Wednesday, July 16, 2014

XSS/SQL Injection Playground

So here I am finally documenting these two days' worth of time not spent at work. One day I had a few hours of free time, something that is rare at this point in my life. I decided to spend this time working on my cross-site scripting and SQL injection. I started off with a very basic PHP script that would mirror whatever I entered into a text box. I don't feel the need to show this code; if you can't figure out how to write that, this isn't the blog for you. Here is a picture of the very first version:

Very simple and should take no more than 2 minutes to whip together. I began to inject my submit buttons with malicious onclick functions. The first thing I noticed was that Chrome was removing anything I placed after onclick. Here is the picture of Chrome fucking with my inputs:

I attempted my input without quotes around onclick and received the same result. I tried a few more things such as replacing < and > with &lt; and &gt; with no luck. Tested on Firefox and the same code works. We now know that this is a Chrome sanitization. I began research on Chrome sanitization and, heavens to Betsy, I'm not crazy. Chrome has built-in XSS detection. And just as I realize this online, I pop open my Resources tab in my developer tools almost by accident. Yea, I said fucking almost by accident… get over it. As if the computer gods themselves had fat-fucked this clue into my hands, another dead giveaway that Chrome was interfering. Here is a picture of my clue:

So I decided to keep going at this point and come back to defeating Chrome's sanitization when I am a little more exploit-savvy. It is now 4:23am and I am about to consume a massive dose of caffeine while continuing to improve my playground. I added a login system and an emulation of a comment system. Here is the current picture of my site.

If anyone would like to see the code I have put it on github (

My next step was to bypass my login. I have no input checking or sanitization, so this shouldn't be very hard. I made sure MySQL and my machine in general were up to date. The first problem I ran into was that anything I put into the password input field was MD5-encrypted and passed as a hash rather than my input. I removed the MD5 and was able to bypass my login with a simple 1' or '1'='1. This is not realistic though, as any site that is not encrypting passwords should be shunned to the darkest corner of the internet. I added the encryption back and went to town. I realized that I would need to implement my injection in the username field and comment out whatever was inserted into the password field. After a few tries I landed here: ' OR 1 = 1 LIMIT 1 -- '. Bam, login achieved.

I then went back to playing with XSS (cross-site scripting, in case you're too slow to know what this means yet). It would seem that Chrome does not filter out anything coming from SQL. I began playing with dumping cookies. I cloned the Google account login page and made a few slight modifications. I wrote another Python script to parse through the HTML file for links to external images and files, download them locally and re-create the HTML with the new local links. I will put all of this on GitHub and link later. Next it was time to make my Google page accept GET parameters from the URL and pass whatever data it gets to a Python CGI script for logging the data. I injected the code for a submit button (but this can simply be applied to a link or any other object) to pull all cookie data, remove semicolons from it as they were breaking my params, and pass it to my fake Google login page; that page takes the data, passes it to the CGI script and then redirects you to the real Google login page. I will continue to improve on this and update in the near future.
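
As an added example (not the post's PHP/MySQL code), here is a small Python/SQLite model of the login described above: the string-concatenated query accepts the post's ' OR 1 = 1 LIMIT 1 -- ' username while the parameterized version rejects it. The user, password and table layout are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed sample data: one user in an in-memory SQLite table. The post
# used MySQL with md5()'d passwords; the query shapes are the same.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse"
PAYLOAD = "' OR 1 = 1 LIMIT 1 -- '"   # the username the post landed on


def md5_hex(password: str) -> str:
    # MD5 mirrors the post's setup only; real systems should use a slow
    # password hash such as bcrypt or Argon2.
    return hashlib.md5(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (DEMO_USER, md5_hex(DEMO_PASSWORD)))
    conn.commit()
    return conn


def login_concat(conn, username: str, password: str):
    """Vulnerable: the username is pasted into the SQL text, as in the post."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{md5_hex(password)}'")
    # With the PAYLOAD username the statement becomes
    #   ... WHERE username = '' OR 1 = 1 LIMIT 1 -- '' AND password_hash = '...'
    # and everything after -- is a comment, so the hash check never runs.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_param(conn, username: str, password: str):
    """Fixed: bound parameters keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("concat, payload:", login_concat(db, PAYLOAD, "anything"))  # alice
    print("param,  payload:", login_param(db, PAYLOAD, "anything"))   # None
```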

If you want to know more about me, or you are looking for someone with my skill set, my contact info can be found at
