UNDERCODE COMMUNITY
🦑 Undercode Cyber World!
@UndercodeCommunity


🦑 Once a browser's cookie value is exposed, the user has no privacy at all; if the account password is stored in the cookie, the consequences are disastrous. The attacker disguises a link and pairs it with a crafted malicious script that steals the user's cookie value without the user noticing.

If there is a reflected XSS vulnerability at http://test.com/xss1.php, the attacker's steps may be as follows:

1) test1 is a user of the website test.com and is currently logged in.

2) The attacker discovers that http://test.com/xss1.php has a reflected XSS vulnerability and carefully constructs JavaScript code that can steal the user's cookie.

3) The attacker sends the URL carrying the reflected XSS payload to user test1 through the site's internal messaging and uses various inducements to get test1 to open the link.

4) If user test1 opens the URL, the payload runs in test1's browser and his cookie is sent to the attacker.

5) After receiving test1's session cookie, the attacker can use it directly to log in to test.com as test1.

In the steps above, a reflected XSS vulnerability lets the attacker log in to the website as test1; that is the harm it causes.
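What step 4 above actually exfiltrates is whatever document.cookie exposes, so a defender's first check is which cookies lack HttpOnly. The following is an added example, not code from the original post; the Set-Cookie headers and cookie names are constructed for illustration.

```javascript
// Added example (not from the original post): check which cookies of a site
// like test.com a reflected-XSS payload could read through document.cookie.
// The Set-Cookie headers below are constructed samples.

// Parse one Set-Cookie header into its name and the attributes that matter.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Map(
    attrs.map((a) => {
      const [k, v = ''] = a.split('=');
      return [k.toLowerCase(), v];
    }),
  );
  return {
    name,
    httpOnly: flags.has('httponly'), // blocks document.cookie access
    secure: flags.has('secure'),     // never sent over plain HTTP
    sameSite: flags.get('samesite') || null,
  };
}

// Names of cookies that script running in the page can read, i.e. those set
// without HttpOnly. A session cookie in this list is what the attack steals.
function cookiesReadableByScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample: a session cookie set correctly and a second cookie that is not.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'remember_me=deadbeef; Path=/; Secure',
];

console.log(cookiesReadableByScript(SAMPLE_HEADERS)); // [ 'remember_me' ]
```

HttpOnly does not stop the injected script from acting on the user's behalf inside the page; it only stops the cookie value itself from leaving the browser.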


written by undercode

🦑 Storage XSS ATTACK:

🦑 LET'S START:


1) Storage XSS, usually called stored XSS, is also known as persistent XSS and is the most dangerous type of cross-site scripting. Web applications that let users store data may have stored XSS vulnerabilities. When an attacker submits a piece of XSS code, the server receives and stores it; each time the page is accessed again, the program reads the stored code and returns it to the browser, where it executes. This is stored XSS.

2) The typical scenes for stored XSS are message boards, post bars, forums and so on; we take a message board as the example.

Process:

a) Insert a message => the content is stored in the database

b) View the message => the content is extracted from the database

c) The content is displayed on the page

d) If the input is a malicious script, every time someone views the message the server pushes it to the front end and the browser executes it, which is why stored XSS is generally more harmful.

> Note: When testing whether XSS exists, first determine the input point and the output point. For example, to test for XSS in the message content, first find whether the output (display) of the message content lands inside a tag, inside a tag attribute, or elsewhere. If the data is output inside an attribute, a bare script will not execute; we then need to work out how to close the attribute first (the closing characters) before submitting the malicious script.

🦑 Test:

This is a message board where we can enter some malicious scripts.
Example via a Chinese site or ..

🦑 DOM XSS

A) WHAT IS DOM XSS?

> DOM stands for Document Object Model. The DOM is commonly used to represent objects in HTML, XHTML and XML documents; using the DOM, programs and scripts can dynamically access and update the content, structure and style of a document.

> The entire HTML page can be reconstructed through JavaScript, and to rebuild a page or an object in it, JavaScript needs to know the "position" of every element in the HTML document. The DOM provides a structured representation of the document and defines how scripts access that structure. According to the DOM specification, each component of an HTML document is a node.

🦑 The DOM specification says:

> The entire document is a document node
> Each HTML tag is an element node
> The text contained in an HTML element is a text node
> Each HTML attribute is an attribute node
> There is a hierarchical relationship between the nodes

1) Traditional XSS vulnerabilities (reflected or stored) generally arise in server-side code, whereas DOM XSS is a vulnerability based on the DOM document object model, so it depends on the client-side script code running in the browser. DOM XSS depends on the output location rather than on the output environment, so DOM XSS may be either reflected or stored; put simply, its output point is in the DOM.

🦑 We can look at this script:

<?php
error_reporting(0);
$name = $_GET["name"]; // user-controlled input, echoed below without encoding
?>
<input id="text" type="text" value="<?php echo $name;?>" />
<div id="print"></div>
<script type="text/javascript">
var text = document.getElementById("text");
var print = document.getElementById("print");
print.innerHTML = text.value; // DOM sink: the value is written as HTML, not as text
</script>
We can see that this script takes the value of name from a GET parameter and places it in the value attribute of the input. If we enter a script as before, it is not executed, because it is still inside the attribute; so we need to change our thinking.

<input id="text" type="text" value="<script>alert('xss')</script>" />

Close the input tag so that the payload is no longer inside the value attribute: prefix the payload with "/>. After closing:

<input id="text" type="text" value="" /><script>alert('xss')</script>" />

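To see why the "/> prefix works and what stops it, the template above is re-created in JavaScript below, once with the raw echo and once with output encoding. This is an added example, not code from the original post; the payload string is a constructed sample and renderUnsafe/renderSafe are hypothetical names.

```javascript
// Added example (not from the original post): a JavaScript re-creation of the
// PHP template above, showing why the "/> prefix breaks out of the value
// attribute and how output encoding closes that path. PAYLOAD is a constructed sample.

// Same payload as the page: close the attribute and the tag, then inject a tag.
const PAYLOAD = '"/><script>alert(\'xss\')</script>';

// Mirrors `value="<?php echo $name;?>"`: the input is spliced into the HTML as-is.
function renderUnsafe(name) {
  return `<input id="text" type="text" value="${name}" />`;
}

// Equivalent of PHP htmlspecialchars($name, ENT_QUOTES): the characters that can
// terminate an attribute or start a tag become entities and stay inside the quotes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(name) {
  return `<input id="text" type="text" value="${escapeHtml(name)}" />`;
}

// For this simple template, a <script> tag only matters if it starts after the
// closing quote of the value attribute, i.e. outside the attribute.
function scriptTagOutsideAttribute(html) {
  const valueEnd = html.indexOf('"', html.indexOf('value="') + 7); // closing quote
  return html.indexOf('<script', valueEnd) !== -1;
}

console.log(scriptTagOutsideAttribute(renderUnsafe(PAYLOAD))); // true
console.log(scriptTagOutsideAttribute(renderSafe(PAYLOAD)));   // false
```

The second sink in the page's script, print.innerHTML = text.value, needs the same treatment: assigning to print.textContent inserts the value as text rather than as markup.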

WRITTEN BY UNDERCODERS
🦑 FULL XSS TUTORIAL BY UNDERCODE - BEGINNERS & ADVANCED


🦑 Fast subdomain enumeration tool for penetration testers

🦑 INSTALLATION & RUN:

1) git clone https://github.com/aboul3la/Sublist3r.git

2) cd Sublist3r

3) Install the requirements.

Installation on Windows:

> c:\python27\python.exe -m pip install -r requirements.txt

Installation on Linux:

> sudo pip install -r requirements.txt

🦑 requests Module

Install for Windows:

> c:\python27\python.exe -m pip install requests

Install for Ubuntu/Debian:

> sudo apt-get install python-requests

Install for Centos/Redhat:

> sudo yum install python-requests

Install using pip on Linux:

> sudo pip install requests

🦑 argparse Module

Install for Ubuntu/Debian:

> sudo apt-get install python-argparse

Install for Centos/Redhat:

> sudo yum install python-argparse

Install using pip:

> sudo pip install argparse

For coloring on Windows, install the following libraries:

> c:\python27\python.exe -m pip install win_unicode_console colorama

🦑 Options:

Short Form   Long Form      Description
-d           --domain       Domain name to enumerate subdomains of
-b           --bruteforce   Enable the subbrute bruteforce module
-p           --ports        Scan the found subdomains against specific TCP ports
-v           --verbose      Enable verbose mode and display results in real time
-t           --threads      Number of threads to use for subbrute bruteforce
-e           --engines      Specify a comma-separated list of search engines
-o           --output       Save the results to a text file
-h           --help         Show the help message and exit

@UndercodeOfficial

🦑 Dangerous threat active for the past few days:

"8220" mining Trojans invade servers to mine cryptocurrency and set up a "Tsunami" botnet, ready to launch DDoS attacks
twitter.com/undercodeNews

🦑 LET'S START:

> Tencent Security Threat Intelligence Center detected an attack by a variant of the "8220" mining Trojan. The "8220" mining gang is adept at exploiting WebLogic and JBoss deserialization vulnerabilities, Redis and Hadoop unauthorized-access vulnerabilities, and other web vulnerabilities to compromise servers for mining. Recently, we found that attacks in which the gang's Trojans spread through the Apache Struts remote code execution vulnerability (CVE-2017-5638) and Tomcat weak-password brute forcing have increased significantly.

> In the lateral movement stage, the Trojan uses a Python implementation of the Redis unauthorized-access exploit to scan about 160,000 randomly generated IPs, and uses the implanted shell script hehe.sh to spread across the intranet by establishing SSH connections to the machines for which public-key authentication records exist on the compromised host. Eventually a variety of Monero mining Trojans and Tsunami botnet Trojans are implanted on the compromised machine; the latter are used by the gang to conduct DDoS attacks.

> The targets of the "8220" mining gang include both Windows and Linux servers; on the FTP servers it uses, attack modules for the different operating systems can be found. When the gang deploys its mining Trojan, it checks whether other mining Trojans are running on the server and terminates all competing miners so as to monopolize server resources.

> Based on code similarity, C2 correlation, the same Monero wallet used for mining, the same decryption method for configuration files and similar FTP servers, Tencent security experts believe that the StartMiner that appeared in early 2020 is the same as the "8220" mining Trojan gang. The gang's current version of the malicious program no longer uses port "8220" to communicate with the C2 server. A summary of the file names in recently captured samples shows that its attacks combine a variety of scripts, including VBS, PHP, Python, PowerShell and shell.


@UndercodeOfficial

🦑 SOLUTION AGAINST THIS NEW MINING THREAT FOR LINUX:

> The solution
Enterprise operations and maintenance personnel can refer to the following methods to manually remove the mining Trojans from infected Linux and Windows systems, and to the security recommendations to improve server security.

Linux system

a. Kill the processes /tmp/sh, /tmp/x32b, /tmp/x64b

b. Delete the files:

/tmp/i686 (md5: D4AE941C505EE53E344FB4D4C2E102B7)
/tmp/x86_64 (md5: 9FE932AC3055045A46D44997A4C6D481)
/tmp/x32b (md5: EE48AA6068988649E41FEBFA0E3B2169)
/tmp/x64b (md5: C4D44EED4916675DD408FF0B3562FB1F)

c. Delete crontab scheduled tasks containing "www.jukesxdbrxd.xyz" and "107.189.11.170"

Security recommendations:

a. Do not expose Redis to the public network unless necessary, and use a strong Redis password

b. Configure the Tomcat server with strong password authentication

c. For non-interactive SSH logins, set StrictHostKeyChecking=ask or StrictHostKeyChecking=yes


🦑 SOLUTION AGAINST THIS NEW MINING THREAT FOR WINDOWS:

Windows system

a. Kill the processes isassx.exe, steamhuby.exe, issaasss, isasss.exe, ready.exe, oity.exe, kkw2.exe, 12.exe, 13.exe, mess.exe

b. Delete the files:

c:\windows\temp\app.vbs
c:\windows\temp\apps.vbs
C:\Windows\Temp\ready.exe
C:\ProgramData\guvpgnkpwv\steamhuby.exe
C:\ProgramData\tumtkffywq\issaasss
C:\Windows\temp\12.exe
C:\Windows\Temp\mess.exe
%HOMEPATH%\why.ps1
%HOMEPATH%\schtasks.ps1

c. Delete scheduled tasks that include "why.ps1", "why2.ps1", "why3.ps1" or "kkmswx.ps1"

Security recommendations:

Fix Apache Struts high-risk vulnerabilities promptly;
Configure the Tomcat server with strong password authentication.
It is recommended that government agencies, large and medium-sized enterprises, and scientific research units adopt Tencent's complete security solutions to comprehensively improve the security of their information systems.

🦑 Use the solutions and protect your BTC ..

🦑 Lenovo Premium Serial Keys

PF1MJJQD - Product: S145-15IWL Laptop (ideapad)

PF0ZFNFH - Product: X1 Carbon 5th Gen - Kabylake (Type 20HR, 20HQ) Laptop (ThinkPad)

PF1MJVUX - Product: 330S-15IKB Laptop (ideapad)

🦑 3K VERIFIED NORDVPN PREMIUM ;)

pastebin.com/3c6cNZZk