Hello Everyone,
This is my first blog post; it's about multiple security vulnerabilities found from a single request on a private program recently.
The vulnerabilities found are simple Stored and Reflected XSS, SSRF and Command Injection.
Since I have never written any PoCs before, I just wanted to write about this one.
So let's call the website privatesite.com.
After login, the first thing I saw was a feature to upload images.
So I started testing the uploader functionality, like directly uploading PHP, SWF, SVG, etc., but nothing worked, as the uploader looked secure from my end.
Then I noticed there was a feature to crop the image, and the POST request of this feature looked kind of interesting.
1. SSRF
There was a parameter http_path which held the image URL, so I fired up a socket listening on a port on my server, put my server's IP and port in that http_path parameter, and the socket received the connection.
So an external SSRF was confirmed.
2. Stored XSS
On the Images page, I noticed that the cropped image had the img src value https://privatesite/images/xx/myip
So I tried to break out of the quotes and it worked: entering a simple XSS payload "><img src=x onerror=prompt(0)> in the same http_path parameter resulted in Stored XSS.
There was a sitewide CSRF issue, so we could have exploited this XSS using CSRF.
Unfortunately, this was a duplicate :(
3. OS Command Injection
After finding SSRF and Stored XSS, I started fuzzing around other parameters.
On passing double quotes ( " ) in one parameter, ImageMagick details were reflected in the output; it seemed like user input was being passed to an OS command.
So I tried |echo xxxxxxx|| and xxxxxxx was reflected in the response.
So it looked like a direct Command Injection; I tried |cat /etc/passwd|| and it worked.
4. Reflected XSS
The POST parameters of the crop functionality also worked as a GET request, and one of the parameters was vulnerable to Reflected XSS:
https://www.privatesite.com/function.php?parameter1=x&parameter2="><script>alert(1)</script>&&http_path=http://privatesite.com/xxx
So that's all from my first blog post :P
I hope it was not that bad
Great :3
nice
it would be better if you provide images for all findings. hope you will find and write better writeups next time.
you should write in more detail with images; it's good but can be improved.
More details would have been better, anyways good Writeup!