
Thread: Xss through sqli ?

  1. #1

    Xss through sqli ?

    Hi friends, I am just a starter in web-app sec.

    I got reading some stuff and, as usual, I ended up with some doubts, so I decided to ask here.

    Say a phpBB forum has a stored XSS,
    and also assume the cpanel of the admin has a SQL injection vulnerability.
    Now the attacker posts a malicious thread with the SQL query to exploit the admin panel; once the admin visits the thread he gets pwned.


    I think this type of attack is xsssqli.


    And I had read an interesting point in the SQL Injection bible by Syngress publication.
    They had mentioned that it is possible to inject XSS code with a SQL injection.

    It made me think and raised some questions in my mind:


    1) Say a web site is vulnerable to SQL injection,
    is it possible to inject XSS code into the SQL-vulnerable part and make it vulnerable to XSS?

    2) Also, can we introduce all the three types of XSS, like persistent, non-persistent and DOM-based, with this?

    3) In general, assume a web application is vulnerable to SQLi and XSS; what are the other possible attacks
    we can introduce with those vulnerabilities (just mentioning names would be enough)?


    Bear with me

  2. #2
    amolnaik4 (Web Security Consultant; joined Jul 2011; location: webr00t; 277 posts; 4 blog entries)
    Hey mandi,

    I'm not aware of the xsssqli attack you mentioned. It will be better if you can link the post or the resource you used. Here is one instance of XSS via SQLi that happened in the real world, where the attacker used SQL injection to inject XSS which was later used to compromise user accounts.

    Take a look:
    Analysis of LizaMoon: Stored XSS via SQL Injection - SpiderLabs Anterior

    Now coming back to the questions:
    1) Say a web site is vulnerable to SQL injection,
    is it possible to inject XSS code into the SQL-vulnerable part and make it vulnerable to XSS?

    -- I didn't get this part, "sql vulnerable part", please enlighten. With SQLi, we can read as well as write contents from/to the database. The above link is one example where the attacker injected an XSS payload through SQLi.

    2) Also, can we introduce all the three types of XSS, like persistent, non-persistent and DOM-based, with this?

    -- All these three types differ in the nature of their working. With this type of attack, we can surely implement persistent XSS, which will be injected into the database and called by a specific page/module. Non-persistent XSS is one which is not stored in nature. So you need an XSS payload for each and every user you want to exploit, whereas in the case of persistent, you need to store the XSS payload once and whoever visits the injected page/module will get exploited. DOM XSS cannot be introduced with this, I guess.

    3) In general, assume a web application is vulnerable to SQLi and XSS; what are the other possible attacks
    we can introduce with those vulnerabilities (just mentioning names would be enough)?

    -- You can do all those things listed as the impact of SQLi & XSS attacks. Things like cookie stealing, phishing and redirection for XSS, and from data mining to DB server ownage for SQLi.

    Hope this clarifies your doubts.

  3. #3
    Thanks amolnaik4 for replying.

    Code:
    I'm not aware of the xsssqli attack you mentioned. It will be better if you can link the post or the resource you used
    I am just a beginner and I have heard from many guys in the past about this xsssqli attack.
    As you had asked for some proof, here you go:

    Using XSS to perform SQL Injection
    Using XSS to Launch a SQL Injection Attack

    I am sure the proofs are not enough, but I can confirm that this attack vector (xsssqli) is there.


    Code:
    -- I didn't get this part, "sql vulnerable part", please enlighten. With SQLi, we can read as well as write contents from/to the database. The above link is one example where the attacker injected an XSS payload through SQLi.
    I mean, say the "id=" part of a web application is vulnerable to SQLi; can we inject the XSS code here? Or is it possible only by logging in to the DB?


    Code:
    -- All these three types differ in the nature of their working. With this type of attack, we can surely implement persistent XSS, which will be injected into the database and called by a specific page/module. Non-persistent XSS is one which is not stored in nature. So you need an XSS payload for each and every user you want to exploit, whereas in the case of persistent, you need to store the XSS payload once and whoever visits the injected page/module will get exploited. DOM XSS cannot be introduced with this, I guess.
    Hmmm, I had mentioned non-persistent in the sense that my XSS code will need to be executed only for a specific user, say admin.
    Is it possible to do that?

    Code:
    -- You can do all those things listed as the impact of SQLi & XSS attacks. Things like cookie stealing, phishing and redirection for XSS, and from data mining to DB server ownage for SQLi.

    Hope this clarifies your doubts.

    Thanks for the information mate. I am seeing some developers, at least in my real life, seeing XSS as a client-side vulnerability; just tell me from your experience,
    how will you see XSS as a SERVER SIDE THREAT?

    Bear with me mate, I am just a learner, so have some patience while answering me.
    Last edited by mandi; 02-03-2012 at 02:57 PM.

  4. #4
    amolnaik4 (Web Security Consultant; joined Jul 2011; location: webr00t; 277 posts; 4 blog entries)
    Well, those links helped me understand what was unknown to me. Unfortunately I never came across such a situation. But as pointed out by DoctorDan on sla.cker.org, it may be possible to use persistent XSS to fire an SQLi payload via AJAX, though I have not tested it. This can be used in the example you mentioned in your first post.

    I mean, say the "id=" part of a web application is vulnerable to SQLi; can we inject the XSS code here? Or is it possible only by logging in to the DB?
    -- Yes, it may be possible that the same parameter is vulnerable to both XSS and SQLi. This is mainly when the injected output is reflected somewhere in the returned page. I have seen a different scenario where the error from SQLi is vulnerable to XSS, a non-persistent one.

    Hmmm, I had mentioned non-persistent in the sense that my XSS code will need to be executed only for a specific user, say admin.
    Is it possible to do that?
    -- Well, if you can inject the XSS payload into the pages/modules which are only accessible to that particular user, then it'll only affect that user. But you need to find a way to inject the payload.

    Thanks for the information mate. I am seeing some developers, at least in my real life, seeing XSS as a client-side vulnerability; just tell me from your experience,
    how will you see XSS as a SERVER SIDE THREAT?
    -- Every vulnerability has an impact which decides who is going to get exploited. This is used to decide whether the vulnerability is server-side or client-side. Bugs like file inclusion and SQLi directly impact the server, so they come under server-side, whereas XSS, clickjacking and CSRF exploit users, which is client-side.

    Developers need to fix the vulnerability at the server side only (code/configuration) for both types, as we cannot blame the user saying he clicked the link and got pwned. There are some protections available at the client side like NoScript, but not all users use them. So to protect your users from XSS, the dev needs to patch that XSS bug in the code.

    Hope this helps.

    AMol NAik

  5. #5
    Security Researcher (joined May 2011; location: Pune, Maharashtra, India; 237 posts; 1 blog entry)
    XSS-based SQLi attack, interesting it sounds.

    Use cases I can think of: where applications have an SQLi bug in code but only for admin, and an XSS attack is available on a normal page or post of a thread.

    So if someone launches XSS towards admin and admin fell for it, then SQLi could be possible. (XSS need not be on the same site.)

    Another use case which I think would be very generic is: if you have an SQLi you can inject XSS strings directly in the DB, which could be displayed on the webpage directly from the DB.
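Post #4 above says the same "id=" parameter can be both SQLi and XSS when the SQL error (with the raw input) is reflected into the page, and that the fix belongs on the server; post #5 adds that strings written into the DB through SQLi come straight back out on the page. The following is an added example, not code from the thread or from any forum software it mentions, showing both a handler that has all three defects and its hardened form, plus a clean-up check a defender would run over the table after a suspected injection. The `posts` table, the rows in it and the function names are constructed for this example.

```python
import html
import sqlite3

# Constructed sample rows for this example, not data from the thread.
# Row 2 is what a stored-XSS string written into the DB looks like.
SEED_POSTS = [
    (1, "Welcome to the forum"),
    (2, "<script>document.title='owned'</script>"),
]


def make_db():
    """In-memory posts table (hypothetical schema for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", SEED_POSTS)
    return conn


def render_post_vulnerable(conn, post_id):
    """The 'id=' value is concatenated into SQL (SQLi), the DB error is echoed
    back together with the raw value (reflected XSS on the same parameter),
    and the stored body is emitted unescaped (stored XSS on output)."""
    try:
        row = conn.execute(
            f"SELECT body FROM posts WHERE id = {post_id}"
        ).fetchone()
    except sqlite3.Error as exc:
        return f"<p>Database error: {exc} (id was {post_id})</p>"
    return f"<div>{row[0] if row else 'not found'}</div>"


def render_post_hardened(conn, post_id):
    """Server-side fixes only, as post #4 argues: type-check the id, bind it
    as a query parameter, send the client a generic error, and HTML-encode
    whatever comes out of the DB before it reaches the page."""
    try:
        pid = int(post_id)
    except (TypeError, ValueError):
        return "<p>Invalid post id.</p>"
    try:
        row = conn.execute(
            "SELECT body FROM posts WHERE id = ?", (pid,)
        ).fetchone()
    except sqlite3.Error:
        # Details belong in the server log, never in the response body.
        return "<p>Something went wrong.</p>"
    body = html.escape(row[0]) if row else "not found"
    return f"<div>{body}</div>"


def find_markup_in_db(conn):
    """Clean-up check after a suspected injection: ids of posts whose stored
    body contains angle-bracket markup, which plain-text user posts should
    not. A simple heuristic, meant as a starting point for triage."""
    rows = conn.execute("SELECT id, body FROM posts").fetchall()
    return [pid for pid, body in rows if "<" in body and ">" in body]


if __name__ == "__main__":
    db = make_db()
    print(render_post_vulnerable(db, 2))
    print(render_post_hardened(db, 2))
    print("rows with markup:", find_markup_in_db(db))
```

Output encoding on render is what neutralises a row that was already written by someone with SQL access, which is why the hardened handler escapes the body even though its own query is parameterised; the two controls cover different entry points.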

  6. #6
    amolnaik4 (Web Security Consultant; joined Jul 2011; location: webr00t; 277 posts; 4 blog entries)
    Hey mandi,

    The scenario you mentioned, "xsssqli", works perfectly. I have tested it and will soon publish a writeup.

    My scenario is based on the following assumptions:
    1. Both the main site having XSS and the admin panel having SQLi are on the same server and same port. Otherwise the same-origin policy will prevent access to the admin panel and we won't be able to get any data returned by the SQL injection.
    2. The admin panel is a package with a known SQLi bug, and the login page to this panel is well protected.
    3. Cookies of the admin panel are "httpOnly", which cannot be accessed by JavaScript. Otherwise, if they are not, you can use classical cookie stealing with XSS and compromise the admin account.
    4. The SQL injection is error based.

    It works like this:
    The attacker knows about the XSS in the main site and the SQLi in the admin panel. He crafts an XSS payload with malicious JavaScript and sends it to the admin. When the admin is logged in to the admin panel and clicks the payload, the SQL injection is exploited and the data returned from the injection is sent to the attacker's site, which will typically have the username & password hashes for admin users.

    Thanks again for pointing me in this direction.

    AMol NAik

  7. #7
    amolnaik4 (Web Security Consultant; joined Jul 2011; location: webr00t; 277 posts; 4 blog entries)
    Hey mandi,

    Please find the detailed blog post here:
    http://www.garage4hackers.com/blogs/...n-via-xss-287/

    Let me know if you have any queries.

    Cheers,
    AMol NAik

  8. #8
    XSS-based SQLi attack, interesting it sounds.

    Use cases I can think of: where applications have an SQLi bug in code but only for admin, and an XSS attack is available on a normal page or post of a thread.

    So if someone launches XSS towards admin and admin fell for it, then SQLi could be possible. (XSS need not be on the same site.)

    Another use case which I think would be very generic is: if you have an SQLi you can inject XSS strings directly in the DB, which could be displayed on the webpage directly from the DB.

    You mentioned a nice point.

    Assume like this: if the admin owns a high-profile site and the attacker wants to pwn the admin, he can even set up an XSS-vulnerable forum, post an attractive thread in his forum, ask him to take a look and pwn him. So I think you mentioned a pretty good point.

    Also I would like to learn something by asking some questions, so bear with me and my question.

    In some cases I had seen in my real life where I don't have the privileges to add INSERT, UPDATE commands in the DB.

    I only have the privileges to read things stored in the DB, and to my little knowledge most secured sites store the DB passwords (always complex, with names, numbers and special symbols) as salted hashes, and also they run the DB servers with least privileges etc...

    Beyond cracking the salted hashes (which is time consuming), how can I overcome these difficulties and what are all the other things I can do to own the database?
    Last edited by mandi; 02-17-2012 at 11:25 AM.

  9. #9
    @amolnaik4---->
    First of all, sorry for the late reply; I didn't come online for the past few days.
    And thanks for answering my questions, and also thank you for creating a reference kind of video which would be good learning material for guys like me.

    Both the main site having XSS and the admin panel having SQLi are on the same server and same port. Otherwise the same-origin policy will prevent access to the admin panel and we won't be able to get any data returned by the SQL injection.
    I am a bit confused about this point, especially about the words "same port"; can you please clarify, mate?

    Cookies of the admin panel are "httpOnly", which cannot be accessed by JavaScript
    I had read a book some months ago about accessing "httponly" cookies from the client side.
    I can definitely say reading "httponly" cookies is possible; I will post that book here soon.

    EDIT:
    Code:
    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
    Have a look at this book, especially from the end of the 4th page of this book.

    Based on that book only, I had asked a question some months ago in this forum:
    http://www.garage4hackers.com/f30/lo...kies-1421.html

    But unfortunately I didn't get any replies.

    Right now I am watching the video you made. Thanks once again for this video, mate.
    Last edited by mandi; 02-17-2012 at 11:52 AM.

  10. #10
    Namaste

    I don't know, earlier you both were indulged in quite serious stuff, and in this thread why discuss the noob things and forget the main motive?
    In malware 2.0 the approach is to achieve the XSS via SQLi.
    And the XSS is not used for cookie or session stealing, but for a more robust, stealthy and advanced motive; I mean to serve the exploits and transplant the malware payload & not just the one-time shell.

    In the underground world, such XSSed targets (via SQLi) are sold and bought.

    Even skiddies used to deface sites using these tactics, but this is the activity of noobs and novices; an intelligent attacker or agency will utilize such a hole and infect the whole traffic.


    "vinnu"
    Last edited by "vinnu"; 02-17-2012 at 04:45 PM.
