Very similar to my last post, this is just a simple script using Python with Mechanize to log into Damn Vulnerable Web App (DVWA) from OWASP.
Here is the script:
#!/usr/bin/python
import mechanize

browser = mechanize.Browser()
# Open the DVWA login page on the lab host
browser.open("http://192.168.1.152/dvwa")
# Print the title of the "Login" page before any credentials are sent
print("#" * 50)
print("# " + browser.title())
print("#" * 50 + "\n")
# There is only one form on this page so I jump right in
browser.select_form(nr=0)
# Below I am filling out the form fields and submitting
browser.form['username'] = 'admin'
browser.form['password'] = 'admin'
browser.submit()
# After a successful login the title is that of the "Welcome" page
print("#" * 50)
print("# " + browser.title())
print("#" * 50)
Here is a screenshot of the output. Notice that I print the title of the "Log In" page and, once the credentials are submitted, I print the title of the "Welcome" page.
Saturday, February 23, 2013
Saturday, December 29, 2012
XSS for Stealing Cookies and Mozilla for Using Them: article 201207
Takeaway: Using stored cross-site scripting (XSS), a user's cookie can be stolen and used to bypass authentication to a website. You need a vulnerable website, a script to steal the cookie, a server to write to, a script to write the cookie to a log, and an appendable log file. Once you have the cookie you can utilize a Mozilla add-on to use it.
My primary resource of information for this blog can be found at this YouTube video.
I have played with stored XSS before, using the script message box to create a pop-up:
and to read my own cookie:
but I decided today to take the opportunity to simulate actually stealing another user's cookie.
iexploit.org has posted a decent set of videos on YouTube, which I used as my guide to simulate this attack.
The first thing I needed was a vulnerable site. I chose to use Damn Vulnerable Web App. Here is a link to a video showing how to install DVWA with XAMPP. XAMPP can be downloaded here.
I changed the security setting of DVWA to "Low".
The target in DVWA, of course, was XSS stored. An issue I ran into was that the Messages text box only allowed for a maximum of 50 characters; too few to pull this simulation off.
To resolve this I navigated to:
C:\xampp\htdocs\dvwa\vulnerabilities\xss_s
and modified the index.php script, in my case line 49, from
maxlength=\"50\" to maxlength=\"500\".
Next, two files needed to be created. First a blank file named cookielogs.txt and a second file named stealer.php that receives the cookie and appends it to the cookielogs.txt file. The code for stealer.php is:
I uploaded these two files to a personal website.
A third piece to this is the malicious script to post to the guest book; it is seen here:
Next it was time to post my script to the DVWA vulnerable guest book:
The next user that came along and clicked on the XSS stored link
would have the cookie stolen and shipped off to my cookielogs.txt text file:
We have a cookie! Now what? Consume that cookie!
There is an add-on for the Mozilla browser titled Cookie Editor. It is a tool that will let you view your cookies and, as the name says, edit them.
Once the editor is installed it can be found under the Tools menu of the browser.
Now, as the attacker, I browsed to the cookielogs.txt file and selected the cookie I wanted to try. In this case, the one at the bottom of the list.
I then browsed to the DVWA login page.
I opened the cookie editor:
Notice in the above pic the IP address of the site I am visiting and, next to each IP, the cookie names "PHPSESSID" and "security". Notice back in the cookielogs.txt file that each of those is defined. So I edited these to match the cookie I had captured. First the PHPSESSID: highlight it, then select Edit.
Then replace the "Content" string with the string captured:
Click save and then repeat for the "security" cookie:
Here I changed it from "high" to "low", just as I had captured. I then clicked "Save".
I clicked "Close".
Now, back on the web page, I removed "login.php" from the URL address:
I hit my keyboard's "Enter" key and "Boom goes the dynamite".
I was able to get to the login screen without credentials.
As always I hope this helps others. Please provide any feedback and I will be happy to answer any pertinent questions that I can.
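The replay in the last steps above leaves a trace on the server: one PHPSESSID that suddenly arrives from a different client than the one that logged in. As an added example (not code from this post or from DVWA), here is a small Python 3 detector over constructed Apache-style access log lines; it assumes the combined log format with the request's Cookie header appended as a final quoted field, and every IP, session ID and timestamp in the sample is made up.

```python
import re

# Constructed sample (not from the post): Apache combined log format with the
# request's Cookie header appended as a final quoted field. The first two lines
# are the victim at 192.168.1.20; the third reuses the victim's PHPSESSID from a
# different address and browser, as the cookie-editor replay in the post would.
SAMPLE_LOG = """\
192.168.1.20 - - [29/Dec/2012:10:01:05 -0500] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0" "PHPSESSID=abc123; security=low"
192.168.1.20 - - [29/Dec/2012:10:01:09 -0500] "GET /dvwa/vulnerabilities/xss_s/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0" "PHPSESSID=abc123; security=low"
10.0.0.9 - - [29/Dec/2012:10:03:41 -0500] "GET /dvwa/ HTTP/1.1" 200 3980 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/17.0" "PHPSESSID=abc123; security=low"
192.168.1.33 - - [29/Dec/2012:10:05:00 -0500] "GET /dvwa/ HTTP/1.1" 200 3980 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0" "PHPSESSID=def456; security=high"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse_cookies(header):
    """Turn 'PHPSESSID=abc; security=low' into a dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def find_hijacks(log_text):
    """Report every request that presents an already-seen PHPSESSID from a
    different client IP or User-Agent than the request that first used it."""
    first_seen = {}   # PHPSESSID -> (ip, ua) of the first request carrying it
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # not in the expected format; skip rather than guess
        sid = parse_cookies(m.group("cookie")).get("PHPSESSID")
        if not sid:
            continue          # no session cookie, nothing to bind the request to
        client = (m.group("ip"), m.group("ua"))
        owner = first_seen.setdefault(sid, client)
        if client != owner:
            changed = [n for n, a, b in zip(("ip", "ua"), owner, client) if a != b]
            alerts.append({"sid": sid, "owner_ip": owner[0], "ip": client[0],
                           "time": m.group("ts"), "changed": changed})
    return alerts

if __name__ == "__main__":
    for a in find_hijacks(SAMPLE_LOG):
        print("session %(sid)s first used by %(owner_ip)s, reused from %(ip)s "
              "at %(time)s (changed: %(changed)s)" % a)
```

The IP/User-Agent binding is a heuristic (clients behind NAT or on mobile networks change address legitimately), so treat a hit as something to investigate alongside the guestbook contents, not as proof on its own.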
Labels: cross site scripting, dvwa, http, steal cookies, XSS