve always had in
mind is that it’s only the capabilities of the browser, and the hackers
mind which sets the limit for a XSS attack.


[You must be registered and logged in to see this image.]

It may seem impossible to do anything
else other than stealing sessions, cookies and performing phishing,
client side defacements etc. But take a look at the picture above, that
is a reverse php shell automatically injected into the site, when a
vBulletin administrator viewed a malicious linkback.
The vulnerability itself I’m referring to, is a 0day within vBSEO
which exists within the administrator and moderator panel only. However,
the attacker is able to inject persistent scripts via this linkback
feature directly into the part of these panels handling these linkbacks.

[You must be registered and logged in to see this image.]

In short, the attacker crafts a
malicious HTML page as shown in the advisory. Then, the attacker clicks a
link to the target forum with vBSEO installed, and when the target is
reached, vBSEO performs a GET-request to the attacker’s malicious HTML
page (if it’s served online and if RefBacks are enabled).
The title of this page is then loaded directly into the database, and
an administrator can see it sanitized in the actual thread, but also in
the admin and mod panel where the title is not sanitized at all,
allowing the script to run.
What is actually possible?



After discovering and researching this
vulnerability, I realised it was a fine case to do further studies on
and then develop a XSS worm. Fortunately I got away from that idea due
to the fact it could’ve been abused globally on forums with vBSEO
installed. However, the idea itself was not bad so I began developing
the payload aka the javascript, which would eventually inject a PHP
payload via the nice plugin feature in vBulletin.

[You must be registered and logged in to see this image.]

Initially, the XSS trojan I wrote should
be able to do all of this silently without the user knowing, so instead
of document.write being used, appendChild which uses DOM objects, was
used instead. This took a bit more work in order to function better, but
the result was that the visible window would not change to the affected
user getting infected with this trojan.

[You must be registered and logged in to see this image.]

When the user browses to, in this case
“Moderate Linkbacks”, the script is executing as soon as the user hits
that page. When this happens, the trojan checks whether infection has
already happened once and if not, continues. Then an iframe is created
outside the visible frames, where the adminhash and securitytoken
(CSRF-token) is read and saved in a local variable in the browser.
Then a new form is injected into this iframe, which contains the
adminhash and the securitytoken. The form itself contains the values
needed to create a new and completely valid plugin which in this case,
is PHP code. At this point, the script checks again if the user has
already been infected and if not, the form is submitted, the plugin is
created, and a cookie is set to prevent the script from going in loops.

[You must be registered and logged in to see this image.]

Most administrators, would notice the
broken lock icon in case they use HTTPS / SSL, and then they would view
the source. The great thing about using javascript to create HTML
objects, especially with “appendChild” etc. is that it is not visible. A
debugger, such as Firebug shown in the picture above is needed, unless
the admin finds the malicious javascript payload and reads what it does,
but then it might be too late.
During the execution of the XSS trojan, a time-out is set. When time
runs out, the XSS trojan will try to delete itself leaving almost no
traces, besides the possible injected plugin, and the remains of the
hidden iframe outside the frames which cannot be viewed due to the way
HTML works in FireFox.

[You must be registered and logged in to see this image.]

If the attacker was successful, and
patient as well, he would eventually see that the target website had
already connected back to retrieve the title, but also that another user
had triggered the XSS Trojan which hopefully injected the PHP plugin
specified by the attacker.

[You must be registered and logged in to see this image.]

So what’s this tool I’ve been using
during my presentation of this vulnerability? It’s a recently developed
tool written in Python, where the payload is written in Javascript,
freely available to anyone in the bottom of this blog. I recommend
however, that a user of this tool looks inside the source code.
Is XSS a serious threat then?


Yes, it definitely is.
For a demonstration of the tool and this vulnerability, check either the YouTube or RapidShare link below.
References:
Advisory: vBSEO 3.5.2 & 3.2.2 – Persistent XSS via LinkBacks
Advisory #2: vbSEO Multiple Vulnerabilities
EvilWebTool: EvilWebTool
YT Video: [You must be registered and logged in to see this link.]
HQ Video: [You must be registered and logged in to see this link.]
Back to top Go down
View user profile http://malaysia.1talk.net
 
vbSEO – From XSS to Reverse PHP Shell
View previous topic View next topic Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
Malaysian WackWall Forum :: Internet :: h4ck3d :: Tutorials-
Jump to: