Webz Posted April 23, 2016 Report Posted April 23, 2016 (edited) This is where the trouble starts. You’ve seen them. They are all over the web. Sometimes they contain valuable information or warn you before closing an important browser window. But most of the time they are really annoying and almost everybody clicks on “Ok” without really reading them. I’m talking about alert boxes. If you hear “XSS” you almost immediately think of them. And that’s a huge problem. Yes, they are a good way to show that it’s possible to to execute JavaScript on a vulnerable website. And with document.domain you also show that it is running under the sites context. But what does that mean to a website owner? He just sees an annoying box and if he doesn’t read about the dangers of XSS he won’t fully understand what it is capable of. But what can we do once we located such a flaw on a website? Stealing session cookies won’t work most of the time as they are often httponly which basically means for us that it’s not readable by JavaScript. There’s a way to abuse an XSS flaw nonetheless and I’ll show you how we can escalate it to a full blown RCE, considering we know a thing or two about the admin panel (guessing might also help sometimes). In this case we escalate our privileges from an unauthenticated remote user to www-data. The vulnerable software is described like this on wikipedia: “CMS Made Simple has a web-based admin section for theme, template, and stylesheet development, installing and updating add-on modules, configuring page content blocks, and user groups and permissions.” SSRF By default CMSMS has an activated module called “CMSPrinting”. It shows you a page in print mode. When we look at the url it’s generating we see one parameter that looks suspicious. It’s a base64 encoded string. When we decode it it shows us the following link: http://172.16.15.142/index.php?showtemplate=false That host is the IP of my lab machine and the false showtemplate parameter removes unnecessary stuff from the page. Of course I immediately tried to include a local file and a remote website. Both didn’t work unfortunately. There must be something in place to prevent us from including any website we want. When we look inside the source code we see this: You see that in order to retrieve content the decoded url parameter has to start with the root url. In my case it was http://172.16.15.142 . You already know where this is going. Since there is no slash at the end we can easily create a subdomain called 172.16.15.142 and make the cms read a file from our Server. This looks totally pointless first. We can’t execute PHP code that way and we don’t get any sensitive files. We can only mirror something from our Server to the page. But if you think about it, that’s exactly what we need to make it an… XSS You think of the alert box again, don’t you? Now you are going to be disappointed. This post is alert free. Instead we escalate it further. Since we are able to create a file on our own server that will be retrieved by the victim cms and then mirrored to the victims browser we don’t have to worry about getting caught by any XSS filter or waf. We can simply write our payload inside our local file. Here’s what it’s doing: First we use JavaScript to get the content of the Admin panel, which contains a CSRF token that has to be passed for any action the admin executes in the ACP. We then extract this key. CSRF With our obtained token and the XSS flaw we can make requests on behalf of the administrator. What we are interested in is the file upload functionality that’s also included in the standard installation. What do we do? We now have to simulate a file upload to the CMS via XSS. This can be done with an ajax post request. RCE We now upload a php file containing a reverse shell. To trigger it we create an img tag pointing to our uploaded file. And there you go. SSRF->XSS->CSRF->RCE If you have XSS on your website in almost every case your CSRF protections are useless. This can lead to account takeover, privilege escalation and also to a complete compromise of your Server. With this in mind, tell me: is an alert box really a good way to show a website owner the dangers of XSS? You decide. https://3.sendvid.com/hajs932z.mp4 Articol preluat de pe site-ul https://blog.asdizzle.com Toate drepturile rezervate asdizzle_ Edited April 23, 2016 by Webz 2 Quote
