This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications. This version includes cool notifications and new attack vectors!
- Version 2.0 – 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf
- Version 2.5 – 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj
- Python (2.7.*, version 2.7.11 was used for development and demo)
- Msfconsole (accessible via environment variables)
- Netcat (nc)
- cURL (curl) [NEW]
- PyGame (apt-get install python-pygame) [NEW]
- Chrome (14 Nov 2015) – This should still work.
- Firefox (04 Nov 2016) – Tested live at Black Hat Arsenal 2016
- WordPress http://wordpress.org/
- Better WP Security 3.5.3 http://www.exploit-db.com/wp-content/themes/exploit/applications/c6d6beb3c11bc58856e15218d512b851-better-wp-security.3.5.3.zip
- Optional: WPSEO https://yoast.com/wordpress/plugins/seo/
- Joomla https://www.joomla.org/
- SecurityCheck 2.8.9 https://www.exploit-db.com/apps/543ccd00b06d24be139d7e18212a0916-com_securitycheck_j3x-2.8.9.zip
- Audio: Contains remixed audio notifications.
- Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
- Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with `system($_GET['c'])`.
- Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey’s shell that connects back via wget.
- Hans-Michael Varbaek
- Sense of Security
- MaXe / InterN0T