Penetration Testing mailing list archives
Re: XSS/CSRF to a real command-shell
From: "Robin Wood" <dninja () gmail com>
Date: Wed, 23 Apr 2008 09:01:39 +0100
On 22/04/2008, Joseph McCray <joe () learnsecurityonline com> wrote:
Ok - I'm tired of beating my head against this wall on the subject - so some friends and I decided to put something together. I'm calling in the cavalry because I'd like to see if someone else is working on this before we get knee deep into development. Situation: I usually categorize XSS as a medium unless it is on a public facing and/or critical server in which case I classify it as a high. I'm looking to be able to BETTER illustrate the dangers of XSS to customers, and to move beyond cookie/session theft via XSS. If I could get XSS to at least be a stepping stone to full control over a machine then I could possibly classify it as a high, and for real fun of the job - have a shell. To make a long story short - I want to take XSS/CSRF to a REAL command-shell.
I watched a demo yesterday that had the XSS request something (probably an image) from a url which had metasploit listening on it. Metasploit then delivered a remote code execution exploit which dropped meterpreter on the client. Game over. I think that you may be looking for a more generic attack but this is a good start as you could have a set of exploits lined up then either use some kind of js checking to try to work out which browser is in use and chose the correct exploit or you could just run through all of them till one matches. Robin ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- XSS/CSRF to a real command-shell Joseph McCray (Apr 22)
- Re: XSS/CSRF to a real command-shell Robin Wood (Apr 23)
- Message not available
- Re: XSS/CSRF to a real command-shell Robin Wood (Apr 23)
- Message not available
- Re: XSS/CSRF to a real command-shell Robin Wood (Apr 23)
- <Possible follow-ups>
- Re: Re: XSS/CSRF to a real command-shell bin4ry (Apr 29)