On 23/04/2008, Shenk, Jerry A <jshenk@decommunications.com> wrote:
So, in your example, Robin, XSS was the vehicle to deliver hostile code
to a vulnerable application.
So for Joseph, for you to get a command-shell via XSS, you're going to
need to fine some other vulnerability on the client that views the
XSSable web site.
Ye, the XSS just gets their browser to visit the url with the exploit
in it. As it is all done behind the scenes you don't have to trick
them into visiting a real hostile site.
Robin
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Robin Wood
Sent: Wednesday, April 23, 2008 4:02 AM
To: Joseph McCray
Cc: pen-test
Subject: Re: XSS/CSRF to a real command-shell
On 22/04/2008, Joseph McCray <joe@learnsecurityonline.com> wrote:
> Ok - I'm tired of beating my head against this wall on the subject -
so
> some friends and I decided to put something together. I'm calling in
the
> cavalry because I'd like to see if someone else is working on this
> before we get knee deep into development.
>
>
> Situation:
> I usually categorize XSS as a medium unless it is on a public facing
> and/or critical server in which case I classify it as a high. I'm
> looking to be able to BETTER illustrate the dangers of XSS to
customers,
> and to move beyond cookie/session theft via XSS. If I could get XSS
to
> at least be a stepping stone to full control over a machine then I
could
> possibly classify it as a high, and for real fun of the job - have a
> shell.
>
>
> To make a long story short - I want to take XSS/CSRF to a REAL
> command-shell.
>
I watched a demo yesterday that had the XSS request something
(probably an image) from a url which had metasploit listening on it.
Metasploit then delivered a remote code execution exploit which
dropped meterpreter on the client. Game over.
I think that you may be looking for a more generic attack but this is
a good start as you could have a set of exploits lined up then either
use some kind of js checking to try to work out which browser is in
use and chose the correct exploit or you could just run through all of
them till one matches.
Robin
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the
use of the individual or entity to which they are addressed and may contain
information that is privileged, proprietary and confidential. If you are not
the intended recipient, you may not use, copy or disclose to anyone the
message or any information contained in the message. If you have received
this communication in error, please notify the sender and delete this e-mail
message. The contents do not represent the opinion of D&E except to the
extent that it relates to their official business.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
