Re: XSS/CSRF to a real command-shell

On 22/04/2008, Joseph McCray <joe@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Ok - I'm tired of beating my head against this wall on the subject - so
some friends and I decided to put something together. I'm calling in the
cavalry because I'd like to see if someone else is working on this
before we get knee deep into development.


Situation:
I usually categorize XSS as a medium unless it is on a public facing
and/or critical server in which case I classify it as a high. I'm
looking to be able to BETTER illustrate the dangers of XSS to customers,
and to move beyond cookie/session theft via XSS. If I could get XSS to
at least be a stepping stone to full control over a machine then I could
possibly classify it as a high, and for real fun of the job - have a
shell.


To make a long story short - I want to take XSS/CSRF to a REAL
command-shell.


I watched a demo yesterday that had the XSS request something
(probably an image) from a url which had metasploit listening on it.
Metasploit then delivered a remote code execution exploit which
dropped meterpreter on the client. Game over.

I think that you may be looking for a more generic attack but this is
a good start as you could have a set of exploits lined up then either
use some kind of js checking to try to work out which browser is in
use and chose the correct exploit or you could just run through all of
them till one matches.

Robin

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------