Skip to main content

Exploiting a Single Request for Multiple Vulnerabilities

Hello Everyone,

This is my first blog post, it's about multiple security vulnerabilities found from a single request on a private program recently.

The vulnerabilities found are simple Stored and Reflected XSS, SSRF and Command Injection.

But since I have never written any pocs before, so just wanted to write about this one.

So let's call the website as privatesite.com

After login, the first thing I saw was a feature to upload images.

So started testing the uploader functionality, like directly uploading PHP, SWF, SVG, etc., but nothing worked as the uploader looked secured from my end.

Then I noticed there is a feature to crop the image, the post request of this feature looked kind of interesting.

1. SSRF


There was a parameter http_path which had the image URL, so I fired up a socket listening to a port on my server, and in that http_path parameter I put my server's IP and port, and the socket received the connection.

So an external SSRF was confirmed.

2. Stored XSS


On the Images page, I noticed that the cropped image has the img src value as https://privatesite/images/xx/myip

So I tried if I could break out of the quotes and it worked, so entering a simple XSS payload "><img src=x onerror=prompt(0)> in the same http_path parameter resulted in Stored XSS.



There was sitewide CSRF issue so we could have exploited this XSS using CSRF.

Unfortunately, this was a duplicate :(

3. OS Command Injection


After finding SSRF and Stored XSS, I started fuzzing around other parameters.

On passing double quotes ( " ) in one parameter, ImageMagick details was reflected in the output, it seemed like user input is passed in OS command.



So I tried |echo xxxxxxx|| and xxxxxxx was reflected in response.

So it looked a direct Command Injection,  tried |cat /etc/passwd|| and it worked.



4. Reflected XSS


The POST parameters of the crop functionality also worked as a GET request, and one of the parameters was vulnerable to Reflected XSS.

https://www.privatesite.com/function.php?parameter1=x&parameter2="><script>alert(1)</script>&&http_path=http://privatesite.com/xxx


So that's all from my first blog post :P  

I hope it was not that bad


Comments

  1. it would be better if you provide images for all findings. hope you will find amd write better writeups next time.

    ReplyDelete
  2. you should write in more detail with image it's good but can be improve.

    ReplyDelete
  3. More details would have been better, anyways good Writeup!

    ReplyDelete

Post a Comment

Popular posts from this blog

How I Pwned a company using IDOR & Blind XSS

This post is about exploiting Blind XSS and IDOR to gain access to company's Slack, Facebook Workplace and other services used by the company.

Special Thanks to Inti De Ceukelaire without his disclosure this would not have been possible.

And also thanks to my friend Harsh Jaiswal for giving some ideas.

Most of the people from infosec community must have read the disclosure by Inti De Ceukelaire regarding Ticket Trick, if you have not read I would suggest reading that first. ( https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c )

After reading the article, first thing came to my mind was exploiting this on a company as it had similar functionality on Support Tickets.

The company's website had a Support Portal. We could create a Ticket by sending an email.

Exploiting Ticket Trick to gain access to company's Slack or Facebook Workplace was not possible as Slack and Facebook included a random token while sending verification …